Determining risk score

Data sensitivity

The types of information and data you want to access carry varying levels of privacy and identity risk, determined by how sensitive that data is.

Privacy and identity sensitivity of API data

| Data sensitivity tier | Data type | Example |
|---|---|---|
| 1 | No personal or health information about identifiable individuals is available | eg. medicine names, allergies |
| 2 | Lower-risk personal and clinical information | eg. immunisation record, planned events |
| 3 | Personal, health or demographic information about identifiable individuals | eg. name, date of birth, address, NHI, along with information about an individual's social circumstances (eg. housing, education, employment, whanau, domestic abuse, finances) and/or an individual's health (eg. diagnosis, conditions, smoking status, treatment, care plans, discharge papers, clinical records, weight) |

Privacy and identity use case

Different functionality available within the API leads to varying levels of privacy and identity risk.

| Use case risk tier | API functionality | Example |
|---|---|---|
| 1 | Validate | eg. Confirm that the information supplied is correct, or return an error if it is not |
| 2 | Search / Read | eg. Display a read-only view of planned events |
| 3 | Create / Add to / Edit / Update | eg. Adding a new allergy, or updating an existing allergy record to add more detail |
| 4 | Delete | eg. Can remove existing data |

Privacy and identity risk score matrix

The score combines the API use case tier (1) with the data sensitivity tier (2) of the information requested. Rows are the use case tier and columns the data sensitivity tier; cells that could not be recovered from the source are left blank.

| (1) Use case \ (2) Data sensitivity | 1 | 2 | 3 |
|---|---|---|---|
| 4 | | | 12 |
| 3 | | | 11 |
| 2 | | | 10 |
| 1 | | | |

Legend (score bands, defined under Overall risk rating below): Low (1-3), Medium (4-5), High (6-8), Extreme (9-12).

Overall risk rating

The table below explains the categorisation of overall risk and the onboarding requirements for each level.

| Overall risk (score) | Identity verification | Harm | Description |
|---|---|---|---|
| Low (1-3) | No identity verification required | No harm if sharing is limited to authorised agencies or individuals | Should only be used by or shared with specified authorised agencies or individuals. |
| Medium (4-5) | Level 1 identity verification required | Potential harm | If compromised or destroyed in an unauthorised transaction, may breach the privacy of individuals and/or impact the organisation, as it includes personal or health information about identifiable individuals. |
| High (6-8) | Level 2 identity verification required; Level 3 may be required (see note) | Serious harm | If compromised or destroyed in an unauthorised transaction, will seriously breach the privacy of individuals and/or significantly impact the organisation, as it includes personal or health information about identifiable individuals. |
| Extreme (9-12) | Level 3 identity verification required | Catastrophic harm | If compromised or destroyed in an unauthorised transaction, will very seriously breach the privacy of individuals and/or catastrophically impact the organisation, as it includes personal or health information about identifiable individuals. |

NOTE: At the High level, the level of identity verification required can differ depending on what information is available; Level 3 identity verification may be required.

 

Onboarding controls

Depending on the privacy and identity risk of the data and use case, you will fall into the low, medium, high or extreme risk category. Each category carries a set of mandatory controls that must be in place before production access to the API is granted; the set grows with how sensitive, confidential or identifying the data is.

| Requirement | Low | Medium | High | Extreme |
|---|---|---|---|---|
| You must only collect the minimum information necessary to achieve your purpose, redacting or ignoring the remaining data returned by the API. | YES | YES | YES | YES |
| You must anonymise the data using Appendix 13 of the HISO Health Information Governance Guidelines to mitigate the impact of a potential privacy incident. | NO | NO | YES | YES |
| You must have a method for recording consents for processing personal information, and consent revocations, from data subjects whose data will be shared via the API. If you do not need to track consent under New Zealand privacy law, provide the condition that allows you to process personal information without consent in the comments box. | YES | YES | YES | YES |
| You must have a privacy notice that complies with the requirements of the New Zealand Privacy Act 2020. | YES | YES | YES | YES |
| Your staff who will have access to the personal data must have been trained on their privacy and data protection responsibilities under the Privacy Act 2020. | YES | YES | YES | YES |
| You must have a process in place for individuals to request actions on their data (access and correction) in accordance with the New Zealand Privacy Act 2020. | YES | YES | YES | YES |
| You must have an information retention and disposal policy for PII and be able to demonstrate compliance with it. | YES | YES | YES | YES |
| You must audit access, use and disclosure of personal or health information. | YES | YES | YES | YES |
| You must have performed a Privacy Impact Assessment (PIA) on the systems and processes involved in processing personal data, to understand the privacy risks involved. | YES | YES | YES | YES |
| If a PIA was performed, all identified actions must have been completed. | YES | YES | YES | YES |
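The first control above (collect only the minimum information necessary and redact or ignore the rest of the API response) is most reliably enforced as an allow-list applied at the point the response is received, before anything is stored or logged. The following is an added example written for this page; it is not code from the onboarding guide or from any Health NZ API. The record layout, field names and the `ALLERGY_VIEW_FIELDS` allow-list are constructed for illustration, and the dotted-path syntax with `[]` for list elements is this example's own convention.

```python
"""Data minimisation at the API boundary (added example, not from the guide).

Keep only the fields a use case has declared it needs; drop everything else
from the response before it is persisted or logged. The filter also returns
the *paths* it dropped (never the values) so the redaction step can be
audited without re-creating the data it just removed.
"""
from typing import Any

# Constructed sample response, shaped like a tier-3 record: identifiable
# demographic data alongside clinical data. Not real data.
SAMPLE_RESPONSE = {
    "id": "rec-001",
    "name": {"given": "Ana", "family": "Example"},
    "dateOfBirth": "1980-01-01",
    "nhi": "ZZZ0016",
    "address": {"line": "1 Example St", "city": "Wellington"},
    "allergies": [
        {"substance": "penicillin", "severity": "high", "recordedBy": "Dr X"},
        {"substance": "latex", "severity": "low", "recordedBy": "Dr Y"},
    ],
}

# Hypothetical allow-list for an allergy-display use case. Only these paths
# are retained; "[]" means "each element of the list at this path".
ALLERGY_VIEW_FIELDS = {"id", "allergies[].substance", "allergies[].severity"}


def _has_allowed_descendant(path: str, allowed: set[str]) -> bool:
    """True if some allow-listed path lies below `path`, so we must descend."""
    return any(a.startswith(path + ".") or a.startswith(path + "[]") for a in allowed)


def minimise(value: Any, allowed: set[str], path: str = "") -> tuple[Any, list[str]]:
    """Return a filtered copy of `value` and the list of paths dropped.

    A path that is itself allow-listed is kept whole (including any nested
    structure). A path with allow-listed descendants is descended into.
    Anything else is dropped and its path recorded.
    """
    dropped: list[str] = []
    if isinstance(value, dict):
        out: dict[str, Any] = {}
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if child_path in allowed:
                out[key] = child                      # explicitly requested
            elif _has_allowed_descendant(child_path, allowed):
                kept, sub = minimise(child, allowed, child_path)
                out[key] = kept
                dropped.extend(sub)
            else:
                dropped.append(child_path)            # never requested: do not retain
        return out, dropped
    if isinstance(value, list):
        item_path = path + "[]"
        items = []
        for child in value:
            kept, sub = minimise(child, allowed, item_path)
            items.append(kept)
            dropped.extend(sub)
        return items, dropped
    return value, dropped                             # scalar at an allowed path


def minimise_record(record: dict, allowed: set[str]) -> tuple[dict, list[str]]:
    """Filter one API record; dropped paths are de-duplicated and sorted."""
    filtered, dropped = minimise(record, allowed)
    return filtered, sorted(set(dropped))


if __name__ == "__main__":
    kept, dropped_paths = minimise_record(SAMPLE_RESPONSE, ALLERGY_VIEW_FIELDS)
    print("retained:", kept)
    print("dropped paths (for the audit record):", dropped_paths)
```

Run on the constructed record with the allergy allow-list, the retained copy contains only `id` and the `substance`/`severity` of each allergy; `nhi`, `name`, `dateOfBirth`, `address` and `allergies[].recordedBy` are dropped, and only their paths are reported for the audit trail. Because the filter is an allow-list rather than a deny-list, a new field added to the upstream API is dropped by default instead of silently becoming retained personal data.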