Privacy Policy
BV13 PRIVACY POLICY
This privacy policy describes how Dance & Arts Therapy NZ (DTNZ) collects, handles, processes, and stores customer data, how we deal with Kiritaki (Clients) personal information, and how we protect their privacy.
Our commitment to our Kiritaki privacy
DTNZ is committed to respecting our Kiritaki rights to privacy and their right to view and update their personal information that we hold about them. We are committed to protecting Kiritaki privacy during Kiritaki appointments or if they contact us.
DTNZ is committed to complying with the Privacy Act 2020 and the Health Information Privacy Code 2020 in connection with all Personal Information relating to ACC Services Kiritaki, accredited employers, levy payers, ACC personnel or any other individual that we obtain information about. This includes:
(a) collecting, using and disclosing Personal Information only where the collection, use or disclosure is permitted or authorised by the Privacy Act 2020 or the Health Information Privacy Code 2020
(b) having a plain English privacy notice or privacy statement for Kiritaki that complies with the Privacy Act 2020 and the Health Information Privacy Code 2020
(c) ensuring that any Personal Information that we have in our possession or control:
(i) is protected by reasonable security safeguards against loss or unauthorised or unlawful access, use, modification or disclosure, utilising secure information management systems such as CMS and, for non-ACC Kiritaki, Infoodle
(ii) is not unlawfully transmitted, transferred, exported, processed or stored by us or a third party Service Provider, and
(iii) is only accessed by authorised personnel who need to see Personal Information in connection with the Services provided by DTNZ
(d) appointing a Privacy Officer - this being our Clinical Director Anaia Treefoot and in their absence, our Clinical Manager
(e) having a privacy policy which complies with the Privacy Act 2020 and the Health Information Privacy Code 2020 that includes:
(i) measures to mitigate the occurrence of a Privacy Breach that follow good practice at the level expected from a leading supplier in the relevant profession or industry, and
(ii) what to do if there is an actual or suspected Privacy Breach or near miss, including procedures to notify ACC if a breach involves an ACC Kiritaki, in accordance with clause 9.4 of ACC’s terms and conditions and, when required, the Privacy Commissioner and any affected individual(s)
(f) acting in a manner that facilitates compliance with the Privacy Act 2020 and the Health Information Privacy Code 2020, and
(g) complying with any reasonable policies or directions relating to the collection, use or disclosure of Personal Information we obtain.
Protection of Confidential non-personal Information
DTNZ confirms that we will not use or disclose Confidential Information to any person or organisation other than if:
(a) use or disclosure is necessary to provide or use DTNZ’s Services provided
(b) the other Party gives prior written approval for the use or disclosure
(c) the use or disclosure is required by law (including under the Official Information Act 1982), Ministers or parliamentary convention
(d) information disclosed has already become public, other than through a breach of the obligation of confidentiality by one of the Parties.
If there is a Privacy Breach
DTNZ will notify the appropriate parties (and phone them) as soon as possible and within 24 hours, and will work to manage the implications and consequences, including:
(i) ensuring all relevant personnel are available to understand and manage the implications for any Kiritaki
(ii) providing all reasonable and legally permissible information about the actual or suspected Privacy Breach or near miss
(iii) using reasonable endeavours to have prior discussions before making any public comments, including to media
(iv) complying with reasonable issues management procedures, and
(v) identifying and implementing reasonable procedures to prevent such Privacy Breaches or near misses in the future
DTNZ Privacy Breach Procedure
The Clinical Director will, on behalf of DTNZ, undertake an initial investigation and if necessary, inform our insurer and/or seek legal advice. The Clinical Director will notify the Police if the breach appears to involve theft or other criminal activity.
There are four steps DTNZ follows when dealing with a privacy breach. The first three should be completed at the same time or in quick succession:
1. Contain - try and get lost information back, disable the breached system, cancel or change computer access codes and try to fix any weaknesses in DTNZ physical or electronic security.
2. Assess the risks of the privacy breach:
(a) type/sensitivity of personal information involved (health information and credit card details are sensitive information)
(b) try and find out what caused the breach
(c) try and identify the size of the breach, including: how many people can access the lost information, how many people have lost personal information, the risk of the information being circulated further, whether the breach is the result of a systemic problem or an isolated incident
(d) consider the potential harm resulting from the breach: identity theft, financial loss, loss of business or employment opportunities, significant humiliation or loss of dignity
(e) consider who holds the information now: is it a trusted person or organisation and you expect them to return it, or is it in the hands of unknown people with potential malicious intentions.
