Security statement

In order to engage with the CTIP APIs, third-party vendors will need to show they have robust security controls in place for sensitive data and have taken all appropriate risk assessment measures for their solution.

In particular, vendors must confirm that:

  • sensitive data will be encrypted both at rest and in transit to the CTIP. This is to ensure that there will be no unauthorised access to personally identifiable information at any stage of the process. (It will remain encrypted in the NCTS environment.)
  • appropriate protection has been placed around API access. (All access to NCTS information requires authentication and all access will be monitored and can be tracked.)
  • they have appropriate consumer authorisation for any information they share with the Ministry.

Privacy statement

In order to engage with the CTIP APIs, third-party vendors must have a fair and lawful process for data collection. They must provide privacy statements for their products and confirm that they have addressed issues of data security, governance and user consent.

In particular, vendors must:

  • demonstrate that they are able to limit the information supplied to CTIP. This is so the Ministry can ensure that only information directly relating to an individual’s risk of exposure to COVID-19 is shared
  • demonstrate that they have the appropriate consumer authorisation for any of the information they share. A process whereby consumers can access information held about them and request a correction if necessary is advisable
  • confirm that particular care is taken with information about children and young people
  • be aware that any future use cases for information sharing with the Ministry will be subject to additional privacy assessments.

Terms of Use statement

In order to engage with the contact tracing APIs, third-party vendors must be able to meet the Ministry’s general requirements around development, maintenance and ongoing compliance of their service.

In particular, vendors must confirm that:

  • they are developing against the contact tracing APIs for the express purpose of receiving (a) exposure event notifications, and uploading either (b) users’ locations, or (c) visitor registers, depending on their application
  • they will develop in accordance with the API documentation provided by the contact tracing API project team
  • they have completed the relevant test cases to the required standard
  • during that period they will communicate with the Ministry any relevant changes, issues or opportunities. In particular they will notify the Ministry of anything that might:
    • significantly impact the end-user experience of their product
    • affect their conformance with privacy or security standards
    • have an adverse impact on the contact tracing APIs
  • they have taken steps to ensure that their solution does not negatively impact service performance of the contact tracing APIs
  • they will authenticate, authorise and audit their own users’ access to the contact tracing APIs and provide an audit trail on request
  • they understand that access requests are managed and approved by the Ministry to ensure that the Health Information Privacy Code and operational requirements are met Therefore only those organisations for which the Ministry has agreed channels to report back and resolve data quality issues may be granted update access
  • they recognise that the Ministry reserves the right to suspend or terminate access to contact tracing APIs if data quality is compromised.