27 January 2023
AS Van Wey
[FYI request #20883 email]
Tēnā koe AS Van Wey,
Official information request HNZ00009318
Thank you for your follow up request under the Of icial Information Act 1982 (the Act) to Te Whatu
Ora – Health New Zealand on 4 January 2023 about policies relating to the protection against
unauthorized access of information. You specifically requested:
“Thank you for your response and the policies; however the policies attached are not those
required under section 8 of HISO 10029(2015). Would you please include these policies,
which are about the protection against unauthorized access of information, including email
correspondence. For instance, this section would pertain to the data breach that occurred
at Waikato DHB. Waikato DHB and all DHBs were to have policies to ensure that all
information was held securely”.
There were no national policies stemming from HISO 10029:2015 Health Information Security
Framework. However, Te Whatu Ora has identified 12 documents within scope of your request and
is released in full. Al documents are itemised in Appendix 1 and copies of the documents are
enclosed. This information relates to the security policies in place during the former Waikato
District Health Board (DHB) ransomware attack in May 2021. These have since been re-issued but
not updated. Therefore, this means that the policies are all dated later than May 2021, but all the
same policies were in effect at that time.
I trust the information provided is of assistance. Should you have any concerns with this
response, I would encourage you to raise these with Te Whatu Ora at:
[email address]. You have the right to make a complaint to the Ombudsman.
Information about how to do this is available at
www.ombudsman.parliament.nz or by
phoning 0800 802 602.
As this information may be of interest to other members of the public, Te Whatu Ora may
proactively release a copy of this response on our website. Al requester data, including your name
and contact details, wil be removed prior to release.
Gaynor Bradfield
Manager
Office of the Chief Data and Digital
Appendix 1: List of documents for release
#
Date
Document details
Decision on release
1
23 November 2017 Information Security – Access
Information released in full.
Control
2
4 May 2017
Information Security – Anti Malware
3
23 November 2017 Information Security –
Communications
4
4 May 2017
Information Security – Cryptography
Management
5
4 May 2017
Information Security – Information
and Data Management
6
23 November 2017 Information Security – Incident
Management
7
23 November 2017 Information Security – Information
Security Management
8
23 November 2017 Information Security – Operations
Security
9
4 May 2017
Information Security – Suppliers
10
6 July 2018
Information Security – Policy
11
19 February 2018
Mobile Communication Devices
Management
12
6 July 2018
Policy Responsibilities and
Authorisation
TeWhatuOra.govt.nz
Te Whatu Ora, PO Box 793,
Wel ington 6140, New Zealand