Health Data Sharing Agreements in New Zealand: Privacy Issues for Businesses

A health data sharing agreement can look straightforward on paper, especially when the other side says they have a standard form and need it signed quickly. But this is where New Zealand businesses often get caught. Common mistakes include assuming consent covers every future use, sharing more health information than the project actually needs, and relying on broad confidentiality wording without dealing properly with privacy law, security, retention, or cross-border transfers.

If your business collects, analyses, stores, hosts, integrates, or receives health information, the legal risks are usually higher than people expect. Health data is sensitive, and a weak agreement can create real exposure if there is a privacy breach, a patient complaint, or a dispute over who can use the data later. The key questions are usually practical ones: what data is being shared, why it is being shared, who is responsible if something goes wrong, and what limits need to sit in the contract before you sign.

Overview

A health data sharing agreement should do more than say parties will keep information confidential. For New Zealand businesses, it should clearly allocate privacy responsibilities, match the actual data flows, and set workable limits on collection, use, disclosure, storage, security, and deletion.

The stronger the agreement, the easier it is to show that your business has thought carefully about privacy compliance and commercial risk before you sign.

  • Identify exactly what health information will be shared, and whether it includes identifiable, de-identified, or aggregated data.
  • Confirm the legal basis for sharing, including whether consent is required and whether any privacy notices or collection notices need updating.
  • Set clear rules on purpose limitation, data minimisation, access controls, security standards, and incident response.
  • Allocate responsibility for Privacy Act compliance, patient requests, complaints, breach notification, and regulator enquiries.
  • Check whether the information will be hosted or accessed outside New Zealand, and set rules for offshore disclosure.
  • Deal with ownership, permitted secondary use, subcontracting, retention periods, destruction, audit rights, and exit arrangements.

What a Health Data Sharing Agreement Means For New Zealand Businesses

A health data sharing agreement is a contract that sets the rules for sharing health information between organisations. In practice, it is the document that should explain who can access the data, what they can do with it, what they must not do with it, and who carries the risk if the arrangement causes privacy or commercial problems.

For many SMEs, this comes up in ordinary growth moments. You might be a digital health platform integrating with a clinic network, a software provider hosting patient records, a wellness business partnering with a medical service, or an analytics company receiving health-related datasets for reporting. Even where your business is not a traditional healthcare provider, the agreement still matters if the information is health information about identifiable people.

Why health information is treated more carefully

Health information is generally more sensitive than standard customer data because it can reveal medical conditions, treatment history, disability status, test results, medication, mental health details, or care arrangements. A misuse or accidental disclosure can cause more than embarrassment. It can affect trust, reputation, employment, insurance, and ongoing care.

That is why businesses should expect a higher standard of privacy governance before they accept the provider's standard terms or rely on a simple NDA.

How New Zealand privacy rules affect the contract

The Privacy Act 2020 matters here, and businesses dealing with health information also need to consider the Health Information Privacy Code 2020. These rules affect how personal information is collected, used, disclosed, stored, corrected, and retained. The agreement should reflect those legal duties rather than contradict them.

That means a contract cannot fix an unlawful data practice just by getting both parties to sign. If the actual sharing arrangement is too broad, lacks a proper purpose, or does not give individuals the transparency they are entitled to, the legal issue remains.

What a good agreement usually covers

A well-drafted health data sharing agreement usually covers both privacy compliance and commercial control. The practical clauses often include:

  • a clear description of the datasets and whether the information is identifiable, coded, de-identified, or aggregated
  • the permitted purposes for collection, access, analysis, disclosure, and any onward sharing
  • restrictions on secondary use, product development, machine learning, benchmarking, marketing, or research use
  • security obligations, including encryption, access controls, logging, testing, and staff confidentiality requirements
  • responsibility for giving privacy notices and obtaining any required consent
  • processes for responding to access requests, correction requests, complaints, and privacy breaches
  • retention periods, deletion or return obligations, and what happens to backup copies
  • audit rights, reporting obligations, indemnities, liability caps, and termination rights

Controller or processor style roles still matter

New Zealand law does not always use the same labels as overseas privacy regimes, but the practical distinction still matters. One party may decide why and how the health information is used, while another party may only handle it on instructions. If the agreement blurs those roles, responsibility gets muddy fast.

