Creating a legal framework
Find out about the Digital Identity Services Trust Framework — its progress through parliament, the aims of the Bill and the draft rules.
The trust framework will address gaps in regulation and assist the development of trusted, people-centred digital identity services.
The framework applies to service, technology and information providers who want to provide digital identity services.
Progress through Parliament
In September 2021, the Digital Identity Services Trust Framework Bill was introduced into Parliament.
In March 2023 the bill passed its third and final reading. It is now awaiting Royal Assent, where the Governor-General formally signs the bill into law.
Track the new law’s progress through the legislative stages via the New Zealand Parliament website:
Digital Identity Services Trust Framework Bill — New Zealand Parliament, Pāremata Aoteoroa
In July 2020, Cabinet agreed to establish the Digital Identity Trust Framework in legislation.
In February 2021, Cabinet approved policy proposals that underpin the Digital Identity Trust Framework, including the establishment of an Accreditation Authority and Governance Board.
In May 2021, Cabinet released detailed policy information about the Bill’s development.
Early versions referred to the Digital Identity Trust Framework. The word ‘services’ was added in the final stages of drafting.
Aims of the Bill
The Digital Identity Services Trust Framework Bill aims to promote the provision of secure and trusted digital identity services that meet essential minimum requirements for security, privacy, identification management and interoperability. It also aims to support community resilience and realise the wider benefits of digital identity.
The intention is for the Bill to establish:
- a governance board as a public service authority within a public service department
- an accreditation authority within a public service department
- a liability framework subject to the development of the rules
- the offences and penalties for the Trust Framework
- infringement notices, provided through primary legislation
- the accreditation authority′s ability to recover costs
- a disputes resolution process.
Draft Trust Framework rules
The rules apply minimum requirements across 5 categories:
- Identification management — defining how a user can be identified and authenticated so that they may have access to systems and services.
- Information and data management — defining how information is administered and determining the use, management and protection of data.
- Security and risk management — reducing and mitigating risks relating to the creation and sharing of information in a digital manner.
- Privacy requirements — includes the incorporation of requirements under the Privacy Act 2020.
- Sharing and facilitation requirements — includes consideration of the consent and delegation models to be used.
The rules will focus on incorporating existing standards and requirements that need to be met to provide a trusted environment for those operating within the digital identity system.
A development and testing group of public and private membership, and including Māori partners, is providing feedback on initial draft rules.
Te Ao Māori and Te Tiriti o Waitangi perspectives and requirements will be embedded in each category.