Privacy Statement

Pacific Health Group (PHG)’s Privacy Statement

Pacific Health Group (PHG) (the legal owner of Habit Health and its related companies) supports people in their communities to optimise health and live their best lives. Our About Us page shares more about our purpose and our vision for health.

As a health care provider, PHG may collect, use, and disclose personal and health information relating to its customers and clients to provide health care services and information relating to contractors, suppliers, and employees in the performance of its business activities. 

This privacy statement applies to all of PHG, its related companies, and anyone acting on its behalf. It explains how we collect, use, store, disclose, update, and destroy individuals' personal information in New Zealand. 

We respect the confidentiality of our clients' personal information and take privacy seriously. This statement sets out: 

  • Types of personal information we collect  
  • How we collect information 
  • How we use personal information 
  • Who we share personal information with  
  • How to request access to your personal information  
  • How to request the correction of your personal information  
  • How to make a complaint 
  • How we treat other information we collect that is not personal information 

PHG is committed to handling personal information fairly, lawfully, and transparently, in accordance with the Privacy Act 2020, the Health Information Privacy Code 2020, the Information Privacy Principles, and other relevant legislation or guidelines.

This Privacy Statement will be made available to anyone who asks for it.  

What is personal information?

Personal Information is any information about an identifiable individual.

Types of personal information we collect

The type of personal information we collect will depend on the business purpose activity, funding type, and/or services for which you have engaged with PHG. We will not collect personal information about you unless that information is necessary for one or more of our functions or activities. 

Personal information collected by us may include: 

  • Contact information – name, date of birth, address, email address, phone numbers, next of kin/emergency information, membership details.  
  • Unique identifiers – an identifier assigned to an individual by another agency such as ACC claim numbers, NHI numbers, employee numbers etc. 
  • Employment information – employment history, work performance.
  • Financial information – bank account details.  
  • Health information – medical history necessary for safe, effective healthcare delivery.  
  • Client and business relationship data – including feedback and opinions  

Why we collect and use your personal and health information

We may collect your personal information and health information to:

  • Confirm the identity of our clients and people we communicate with for business. 
  • Deliver safe and complete clinical and support services.
  • Obtain payment for our services
  • Enable secure access to our online services and communication.
  • Improve service quality through feedback and evaluation.
  • Inform you about relevant services and updates.
  • Comply with legal, contractual, and professional obligations.
  • Provide services and business activities associated with:
    • Injury Rehabilitation and Assessment
    • Psychology and Counselling
    • Employee Assistance Programmes (EAP)
    • Disruptive Event Management
    • Health and Wellbeing services 
    • Workplace Assessments and Education
    • Occupational Health and Safety Services
    • Employment and Career Services
    • HR Consulting and Organisational Development
    • Health, Fitness, Diet, and Nutrition

We may also collect your personal information to provide confidential, de-identified reporting on organisational trends relating to the health and wellbeing services we provide.  All reasonable steps will be taken to ensure individuals are not identifiable from such reporting.

How we collect information 

We generally collect personal information directly from you, unless you authorise the collection from another party. Collection of information will be conducted fairly, through lawful means, and will not intrude unreasonably into your personal affairs.

Collection methods include:

  • In-person or over-the-phone communication.
  • Online forms or via our app.
  • Email or website inquiries.
  • Employer referrals.

You’ll be informed of the purpose for collection, how we’ll handle and protect your information, and your options. If you choose not to provide personal information, we may not be able to provide the appropriate services you seek or require.

We also collect contact and professional information from contractors, suppliers, employees, and other parties we interact with for purposes under the same privacy standards.

Providing personal information about others 

If you give us someone else’s personal information, you must ensure you have the right to do so and that the person is aware of:

  • Our identity and contact details
  • Our purposes for collecting their personal information and our disclosure practices
  • Their rights to access and correct their information

Phone call recordings

We may record calls (such as calls made to and from our EAP service National Support Centre, and our Occupational Health Services) to:

  • Support staff training and service improvements
  • Record enquiry types and volumes 
  • Maintain accurate records of calls
  • Protect our people from abusive behaviour

Callers will be informed by an automated message when recording occurs.

CCTV use

CCTV is in use in areas such as entrances, reception, and public spaces to help keep our clients, visitors, and staff safe. Where safety concerns arise, footage may be shared with appropriate authorities (such as NZ Police).

Mailing lists

When you register for one of our services, you may be added to our mailing list for relevant service updates and information. You may unsubscribe anytime using the links at the bottom of our newsletter.

Automatically collected website information

When you visit our websites, we may automatically collect:

  • IP address, browser type, OS, date/time of visit
  • Usage data through cookies, pixels, and tracking tools (e.g., Google Analytics)

These technologies help us customise content and improve your experience.

