Key concepts of the Trust Framework
Read an overview of what the Trust Framework will and will not allow. This information addresses frequently asked questions and clarifies some misconceptions.
Key concepts of the Digital Identity Services Trust Framework include the following:
- Consent is always required
- Personal information will not be held in a centralised database
- The system is opt-in
- Sharing between government departments remains controlled
- Privacy and security standards are built in
- Rules incorporate Te Ao Māori perspectives of identity
- Identity theft risks are managed
Consent is always required
People will always provide consent when they share their information within the digital identity system.
This means that digital identity service providers delivering accredited services within the trust framework must always seek the user’s consent before sharing personal or organisational information.
Requiring consent is a core rule that applies to all transactions.
This requirement supports and aligns with the principles of the Privacy Act 2020.
Personal information will not be held in a centralised database
The Digital Identity Services Trust Framework will not create a central repository or database to store people’s and organisations’ information.
The Trust Framework rules and regulations will not allow for the integration of data from multiple sources into a single location. The proposed new system will be decentralised.
Every transaction governed by the Trust Framework will be triggered by a one-off request from the person who needs the information to access a service. They nominate the piece of information and provide permission for the holder of that information to share it.
The Trust Framework rules will protect against connecting data in ways the user has not consented to.
The digital identity system is opt-in
People can still use physical credentials
It will not be compulsory for people to use the digital identity system.
People will still be able to apply for services in person, over the phone, or by using physical credentials to show who they are when applying.
Service provider accreditation is not compulsory
Digital identity service providers can still deliver their services without being accredited under the Trust Framework if they wish to.
A trust mark will enable people and businesses to distinguish between accredited and non-accredited digital identity service providers.
Sharing between government departments remains controlled
The Digital Identity Services Trust Framework will not change the way government departments currently share information.
This type of information sharing is governed by the Privacy Act. It says that government departments may only share information if there is an Approved Information Sharing Agreement (AISA) in place. These are covered under Part 7 of the Privacy Act: Sharing, accessing and matching personal information.
Information sharing arrangements, such as AISAs, will continue.
More information is available from the Office of the Privacy Commissioner.
- Approved Information Sharing Agreements
- Can one government agency share my information with another agency?
Privacy and security standards are built in
There are clear rules for how personal and organisational information can be handled when sharing information within the trust framework.
Digital identity services will be accredited against these rules.
They cover requirements for:
- collecting information — so that privacy is always ‘front of mind’. For example, there are rules on being clear about the purpose for collecting the information, and only collecting what is required
- holding information — so that the security of systems and processes for storing information are robust and meet industry standards
- sharing information — so that:
  - there are expectations around the technical processes for sharing, for example, encryption standards
  - there are ways to stop different parties being able to track information as it is shared
- disposing of information — so that necessary records are kept, but other information is disposed of safely and securely.
Rules incorporate Te Ao Māori perspectives of identity
Specific provisions in the Digital Identity Services Trust Framework Bill will ensure that Te Ao Māori approaches to identity are considered in trust framework governance and decision making.
Ways of embedding Te Ao Māori and Te Tiriti o Waitangi perspectives and requirements throughout the rules are being considered through the development and testing stages.
Identity theft risks are minimised
New Zealand’s current digital identity environment is unregulated, which means that people and businesses are exposed to an increasing risk of online fraud and breaches.
New Zealand has new identification management standards designed to help prevent identity theft, fraud and loss of privacy.
The standards underpin all transactions that occur within the trust framework and will be a key part of the new regulatory framework.