Collecting Health Information? Here’s Why A Privacy Policy Is Important. (2026 Updated)

By Abinaja Yogarajah, 10 min read

If your business collects health information in New Zealand, you’re dealing with some of the most sensitive personal data there is.

That can include obvious things (like a patient’s diagnosis) and not-so-obvious things (like a client’s allergy information, mental health notes, injury details, or even a health questionnaire you use to “tailor” your service).

This 2026 update reflects what we’re consistently seeing across NZ: more businesses are collecting health information digitally (online forms, apps, telehealth, booking platforms), and privacy expectations are higher than ever. The good news? With the right legal foundations, collecting health information can be done safely and confidently from day one.

In this article, we’ll break down what “health information” really covers, why a Privacy Policy matters, and how to set up privacy practices that actually protect your business (not just look good on your website).

What Counts As “Health Information” In New Zealand?

In NZ, privacy law doesn’t just care about “medical records” in a hospital setting. Under the Privacy Act 2020, “personal information” is any information about an identifiable individual. Health information is generally treated as especially sensitive.

In practice, you may be collecting health information if you run or work in:

  • medical practices, allied health, physiotherapy, psychology, counselling or telehealth
  • gyms, personal training, yoga, pilates or fitness studios
  • massage therapy or wellness clinics
  • beauty clinics (especially where you ask about allergies, skin conditions, medications, pregnancy, etc.)
  • childcare services (medical conditions, medication authorities, immunisation records)
  • disability support services and aged care support
  • workplaces collecting health information for H&S or sick leave management

Common examples of health information include:

  • medical history, medications and diagnoses
  • mental health information (including counselling notes)
  • injury details and ACC-related information
  • pregnancy, fertility or sexual health information
  • allergies and dietary requirements (especially where tied to a health condition)
  • disability information and support needs
  • results of drug/alcohol tests or fitness to work assessments

Even if you’re not a “health provider” in the traditional sense, you can still end up holding health information. For example, a gym might ask a new client to disclose existing conditions before training. A childcare centre might record asthma plans and medication instructions. A workplace might collect medical certificates for sick leave.

Once you collect it, you have legal responsibilities around how you handle it.

Why A Privacy Policy Matters When You Collect Health Information

A privacy policy isn’t just a “nice to have” website page. It’s one of the clearest ways to show people you take their data seriously, and it’s often the first place someone will look if they’re deciding whether they can trust you.

When you collect health information, having a well-drafted privacy policy matters for a few big reasons.

1) It Helps You Meet Your “Transparency” Obligations

One of the key themes in the Privacy Act 2020 is that people should understand what’s happening with their personal information.

That means you should be able to explain (in plain language):

  • what health information you collect
  • why you’re collecting it
  • how you’ll use it
  • who you might share it with
  • how long you’ll keep it
  • how people can access or correct their information

Your privacy policy is the document that ties those explanations together in one accessible place.

2) It Builds Trust (Which Is Everything With Sensitive Information)

Health information is personal. People usually won’t share it unless they feel safe.

If your forms ask for medical details but your business has no visible privacy policy (or it’s a generic copy-paste), it can raise red flags. That can lead to abandoned bookings, lower conversion rates, and uncomfortable “why do you need this?” conversations with clients.

A tailored policy helps you communicate: “We have thought about this, and we’ve built our systems to protect you.”

3) It Reduces The Risk Of Complaints, Disputes, And Brand Damage

Even if you’re trying to do the right thing, privacy complaints often happen because:

  • your client didn’t understand why you collected certain information
  • your staff handled it inconsistently
  • you shared information with a third party without clear permission
  • you kept information longer than you needed

A strong privacy policy sets expectations and supports consistent internal processes. And if something goes wrong, being able to show you had clear privacy documentation and systems in place can help you respond faster and more credibly.

4) It Supports Your Contracts And Customer Journey

If you sell services online, run bookings through a website, or provide services through an app, privacy terms often connect with other legal documents you should have in place, like Website Terms and Conditions or service terms.

