An urgent overhaul of health systems to better catch and control communicable diseases, from Covid-19 to measles, is months behind schedule.
With that now months off, the agencies would “work closely to reduce duplication of effort and to avoid gaps in public health surveillance”, the ministry said in its statement on Friday.
A strategy plan for integrating national surveillance nationwide would be released in June or July.
The NPHS and PHA are the centrepiece of a $60m overhaul that sprang from the pandemic, exposing the fragmentation of the country’s then-dozen district public health services.
They were meant to streamline the handling of outbreaks and potential outbreaks, and immunisations, but have struggled, documents showed.
The aim was to set up “a world-class” surveillance system, that was expert, and defined “clear accountabilities”. A contractor put in an initial analysis in March of what to do, monthly progress reports released under the Official Information Act said.
The progress reports were only two pages each and provided very little information on the surveillance work.
Aside from surveillance, “policy making process, health protection and emergency management, development and implementation of regulation development and a clinical governance framework” all had “issues”, though strategising and local-to-national connections had improved, a 2023 review found.
Covid-19 stretched system beyond its limits
The third agency involved, Te Aka Whai Ora, the Māori Health Authority, is being disestablished by the government at the end of June, though the Waitangi Tribunal has agreed to an inquiry to be heard later this year.
A fourth agency, Environmental Science and Research, provided oversight to the surveillance system.
The priority diseases public health focuses on include measles, Covid-19, meningococcal disease, pertussis, mumps, tuberculosis, typhoid, enteric diseases, legionellosis, hepatitis B and sexually transmitted diseases.
Covid-19 stretched the system beyond its limits. The dozen district public health units existing at the time had so many different data systems they could often not share basic outbreak information with each other.
A stopgap was rushed in - the National Contact Tracing Solution - which helped. That was shut down in February 2024, and was gradually being replaced up to 2025 by the National Disease Management System (NDMS).
These systems depended on getting sensitive personal health information from people who may have been exposed to a disease, under the provisions of the Health Act 1956.
“There is still work underway to evaluate exactly what information will be captured for a given disease. This may include things such as a food diary in some instances,” an interim privacy impact assessment on the NDMS said in February.
The NDMS was being hosted within a “private isolated section” of Amazon’s ‘cloud’ of data warehouse servers in Sydney.
It used other tech from two other major suppliers, Snowflake and Salesforce - but not artificial intelligence, the assessment said.
Te Whatu Ora “routinely” used these tech companies to “extract, store and analyse data”, and they were assessed as okay to use for personal health information, the assessment said.
“Access, governance and privacy will be reviewed” as the data warehouse was built, it said.
Cyber security was being assessed by an internal team, not an external one.
A series of privacy protections - such as widespread encryption - and audit controls were detailed in the privacy impact assessment.
The NDMS was using the same platform as that for the Aotearoa Immunisation Register. This was “an appropriate choice and provides the necessary security”, the assessment said.
Decisions over who to communicate with when an analysis of contact tracing was triggered would be made using another tool, the Consumer Population Identification and Registration Service (CPIR). This may depend on health checks or information from someone infected or their parents or guardians. The privacy impact assessment on the CPIR was not available on Te Whatu Ora’s website.
People could apply to Te Whatu Ora to see what information it held on them in these systems.
Otherwise, “access to NDMS for users outside of Te Whatu Ora is strictly controlled”.
By far the highest risk rating was from “insider curiosity” for the NDMS system - scoring ‘18’, with ‘possible’ odds of happening and ‘major’ consequences. This would be where an authorised user accessed or altered someone’s information when not authorised to.
It was “unlikely” NDMS information would be used for something other than what was intended, the interim assessment concluded.