White Rose Osteopathy complies with the New Zealand Privacy Act 2020 when dealing with personal information.  Personal information is information about an identifiable individual.

This policy sets out how we collect, use, disclose and protect your personal information.

This policy does not limit or exclude any of your rights under the Act.  If you wish to seek further information on the Act, see


We may change this policy by uploading a revised policy onto our website.  The change will apply from the date we upload the revised policy.



White Rose Osteopathy will collect personal information about you from:

  • You, when you provide that personal information to us, including via our website and any related service, through a registration or subscription process, through any contact with us (e.g. telephone calls or email), or when you buy or use any of our products or services.
  • Third parties, where you have authorised this or the information is publicly available.
  • If possible, we will collect personal information from you directly.



  • To verify your identity
  • To provide services and products to you
  • To confirm future appointments
  • To share radiographic images and reports with specialists
  • To share treatment notes with ACC when required
  • If necessary in case of a medical emergency
  • To improve the services and products that we provide to you
  • To bill you and collect money owing
  • To respond to communication from you, including complaints or concerns
  • For any other purpose authorised by you or the Act
  • Contact tracing



White Rose Osteopathy may disclose your personal information to:

  • ACC
  • Specialist services
  • Your General Practitioner
  • Our supporting IT businesses that support our services, products or computer programs, including any person that hosts or maintains any underlying IT system or data centre that we use to provide our website. Their access is via password-controlled remote access.

  • A person who can require us to supply your personal information (e.g. a regulatory authority)
  • Any other person authorised by you



White Rose Osteopathy will take reasonable steps to keep your personal information safe from loss, unauthorised activity, or other misuse.

  • Encrypted access to all devices in clinic
  • Password-secured access to programs



Subject to certain grounds for refusal set out in the Act, you have the right to access your readily retrievable personal information that we hold and to request a correction to your personal information.  Before you exercise this right, we will need evidence to confirm that you are the individual to whom the personal data relates.

If you choose to exercise your rights, email us any time on



While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk. If you post your personal information on the website or Facebook page, please be aware that your post is publicly available.



If you have any questions about this privacy policy, our privacy practices or if you would like to request access to, or correction of, your personal information, you can contact us at



The Privacy Act 2020 has 13 privacy principles that govern how you should collect, handle and use personal information.

Principle 1

You can only collect personal information if it is for a lawful purpose and the information is necessary for that purpose.

Principle 2

You should generally collect personal information directly from the person it is about. Because that will not always be possible, you can collect it from other people in certain situations, for instance if:

  • the person concerned gives you permission
  • collecting it in another way would not prejudice the person’s interest
  • collecting the information from the person directly would undermine the purpose of the collection
  • you are getting it from a publicly available source.

Principle 3

When you collect personal information, you must take reasonable steps to make sure that the person knows:

  • why it is being collected
  • who will receive it
  • whether giving it is compulsory or voluntary
  • what will happen if they do not give you the information

Sometimes there may be good reason for not letting a person know you are collecting their information – for example, if it would undermine the purpose of the collection, or if it is just not possible to tell them.

Principle 4

You may only collect personal information in ways that are lawful, fair and not unreasonably intrusive.  Take particular care when collecting personal information from children and young people.

Principle 5

You must make sure that there are reasonable security safeguards in place to prevent loss, misuse or disclosure of personal information.  This includes limits on employee browsing of other people’s information.

Principle 6

People have the right to ask you for access to their personal information. In most cases you have to promptly give them their information. Sometimes you may have good reason to refuse access, for example if releasing their information could:

  • endanger someone else’s safety
  • create a significant likelihood of serious harassment
  • prevent the detection or investigation of a crime
  • breach someone else’s privacy

Principle 7

A person has the right to ask an organisation or business to correct their information if they think it is wrong.  Even if you do not agree that it needs correcting, you must take reasonable steps to attach a statement of correction to the information to show the person’s view.

Principle 8

Before using or disclosing personal information, you must take reasonable steps to make sure it is accurate, complete, relevant, up to date and not misleading.

Principle 9

You must not keep personal information for longer than is necessary.

Principle 10

You can generally only use personal information for the purpose you collected it. You may use it in other ways that are directly related to the original purpose, or you may use it in another way if the person gives you permission, or in other limited circumstances.

Principle 11

You may only disclose personal information in limited circumstances. For example, if:

  • disclosure is one of the purposes for which you get the information
  • the person concerned authorised the disclosure
  • the information will be used in an anonymous way
  • disclosure is necessary to avoid endangering someone’s health or safety
  • disclosure is necessary to avoid a prejudice to the maintenance of the law

Principle 12

You can only send personal information to someone overseas if the information will be adequately protected. For example:

  • the receiving person is subject to the New Zealand Privacy Act because they do business in New Zealand
  • the information is going to a place with comparable privacy safeguards to New Zealand
  • the receiving person has agreed to adequately protect the information – through model contract clauses, etc.

If there are not adequate protections in place, you can only send personal information overseas if the individual concerned gives you express permission, unless the purpose is to uphold or enforce the law or to avoid endangering someone’s health or safety.

Principle 13

A unique identifier is a number or code that identifies a person in your dealings with them, such as an IRD or driver's licence number. You can only assign your own unique identifier to individuals where necessary for operational functions. Generally you may not assign the same identifier as used by another organisation. If you assign a unique identifier to people, you must make sure that the risk of misuse (such as identity theft) is minimised.