This is where founders often get caught. A software provider may think it is only storing information, while the customer thinks the provider is also responsible for breach response and patient requests. The contract should remove that ambiguity before you sign.

The main legal question is not whether the other party looks trustworthy. It is whether the agreement accurately reflects the real data flows and gives your business enough protection if privacy, security, or scope issues arise later.

1. What exactly is being shared?

Do not accept vague wording such as “health data” or “patient information” if different categories carry different risks. The agreement should spell out the data fields, source systems, format, frequency, and whether identifiers are included.

You should also separate out information that may be technically de-identified from information that can still be re-identified when combined with other datasets. That distinction matters for both legal risk and internal handling rules.

2. What is the lawful purpose?

A health data sharing arrangement needs a clear and limited purpose. If the stated purpose is too broad, the other party may later argue they can use the information for unrelated analytics, platform training, or product development.

Before you sign a contract, make sure the purpose clause answers:

  • why the data is being shared
  • which business function it supports
  • whether the use is operational, clinical, research-based, or analytical
  • whether any secondary use is permitted
  • when fresh consent or further notice may be needed

3. Were individuals told about the sharing?

Many businesses assume that because information was originally collected from a customer or patient, it can be shared freely inside a broader commercial arrangement. That is not always right. The original collection notice, service terms, and consent process need to line up with the proposed sharing.

If your business is the party collecting the information, ask whether individuals were told:

  • who would receive their information
  • why the sharing would happen
  • whether any offshore providers are involved
  • what choices or rights they have

If the answer is no, the agreement alone may not solve the problem.

4. Who is responsible for security?

Security clauses should be specific enough to be workable. General promises to use “reasonable security” can become hard to enforce if there is a breach.

Before you rely on a verbal promise, check whether the contract deals with:

  • encryption in transit and at rest
  • role-based access controls
  • multi-factor authentication where appropriate
  • logging and monitoring
  • staff training and confidentiality undertakings
  • subcontractor security controls
  • penetration testing or assurance reporting
  • physical security for hosted systems or records

5. What happens if there is a privacy breach?

Breach response is one of the most negotiated parts of a health data sharing agreement because timing matters. If one party delays telling the other, the business that faces patients or regulators may lose valuable time.

The agreement should set out:

  • when a suspected or actual breach must be notified
  • what information must be provided in the notification
  • who investigates and who pays the immediate response costs
  • who decides whether affected individuals or the Privacy Commissioner should be notified
  • who manages external communications
  • what remediation steps must follow

6. Is any data going offshore?

A lot of health information is stored in cloud systems, support tools, or integrated platforms that may be accessed from outside New Zealand. Offshore disclosure is not a box-ticking issue. You need to know where the information may go, who can see it, and what protections apply.

If the other party uses overseas hosting or support teams, the agreement should deal with approval rights, destination countries, equivalent safeguards, and restrictions on onward transfers, including any cross-border data transfer terms.

7. Can the recipient use the data for product improvement or AI?

This is becoming a major issue in software and analytics contracts. A provider may ask for the right to use health data, or derived data, to improve services, train models, create benchmarks, or build commercial insights.

Sometimes there is a legitimate limited use case. Often the clause is much broader than the customer expects. Before you accept the provider's standard terms, check whether the agreement clearly says:

  • whether raw health information can be reused
  • whether only aggregated or properly de-identified outputs may be used
  • whether machine learning or model training is allowed
  • whether any derived intellectual property belongs to one party or is shared
  • whether competitors' data could be pooled for benchmarking

8. Who handles access and correction requests?

Individuals in New Zealand may have rights to ask for access to their personal information and request correction. If your business receives the request but another party actually holds the relevant records, the agreement should tell both sides what to do.

Without a clear process, requests can be delayed, mishandled, or answered inconsistently.

9. What are the liability settings?

Liability clauses often decide who really carries the risk. A supplier may offer broad rights over the data but cap its liability at a very low level. That can leave the business facing patient claims, reputational harm, and remediation costs with limited contractual recourse.

Look carefully at indemnities, exclusions, and caps, especially for:

  • privacy breaches
  • confidentiality breaches
  • unauthorised disclosure or misuse of health information
  • regulatory investigations
  • breach of security obligations
  • third-party claims caused by one party's misconduct

10. What happens when the arrangement ends?

Exit terms matter because health information often survives the relationship unless the contract clearly says what must happen next. The agreement should address return, deletion, retention required by law, backup copies, transition assistance, and proof of destruction where appropriate.

