Member Log In
Contact

Privacy at thePHO

Last updated: 1 May 2026

thePHO (New Zealand Primary Health Organisation Limited) is a national Primary Health Organisation. We work with your enrolled general practice to fund and coordinate your primary health care. This page explains, in plain language, how we collect, use, and share your health information, and your rights. We handle your information in line with the Privacy Act 2020 and the Health Information Privacy Code 2020.

Who we are

thePHO is the agency that collects and holds your information.

What we hold and where it comes from

We hold information about you that includes your name, date of birth, contact details, NHI number, your enrolment with one of our member general practices, the clinical and encounter information needed to fund and coordinate your care, information needed for capitation and other funding claims, and equity-related demographic information (such as ethnicity) where you have provided it.

We do not collect information directly from you. We collect information about you from two sources:

  • Health New Zealand | Te Whatu Ora, under the PHO Services Agreement between Health New Zealand and thePHO; and
  • your enrolled general practice, under our back-to-back agreement and Data Sharing Agreement with that practice.

We are required to tell you this by Information Privacy Principle 3A. Some of our service providers (for example, our data and digital services partner Karo Data Management Limited) handle information on our behalf as our agents under section 11 of the Privacy Act 2020. The information remains held by thePHO.

Why we collect it

We use your information to:

  • fund and coordinate your primary health care through your enrolled general practice;
  • claim capitation and other funding for the services you receive;
  • plan, monitor and improve the quality and equity of care for our enrolled population;
  • produce de-identified analyses and reports; and
  • meet our legal, contractual, audit and reporting obligations.

Who we share it with

We share your information with: your enrolled general practice and the clinicians involved in your care; thePHO staff and contractors who need it to do their jobs; Health New Zealand | Te Whatu Ora; auditors acting under contractual or legal obligations; our service providers acting on our behalf as agents under section 11 of the Privacy Act 2020; and anyone you authorise, or where the law permits or requires disclosure.

The legal basis

Our collection of your information is permitted by the Health Information Privacy Code 2020 (in particular Rules 2, 10 and 11) and is operationalised through our agreement with Health New Zealand | Te Whatu Ora (the PHO Services Agreement) and through our back-to-back agreements and Data Sharing Agreements with member general practices. The wider statutory framework is the Privacy Act 2020, the Health Information Privacy Code 2020, the Pae Ora (Healthy Futures) Act 2022, and the Health Act 1956.

Keeping your information safe and how long we keep it

We hold your information in secure, access-controlled systems with encryption, audit logging and regular security assessments. thePHO’s data environment is hosted in Microsoft Azure data centres in Australia (Azure AU-Hosted), assessed against HISO 10029 (Health Information Security Framework). Member practice patient management systems are hosted by their own vendors under their own arrangements. We retain health information for the periods required by the Health (Retention of Health Information) Regulations 1996 — generally at least 10 years — and securely destroy or anonymise it after that.

Your rights

You have the right to ask to see the information we hold about you and to ask us to correct it. We will respond within 20 working days. To make a request, email our Privacy Officer at privacy@thepho.org.nz. Some limited grounds for refusal apply under the Privacy Act 2020 and the Health Information Privacy Code 2020.

Complaints

If you are unhappy with how we have handled your information, please tell us first so we can try to put it right. If you remain unsatisfied, you can contact:

  • the Office of the Privacy Commissioner — 0800 803 909 or www.privacy.org.nz — for privacy complaints; or
  • the Health and Disability Commissioner — 0800 11 22 33 or www.hdc.org.nz — for complaints about the standard of care.

Changes to this notice

We may update this notice from time to time. The date at the top shows when it was last updated. Material changes will be notified on our website.