
Data Security in Aged Care

Essential practices for protecting sensitive resident information in your facility.

iCareNZ Team, November 2025

Data security isn't just an IT issue — it's a care issue. The information you hold about residents — their health records, personal details, family connections, cultural preferences — is among the most sensitive data there is. Protecting it isn't just a legal obligation under the Privacy Act 2020 and Ngā Paerewa standards. It's a fundamental part of the trust that residents and their whānau place in you.

As more care facilities across Aotearoa make the move to digital systems, the conversation around data security has never been more important. This guide covers the essential practices every care provider should have in place to protect resident information.

"Data security isn't about building walls around information. It's about ensuring the right people have the right access at the right time — and no one else does."

Know your obligations

The Privacy Act 2020 sets the framework for how personal information should be collected, used, stored, and shared in New Zealand. For care providers, this means understanding your obligations around the twelve privacy principles — from ensuring individuals know what information is being collected, to taking reasonable steps to protect that information against loss, access, or misuse.

Under Ngā Paerewa, these obligations are reinforced with sector-specific requirements. Standard 5.3, for example, requires that information management systems protect privacy, confidentiality, and security. Auditors will want to see evidence that your data security practices are not just documented, but actively followed.

The key principle to understand is that you're responsible for the data you hold — even if it's stored by a third-party vendor. If you're using a cloud-based care management system, you need to know where your data is stored, who has access to it, and what security measures are in place. Your vendor should be able to provide clear, documented answers to all of these questions.

Access control — the first line of defence

Not everyone in your facility needs access to every resident's information. Role-based access control is a fundamental security practice that ensures each staff member can only see the information they need to do their job.

A caregiver on one wing doesn't need access to resident records on another wing. An administrator doesn't need to see clinical notes. A family member should only see information about their own loved one. Good digital systems make this kind of granular access control straightforward to implement and maintain.

Regular access audits are important too. Review who has access to what at least quarterly, and make sure that when a staff member leaves or changes roles, their access is updated promptly. It sounds basic, but lapses in offboarding are one of the most common security gaps in care facilities.

Access checklist

Review these regularly:
Who has admin-level access?
Are former staff accounts deactivated?
Are role permissions appropriate for each position?
Is family portal access properly restricted?
Is there an audit trail of who viewed or modified each record?
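The access rules above (caregivers scoped to their wing, administrators kept out of clinical notes, family accounts limited to their own resident, deactivated accounts denied, every decision audited) as a small policy check, plus the quarterly review from the checklist. This is an added illustration, not iCareNZ code; the account fields, resident identifiers and record types are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    user: str
    role: str                        # "caregiver" | "administrator" | "family"
    wing: Optional[str] = None       # caregivers are scoped to one wing
    resident: Optional[str] = None   # family accounts are scoped to one resident
    active: bool = True              # set to False at offboarding

# Constructed sample data: resident id -> wing they live on.
RESIDENTS = {"R-101": "North", "R-102": "North", "R-201": "South"}

# Audit trail: one entry per decision, allowed or denied.
AUDIT: list[tuple[str, str, str, str, bool]] = []

def allowed(acct: Account, action: str, resident: str, record: str) -> bool:
    """Decide whether acct may perform action ('view' or 'edit') on a record
    type ('clinical_note' or 'care_plan') for resident, and record the decision."""
    ok = acct.active and resident in RESIDENTS   # deactivated accounts never pass
    if ok:
        if acct.role == "caregiver":
            ok = RESIDENTS[resident] == acct.wing    # own wing only
        elif acct.role == "administrator":
            ok = record != "clinical_note"           # no clinical notes
        elif acct.role == "family":
            ok = resident == acct.resident and action == "view"  # own loved one, read-only
        else:
            ok = False                               # unknown role: deny by default
    AUDIT.append((acct.user, action, resident, record, ok))
    return ok

def access_review(accounts: list[Account], departed: set[str]) -> dict[str, list[str]]:
    """The quarterly review: list active admin-level accounts and accounts that
    are still active although the person has left (the offboarding gap)."""
    return {
        "admins": [a.user for a in accounts if a.role == "administrator" and a.active],
        "stale": [a.user for a in accounts if a.active and a.user in departed],
    }
```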

Encryption and data storage

Encryption is the backbone of data security. It ensures that if someone intercepts data on the network or obtains a copy of your storage or backups, the data itself remains unreadable. Any reputable digital care platform should encrypt data both in transit (while being sent between devices and servers) and at rest (while stored on servers). Note what encryption does not do: a valid, logged-in account still sees the data in the clear, which is why encryption and access control have to work together.

For New Zealand care providers, data sovereignty is an increasingly important consideration. Where is your data stored? Is it within New Zealand's jurisdiction? What happens if your vendor is served with a request for data from an overseas authority? These aren't hypothetical questions — they have real implications for your legal obligations under New Zealand law.

When evaluating a digital platform, ask about their data centre locations, their encryption standards, their backup and disaster recovery processes, and their data retention and deletion policies. A provider that takes security seriously will be transparent about all of these.

Staff training and awareness

Your security systems are only as strong as the people using them. A well-trained team that understands the importance of data security and follows good practices is your most effective defence against breaches.

Training should cover the basics: using strong passwords and not sharing them, locking workstations when away from the desk, not discussing resident information in public areas, recognising phishing attempts, and understanding what to do if they suspect a security incident.

It's also important to explain the "why" behind security policies. When your team understands that data security is about protecting the vulnerable people in their care — not just following rules — they're far more likely to take it seriously. Regular refresher training helps keep security top of mind, especially as new threats emerge.

"The best security policy in the world is worthless if your team doesn't understand it, trust it, or follow it. Training is where policy becomes practice."

Incident response planning

Despite your best efforts, security incidents can still happen. The question isn't just how to prevent them — it's how to respond when they occur. Having a clear, documented incident response plan is essential.

Your plan should cover: how to recognise and report a potential breach, who in your organisation is responsible for managing the response, how to contain the incident, when and how to notify affected individuals, and your obligations to report to the Office of the Privacy Commissioner.

Under the Privacy Act 2020, you're required to notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a notifiable privacy breach. That means you need to be able to detect breaches quickly, assess their impact, and take action. Having a plan in place before an incident occurs can make the difference between a managed response and a crisis.

Physical security matters too

In the rush to address digital security, it's easy to overlook physical security. But many data breaches in care settings still happen the old-fashioned way — paper records left in public areas, unlocked filing cabinets, unattended devices, and conversations overheard in hallways.

A comprehensive approach to data security addresses both digital and physical risks. That means secure storage for paper records, clear desk policies, privacy screens on devices used in public areas, and secure disposal processes for documents and devices that have reached end of life.

One of the hidden benefits of moving to digital systems is that they actually reduce many of these physical security risks. When resident information is stored securely in the cloud and accessed through authenticated devices, there are fewer paper records to manage, fewer physical files to secure, and fewer opportunities for information to end up in the wrong hands.

Building a security culture

Ultimately, data security isn't a set of policies or technologies — it's a culture. The facilities that protect resident information most effectively are the ones where security is everyone's responsibility, not just something the IT person or the compliance manager worries about.

When your team understands the value of the information they handle, when they feel confident raising concerns without being dismissed, when security becomes a natural part of how they work rather than an extra burden — that's when you know you've built a genuine security culture.

At iCareNZ, we take data security seriously. Our platform is built with New Zealand's privacy and regulatory requirements in mind, with encryption, role-based access, comprehensive audit trails, and NZ-based data hosting. If you'd like to learn more about how we keep resident information safe, we'd be happy to walk you through it.


About iCareNZ

iCareNZ is a high-integrity operating system for aged care and disability support providers across Aotearoa. From care documentation to compliance, we help kaimahi spend less time on paperwork and more time on care.
