Overview
New Zealand's approach to health data de-identification is primarily governed by the Health Information Privacy Code (HIPC) 2020 and the Privacy Act 2020. These frameworks provide specific rules for handling health information, recognizing its sensitive nature while enabling its use for healthcare delivery, research, and public health purposes.
Key Developments in New Zealand's Health Data Framework
- 1993: Original Privacy Act established
- 1994: First Health Information Privacy Code issued
- 2008: Major revision of the HIPC
- 2017: Privacy Commissioner issued specific guidance on health information
- 2020: New Privacy Act came into effect
- 2020: Updated Health Information Privacy Code issued
- 2022: Updated guidance on health research and privacy
- 2023: New guidance on Māori data sovereignty principles
Legal Framework
The key legislation governing health data de-identification in New Zealand includes:
- Health Information Privacy Code 2020: A code of practice issued under the Privacy Act that provides specific rules for health agencies handling health information
- Privacy Act 2020: The primary legislation governing privacy in New Zealand, which replaced the Privacy Act 1993
- Guidance from the Office of the Privacy Commissioner: Including specific guidance on anonymization and de-identification
- Health Research Council Guidelines: Guidelines for research contexts involving health data
- National Ethics Advisory Committee (NEAC) Guidelines: Ethical guidelines for health research
- Health and Disability Ethics Committees (HDEC) Guidelines: Guidelines for ethical review of health research
Reference Links:
- Health Information Privacy Code 2020: https://www.privacy.org.nz/privacy-act-2020/codes-of-practice/hipc2020/
- Privacy Act 2020: https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html
- Office of the Privacy Commissioner: https://www.privacy.org.nz/
- Health Research Council: https://www.hrc.govt.nz/resources/data-protection-and-use
- National Ethics Advisory Committee: https://neac.health.govt.nz/
Key Concepts and Definitions
New Zealand's framework defines several important concepts related to health data:
| Concept | Definition | Source |
|---|---|---|
| Health Information | Information about an identifiable individual's health, disabilities, health services provided, or to be provided | HIPC 2020 |
| Health Agency | Providers of health or disability services, including DHBs, PHOs, private hospitals, and individual practitioners (the DHBs named in the Code were disestablished in the 2022 reforms, with their functions moving to Te Whatu Ora) | HIPC 2020 |
| De-identified Information | Information from which identifiers have been removed to the extent that the individual is not reasonably identifiable | Privacy Commissioner Guidance |
| Anonymized Information | Information that has been irreversibly de-identified so that re-identification is not possible | Privacy Commissioner Guidance |
| Pseudonymized Information | Information where identifiers have been replaced with alternative identifiers (pseudonyms) | Privacy Commissioner Guidance |
Reference:
Privacy Commissioner's Guidance on Anonymization: https://www.privacy.org.nz/publications/guidance-resources/anonymisation-and-de-identification/
Key Requirements
New Zealand's framework for health data de-identification includes these key requirements:
| Requirement | Description | Practical Implementation |
|---|---|---|
| De-identification Standard | Information must be de-identified to the extent that the individual is not reasonably identifiable | Removal of direct identifiers and sufficient transformation of indirect identifiers based on context-specific risk assessment |
| Purpose Limitation | De-identified health information should only be used for the purpose for which it was de-identified | Clear documentation of intended use and restrictions on repurposing de-identified data |
| Risk Assessment | Assessment of the risk of re-identification must consider the context, including other available information | Formal risk assessment process considering data environment, potential recipients, and available external datasets |
| Small Population Considerations | Special care for Māori data and small population groups to prevent identification | Additional aggregation or suppression for small demographic groups, consultation with Māori representatives |
| Governance Controls | Technical de-identification must be accompanied by appropriate governance controls | Access controls, confidentiality agreements, security measures, and audit trails |
| Information Provision | Organizations should inform individuals if their health information will be de-identified for secondary purposes | Privacy notices and collection statements that explain potential de-identified use of data |
Example: De-identification Process for a Health Research Project
A research project examining diabetes outcomes across New Zealand implemented this de-identification process:
- Removal of direct identifiers (names, NHI numbers, addresses, contact details)
- Conversion of dates to age ranges or time intervals
- Generalization of location data to DHB region level rather than specific locations
- Special treatment for rare conditions or treatments (grouping into broader categories)
- Additional aggregation for small demographic groups, particularly in rural areas
- Specific consultation with Māori health representatives regarding appropriate handling of Māori health data
- Implementation of secure data environment with access controls and audit logging
- Confidentiality agreements for all researchers accessing the data
- Ethics committee review of the de-identification protocol
Technical Approaches
While New Zealand's framework is principles-based rather than prescriptive about specific techniques, the Privacy Commissioner's guidance recommends several approaches:
De-identification Techniques
| Technique | Description | Example in Health Context |
|---|---|---|
| Removal | Complete removal of identifying information | Removing patient names, NHI numbers, and contact details from clinical records |
| Aggregation | Combining data points into categories | Converting exact ages to age ranges (e.g., 30-34 years) |
| Generalization | Making data less specific | Reporting location at DHB level rather than specific address or GP practice |
| Perturbation | Adding random noise to data | Adding small random noise to laboratory values, bounded so that clinically meaningful thresholds and trends are preserved |
| Suppression | Withholding specific data points | Suppressing rare diagnoses or treatments that could enable identification |
| Pseudonymization | Replacing identifiers with alternative values, with the mapping or key held separately from the dataset so recipients cannot reverse it | Replacing NHI numbers with study-specific identifiers |
Reference:
Health and Disability Ethics Committees: https://ethics.health.govt.nz/operating-procedures/
Example: De-identified Health Record
Original Health Record:
- Name: John Smith
- NHI: ABC1234
- Date of Birth: 15/03/1978
- Address: 123 Main Street, Karori, Wellington
- Phone: 04-123-4567
- GP: Dr. Jane Wilson, Wellington Family Practice
- Diagnosis: Type 2 Diabetes Mellitus
- Admission Date: 23/06/2024
- Rare Genetic Condition: Alport Syndrome
De-identified Record:
- Study ID: PT-2024-78945
- Age Range: 45-49 years
- Region: Capital & Coast DHB
- Diagnosis: Type 2 Diabetes Mellitus
- Admission Year: 2024
- Secondary Condition: Genetic kidney disorder
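The research-project process and the techniques table above describe the transformation that turns the original record into the de-identified one. The following is an added example, not code from the page or from any New Zealand agency, showing those steps applied to the page's record: keyed pseudonymisation of the NHI, age banding relative to the admission date, generalisation of the address to a region, grouping of the rare condition, and a small-cell suppression pass for the small-population concern. The study-ID format, the key, the city-to-region and rare-condition lookups, the choice of admission date as the age reference, and the k threshold are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import Counter
from datetime import date

# Constructed key for the example. In a real project it lives in a secrets
# manager under the data custodian's control, separate from the dataset, so
# holders of the de-identified data cannot recompute the NHI-to-ID mapping.
PSEUDONYM_KEY = b"example-only-key-replace-with-32-random-bytes"

# Constructed lookups (assumptions; only the Wellington row comes from the page).
CITY_TO_REGION = {"Wellington": "Capital & Coast DHB", "Auckland": "Auckland DHB"}
RARE_CONDITION_GROUPS = {"Alport Syndrome": "Genetic kidney disorder"}
DIRECT_IDENTIFIERS = {"Name", "NHI", "Date of Birth", "Address", "Phone", "GP"}

SAMPLE_RECORD = {  # constructed from the page's example record
    "Name": "John Smith", "NHI": "ABC1234", "Date of Birth": "15/03/1978",
    "Address": "123 Main Street, Karori, Wellington", "Phone": "04-123-4567",
    "GP": "Dr. Jane Wilson, Wellington Family Practice",
    "Diagnosis": "Type 2 Diabetes Mellitus", "Admission Date": "23/06/2024",
    "Rare Genetic Condition": "Alport Syndrome",
}


def pseudonymise(nhi: str, study_year: int, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic study ID for an NHI.

    A plain SHA-256 of the NHI is not a pseudonym: the NHI space is small
    enough to enumerate, so anyone could hash every candidate and invert the
    mapping. HMAC with a secret key held by the custodian closes that gap.
    """
    digest = hmac.new(key, nhi.strip().upper().encode(), hashlib.sha256).hexdigest()
    return f"PT-{study_year}-{digest[:10].upper()}"


def parse_nz_date(text: str) -> date:
    """Parse the dd/mm/yyyy form used in the page's record."""
    day, month, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def age_band(dob: date, on: date, width: int = 5) -> str:
    """Age at the reference date, generalised to a fixed-width band."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1} years"


def region_for(address: str) -> str:
    """Generalise a street address to the region of its last comma field."""
    city = address.rsplit(",", 1)[-1].strip()
    return CITY_TO_REGION.get(city, "Other")


def deidentify(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Apply removal, pseudonymisation, generalisation and grouping to one record."""
    admitted = parse_nz_date(record["Admission Date"])
    out = {
        "Study ID": pseudonymise(record["NHI"], admitted.year, key),
        "Age Range": age_band(parse_nz_date(record["Date of Birth"]), admitted),
        "Region": region_for(record["Address"]),
        "Diagnosis": record["Diagnosis"],
        "Admission Year": admitted.year,  # exact admission date is dropped
    }
    rare = record.get("Rare Genetic Condition")
    if rare:
        # Rare conditions are grouped into a broader category; anything without
        # an agreed group is suppressed rather than passed through verbatim.
        out["Secondary Condition"] = RARE_CONDITION_GROUPS.get(rare, "Suppressed")
    leaked = DIRECT_IDENTIFIERS & out.keys()
    if leaked:  # guard against a direct identifier being copied across by mistake
        raise ValueError(f"direct identifiers left in output: {leaked}")
    return out


def suppress_small_cells(records, quasi=("Age Range", "Region", "Diagnosis"), k=5):
    """Small-population control: any combination of quasi-identifiers shared by
    fewer than k records is blanked so nobody sits in a cell on their own.
    A production pipeline would usually widen the band or region first."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    result = []
    for r in records:
        if counts[tuple(r[q] for q in quasi)] >= k:
            result.append(dict(r))
        else:
            result.append({**r, **{q: "*" for q in quasi}})
    return result


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Running it on the page's record yields the age range 45-49 years, the Capital & Coast DHB region, admission year 2024 and the "Genetic kidney disorder" grouping shown above; the study ID differs in form from the page's because it is derived from the HMAC. The final guard and the suppression pass are the two checks a reviewer of such a pipeline would ask for: proof that no direct identifier survived, and handling of the unique combinations that a 5-million-person population produces.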
Māori Data Considerations
A distinctive aspect of New Zealand's approach is the consideration of Māori data sovereignty principles:
- Treaty of Waitangi Obligations: Health data de-identification must respect Treaty principles of partnership, participation, and protection
- Consultation Requirements: Significant health data projects should consult with Māori representatives
- Collective Privacy: Recognition that privacy interests may be both individual and collective
- Data Sovereignty: Acknowledgment of Māori rights to govern Māori data
- Cultural Context: Understanding that certain data may have cultural significance beyond individual privacy concerns
Case Study: Māori Health Data Protocol
The Health Research Council and Te Mana Raraunga (Māori Data Sovereignty Network) developed a protocol for Māori health data that includes:
- Early engagement with Māori stakeholders before data collection
- Co-design of de-identification protocols with Māori researchers
- Consideration of both individual and collective privacy interests
- Additional protections for data about small Māori communities
- Governance arrangements that include Māori representation
- Recognition that some data may need to remain identifiable for cultural reasons
- Benefits sharing from research using Māori health data
Reference:
Te Mana Raraunga - Māori Data Sovereignty Network: https://www.temanararaunga.maori.nz/
Health Research Council Guidelines for Māori Health Research: https://www.hrc.govt.nz/resources/guidelines-researchers-health-research-involving-maori
Implementation Considerations
When implementing health data de-identification in New Zealand:
- Small Population Challenges: Organizations must consider New Zealand's relatively small population (5 million) which increases re-identification risks
- Treaty of Waitangi Principles: The principles of partnership, participation, and protection must be respected, ensuring Māori have appropriate control over Māori health data
- "Reasonably Identifiable" Standard: This context-dependent standard requires consideration of all available means, including other datasets that might be combined
- De-identification Spectrum: De-identification should be viewed as a spectrum rather than a binary state, with appropriate controls based on risk level
- Complementary Controls: Technical de-identification should be complemented by contractual, security, and governance controls
- Regular Review: Regular review of de-identification methods is necessary as re-identification risks evolve with new technologies and data sources
- Ethics Committee Review: Health research using de-identified data may still require ethics committee review depending on the context
Example: Multi-layered De-identification Approach
A national health survey implemented these complementary controls:
- Technical measures: Removal of direct identifiers, generalization of demographic data, suppression of unique characteristics
- Legal controls: Data use agreements prohibiting re-identification attempts
- Security controls: Secure data environment with access logging and monitoring
- Governance controls: Data access committee with diverse representation including Māori members
- Procedural controls: Researcher training on privacy obligations
- Transparency measures: Public documentation of de-identification methods used
Reference:
Privacy Commissioner's Health Information Privacy FAQs: https://www.privacy.org.nz/publications/guidance-resources/health-information-privacy-faqs/
Health Data Initiatives
New Zealand has several initiatives that utilize de-identified health data:
1. Integrated Data Infrastructure (IDI)
A research database managed by Statistics New Zealand that contains de-identified data from across the government sector, including health data. The IDI:
- Links de-identified individual-level data from multiple government agencies
- Implements a "five safes" framework for data access
- Requires formal approval for research projects
- Provides access through secure data labs
- Reviews all outputs before release to prevent re-identification
Reference:
Stats NZ Integrated Data Infrastructure: https://www.stats.govt.nz/integrated-data/integrated-data-infrastructure/
2. Health Information Standards Organisation (HISO)
HISO develops standards for health information management, including standards for de-identification:
- Develops technical standards for health data management
- Provides guidance on consistent approaches to de-identification
- Promotes interoperability while maintaining privacy
- Works with international standards organizations
Reference:
Health Information Standards Organisation: https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/health-information-standards-0
3. Virtual Health Information Network (VHIN)
A network of health researchers and data scientists who collaborate on health data projects:
- Shares best practices for health data de-identification
- Develops methodologies for working with linked data
- Provides training on responsible health data use
- Promotes collaboration across institutions
Reference:
Virtual Health Information Network: https://vhin.co.nz/
Case Study: COVID-19 Data Platform
During the COVID-19 pandemic, New Zealand established a national COVID-19 data platform that:
- Collected testing, case, and vaccination data nationwide
- Implemented tiered access to data based on sensitivity and de-identification level
- Provided fully de-identified data for public reporting and research
- Maintained identifiable data for public health response with strict access controls
- Applied special protocols for Māori and Pacific data, developed in consultation with community representatives
- Enabled rapid research while maintaining privacy protections
This approach demonstrated New Zealand's principles-based framework in action during a public health emergency.
Limitations and Criticisms
New Zealand's health data de-identification framework has been subject to certain criticisms:
- Small Population Challenges: Implementing appropriate de-identification in a country with only 5 million people creates inherent challenges, particularly for rare conditions
- Balancing Interests: Potential tension between privacy protection and the benefits of data sharing for research and public health
- Ambiguity: Evolving interpretations of what constitutes "reasonable identifiability" can create uncertainty for organizations
- Māori Data Sovereignty: Ongoing discussions about appropriate protection for Māori data and respect for data sovereignty principles
- Technical Guidance: Limited specific technical guidance compared to some international frameworks like HIPAA
- Emerging Technologies: Challenges in applying general principles to rapidly evolving healthcare technologies like genomics and AI
- Regional Variation: Inconsistent implementation across different health organizations and regions
Reference:
Office of the Privacy Commissioner Case Notes: https://www.privacy.org.nz/publications/case-notes-and-court-decisions/
Recent Developments
Recent developments in New Zealand's approach to health data de-identification include:
- Health NZ Transformation: The 2022 health system reforms created Health New Zealand (Te Whatu Ora) and the Māori Health Authority (Te Aka Whai Ora), replacing the DHBs and changing who holds and governs health data; Te Aka Whai Ora was itself disestablished in June 2024 and its functions transferred
- Hira Programme: A new national health information platform being developed with privacy and de-identification built into its design
- Updated Ethics Guidelines: The National Ethics Advisory Committee published updated guidelines for health research in 2023
- AI Governance: Development of new guidance on using de-identified health data for artificial intelligence and machine learning
- Indigenous Data Sovereignty: Growing recognition of Māori data sovereignty principles in health data governance
Reference:
Hira Programme: https://www.tewhatuora.govt.nz/our-health-system/digital-health/hira-connecting-your-health-information/
Te Whatu Ora - Health New Zealand: https://www.tewhatuora.govt.nz/
Te Aka Whai Ora - Māori Health Authority: https://teakawhaiora.nz/
How It Compares to Other Frameworks
New Zealand's approach to health data de-identification can be compared to other international frameworks:
- Principles vs. Rules: Like the EU's GDPR (whose Recital 26 test asks what means are "reasonably likely" to be used to identify a person), New Zealand's "reasonably identifiable" standard is principles-based rather than a prescriptive checklist
- Specific Identifiers: Unlike HIPAA in the US, New Zealand does not provide a specific list of identifiers to remove
- Cultural Considerations: New Zealand places greater emphasis on cultural considerations, particularly for Māori data, than most other frameworks
- Risk Assessment: The framework emphasizes context-specific risk assessment rather than universal rules
- Purpose Focus: There is significant focus on the purpose of data use in determining appropriate de-identification levels
- Risk Management: The framework acknowledges that perfect anonymization may be impossible and emphasizes risk management
- Collective Privacy: New Zealand's approach recognizes collective privacy interests, not just individual privacy
- Small Population Context: The framework is adapted to the challenges of a small population country, unlike frameworks designed for larger jurisdictions
Practical Comparison Example
For a clinical research project using patient data:
- Under HIPAA Safe Harbor: Remove the 18 listed identifiers, and have no actual knowledge that the remaining information could identify the individual, to create a de-identified dataset that can be used without patient authorization
- Under New Zealand's Framework: Conduct a context-specific risk assessment, implement appropriate de-identification based on the specific research purpose and data environment, consider Māori data sovereignty implications, implement governance controls, and potentially seek ethics committee approval even for de-identified data