Done properly, your privacy policy becomes part of a bigger “legal foundations” setup that protects your business as you grow.

What Laws Apply To Collecting Health Information In NZ?

When collecting health information, the main law you’ll need to think about is the Privacy Act 2020. But depending on your industry and how you operate, there can be other layers too.

The Privacy Act 2020 (And Why It’s Not Optional)

The Privacy Act 2020 sets out information privacy principles that shape how you should collect, store, use and disclose personal information.

In simple terms, it generally expects that you:

  • collect information only when you have a genuine reason (and don’t over-collect “just in case”)
  • collect it fairly and explain what you’re doing
  • store it securely and limit access
  • use it only for the purpose you collected it for (unless an exception applies)
  • keep it accurate and allow people to request access or correction
  • not keep it longer than necessary

There are also mandatory data breach notification requirements for serious breaches. If you collect health information and something goes wrong (for example, an accidental email, hacked account, or lost device), you may need to notify affected individuals and the Office of the Privacy Commissioner.

Health Information Often Has Higher Expectations

Because health information is sensitive, regulators and customers tend to expect a higher standard of care.

That doesn’t mean you need to be a tech giant with a security team. But it does mean you should take privacy seriously, document what you’re doing, and avoid casual practices like:

  • storing health questionnaires in unprotected shared drives
  • emailing medical details without safeguards
  • letting multiple staff use one login
  • collecting health details that you don’t actually need

Employment And Workplace Scenarios

If you’re collecting health information from employees (for example, medical certificates, injury reports, return-to-work plans), privacy still applies.

It’s also important that your internal policies and employment documentation match what you’re doing in practice, including your Employment Contract and any workplace privacy guidelines.

Workplace privacy gets especially sensitive when employers consider things like monitoring or surveillance. If you’re dealing with health-related concerns and also use workplace cameras, you’ll want to be clear on your approach and boundaries (including what’s covered in Are Cameras Legal In The Workplace?).

What Should A Privacy Policy Include If You Collect Health Information?

A privacy policy should be tailored to your business. A medical clinic and a fitness studio might both collect health information, but the “why”, “how”, and “who you share it with” can be totally different.

As a starting point, a solid privacy policy for health information should usually cover the following.

1) What Information You Collect (And What You Don’t)

Be specific. For example:

  • client contact details
  • health questionnaires and screening forms
  • notes taken during sessions (where relevant)
  • payment information (and whether you store it or your payment provider does)

It’s also helpful to clarify boundaries. If you don’t collect certain types of sensitive information, saying so can reassure clients.

2) Why You Collect It

This is where you explain your purpose. For example:

  • to assess whether your service is safe and appropriate
  • to tailor treatment/training recommendations
  • to meet your professional obligations
  • to manage bookings, invoicing and client communications

Purposes should be genuine and connected to what you actually do.

3) How You Collect It

For many businesses, collection methods now include:

  • online booking forms
  • intake questionnaires
  • email and phone communications
  • apps or wearable integrations (in some fitness or wellness contexts)

If you’re collecting information through third-party platforms, your privacy policy should reflect that reality (and ideally, you should also understand what those platforms do with the information).

4) Who You Share It With (And Why)

Clients are often most concerned about sharing. Your privacy policy should clearly explain who may receive the information and for what purpose.

Examples could include:

  • staff members who need access to provide the service
  • IT providers or practice management software providers (as processors/storage providers)
  • professional advisers (for example, accountants) where relevant and appropriate
  • third parties where legally required (in limited cases)

If you work with contractors (for example, a contractor practitioner, nurse, or allied health provider), you’ll also want the privacy handling to be consistent with your broader contracting setup, including an appropriate Contractor Agreement and confidentiality obligations.

5) Storage, Security, And Access Controls

Your privacy policy should explain, at a high level, how you protect the information. You don’t need to publish your full security architecture, but you should be able to say things like:

  • you use secure cloud software
  • access is limited to authorised staff
  • passwords and multi-factor authentication are used where possible
  • hard copy documents are stored securely

Health information security is a practical risk issue. A privacy policy can set the expectation, but you’ll also need internal processes to match.

