Cardiovascular disease risk assessment (CVDRA) tool

The digital cardiovascular disease risk assessment tool can be used by primary and community healthcare providers.

On this page

About the cardiovascular disease risk assessment tool

The CVDRA tool assesses a person's risk of having a serious cardiovascular event, such as a heart attack, within the next 5 years.

The tool is designed to assess people aged between 30 to 74 who do not have a history of cardiovascular disease. It uses a range of health measurements and personal history to calculate a person's risk, which is shown as a percentage.

The tool can help primary or community healthcare providers assess their patient's risk of cardiovascular disease. This can then prompt conversations with patients about managing the risk, and shared care planning.

How the risk is calculated

The tool was developed based on algorithms specific to the New Zealand population. These were created by the School of Population Health at the University of Auckland.

The tool complies with Ministry of Health recommendations for cardiovascular disease risk management and Health Information Standards Organisation (HISO) standards.

Cardiovascular Disease Risk Assessment and Management for Primary Care 2018 — Ministry of Healthexternal link

HISO 10071:2025 Cardiovascular Disease Risk Assessment Data Standardexternal link

Privacy and data sharing

The tool may collect personally identifiable health data, including a person's:

  • NHI number
  • age, sex and ethnicity
  • height and weight
  • other relevant health measurements and history.

This information is securely managed by Health New Zealand | Te Whatu Ora and follows the requirements of the:

  • Privacy Act
  • Health Information Privacy Code.

We may use the data for healthcare service planning, statistical analysis and reporting as well as for approved research by third party researchers. No reports produced will contain identifiable information.

CVDR privacy statement 

The privacy statement provides transparency on our collection, use and disclosure of information gathered through the CVDRA tool.

This Privacy Statement sets out how Te Whatu Ora | Health New Zealand (“Te Whatu Ora”, “we” and “us”) collects, uses, and shares health consumers’ personal information when providing the National Cardiovascular Disease Risk Assessment Service, risk calculator, API, software, application, product, or website (collectively the CVDRA Service).

We may update this privacy statement from time to time. Please check this privacy statement regularly for modifications and updates. This privacy statement was last updated on 23 June 2023

What is the purpose of the Cardiovascular Disease Risk Assessment Service?

Te Whatu Ora provides a national CVDRA Service to enable the cardiovascular disease risk profile of an individual to be assessed, understood, and managed at the primary care level. It is voluntary for everyone to participate in the CVDRA Service.

The CVDRA Service calculates an individual’s 5-year cardiovascular disease risk based on risk factors specific to the New Zealand population. This CVDRA Service can be used by Gceneral Practitioners, nurses, and other clinicians to calculate the risk (expressed as a percentage) of a person having a serious cardiovascular disease event in the next five years. The CVDRA Service can also be used by a health organisation to make the calculator available to the public.

What personal information we collect

To perform the CVDRA Service we may collect the following information about you:

  • Age
  • Sex
  • National Health Index (NHI) number
  • Ethnicity
  • New Zealand Deprivation Index (NZDep) score
  • Height, weight, smoking status, diabetes, personal health history, family health history, and other clinical measures directly related to cardiovascular disease risk.

We may collect information about the health provider when they use the CVDRA Service:

  • Health Provider Identifier (HPI) or Common Person Number (CPN)
  • Facility Identifier (location where the risk assessment is delivered)

Choice

It is not mandatory to participate in the CVDRA Service.

If you choose not to provide with your personal information, we may be unable to provide you with
a CVDRA calculation.