This is particularly important where a customer wants to switch platforms or bring data handling back in-house.

Common Mistakes With Health Data Sharing Agreements

The most common mistake is treating a health data sharing agreement like a standard commercial contract with a privacy clause added at the end. Health information needs the privacy and operational detail built into the core of the document.

Using a generic NDA instead of a tailored agreement

An NDA may help with confidentiality, but it usually does not deal properly with purpose limitation, data subject requests, breach response, deletion, or offshore disclosures. It is not enough if the arrangement involves real handling of health information.

Failing to map the real data flow

Businesses often sign based on a high level description and only later discover the provider uses extra subprocessors, overseas support access, or broader analytics tools than expected. A short data flow exercise before you sign can prevent expensive renegotiation later.

The key operational points to map include:

  • where the data comes from
  • who receives it first
  • which systems store or process it
  • which people can access it
  • whether any copies are created
  • when the data is deleted or archived

Assuming de-identified data is always low risk

Some datasets are easy to re-identify when combined with dates, locations, demographics, or other records. If the agreement allows broad use of “de-identified” data without defining the standard or restricting re-identification, your business may have more exposure than expected.

Leaving notices and consent to the other party

Each party may assume the other has handled the customer or patient messaging. Then a complaint arrives and neither side can show that individuals were clearly told how the sharing would work. The contract should allocate responsibility for notices, consents, and record keeping.

Accepting broad secondary use rights

Founders sometimes focus on pricing and functionality and overlook a clause allowing the recipient to use data for internal development, model training, research, or benchmarking. If that use matters commercially or reputationally, it should be narrowed or removed before you sign.

Ignoring retention and deletion details

“Delete when no longer needed” sounds sensible but can be too vague in practice. The contract should state retention periods, legal hold exceptions, backup treatment, and how deletion will be confirmed.

Underestimating supplier terms

Large providers often present non-negotiable standard terms. Even so, businesses should still identify the highest-risk clauses and ask targeted questions. Sometimes a side letter, data schedule, or security addendum can solve issues without reopening the whole contract.

Relying on operational trust instead of written process

Many privacy problems start after staff changes, growth, or system integration changes. Written escalation paths, named responsibilities, and review rights are much safer than relying on a friendly commercial relationship.

FAQs

Does every business handling health information need a health data sharing agreement?

No, not every arrangement needs a standalone document, but any business sharing health information with another organisation should have clear contractual terms covering privacy, security, use, and responsibility. If the data is sensitive, identifiable, or central to the service, a tailored agreement is usually the safer option.

Is confidentiality wording enough?

No. Confidentiality and privacy are related but different. A confidentiality clause does not usually cover lawful purpose, individual rights, breach notification, offshore disclosure, retention, or deletion in enough detail.

Can we use de-identified health data without restriction?

Not necessarily. The practical risk depends on whether the data can be re-identified, what other datasets exist, and what the contract allows. Your agreement should define de-identification standards and prohibit re-identification unless expressly permitted.

What if the other party hosts data overseas?

You should check where the data will be stored or accessed, what legal protections apply, and whether the arrangement aligns with New Zealand privacy requirements. Offshore hosting should be expressly covered in the contract, not left implied.

Who should handle patient or customer privacy requests?

The agreement should say who receives requests, who must assist, what timeframes apply, and who makes final decisions where records sit across more than one system. Clear process wording avoids delay and inconsistent responses.

Key Takeaways

  • A health data sharing agreement should clearly define the data, the purpose, and the limits on use, not just include a short confidentiality clause.
  • New Zealand businesses dealing with health information should align their contract with the Privacy Act 2020 and the Health Information Privacy Code 2020.
  • The biggest issues to sort out before you sign are consent and transparency, security controls, breach response, offshore access, secondary use rights, and deletion at the end of the arrangement.
  • Generic supplier terms and NDAs often miss the practical privacy points that matter most when health information is involved.
  • A short data flow review and a tailored contract can reduce the risk of complaints, disputes, and expensive fixes later.

If you want help with privacy clauses, data breach risk allocation, offshore data transfer terms, and consent and notice issues, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
