Primary Care cybersecurity risk assessment and liability

Does ‘engagement’ extend further than the systems that HNZ actually procures to those that access its digital services and beyond? During my time in the Digital Medicines Team at HNZ, there were no security assessments, etc., performed on any of the many systems that participate in NZePS and access the MDR API. In theory, this should cover any system that accesses the NHI, which would bring all NZ digital health applications that hold patient data into scope.

When all is said and done, the fundamental issue here is legal compliance. Every organisation that holds personal information in NZ must comply with the requirements of the Privacy Act, and these are about to be strengthened on 1 May 2026 by the Privacy Amendment Act 2025. Patient data in this country is scattered to the 4 winds (e.g., details of an individual prescription item can be held in at least a dozen places) - it is virtually impossible to implement security effectively and comply with privacy legislation in this highly distributed environment. We need to discuss alternative solutions that allow (engaged) consumers to be custodians of their own healthcare and wellness data.