NZ Compliance & Te Tiriti — testing in Aotearoa
The compliance landscape a NZ tester is actually accountable to.
When a digital product makes or shapes a decision about a person in Aotearoa, it sits inside a web of obligations that overseas testing courses never mention — Te Tiriti o Waitangi, Māori Data Sovereignty, the Privacy Act 2020, the Health Information Privacy Code, NZISM, and the Government Algorithm Charter. This track teaches you to test against them with accuracy and respect, so compliance is verified evidence rather than a hopeful assumption.
From Te Tiriti to the test environment
Te Tiriti in Digital Testing
Partnership, participation, and protection applied to testing. Māori Data Sovereignty and the Te Mana Raraunga principles. Equity testing across populations, culturally safe design, and the Algorithm Charter’s Tiriti commitments.
~30 min read · ~70 min with exercises · NZ Compliance
Lesson 2Health Information Security (HISF)
Protecting health information in test environments. The Health Information Security Framework, the Health Information Privacy Code 2020, Te Whatu Ora expectations, and de-identification of clinical test data.
~30 min read · ~70 min with exercises · NZ Compliance
Lesson 3Privacy in Test Environments
The risk of real data in non-prod. The information privacy principles that apply to testing, the NZISM controls a tester verifies, test-data minimisation and masking, and the breach scenarios that start in a test system.
~30 min read · ~70 min with exercises · NZ Compliance
Privacy Act 2020 and NZISM detail also runs through two related tracks: Privacy Testing covers consent, data minimisation, and breach response in depth, and All-of-Government Standards covers the wider public-sector control set. This track focuses on what those obligations mean inside a test environment, alongside Te Tiriti and health-information duties.
Compliance you can show, not assume
A tester in Aotearoa carries obligations that no imported testing syllabus teaches. Te Tiriti o Waitangi is the founding agreement of this country, and the Crown’s commitments to partnership, participation, and protection reach into the digital services it builds. Māori data is taonga, and how it is collected, stored, and used is governed by Māori Data Sovereignty, not by a default of “it is just data.” Health information is among the most sensitive a system can hold. And the moment real data is copied into a test environment, every privacy and security duty travels with it.
The risk is that these obligations get treated as someone else’s job — a policy team’s, a lawyer’s, a designer’s — and never become a test. They can and should be tested. Equity across populations is measurable. Data residency is verifiable. De-identification either holds or it does not. A masking rule either covers every field or it leaves one exposed. When you turn an obligation into a check with a measurable acceptance criterion and recorded evidence, “is this compliant?” stops being an opinion.
This track teaches that translation, with the respect these obligations are owed. By the end you will be able to bring Te Tiriti and Māori Data Sovereignty into a test plan accurately, protect health information in non-prod to the standard Te Whatu Ora expects, and prove that the data in your test environment is handled lawfully under the Privacy Act 2020 and NZISM.
Other specialised tracks
Privacy Testing
The NZ Privacy Act 2020 in practice — consent, data minimisation, and breach response.
SpecialisedAll-of-Government Standards
NZISM, the public-sector control set, and the standards government testing is held to.
SpecialisedHealth QA
Testing health systems in NZ — clinical safety, interoperability, and the duty of care in software.