Digital, data and technology services – minimum requirements

These are the baseline common requirements that all health organisations are expected to meet. We update them annually.

General

All new digital services and the data they collect and hold must conform with our published HISO standards, roadmaps and architecture guidelines (external link), use standard digital resources such as SNOMED CT and the national terminology service, and integrate with the mandated national digital services listed in the Digital Services Hub, such as the National Health Index (NHI).
Digital services should be integrated to support a consistent and seamless user experience and avoid unnecessary duplication of data and functions. Application programming interfaces (APIs) should be used where possible to support integration with and by others.
Digital services and supporting infrastructure must be maintained and regularly upgraded to stay within agreed supplier support thresholds as a minimum.
Cloud delivery should be considered for all digital services in preference to locally hosted and configured technology, and an assessment of risk undertaken before their use. Government organisations must follow the Cloud First policy (external link).

Health organisations must regularly assess their conformance with the Health Information Security Framework (external link) and follow the guidance on risks assessment for public cloud services (external link).
Security processes must be consistent with industry good practice such as that described in the Health Information Security Framework (external link), including applying security patches in a time frame proportionate to the assessed risk.
Digital services should be regularly independently security-tested in a time frame proportionate to their criticality and the type of data they process, and evidence provided that any deficiencies or vulnerabilities identified have been rectified.

Data must be governed in accord with industry good practice and following established guidance on data protection and use, privacy, social licence and Māori data governance. Health organisations should consider their conformance with the Health Information Governance Guidelines (external link). Health organisations must clearly define the data assets they hold and who is responsible for their stewardship.
Data must be available for sharing, transfer and access, with appropriate authorisation to other digital services, organisations and stakeholders, including the consumer. Access to data must not be unreasonably withheld or onerous to obtain, and supplier contracts must not impose technical or commercial barriers.

Supplier contracts must not include exclusive commercial arrangements that incentivise or require aggregation of services.
Suppler contracts must include provisions for service retirement or exit, for example maintaining data access or reconfiguring integration design, in the event that supplier contracts are terminated.