Where AI software used for a therapeutic purpose sits in New Zealand — with the Therapeutic Products Act 2023 repealed and the regime transitioning under the Medical Products Bill, the position is in flux.

dgm is an independent osFoundry integration partner — not affiliated with the company that makes osFoundry, and dgm has not yet completed any client integrations. This article describes services dgm offers, not past results.

Where AI software is used for a therapeutic purpose in New Zealand, it can fall under Medsafe’s medical-device remit — but the regime is in transition, and one common mistake is to cite a repealed Act.

Key points

  • AI used for diagnosis or clinical decision support can be Software as a Medical Device
  • The Therapeutic Products Act 2023 was repealed (effective 15 January 2025) — don’t cite it as current law
  • The regime is transitioning under the Medical Products Bill; the Medicines Act 1981 framework remains for now
  • Health data is also sensitive under the Privacy Act 2020

The detail

New Zealand’s data-protection law is the Privacy Act 2020, in force since 1 December 2020 (it replaced the Privacy Act 1993). It is built around 13 Information Privacy Principles (IPPs) and is enforced by the Office of the Privacy Commissioner (OPC / Te Mana Mātāpono Matatapu). It is New Zealand’s own law — not the GDPR.

Two recent additions matter for AI: IPP 12 governs disclosing personal information to anyone outside New Zealand (you must reasonably believe the overseas recipient is subject to comparable safeguards — the OPC publishes model contract clauses), and a new IPP 3A (from the Privacy Amendment Act 2025, in force 1 May 2026) adds a notification duty when you collect someone’s personal information indirectly.

There is a mandatory notifiable-breach scheme: if a privacy breach is likely to cause serious harm, you must notify the OPC and affected individuals as soon as practicable. A binding Biometric Processing Privacy Code 2025 has been in force since 3 November 2025 (existing agencies have until 3 August 2026 to comply).

The OPC has also published guidance on AI and the IPPs — its expectations include leadership sign-off, a privacy impact assessment before use, transparency, consulting Māori on risks and impacts, and human review of AI outputs.

Where this leaves your AI project

A model-agnostic platform like osFoundry helps you meet these obligations in practice — you can keep data in New Zealand (an Auckland region or local-first), control model choice via BYOK, and connect to your own systems. dgm can help you scope and implement with this in mind.

How dgm can help

dgm is an independent integration partner that helps New Zealand organisations put osFoundry to work — from choosing a worthwhile first use case through to the hands-on build and connecting it to the systems you already run. dgm is not affiliated with the company that makes osFoundry, and it has not yet completed any client integrations, so what is described here is the service dgm offers, not past results. If you want help scoping a realistic first project, dgm can work through it with you.

This article is general information only and is not legal, tax or investment advice. Rates, caps and programme status change — confirm the current position with the relevant official body or a licensed adviser before you act.