3. Notify - if any party may suffer harm as a result of DTNZ’s privacy breach, then all parties, including all Kiritaki should be informed about the breach.
If DTNZ has a privacy breach that is likely to cause anyone serious harm, DTNZ will notify the Privacy Commissioner, and any affected people as soon as we are practically able (Privacy Act, 2020).
This can be done on Notify-us.
Notification of affected people will be done directly through email, phone, letter, or in-person. This notification will include:
(a) information about the incident, including when it happened
(b) a description of the compromised personal information
(c) what DTNZ is doing to control or reduce harm
(d) what DTNZ is doing to help people the breach affects
(e) what steps people can take to protect themselves
(f) contact information for enquiries and complaints
(g) offers of support when necessary, e.g. advice on changing passwords
(h) whether DTNZ has notified the Office of the Privacy Commissioner
(i) contact information for the Privacy Commissioner.
4. Prevent - after the breach has been managed the Director will review the prevention plans and update any relevant policies.
Obligations for DTNZ’s personnel
DTNZ will ensure that all personnel, Named Service Providers (Service Providers) and subcontractors:
(a) are aware of and comply with the obligations to protect Personal Information and Confidential Information
(b) are aware of the character and sensitivity of Personal Information about Kiritaki
(c) only access Personal Information if they need to see it in connection with the Services provided by DTNZ
(d) do not collect, use or disclose any Confidential Information or any Personal Information, except as allowed by the Contract, and
(e) know when and how to report a Privacy Breach, security incident or conflict of interest that could affect the security, integrity or availability of Personal Information that we obtain under or in connection with the Services provided by DTNZ.
Recording of meetings by Kiritaki
If Kiritaki record (audio or video) a meeting with a Service Provider, and the Service Provider is aware of the recording, DTNZ will ensure that the Service Provider tells the Kiritaki that the Service Provider may also record or document the meeting to ensure a complete and accurate record. DTNZ will also ensure that:
(a) the Service Provider only collects, uses, stores and discloses such records or documents in accordance with the clause Protection of confidential non-personal information.
Changing Kiritaki personal information
Kiritaki have the right to view and change any personal information DTNZ holds about them at any time. This must be done through DTNZ or their Service Provider, and then referred to DTNZ’s Clinical Manager, who will follow the Access to Personal Health Information procedure set out in this policy.
BV11.3.1 HEALTH INFORMATION PRIVACY CODE
Dance & Arts Therapy NZ (DTNZ) has effective systems in place for data collection and management, meeting statutory reporting requirements.
How information will be managed and monitored
DTNZ commits to:
(a) keeping and maintaining records using prudent business practices and according to all applicable laws. This includes the storage of information on a secure, approved information management system, CMS or Infoodle
(b) making sure the records are easy to access, and
(c) keeping the records safe through checks and balances such as two step authentication and strict protocols around administrative access and management of CMS, Infoodle and all Kiritaki information
Keeping clinical records
DTNZ will ensure that, where clinical records are required, we maintain clinical records that are clear and accurate. The clinical records will:
(a) meet the relevant professional standards for clinical record keeping regarding:
(i) assessment
(ii) Kiritaki (Clients) discussion
(iii) care, treatment and medications provided (if applicable)
(iv) effectiveness of care or treatment
(v) evidence of informed consent
(b) be dated and signed and clearly attributable to the Kiritaki, DTNZ and the Named Service Provider (Service Provider)
(c) contain the ACC45 number and the National Health Index (NHI) number (if relevant).
Accessible and Accurate Information Records and Reporting - information specific to Named Service Providers
Your records must by law be accurate (as told to you by Kiritaki) and be accessible to Kiritaki if they wish to see them. Therefore, you must be clear, avoid abbreviations that won’t be understood by others, be respectful in the way you describe Kiritaki, and omit any information which could embarrass or harm a Kiritaki if it is not directly related to the issue being worked on.
Only include objective information (not any working notes you might make for yourself) which is essential to the file on the Kiritaki and their presenting issue and progress. Use clear, concise, and objective language that is easily understood by the reader. Avoid using technical jargon or overly complex language that may confuse or alienate the reader. Your notes and reports can be cross-examined in court if subpoenaed, so they need to be objective and factual and NOT contain opinion or unsubstantiated comments, e.g. do not write “the client was angry”; instead write “the client came in and thumped his fist on the counter”. The court will determine if the client was angry.
