Manage My Health & Privacy Act 2020: Compliance Review
Discover how Manage My Health aligns with NZ's Privacy Act 2020. This assessment covers data security, retention policies, and identified implementation gaps.
Outlines of Manage My Health & the Privacy Act 2020
An Assessment of MMH's Alignment, Gaps, and Recommendations
Prepared for General Public & Journalists | April 2026
Part 1
Positive Alignments with the Privacy Act 2020
How MMH demonstrates strong commitment to privacy principles.
Part 1 • Positive Alignments
Security Commitment & Data Classification
Strong Security Commitment
MMH's stated practices align well with the Act's security safeguard requirement (Information Privacy Principle 5: storage and security of personal information).
Clinical Notes & NHI Numbers
Treated as personal information, which the Act defines in section 7 (Interpretation) as information about an identifiable individual. Clinical notes and NHI numbers clearly meet that definition.
Two-Step Verification (2SV)
Offered for user login, adding a second factor beyond the password and reducing the impact of a leaked or guessed credential.
Data Storage & Cross-Border Protection
Data Stored in New Zealand
MMH stores user data domestically, supporting data sovereignty and compliance.
Offshore Data Transfers Protected
MMH states that any data transferred offshore is protected to a standard comparable to New Zealand privacy law, which is what Information Privacy Principle 12 (disclosure of personal information outside New Zealand) requires of an agency before it sends personal information overseas.
These practices reflect MMH's genuine commitment to protecting the personal information of New Zealanders.
Part 2
Alignment with the Act's Structure & Language
How MMH interprets and applies the legal framework of the Privacy Act 2020.
Part 2 • Structural & Language Alignment
Information Privacy Principle 9 (section 22)
Agency not to keep personal information for longer than necessary
90-Day Data Deletion Policy
MMH deletes user data 90 days after account deletion.
This is a reasonable interpretation of Information Privacy Principle 9 of the Privacy Act 2020, which requires an agency not to keep personal information for longer than it is required for the purposes for which it may lawfully be used.
“By not retaining data indefinitely, MMH demonstrates awareness of its obligations to dispose of personal information once it is no longer needed.”
MMH as an Accountable Agency
MMH positions itself as an agency that holds personal information in its own right under the Privacy Act 2020, not merely as a contracted service provider acting as an agent for a medical centre. The distinction matters: the Act treats information held by an agent on behalf of another agency as held by that other agency, which would otherwise place the obligations on the medical centre rather than on MMH.
This shows a clear understanding of the Act's accountability framework and the obligations that come with it.
By taking this position, MMH accepts direct responsibility for compliance with the information privacy principles and for the Act's notifiable privacy breach regime, under which an agency must notify the Privacy Commissioner and affected individuals of a breach likely to cause serious harm. That is a significant and commendable legal stance.
Rather than deflecting responsibility, MMH accepts its role as primary data custodian.
Part 3
Failures & Recommendations
Where implementation falls short — and what needs to change.
Part 3 • Failures & Recommendations
Barriers to Account Deletion & Data Retention Failures
Barriers to Deleting Accounts
Despite a sound written Privacy Policy, users report significant practical obstacles when attempting to delete their accounts and have their personal data removed.
Data Retained Beyond Deletion Date
Multiple users report that MMH retained their data for days beyond the stated 90-day deletion period. A deletion commitment that is not met in practice is a retention failure under Information Privacy Principle 9, not merely a breach of the spirit of the policy.
The gap between policy and practice is a real risk to user privacy: data that should no longer exist remains exposed to any future breach.
Recommendations
MMH Should Prioritise Technical Improvements
Complete the technical changes needed so that users can delete their data reliably and within the stated period. Deletion should cover every copy MMH controls, including backups and any offshore processors it uses, and the user should receive confirmation once it is complete.
Stronger Oversight by the Office of the Privacy Commissioner
The OPC should more rigorously scrutinise organisations where the weakest link is not the legislation but its technical implementation, for example by testing whether stated deletion timelines are actually met.
Clearer Technical Guidelines for Implementing the Privacy Act 2020
Clearer, better-communicated guidance for digital service providers on how to implement the information privacy principles in practice (retention, deletion, offshore transfers) would help ensure genuine and consistent protection of New Zealanders' personal information.
“Strong legislation means little without strong implementation.”
- privacy-act-2020
- manage-my-health
- data-privacy
- health-tech
- new-zealand-compliance
- data-security