6) How Long You Keep Health Information

A common mistake is keeping everything forever. In NZ, the general idea is you shouldn’t keep personal information for longer than you need it for the purpose you collected it.

Your policy should explain your approach to retention and disposal, even if it’s described in broad terms.

7) Access And Correction Requests

People can request access to their personal information and ask for corrections. Your policy should outline:

  • how someone can make a request
  • how you verify identity (important for health information)
  • how long you typically take to respond

It can also help to have a process document or form ready internally. For context on the access side of things, many people search for steps like how to get your medical records, which shows how common (and important) these requests can be.

8) What Happens If There’s A Privacy Breach

If a serious breach occurs, you may have obligations to notify. Your privacy policy should explain how you handle privacy incidents and who a client can contact with concerns.

This is also where it helps to have an internal response plan. When things go wrong, speed and clarity matter.

Common Mistakes Businesses Make When Handling Health Information

Most privacy issues aren’t caused by bad intentions. They happen when a business grows quickly, adds new software, hires new staff, or starts collecting “just one extra field” in an online form.

Here are some of the most common pitfalls we see.

Using A Generic Template Privacy Policy

Generic templates often:

  • don’t reflect what you actually collect
  • fail to deal with sensitive information properly
  • miss NZ-specific requirements or language
  • don’t match your real systems (which can create compliance risk)

If your privacy policy says you “never share personal information,” but you use a booking platform, email marketing tool, cloud storage, or practice software, you’re probably sharing personal information in some form.

That mismatch is where problems start.

Collecting More Health Information Than You Need

It’s tempting to collect a full medical history “just in case.” But if you don’t truly need it to provide your service safely and professionally, it can create unnecessary privacy risk.

A good rule of thumb is: collect the minimum needed for the purpose, and be able to explain that purpose clearly.

Not Training Staff On Privacy Handling

Your privacy policy can be perfect, but if staff aren’t aligned, things can slip quickly, especially in busy environments like clinics, childcare centres, and fitness studios.

Consider practical training around:

  • what information can be discussed (and where)
  • who can access files and why
  • how to verify identity before sharing information
  • how to handle emails, texts and phone calls that include sensitive details

Not Managing Third-Party Providers Properly

Many NZ businesses use third parties for:

  • booking and payments
  • telehealth or video calls
  • practice management software
  • cloud file storage
  • marketing and email automation

You should understand what those providers do with your data, where it is stored, and what security features are available. In some situations, you may need more than just a privacy policy; you may need contractual protections as well (for example, in B2B relationships, a Data Processing Agreement can be relevant where a supplier processes personal information on your behalf).

Consent matters, but it’s not a magic wand.

Even if a client signs a form, you still need to ensure your collection and use is reasonable, your storage is secure, and your disclosures align with what you told them. Over-relying on consent (without clear processes) is a common gap.

Key Takeaways

  • Health information is highly sensitive, and many businesses collect it even if they’re not a “traditional” health provider.
  • If you collect health information, you should take privacy seriously and comply with the Privacy Act 2020, including secure storage and clear collection practices.
  • A well-drafted Privacy Policy helps you be transparent, build trust, and reduce the risk of privacy complaints and reputational damage.
  • Your privacy policy should clearly cover what you collect, why you collect it, who you share it with, how you store it, how long you keep it, and how people can request access or correction.
  • Avoid generic templates: if your privacy policy doesn’t match your real-world tools and processes (like booking systems or cloud storage), it can create compliance risk.
  • Privacy compliance is easier when it’s part of your legal foundations from day one, alongside documents like Website Terms and Conditions and an Employment Contract for staff handling sensitive information.

If you’d like help putting the right privacy documents and processes in place for your business, you can reach us at 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Abinaja Yogarajah, legal operations lead

Abinaja is the legal operations lead at Sprintlaw. After completing a law degree and gaining experience in the technology industry, she has developed an interest in working at the intersection of law and tech.