Evidence based
Use evidence-based practices and techniques to support the conclusions and recommendations in the report. This includes using standardised testing instruments, relevant research studies, and your own or others’ clinical experience. Reports should be ethical and professional.
Report writing requires adherence to ethical and professional standards
You must ensure that the report is accurate, objective, and unbiased. Respect the privacy and confidentiality of the patient, client or individual and follow the appropriate ethical guidelines and laws. The specific content and format of a client report may vary depending on the purpose of the therapy, the population being assisted, and the preferences of the lead clinician, funding body or organisation requesting the report.
The British Association of Art Therapists advises that clinical reports should avoid long and detailed descriptions of how the therapy worked, but rather simply describe what occurred. They say that confusing how the work was done with what work was done is a common cause of weak, long-winded and confessional notes. The main purpose of clinical notes is to record, communicate and evidence sessions to others.
Purpose of Collection of Health Information
DTNZ will ensure that all Service Providers and administration staff have a clear understanding of the purpose of collection of health information. Service Providers will only collect information relevant to the Service being provided to Kiritaki.
Collection of ethnicity data
Health equity is evidenced through the accurate and consistent collection of ethnicity data on engagement forms, feedback forms and attendance records. This data is used to plan improvements to Services for Māori. Importantly, this includes comparing access to services and outcomes of care for Māori and non-Māori to measure the effectiveness of DTNZ’s services and to ensure that any existing disparities do not persist.
The purpose of collecting ethnicity data and other demographic information on all Kiritaki is explained to them: it is to ensure Kiritaki and their whānau receive care appropriate to their needs, and that the whole practice team adopts a consistent approach.
Collecting or imparting information
Service Providers will give and request the information they need in a way that works for Kiritaki, so they can make informed decisions and manage their health and wellbeing in a way that feels safe and respectful.
How health conditions or treatments are explained and discussed will match the preferences of Kiritaki.
As each person has different preferences for receiving information, Named Service Providers need to:
1. Use plain language
2. Identify what people know or do not know so that new information builds on prior knowledge
3. Carefully explain referrals to unfamiliar health Services
4. Offer information in a number of ways to ensure that understanding is achieved
5. Be aware that for many Māori, the preferred method of exchanging information is kanohi ki te kanohi (face to face, in person, in the flesh), supplemented with written materials and diagrams
6. Check that Kiritaki and whānau have been given sufficient information that makes sense to them before leaving the consultation.
Source of Health Information
1. If Kiritaki are under 18, the name of the parent or guardian must be noted on Kiritaki records and all relevant Kiritaki and guardian consent forms filled in.
2. When recording ethnicity, Kiritaki are asked if they would like their ethnicity recorded and if so how they would like it recorded.
3. To assist in the collection of Health Information an interpreter may be necessary and will be provided by DTNZ at no cost.
4. If information is sought from a source other than Kiritaki or their guardian, an authority to collect and disclose information consent form will first be completed and signed.
5. If a session is to be recorded or telehealth used for a session, prior consent will be sought from Kiritaki or their guardian. The purpose, method, storage and deletion procedures will be included on this consent form and explained to Kiritaki / their guardian.
Collection of Health Information from Individuals
Service Providers will know, and be prepared to explain if necessary, why this information is collected and who the intended recipients of the information would be (if any). Service Providers will use Kiritaki personal information to provide Kiritaki with the Service they have been referred for.
Manner of Collection of Health Information
When collecting information Service Providers will endeavour to maintain privacy from others present (for example, during group therapy) and store the information in a way that adheres to DTNZ’s Health Information Privacy Policy.
Storage and Security of Health Information
We use controlled central electronic systems (CMS for ACC Kiritaki and Infoodle for non-ACC Kiritaki) which enable secure, password protected filing and storage of all relevant business documentation and information related to our programmes, clinical Services, staff and Kiritaki.
All of DTNZ’s resources are stored electronically and securely. These include our policies, a comprehensive procedure manual detailing all work systems and processes, Health & Safety documentation, training resources, Kiritaki referral forms, assessment notes and case notes.
All Service Providers have electronic access to their Kiritaki files, along with our BV Protocols and Procedures policy which will include all relevant information pertaining to working for DTNZ and under the ACC Sensitive Claims Service Contract.
