What is the Digital Identity Services Trust Framework Bill?

The Digital Identity Services Trust Framework (Framework) is a legislative framework for the provision of digital identity services in New Zealand. 

On 29 September 2021, the Bill to establish the Framework in law was introduced to Parliament.

The Government has said that the Bill is needed because “…currently, New Zealand lacks consistency in the way personal and organisational information is shared, stored, and used in a digital identity environment. This has led to inconsistencies and inefficiencies in how this information is handled, undermining trust and confidence in the digital identity system for individuals, government agencies, and the private sector”.

The Bill has four aims:

• To help drive consistency, trust and efficiency in the provision of digital identity services;
• To support the development of interoperable digital identity services;
• To provide people with more control over their personal information and how it is used in this context; and
• To enable the user-authorised sharing of personal information digitally to access private and public sector services.

We take a closer look at the Bill’s key aspects below.

What is a Digital Identity Service?

The Bill defines digital identity services as “… a service or a product that, either alone or together with one or more other digital identity services, enables a user to share personal or organisational information in digital form in a transaction with a relying party.” Examples of digital identity services given in the Bill include:

• Checking the accuracy of personal or organisational information;
• Checking the connection of personal or organisational information to a particular individual or organisation; and
• Providing secure sharing of personal or organisation information between Framework participants.

Trust Framework (TF) Rules

A major component of the Framework will be the TF rules that will apply to the provision of digital identity services in New Zealand. The TF rules will apply to providers and the accredited services that they provide, and will set minimum requirements across 5 key categories:

• Identification management
• Information and data management
• Security and risk management
• Privacy requirements
• Sharing and facilitation requirements

The TF rules will focus on incorporating existing standards and requirements that need to be met to provide a trusted environment for those operating within the digital identity ecosystem. The TF rules will be made by the Minister following a consultation process and kept under review to ensure they keep pace with technological developments.

Accreditation

The Bill establishes an opt-in accreditation scheme, enabling service providers to become accredited under the Framework. Providers who elect to become accredited will need to comply with the TF rules.

The Bill also establishes a ‘trust mark’ regime, enabling accredited providers to use an approved trust mark to demonstrate their compliance with the TF rules.

TF Board

The Bill provides for the establishment of a governance board (the TF board), which will publish guidance and monitor the performance and effectiveness of the Framework. The TF board will also have responsibility for recommending draft TF rules to the Minister following a consultation process with a range of groups (including the Office of the Privacy Commissioner).

Te ao Māori

The Bill includes specific provisions designed to help ensure that te ao Māori approaches to identity are considered in the Framework’s governance and decision making.

Enforcement

To ensure that the TF rules are enforced and to protect the security and privacy of the Framework’s users, the Bill proposes the establishment of an authority (the TF authority) that will be responsible for making decisions on applications and renewals of accreditation, investigating complaints submitted to it, investigating non-compliance on its own initiative, and granting remedies for breaches.

If the TF authority finds that a provider has breached the TF rules, it has a range of enforcement actions available to it, including publishing a public warning, or suspending or cancelling the provider’s accreditation.

The Bill also contains offences for activities that threaten the integrity of the Framework, such as falsifying accreditation.

Privacy considerations

The Bill includes a specific requirement that accredited providers must not collect, use, share, or otherwise deal with personal information in providing digital identity services unless:

• they have reasonable grounds to believe that the collection, use, sharing, or other dealing with the information is authorised by the individual; and
• they do so in accordance with the TF rules.

Importantly, the Bill provides that nothing in the Act will override the Privacy Act 2020.

Our views

The Bill is a step in the right direction towards addressing some of the challenges that the Government has identified as inhibiting a thriving digital identity ecosystem operating in New Zealand. Having a common set of rules, combined with a robust governance and enforcement framework, will help to drive the right behaviours from providers and help to build the trust of users.

A key challenge will be ensuring that the TF rules will be operationally practicable, supported by industry, and sufficiently flexible to account for the emerging challenges and opportunities as digital identity technologies continue to evolve. Ensuring the Bill is consistent with similar rules adopted in our major trading partners (like Australia and the UK) will also remain important.

What’s next?

The Bill passed its first reading on 10th October and is currently under Select Committee consideration. Submissions for the Bill close on 2nd December 2021. A copy of the Bill and details of the submission process can be viewed here.

Get in touch

Please get in touch with our contacts if you have any questions about this article or data privacy in general, or if you would like assistance in preparing a submission to the Bill.