Most health data governance frameworks start with compliance. What does the Privacy Act require? What does the Health Information Privacy Code mandate? These are necessary questions, but they're insufficient. The organisations that govern health data well start with a different question: does the community trust us with this information?
What You Need to Know
- Compliance is the floor, not the ceiling. Meeting legal requirements for health data handling doesn't mean communities trust you to use their data wisely.
- Trust is built through transparency, reciprocity, and demonstrable benefit. Communities that see their data used to improve their health outcomes trust the system more. Communities that see their data disappear into reports they never see trust it less.
- Māori data governance requires specific attention. Tino rangatiratanga over Māori data isn't a compliance checkbox - it's a relationship that needs to be built and maintained.
- Data governance frameworks that include community voice from the beginning produce better decisions and higher trust than frameworks designed by IT departments and presented to communities for approval.
The Trust Deficit
In my years managing health information systems, I've watched the trust conversation evolve. A decade ago, data governance was almost entirely an IT function. Access controls, audit logs, backup procedures. The community wasn't part of the conversation because the community didn't know the conversation was happening.
That's changed. Patients are more aware of their data rights. Māori communities are asserting data sovereignty. High-profile data breaches, both locally and internationally, have eroded the assumption that health organisations can be trusted to handle data responsibly by default.
54% of NZ adults expressed concern about how their health data is used beyond direct clinical care. (Source: Office of the Privacy Commissioner, Privacy Survey, 2022)
The consequence is that health organisations now need to earn trust actively, not assume it. And the governance frameworks they build need to reflect that.
What Trust-Based Governance Looks Like
Transparency about data use
Most patients understand that their GP needs their health information to provide care. The trust gap opens when data is used for purposes beyond direct clinical care: population health analytics, service planning, research, quality improvement, and increasingly, AI model development.
Trust-based governance means being explicit about all the ways patient data is used. Not buried in a privacy policy. Clearly communicated, in plain language, at the point of care.
At RAPHS, we found that patients were far more willing to have their data used for population health analysis when we explained what that meant in concrete terms. "We look at patterns across all our patients to identify where we need to improve services" is different from "your data may be used for research purposes." Same activity, completely different trust response.
Reciprocity
Communities that provide data should see benefit from it. This sounds obvious, but it's routinely violated in health. Data is collected from communities, analysed centrally, and the insights flow to funders and policymakers. The community that generated the data rarely sees the results in a form they can use.
"Trust isn't built by collecting data more carefully. It's built by showing communities what you did with their information and how it made things better." - Rikimata Massey, Health CIO Advisory
Reciprocity means sharing insights back. It means presenting population health findings to the community that generated them. It means using local data to inform local service decisions and showing the connection between the data collected and the improvements made.
Māori data governance
For Māori communities, data governance has a specific dimension. Te Mana Raraunga's principles of Māori data sovereignty establish that Māori have an inherent right to governance over data that describes them. In practice, this means Māori communities should have input into how Māori health data is collected, stored, analysed, and used.
76% of Māori respondents said they want more control over how their health data is used. (Source: Te Mana Raraunga, Māori Data Sovereignty Survey, 2022)
This isn't just about consent. Individual consent mechanisms don't cover community-level data use. When a PHO analyses diabetes rates among Māori patients in its catchment, that's community-level data. The governance of that analysis needs to include Māori voice, not as a consultation step at the end, but as a standing part of the governance structure.
The organisations I've seen do this well have Māori representation on their data governance committees. Not as a token seat, but as a genuine decision-making role with the authority to shape how Māori data is used.
Building the Framework
A trust-based data governance framework for health includes the standard components - access controls, audit trails, retention policies, breach response - plus several additional elements.
- Community advisory input. A standing mechanism for community feedback on data practices. Not a one-time consultation, but an ongoing relationship. This could be a community advisory panel, regular community forums, or integration with existing community governance structures.
- Plain-language data use statements. Every data use beyond direct clinical care should be documented in language patients can understand. These statements should be actively communicated, not hidden in policy documents.
- Benefit-sharing commitments. Explicit commitments about how insights derived from community data will flow back to those communities. Measurable, reportable, and accountable.
- Māori governance integration. For organisations serving Māori communities, a specific Māori data governance framework aligned with Te Mana Raraunga principles. This should include Māori decision-making authority over Māori data use, not just advisory input.
- Regular trust measurement. Survey your patient population about their confidence in your data practices. Track it over time. If trust is declining, your governance framework needs adjustment regardless of whether you're technically compliant.
Compliance Is Not Enough
The Privacy Act 2020 and the Health Information Privacy Code set minimum standards for health data handling. They're well-designed pieces of legislation. But they're minimums.
Meeting the legal requirements doesn't mean your community trusts you. And without that trust, the most ambitious health data initiatives - population health analytics, predictive models, shared care records - will face resistance that no technology can overcome.
Data governance in health is ultimately about relationships. The relationship between a patient and their provider. The relationship between a community and the health system that serves it. The relationship between Māori communities and the organisations that collect data about them. Get those relationships right, and the technical governance follows naturally. Get them wrong, and the best technical framework in the world won't save you.