We utilise a cloud based accounting system, Xero, and follow the Charities Commission accounting requirements. DTNZ’s financial accounts are audited by an external auditor on an annual basis.
We use antivirus protection to ensure our data and networks are protected and secure.
Collecting and storing information security procedure - information for Named Service Providers
You must only ask for information that is relevant to your work with Kiritaki. Collection means any personal information about Kiritaki or patients that you ask for or gather. This includes recording or writing what Kiritaki say, the opinion you form about their health, their name, age, address and so forth, keeping and storing writing or artwork that Kiritaki produce, and any correspondence to and from Kiritaki. All Kiritaki information should be lawfully collected, relevant, and taken directly from Kiritaki. Kiritaki must be told why the information is collected, must be told that this information may be shared (under what circumstances and to whom), and must be told how they can access this information.
An agency, professional individual or organisation must store personal information securely, keep it for 10 years in New Zealand (with the knowledge that Kiritaki are considered a minor until they are 25 years of age) and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
When a client has a current claim for damages, or is under a guardianship or other court/tribunal order, the records should be kept indefinitely, or until seven years after the client’s death. Where there has been a complaint about you by a client, you should retain the records indefinitely.
1. Service Providers are asked to sign and file security/privacy issues/legislative requirements at orientation.
2. Only Lead Service Providers will have access to Kiritaki clinical records.
3. DTNZ requires all Kiritaki records to be kept on our secure cloud based client management systems (CMS and Infoodle). CMS and Infoodle are both secure cloud based platforms, which use a NZ server and are under NZ jurisdiction. They use two-factor authentication and have frequent backups to different locations for resilience. CMS has very clear privacy, terms & conditions and data processing agreements.
4. All Service Providers will have their own log-in and unique password. This must not be shared.
5. Named Service Providers shall maintain records in sufficient detail to track the sequence and nature of professional Services provided. Such records shall be maintained in a manner consistent with ethical practice, taking into account statutory, regulatory, agency or institutional requirements.
6. Kiritaki records are archived within CMS and Infoodle after their Service ends or Kiritaki are disengaged. All documentation will remain retrievable as long as it is professionally prudent, or as required by law.
7. If Service Providers take paper records during a session with Kiritaki, these must be stored in a lockable cupboard or file in the Service Provider’s home office. Care must be taken when transporting these documents: they should be stored in a secure bag or kept out of sight. Any records must be locked away if left unattended.
8. Where a document containing health information is to be disposed of (i.e. a hard copy consent form/paper notes containing health information), it will be done in a manner that preserves the privacy of the individual, such as shredding, careful incineration or by engaging professional, reputable document destruction services.
Access to Personal Health Information
DTNZ and the Service Provider must be satisfied as to the identity of the individual or the individual’s representative making the request, and a signed authorisation must be supplied by the person requesting the information and by Kiritaki or their guardian.
Complaints with regard to collection and use of personal data
If Kiritaki feel their privacy has been breached with regard to collection or use of personal data they can:
1. Make a complaint in writing to the Clinical Manager at DTNZ at programmes@dancetherapy.co.nz or acc@dancetherapy.co.nz for ACC Sensitive Claims Services.
2. The complaint will be acknowledged in writing within 5 working days of receipt, unless it has been resolved to the satisfaction of the complainant within that period.
3. The complaint and the actions taken will be documented.
4. Within 10 working days of acknowledging the complaint, the Clinical Director must decide whether they:
a. accept that the complaint is justified; or
b. do not accept that the complaint is justified; or
c. need more time to investigate the complaint, in which case they must:
d. determine how much additional time is needed, and
e. if that additional time is more than 20 working days, inform the complainant.
5. As soon as practical after the Clinical Director decides whether or not they accept that the complaint is justified, they must inform the complainant of:
(i) the reasons for the decision
(ii) any actions the agency proposes to take
(iii) the right to complain to the Privacy Commissioner.
Legal compliance
Privacy Act 2020
Health Information Privacy Code 2020
The Human Rights Act 1993
The New Zealand Public Health and Disability Act 2000
Health Practitioners Competence Assurance Act 2003
The Health Act 1956
The Health and Disability Commissioner Act 1994
The Health and Disability Services (Safety) Act 2001
Vulnerable Children’s Act 2017
Retention of Health Information Regulations 1996