How we use the information

The information you provide as part of the CVDRA Service may be used by Te Whatu Ora for:

  • Calculating and reporting: Calculating a cardiovascular risk score of an individual and reporting the risk score to the clinician or other user who uses the CVDRA Service and submits the relevant information to the Service.
  • Healthcare planning: Improving healthcare service planning and supporting decision making in policy development to increase equitable health outcomes for New Zealanders.
  • Research and statistical purposes: Researchers with appropriate permissions can use the CVDRA Service data on its own or in combination with other datasets to further develop and refine the New Zealand specific CVD risk calculation algorithms or for other health and wellbeing research. The default mechanism for sharing is to provide de-identified data. In some instances, third parties may need access to identifiable data. In these instances, approval from the Health and Disability Ethics Committee (HDEC) will be required, or from an appropriate data governance review process, prior to any identifiable information being provided. Users of identifiable data are required to abide by strict conditions for the use and storage of the information to protect its security and privacy.
  • Publication: We will publish or allow a third-party with the appropriate permissions to publish findings from research and analytics as aggregate data. Health consumers (individuals) will never be identified in any research findings or reports.
  • CVDRA system support: We use the data to identify and analyse operational and
    performance issues of the CVDRA Service. We use aggregate data for analytics and reporting
    on the Service usage and other operational metrics.

Sharing the information

Te Whatu Ora will only share CVDRA information with a limited set of organisations, where it is
consistent with the purpose of collection and it has been through an appropriate data governance
approval process.

Our trusted service providers who help us to provide this CVDRA Service and our authorised system support staff have access to the CVD data. All access is tracked and can be audited.

Storing your information securely

Your personal information will be held and managed by Te Whatu Ora in accordance with the Privacy Act 2020 and Health Information Privacy Code 2020 and overseen by Te Whatu Ora’s Data Governance Group.

Information that you choose to share with us will be held securely in compliance with Te Whatu Ora standards. Security measures are in place to protect your information from unauthorised access.

We use Microsoft Azure Services in Australia to deliver the CVDRA Service. The data is hosted in an operational datastore hosted on the Azure server(s) in Australia.

How long we hold information

We comply with the current Health Information Retention Regulations. We will keep the information for the minimum retention period of 10 years from the date we collect the information.

Access to, and requests to correct, the information

You have the right to access any information we hold about you and ask us to correct it if you think it is wrong.

To access any personal information held by us, or if you wish to correct your information, please email ltc@health.govt.nz

When making a request to access or change your information, please include:

  • your name
  • contact address (email or postal)
  • contact phone number
  • details of the information you want or want to correct - this needs to be as clear and specific as you can make it. We may ask you for more details.

Please note that before we can provide you with your information or make any changes we need to be satisfied about your identity. To do so, we may need to ask you further questions or to view identification which establishes your identity.

Queries or concerns?

If you have any queries or concerns about how your personal information has been managed, please contact us to see if we can resolve the problem. You can:

  • Email us at hnzprivacy@health.govt.nz
  • Write to us at Privacy Officer - Te Whatu Ora, PO Box 793, Wellington 6140, New Zealand

If you’re not satisfied with our response to your concerns, you can contact the Office of the Privacy Commissioner. For more information see the Office of the Privacy Commissioner website.

Office of the Privacy Commissionerexternal link 

Working with CVDRA providers (integrators)

We provide the tool in the form of an application programming interface (API).

Healthcare practices can connect to the API through an integrator, which can be a PHO, health IT service provider or other health organisation. The integrator runs a system that connects to the API and the healthcare practice’s software. Doctors, nurses, other healthcare providers, and the public can then access it through an easy‑to‑use interface.

The tool is voluntary, but healthcare practices are encouraged to use it to improve the accuracy and consistency of cardiovascular risk assessments and risk management.

Using our endorsed service enables healthcare providers to issue standardised clinical advice and support, which enhances consistency of care for patients.

Technical information

You can find all technical information about the CVDRA API on our digital service page.

Cardiovascular disease risk assessment (CVDRA) API

Contact us to use the CVDRA tool

If you are a healthcare provider and want to access the tool or find out more, contact our product team using the form on our Digital Services Hub. Tick 'General enquiry' and write your request in the text box.

Request access to the CVDRA toolexternal link

If you have a clinical question about the tool, contact our long term conditions team at Ltc@health.govt.nz.