The views of some health practitioners
As most will know, on 1 May 2026 the new information privacy principle 3A (IPP 3A) came into force. As explained in a previous post, if your agency collects personal information about someone from a source other than the individual themself, it now has transparency obligations that largely mirror those under IPP 3. In the health sector, the same applies under the new health information privacy rule 3A, which is largely the same as IPP 3A.
Over the last week I’ve heard of some health practitioners who believe the new rule applies every time they receive personal or health information from a third party. Some practitioners are concerned that they now need to notify patients or clients whenever they receive personal or health information from a third party source, even when they didn’t ask for it, even when the information came to them out of the blue.
I was puzzled by what seemed to be the conviction of this belief, so I did some digging. What I found was a page on the website of The Royal New Zealand College of General Practitioners (RNZCGP) that provides an update on rule 3A. The RNZCGP itself doesn’t say anything wrong, but it refers readers to resources produced by the Medical Protection Society, the first of which is an article from late April, “Are you ready for your new Privacy Act obligations?”
The Medical Protection Society website has generally helpful information on rule 3A. They’ve clearly spent a good amount of time helping their members, most of what they say is indeed helpful, and I don’t mean to criticise them. However, their guidance on IPP 3A/rule 3A contains a passage which may be leading health practitioners astray. Given that RNZCGP has 6000 members and that other health professions may be relying on it, and given the significance of the issue, it’s important to surface it. The article in question says this:
“Another area where IPP3A may require more careful consideration is when clinicians or practices receive unsolicited third-party information. This is the situation where, for example, a worried relative or neighbour approaches a clinician and provides information about the patient’s health, often without the patient’s knowledge. From 1 May 2026, this will trigger an obligation to notify the patient the information has been collected, unless one of the exemptions applies. This situation may be difficult to address fully in the Privacy Statement, as it may be hard to anticipate both the source and the potential use of such information. For this reason, it is important that the clinician or practice staff member collecting the information advises the informer that they may have an obligation under IPP3A to notify the patient about the collection, and that anonymity cannot be guaranteed. There may be exceptions to this in some specific circumstances, but this should be carefully considered. If there is any doubt, we would advise clinicians to call their indemnifier to discuss the specific facts of the situation.”
This passage does not accurately reflect the law. It all boils down to a single word in IPP 3A and rule 3A: “collects”. There’s a nuance here that’s easily overlooked.
Rule 3A and the definition of “collect”
Rule 3A commences:
If a health agency collects health information about an individual other than from the individual concerned or from the individual’s representative, the health agency must take any steps that are, in the circumstances, reasonable to ensure that the individual concerned, or their representative, is aware of [the listed matters]
“Collects” is the operative word. “Collect” is not defined in the Health Information Privacy Code but the Code makes it clear in rule 3(2) that a term “defined in the Act and used, but not defined, in this code has the same meaning as in the Act.” In the Act, “collect” is defined as follows:
collect, in relation to personal information, means to take any step to seek or obtain the personal information, but does not include receipt of unsolicited information
This definition is critical to understanding the scope of the new IPP 3A and rule 3A, because both principles are triggered only when an agency “collects” personal or health information from a source other than the individual concerned.
If a health practitioner does not take any step to seek or obtain a particular item of information that comes their way, the health agency concerned does not “collect” it. If the agency does not collect it, rule 3A does not apply.
What “collects” looks like in practice
As is now apparent from the Act’s definition of ‘collect’, collection is an active process that involves taking a step to seek or obtain personal information. You collect personal information when, for example, you ask for it, look it up, run a search, send a query, set up a system that pulls information from a source, or post an advertisement (e.g., a job ad) seeking applications. The key element is that the agency has done something to seek or obtain the information.
Here are some examples of collection of personal information from a source other than the individual:
- A GP asks a hospital for a patient’s discharge summary.
- An insurer requests information about a claimant from a third-party repairer.
- A practice manager runs a search on a third-party health database to retrieve a patient’s test results.
- A recruitment firm contacts a referee for a reference about a candidate.
In each case, the agency took a step to seek or obtain the information. It is in these situations that the agency must take reasonable steps to notify the individual of the matters in IPP 3A/rule 3A, unless an exception applies.
What “receipt of unsolicited information” looks like
By contrast, receipt of unsolicited information is passive. The information arrives without the agency having asked for it or done anything to obtain it.
Here are some examples:
- A patient’s family member phones a GP practice, out of the blue, to express concern about the patient’s mental health.
- A neighbour sends an unsolicited letter to a medical centre alleging that a patient has been behaving erratically, warning the medical centre to be careful.
- A former partner emails a counsellor, unprompted, with claims about a client’s substance use.
- An anonymous caller leaves a voicemail at a clinic reporting concerns about a child’s welfare.
In each case, the agency did nothing to seek or obtain the information. It simply arrived. That is receipt of unsolicited information, and it falls outside the definition of “collect”. IPP 3A and rule 3A do not apply.
Why the distinction matters
If IPP 3A / rule 3A applied to every piece of personal information that happened to land on a health practitioner’s desk, the compliance burden would be unworkable. Subject to application of rule 3A exceptions, practitioners would need to notify patients about every unsolicited phone call, every unexpected forwarded letter, every piece of information volunteered by a worried family member. That, I suggest, was never the intention.
The Privacy Act draws the line at collection because the collection principles (IPPs 1 through 4 and their HIPC equivalents) are about regulating how agencies go about gathering information. They govern the agency’s active conduct: what it seeks, from whom, for what purpose, how it goes about it, and what it tells people about that process. Passive receipt of information the agency did not ask for sits outside that framework.
To my mind there can be situations where the distinction is vitally important. Take the example of a psychologist who has a new and highly vulnerable, erratic, and possibly violent client. She hasn’t had enough sessions with him yet to explore what’s troubling him and is unaware of the potential for violence. A friend of the client who has witnessed erratic behaviour in recent times learns he is receiving therapy from the psychologist and becomes worried for the psychologist’s welfare. He finds her email address and sends her an urgent email, explaining what he has seen and advising her to be careful. In this kind of situation, no obligation arises under rule 3A. Contrary to the passage quoted above (which gives a similar example), there is no need for the psychologist to think about advising the informer that, due to rule 3A, she may need to notify the client unless an exception applies. Similarly, there is no need for the psychologist to waste time working out whether a rule 3A exception applies.
What health practitioners should take from this
If you’re a health practitioner wondering whether IPP 3A or rule 3A applies to information you have received from a third party, ask yourself one question: did I (or my practice) take any step to seek or obtain this information?
If yes, you’ve most likely “collected” it. IPP 3A or rule 3A applies, and you need to consider your notification obligations (bearing in mind the exceptions, which may well cover certain clinical scenarios).
If no, you will have received unsolicited information. IPP 3A and rule 3A do not apply to that information. Your other Privacy Act obligations still apply once you hold it, but the new notification requirement does not.
The Privacy Commissioner’s guidance on IPP 3A and rule 3A is available on the OPC website and is worth reading. Perhaps unfortunately, though, the information on rule 3A does not yet address the important point discussed here. It is hoped that, in time, it will. But, to avoid any doubt, the Act itself is clear. By definition, information received unsolicited is not “collected”.