More information about how cookies work, how Google uses your data and how you can opt out is available on the Google website here

You can manage your preference via browser settings. 

Continued website use is considered consent for this tracking unless you opt out.

Sharing and disclosing personal information

We only share your information for the purpose it was collected, with your authorisation, or as legally required. This may include: 

  • Disclosures related to your care or service use
  • With your authorised health practitioners 
  • Our related companies and staff
  • Personal advisors (e.g., lawyers, accountants) 
  • Government or third-party service partners (such as ACC, MSD, Apex NZ) in relation to carrying out the service you've requested

We may share de-identified data with external and internal parties for analysis, reporting or service improvement. 

We will not disclose your personal information to parties outside of New Zealand unless we ensure they provide comparable safeguards under IPP 12. 

Keeping your information secure

PHG stores data securely in specialised software in the cloud or secure server environments. Only authorised personnel can access your information, and only for approved purposes. Identity verification is required before information is shared. 

We take reasonable steps to destroy or permanently de-identify information when it is no longer needed.  

How long we keep your information

We follow all relevant legislation regarding retention. For example, health information must be retained for at least 10 years from the last date of service per the Health (Retention of Health Information) Regulations 1996.

How to request access to your personal information

You have the right to request access to your personal information. You can request access by: 

We will acknowledge your requests within 5 working days and respond to the request within 20 working days. If your request is urgent, please include the reasons and required timeframe in your request, and all efforts will be made to meet this timeframe.

In limited situations, an access request may be denied, or restricted access given. We will provide reasons in writing for any refusal or limitation of access (e.g., due to serious harm risk, legal proceedings) along with information on how to complain.

How to request correction of your personal information

If your personal information is incorrect, you may request a correction by: 

We will respond and check our records. If the information we hold is confirmed to be factually incorrect, we will: 

  • Update the information on your file.
  • Send the corrected information to any third party who may have received the incorrect information.
  • Let you know we’ve made the change.

Sometimes we may not be able to make the change you’ve requested. This is usually because it relates to opinion-based information, e.g., clinical or medical assessment. If this occurs, we’ll provide a written explanation on why and offer to attach a correction statement to your file.

Complaints or privacy concerns

We are happy to discuss with you any concerns regarding the management of personal information or any information about our privacy statement.

You can view our complaints management process here

You can raise concerns or complaints by:

We will acknowledge your complaint within 5 working days and aim to resolve it within 10 working days after the complaint is received. If we cannot conclude the complaint within this timeframe, we will provide you with information on how long we think it will take to investigate and respond to it and keep you updated regularly. 

If you are not satisfied with the response or the outcome of the complaint, you can appeal to the Privacy Commissioner. 

Alternatively, you can lodge a complaint with the Office of the Privacy Commissioner here

Personal Identifiers 

EAP Services uses a unique Client Identification Numbering System, which allows for privacy and security of your information, and which is not related to any other identifier system. 

Updates to This Privacy Statement 

We may amend or update this Privacy Statement occasionally with or without notice to you. 

This privacy statement was last updated on 23/6/2025.

habithealth+

habithealth+ is an app that works in tandem with professional support and features prompts and notifications to increase motivation. With habithealth+ you can: 

  • Manage your health on the move
  • Customise notifications to boost motivation
  • Manage regular check-ins
  • Book in with a wide range of EAP professionals
  • Access support and advice
  • Integrate your device to access insights about your wellbeing

To delete your habithealth+ account and data: 
  • Open habithealth+ on your mobile phone. 
  • Open "Settings", then click your "Profile" and then click "Delete My Account". 

Follow the instructions to "Delete My Account" by entering your registered mobile phone number. 

When you delete your habithealth+ account: 
  • You will permanently delete your personal data. 
  • You will lose access to the habithealth+ app.  

To find out more, click here.

HealthOne - South Island-based patients

South Island-based patients only: please note that this organisation is contributing to, and accessing healthcare information from, HealthOne.

What is HealthOne?

HealthOne is a South Island-based secure electronic record that allows registered healthcare providers directly involved in your healthcare to quickly access information such as your test results, allergies, medications, GP summaries and hospital information. HealthOne adheres to the principles of the Privacy Act 2020 as well as the Rules set out in the Health Information Privacy Code 2020. Access is only possible via an approved, highly secure healthcare information network which is regularly audited and tested. Privacy auditing is used to check that only those directly involved in your care are accessing your information.

To find out more about HealthOne please visit https://healthone.org.nz/.  Please note that you are entitled to restrict the sharing of your healthcare records by contacting 0508 837 872 or emailing HealthOne.privacy@pegasus.health.nz