Key concepts of the Trust Framework

An introduction to some key concepts and intentions of the Digital Identity Services Trust Framework, and an overview of what it will and will not allow.

Key concepts of the Digital Identity Services Trust Framework include the following.

  • Consent is always required
  • The system is opt-in
  • Sharing between government departments remains controlled
  • Privacy and security standards are built in
  • Rules incorporate Te Ao Māori perspectives of identity
  • Identity theft risks are managed

Consent is always required

People will always provide consent when they share their information within the digital identity system.

That means that digital identity service providers delivering accredited services within the trust framework must always seek the user’s consent before sharing personal or organisational information.

This is a core rule that applies to all transactions.

This requirement supports and aligns with the principles of the Privacy Act 2020.

The digital identity system is opt-in

Non-digital transactions will still be possible

The new framework will not require people to use the digital identity system.

People will still be able to apply for services in person, over the phone, or by using physical credentials to show who they are when applying.

Service providers do not have to seek accreditation

Digital identity service providers can still deliver their services without being accredited under the Trust Framework if they wish to.

A trust mark will enable people and businesses to distinguish between accredited and non-accredited digital identity service providers.

Sharing between government departments remains controlled

Currently, government departments may only share information if there is an Approved Information Sharing Agreement (AISA) in place. These are covered under Part 7 of the Privacy Act: Sharing, accessing and matching personal information.

Information sharing arrangements, such as AISAs, will continue.

More information is available from the Office of the Privacy Commissioner.

Privacy and security standards are built in

There are clear rules for how personal and organisational information can be handled when sharing information within the trust framework.

Digital identity services will be accredited against these rules.

They cover requirements for:

  • collecting information — so that privacy is always 'front of mind'. For example, there are rules on being clear about the purpose for collecting the information, and only collecting what is required
  • holding information — so that the security of systems and processes for storing information is robust and meets industry standards
  • sharing information — so that:
    • there are expectations around the technical processes for sharing, for example, encryption standards
    • there are ways to stop different parties being able to track information as it is shared
  • disposing of information — so that necessary records are kept, but other information is disposed of safely and securely.

Rules incorporate Te Ao Māori perspectives of identity

Specific provisions in the Digital Identity Services Trust Framework Bill will ensure that Te Ao Māori approaches to identity are considered in trust framework governance and decision making.

Ways of embedding Te Ao Māori and Te Tiriti o Waitangi perspectives and requirements throughout the rules are being considered through the development and testing stages.

Identity theft risks are minimised

New Zealand’s current digital identity environment is unregulated, which means that people and businesses are exposed to an increasing risk of online fraud and breaches.

New Zealand has new identification management standards designed to help prevent identity theft, fraud and loss of privacy.

The standards underpin all transactions that occur within the trust framework and will be a key part of the new regulatory framework.

Identification management standards
