Privacy Statement

The Canopy Healthcare Group (CHG) takes our responsibility to protect your personal health information and confidentiality very seriously. CHG is committed to providing you with the highest quality healthcare. To do this we must collect and retain information about you.

The Health Information and Privacy Code 2020 (Code) sets specific rules for health organisation on the use of health information in compliance with the Privacy Act 2020 (Act). We are required to observe certain restrictions and standards relating to the information we collect, hold, use, and disclose about you. Access to more information about the Privacy code can be found at

This Privacy Statement explains what information CHG collects and why.  It also explains how such information is used, stored, and disclosed.

What information do we collect and why do we collect it?

As a health provider we may collect certain personal information about you. The main reason we do this is to gain an understanding of your health needs so we can provide you with appropriate services.  We may also collect your personal information for the reasons set out below in this Privacy Statement.

We collect information including

  • Basic details about you such as name, address, date of birth, national health index number and next of kin details.

  • Details about your presenting complaint, symptoms, diagnosis, treatment, and health conditions.

  • Results of imaging and laboratory tests

  • Social information

How do we use personal information?

The primary purpose for collection of information is for the provision of healthcare services.  We will only use or disclose your personal information:

  • For the purpose it was collected;

  • For any other purpose for which you have authorised; and

  • Otherwise, where we are permitted to do so by law.

We take your privacy seriously. 

You do not have to provide us with your personal information – it is entirely voluntary. However, this may prevent us being able to provide you with some services.

How do we collect health information?

We collect health information from a variety of sources, including:

  • You
  • Medical practitioners
  • Shared Health portals (radiology systems from our own practices and other practices, both private and public, electronic health records, e.g. from ‘Testsafe’, and Te Whatu Ora).
  • Insurers

Who do we share information with?

For your benefit and only for the purpose which the information was connected, we may need to share information from your health records outside of the organisation with other providers that are involved with your Healthcare, including:

  • Medical practitioners (e.g. General Practitioners, Specialists and other referrers)

  • Shared Health portals (radiology images, Testsafe, Te Whatu Ora). These are secured systems which can only be accessed by registered users. Your healthcare records are shared with these services to provide the best and safest care to our service users.

  • Funders (When private treatment is funded by insurers, CHG will share certain requested information relating to a care episode with the Health Insurance Providers and/or ACC)

  • Drug companies cost share programmes. For some companies as part of the enrolment we may be required to provide patient details (For Canopy patients only)

  • Other non-government agencies (NGOs), for example hospice or support services

Your personal information may be transferred overseas for one of the purposes outlined in this Policy including for quality audit purposes and second opinions from overseas providers.  If so, Canopy shall comply with the Act in all respects, including ensuring that your information is adequately protected.  This means we will take such steps as are reasonable in the circumstances to ensure that those organisations are either subject to privacy laws, that overall, provide comparable safeguards to those under the Act, or are otherwise required to protect the information in a way that, overall, provides comparable safeguards to those under the Act.

Research/ Audit

From time to time, we may take part in minimal risk research studies or conduct clinical audits. Under certain circumstances, we may use and disclose health information about you for research purposes and clinical audit, subject to a special ethics approval process. We may also allow approved potential researchers to review information that may help them prepare for research, so long as the health information they review does not leave our facility, and so long as they agree to specific privacy protection.  For these purposes we will only use anonymous information and so you will not be able to be identified.

Quality Improvement

As part of the organisation’s commitment to quality we may participate in quality audits whereby we evaluate our performance against other institutions. The data used for these audits are anonymous, meaning that we do not share any of your identifiable information such as your name, address, or date of birth.


We may also allow access to patient information to external auditors as part of external accreditation requirements for the purpose of a professionally recognized accreditation of a Health and Disability Service and/or for a professionally recognized external quality assurance program.

Rule 11 of the Code permits the sharing of information for the above purpose.

How long do we hold information for?

There is a requirement of the Health (Retention of Health Information) R1996 (Regulations) that healthcare providers retain health records for a minimum of 10 years and 1 day from the date the last consultation or service was provided to the patient.

How your information is stored

Your personal information is held and managed in accordance with the Act and Code.

Information you choose to share with us will be held securely in compliance with our standards. As discussed below, security measures are in place to protect your information from unauthorised access.

All reasonable steps are taken to protect your information form misuse, loss, and unauthorised access, modification, and disclosure.

Patient records are stored securely on password protected systems with two factor authentication.

Access to our systems is strictly controlled and audited.

Our security procedures and policies are audited on a regular basis to ensure compliance with legal requirements.

What are your rights?

Accessing your information

Under Rule 6 of the Code, you have the right to access the information we hold about you.

To enable us to process your request you will need to complete this Request for Information Form.  Proof of identification will be required.

Request to have personal data erased.

The Regulations require all health information be retained for 10 years. However, requests can be made to delete inaccurate or incomplete information.

If you feel that your information is inaccurate and or incomplete and want to request your information, be deleted this needs to be put in writing clearly stating the information you would like to be deleted and the reason you believe it is inaccurate.

CHG reserves the right to decline requests if they do not agree that information was either inaccurate or incorrect. In these situations, your statement of correction will be saved in your medical record.

Requesting correction

You have the right to request correction of inaccurate or incomplete information we hold about you.  You can contact us to view or correct information CHG holds about you on

Opting out

You can opt out of providing your personal information for the above purposes, however it should be appreciated that restricting access may have unintended or detrimental consequences should your health information be required in an emergency and/or prevent the ability to provide some services.

If you do not consent to CHG collecting and/or sharing your information, please email us clearly detailing the specific restrictions you have regarding your information. Emails can be sent to the CHG Privacy Officer

Privacy complaints

If you have a complaint about privacy, please contact the CHG Privacy Officer


If the Privacy Officer is not able to satisfactorily answer your concerns, you may contact the Privacy Commissioner on Freephone 0800 803 909 (or 09 302 8655 if you are calling from Auckland) or via email at

This Privacy Statement may be updated to let you know about changes in how we collect and process your information in providing the services or changes in related laws. The date when the document was last updated is shown at the top of this Privacy Statement.