Secure methods for sending/receiving health records electronically

Anon made this Official Information request to Privacy Commissioner

Privacy Commissioner did not have the information requested.

From: Anon

Dear Privacy Commissioner,

I am seeking very clear and specific information as to the methods, programmes or applications that have been approved by the DoIA (e.g., Government Chief Privacy Officer & Government Information Security Officer) for sending/receiving private information (like health information) electronically, which meet the standards, regulations, and legislative requirements.

We all know that email is not safe from interception or unauthorised access.

Rule 5 of the Health Information Privacy Code 2020 states:
(1) A health agency that holds health information must ensure—
(a) that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against—
(i) loss;
(ii) access, use, modification, or disclosure that is not authorised by the agency; and
(iii) other misuse;
(b) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and
(c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.
(2) This rule applies to health information obtained before or after the commencement of this code.

Section 22 (IPP 5) of the Privacy Act 2020 is essentially the same rule.

I also refer to standards set out by the:
• Ministry of Health: HISO 10029 and HISO 10064
• Center for Internet Security (CIS)
• CERT NZ Top Ten
• Cloud Security Alliance (CSA) Cloud Controls Matrix
• Health Insurance Portability and Accountability Act (HIPAA) (US)
• ISO 27001 Information Security Management Standard
• ISO 27002 Information Technology – Security Techniques – Code of practice for information security controls
• ISO 27799 Health informatics – Information Security Management in health using ISO/IEC 27002
• New Zealand Information Security Manual (NZISM)
• Protective Security Requirements (PSR)
• National Cyber Security Centre
• Information security management protocol
• New Zealand Government Security Classification System

This is also a request for all risk assessments undertaken by the OPC for the use of email to transfer patient records by NZ Agencies (e.g., Health NZ, ACC, MoJ, ...). If the OPC has not conducted any risk assessments for any government agencies, then I request your assistance and ask that you transfer this part of my request to the proper agency/organisation.

Thank you.

Anon


From: OIA
Privacy Commissioner


Attachment: 2024 02 19 official information response.pdf (184K)


Tēnā koe

Please find attached the Privacy Commissioner's response to your official information request.
Aku mihi

Sharyn Leonard
Executive Assistant (Legal) | Kaiāwhina Mātāmua, Taha Ture

Office of the Privacy Commissioner | Te Mana Mātāpono Matatapu
PO Box 10094, The Terrace, Wellington 6143
privacy.org.nz
NZBN 9429041913161

