4 NPP4 - Data security

(1) A health agency must take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access, modification or disclosure.

(2) If the personal information is no longer needed for any purpose for which the information may be used or disclosed under NPP 2, the health agency must take reasonable steps to ensure that the individual the subject of the personal information can no longer, and can not in the future, be identified from the personal information.

Subsection (2) will apply subject to the requirements of the Public Records Act 2002 providing for the retention of records.