What you need to know:

  • The Government has recently approved a proposal to establish a Digital Identity Trust Framework (Framework) in law.
  • The Framework aims to create a regulatory environment which will support information sharing and data management practices for verifying a person’s identity, by establishing common standards and best practice rules to be adhered to by the various players in the digital identity ecosystem.
  • The Framework will enable Aotearoa New Zealand to keep pace with its international partners, with countries like the UK, Australia and Canada also looking to introduce similar legislative frameworks. 
  • The legislation to give effect to the Framework is set to be drafted later this year. 

What is Digital Identity?

A digital identity is a digital representation of who you are. It enables you to prove who you are, and some of your attributes (eg your name or age) using digital technologies, and can thereby facilitate the purchase of, or access to, certain products and services, or the participation in certain transactions.

Being able to prove who you are digitally has some clear benefits in accessing services, including not having to be physically present to gain access to services (eg digitally sharing your prescriptions with a pharmacy), or not having to keep physical documents on your person (eg by having an electronic version of your driver’s licence on your phone). Businesses also benefit from streamlined processes and from being seen as easy to do business with. They could also benefit by being able to access and use the electronic identity information of customers collected and verified by other organisations.

Understandably, digital identity raises a number of privacy and security concerns for individuals and, for organisations using that information, concerns about trustworthiness.

What is the Digital Identity Trust Framework?

The Framework is intended to facilitate the adoption of digital identity and to maximise the potential benefits across the economy of doing so.

The Framework is intended to do that by setting out best practice, standards-based rules on issues such as privacy, security, identification management and interoperability that participants in the digital identity ecosystem - information providers, infrastructure providers and relying parties - agree to follow. The rules themselves are to be further defined, but are expected to leverage existing standards such as the Identification Management Standards issued by the Department of Internal Affairs (DIA).

The Framework will also establish a body to accredit participants that have demonstrated they can meet the rules as those rules relate to their role in the ecosystem. Participants accredited under the Framework will be publicly recognised by a ‘trust mark’, demonstrating to the general public that the accredited provider can be trusted to use personal information in a way that safeguards their privacy. The Framework’s rules will be legally enforceable on accredited participants, who will be audited to ensure that the rules are being complied with. A governance body will be created and tasked with updating and enforcing the rules.

The Framework will be built around the following eight guiding principles:

  1. People centred - the rights and needs of the people are of the highest importance. People should retain control over their information in line with existing legislation such as the Privacy Act 2020.
  2. Inclusive - everyone has the right to participate in the digital identity ecosystem, without risk of discrimination or exclusion.
  3. Secure - services are designed with the security of information in mind.
  4. Privacy enabling - privacy is to be embedded in the design and maintenance of digital identity systems and services.
  5. Enabling Te Ao Māori approaches to identity - the ecosystem will be inclusive of Māori perspectives and cater to Māori needs.
  6. Sustainable - designed in a manner that supports technical, social and economic sustainability in the long run.
  7. Interoperable - information should be reusable across services, sectors and geographies.
  8. Open and transparent - the ecosystem is maintained in a clear, accessible, responsive and accountable manner.

How does it differ from RealMe?

RealMe, a government-endorsed online identity initiative, already enables individuals to verify their identity online to access a range of government and public sector services. However, the Framework is intended to allow others to provide trustworthy verification services by implementing standard rules that all identity service providers (including RealMe) will need to comply with. The Framework will help ensure consistency in how businesses and organisations store and manage people’s information.

How does the Framework compare with similar initiatives overseas?

The Framework is intended to align with similar digital identity trust frameworks being implemented in Australia, Canada and the UK.

In Australia, the Trusted Digital Identity Framework (TDIF) requires providers of identity-related services to be accredited and sets out the accreditation requirements but is currently only applicable to Australian Government entities. This year the Australian Government is consulting on the introduction of the Digital Identity Legislation, which proposes to expand the TDIF to private sector providers. The expectation is that there will eventually be mutual recognition of digital identity services with Australia under the Single Economic Market Agenda, enabling digital identity information to be used seamlessly between New Zealand and Australia.

In the UK, the Government consulted on its draft framework earlier this year and the next iteration is expected to be released in the very near future. The UK Government has in parallel opened a public consultation process seeking views on: (i) who should regulate the framework and what the scope of their remit should be; (ii) how to enable a legal gateway between public and private sector organisations for data checking; and (iii) whether it would be helpful to affirm in legislation that digital identities can be valid as physical forms of identification.

In Canada, the Digital Identity & Authentication Council of Canada (DIACC), which is a non-profit coalition of public and private sector organisations from a range of industries, is seeking to establish the Pan-Canadian Trust Framework (PCTF). The PCTF is a set of digital identification and authentication standards that participants in the digital ecosystem agree to comply with. The DIACC will also administer the “Voila Verified” trust mark to organisations that demonstrate compliance with the PCTF, and this is set to launch later in the year.

Having rules and standards that are comparable with those of our major trading partners will assist in maintaining and facilitating the ease of doing business with those nations.

What’s next?

The Minister for the Digital Economy and Communications has indicated that he will be introducing the Trust Framework Bill, which will provide the legal mechanism for establishing the Framework, into Parliament later this year. Watch this space.

Thanks to Iqra Khan for her assistance in writing this article.