In 2020, New Zealand took additional steps to protect personal information for its residents. A new privacy act was introduced, which replaced the Privacy Act of 1993. The purpose of this new act was to ensure that New Zealanders knew when their personal information was collected, how it was going to be used, and how they could access their information. It also provided safeguards to ensure that personal information is being stored in a safe and secure manner.

The new act has 13 principles that govern how businesses and organisations should collect, handle, and use your personal information. We have separated out the principles and added comments on how Cliniko adheres to each of them. Some of the principles require a bit more effort on the part of the clinic, but we do everything we can to ensure it’s easily executable in Cliniko.

To read the entire act, head to the Privacy Commissioner’s website, or if you have any questions specific to the act, you can contact them through their Enquiry Form.


Principle 1 - Purpose for collection

Organisations must only collect personal information if it is for a lawful purpose connected with their functions or activities, and the information is necessary for that purpose. This principle is about data minimisation.

  • In Cliniko, the only personal information we collect from users is what is necessary to create your account and to add any further users to that account.

  • A clinic will need to be sure it is only collecting the patient information its practice actually needs. The information collected differs between clinics depending on the healthcare they provide.

  • Clinics can also capture consent received from their patients in Cliniko by following our collecting consent help guide.

Principle 2 - Source of personal information

Personal information should be collected directly from the person it is about. The best source of information about a person is usually the person themselves. Collecting information from the person concerned means they know what is going on and have some control over their information.

  • We only collect personal information in Cliniko that is provided directly to us.

In almost all cases, a clinic should be collecting information directly from the patient. The Privacy Act acknowledges that there may be some instances where collecting information directly from the patient isn’t feasible; those are outlined on the Privacy Commissioner's site.

Principle 3 - What to tell the individual about collection

Organisations should be open about why they are collecting personal information and what they will do with it. This principle is about helping people understand the reasons you are collecting their information.

  • When collecting information from patients, clinics should make sure that patients know why it is being collected and who gets access to it.

  • Patients should also know whether or not this information is compulsory, and what happens if they choose to not provide the information.

  • The Privacy Commissioner of New Zealand provides details on a privacy statement that can be helpful for this principle.

Principle 4 - Manner of collection

Personal information must be collected in a way that is lawful and seen as fair and reasonable in the circumstances.

  • The only user data collected by Cliniko is for account creation. This includes first and last names as well as an email address.

  • Clinics will need to make sure that their patient data collection process is lawful, fair, and reasonable.

Principle 5 - Storage and security of information

Organisations must ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.

  • Privacy and security are always top of mind for us at Cliniko. We ensure that all data is held and transmitted in the most secure way possible. We outline all the security measures within our Security Policies, and we also conduct regular security assessments. You can also check out our blog post that outlines some essentials for keeping patient information safe!

  • In the event that there is a breach and your Personal Information is at risk, you will be notified within 72 hours of discovering the breach.

  • Clinics should ensure appropriate safeguards are in place when it comes to storing and securing personal information collected from patients.

Principle 6 - Providing people access to their information

People have a right to ask for access to their own personal information, and organisations must provide access to the personal information they hold about someone if the person in question asks to see it.

Principle 7 - Correction of personal information

A person has a right to ask an organisation or business to correct information about them if they think it is wrong.

  • Admins and account owners have the ability to edit or update nearly anything within their Cliniko account.

Principle 8 - Accuracy of personal information

An organisation must check before using or disclosing personal information that it is accurate, up to date, complete, relevant, and not misleading.

  • As Cliniko does not collect information directly from patients, a clinic will need to ensure that it confirms the accuracy of its patients' personal information.

Principle 9 - Retention of personal information

An organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used.

  • Clinics have the ability to delete any data that no longer needs to be stored in Cliniko.

Principle 10 - Limits on use of personal information

Organisations can generally only use personal information for the purpose it was collected for, and there are limits on using personal information for different purposes.

  • Cliniko only uses personal information for the purpose that it was originally collected. This applies to both our customers and their patients. For details on what data we collect and how we use it, please see our privacy policy.

  • The Privacy Commissioner of New Zealand has guidelines on how specific your purposes should be.

Principle 11 - Disclosure of personal information

An organisation may generally only disclose personal information for the purpose for which it was originally collected or obtained. Sometimes other reasons for disclosure are allowed, such as disclosure for a directly related purpose, or if the person in question gives their permission for the disclosure.

  • Cliniko will never use data collected for purposes other than what it was originally collected for. Those purposes are outlined in the privacy policy.

  • For a clinic, there may be some instances in which you may disclose patient information for a reason other than the one it was collected for. Those are outlined within the Privacy Act 2020 principles.

Principle 12 - Disclosure outside New Zealand

A business or organisation may only disclose personal information to another organisation outside New Zealand if they check that the receiving organisation is subject to the Privacy Act, will adequately protect the information, or is subject to privacy laws that provide comparable safeguards to the Privacy Act.

  • Cliniko adheres to many privacy frameworks around the world which provide comparable safeguards to the Privacy Act; the Australian Privacy Principles, GDPR, HIPAA, and PIPEDA are the ones we currently adhere to.

  • As a result, we often exceed the minimum requirements for adequately protecting personal information.

  • Clinics can use the decision tree provided by the Privacy Commissioner of New Zealand to help determine whether this principle applies to information that may need to be disclosed.

Principle 13 - Unique identifiers

The principle states that an organisation can only assign unique identifiers to people when it is necessary for its functions.

Unique identifiers are individual numbers, references, or other forms of identification allocated to people by organisations as a way to uniquely identify the person to the organisation assigning the identifier. Examples include driver’s licence numbers, passport numbers, IRD numbers, or National Health Index (NHI) numbers.

  • Cliniko neither generates these numbers nor requires them to be stored for patients, and we do not collect them from Cliniko users.


As always, if you have questions about any of this, reach out to our support team via the chat bubble in the lower-right corner of your screen! We'll be more than happy to discuss things with you! 😊
