Cloud computing and health information

On this page:

In April 2017, the Ministry worked with the Department of Internal Affairs (DIA)’s Government Chief Information Office (GCIO) to update our approach to the use of cloud based services:


What is cloud computing?

Cloud computing is a phrase that covers the transmission, storage and processing of information at a location not owned or managed by the information's owner. This information can be accessed from anywhere at any time.

Subscription options

Cloud computing contracts can be established to allow health providers to use the chosen computing resources on a pay-per-use or subscription basis.

Who owns the infrastructure?

A hosted service provider owns and oversees the infrastructure, software and administrative tasks and makes the service available to clients. There is no need for the health provider to maintain additional hardware and software.

The three main levels required to operate the service are:

  • software as a service (SaaS)
  • platform as a service (PaaS)
  • infrastructure as a service (IaaS).

Why use the cloud?

The use of cloud or hosted services is a viable option for funders and providers of health and disability support services (health agencies) because of its cost and convenience.


Under the Health Information Privacy Code 1994 (the Code), each health agency has a legal responsibility to ensure everything within the power of the health agency is done to prevent unauthorised access, use, modification or disclosure of information for which they are custodians. 

This responsibility may be meet by the health provider undertaking due diligence of the proposed cloud-based or hosted service using the GCIO questionnaire document:

DHBs and wholly owned DHB shared service organisations, are also subject to the Department of Internal Affairs (DIA)’s ICT functional leadership mandate – expressed through the role of the Government Chief Information Office (GCIO). This mandate includes a requirement that DHBs:

Health providers are responsible for the security and integrity of personal health information that is stored or processed by public cloud services. 

All health providers wanting to store personal health information in a public cloud service may do so provided:

  • they first undertake a formal risk assessment
  • the outcome of the risk assessment is signed-off by the health provider’s senior management prior to using the services. 

The Ministry also requires DHBs to:

Public cloud services should be considered on a case by case basis.

An expectation of the Health Information Security Framework and Government CIO cloud computing requirements is that all health agencies create an internal cloud computing policy to provide guidance to:

  • the agencies on assessing the risks of cloud-based services, process maturity and compliance with regulation
  • the purchasers when evaluating, procuring and contracting cloud-based services.

To help organisations create their own cloud computing policies, the Ministry of Health’s internal cloud computing policy is provided as an example.

Cloud service risk assessment

The risks associated with a third party not subject to New Zealand jurisdiction inappropriately accessing or releasing health information, could impact negatively on all health agencies, beyond  the particular health agency responsible for holding the health information. Maintaining clinician, patient and public trust depends on proactively managing these risks.

The Ministry considers the following are key risks for personally identifiable health information that is not retained within New Zealand:

  • trust in data security and privacy laws overseas, loss of control, and uncertainty over hosted service providers’ (and their local jurisdiction’s) alignment with New Zealand’s health information security and privacy requirements
  • uncertainty and unpredictability regarding performance, reliability and support
  • unauthorised access or use of health information about New Zealanders by the hosted service provider or third parties.

Connected Health and the cloud

Any health agency or Connected Health application service provider wishing to use a cloud service to transmit, store or process health information may use an accredited Connected Health access supplier to provide a secure network link between their cloud environment and Connected Health.

Organisations not currently approved for access to Connected Health or wishing to provide a Connected Health application service may apply.

(The information above is adapted from Alex Mu-Hsing Kuo (2011) ‘Opportunities and Challenges of Cloud Computing to Improve Health Care Services’. Journal of Medical Internet Research, 13(3): e67)

Back to top