Implementing the Information Assurance Standard
This guidance provides additional information and examples to aid with the understanding of and compliance with the controls in the Information Assurance Standard.
Help us create the best guidance possible
If you would like anything added to or clarified in this guidance, email the Identification Management team at email@example.com.
Information Assurance is about the quantity and quality of information collected in relation to an Entity. It applies whether the information is being collected during the initial enrolment of the Entity or updated during subsequent interactions. Information Assurance does not make any judgement as to whether the Entity is using their own information or not; that is covered as part of Binding Assurance.
Definitions for key terms used in this guidance can be found in Identification terminology.
This is living guidance and will be evolved and expanded over time to meet the needs of users.
Objective 1 — Information risk is understood
Applying a risk-based approach to information assurance helps to identify the aspects of information that drive the level of risk. Understanding this enables the development of a wide range of mitigation strategies.
IA1.01 Guidance — risk assessment
Any robust risk assessment process may be used to identify the information risk posed. The guidance provided in Assessing identification risk has been developed to improve the quality of this assessment.
A workbook has also been developed to help with undertaking an identification risk assessment and to provide the optimum level of assurance as an output. For a copy, email firstname.lastname@example.org.
If the assessment is being used for assessing the risk of providing a credential, consideration needs to be given to the accumulated risk posed by the reuse of the credential.
Objective 2 — Information is protected
Some information collected has little or no purpose for the service or transaction being provided. This is often due to the evolution of the service or transaction over time, where information becomes redundant, or through a lack of detailed scrutiny of the information being collected.
There are instances where information collection has been legislated.
The over-collection of information, especially identifying attributes, increases the likelihood of privacy breach or identity theft when that information is exposed.
For every piece of information collected, identify the purpose it serves. Also think about whether the full value is needed, or a derived value is enough. For instance:
- collecting date of birth when only confirmation of being over 18 is required
- collecting full address when just the town/city or postal code is enough
- collecting officially registered name when preferred (legal) name is enough.
Credential Providers may collect and/or link to a broad range of information to enable holders to use their credentials for a wide range of interactions. However, the establishment of these types of credentials creates large sets of information that will become targets for criminals. Even if these are in distributed systems, access is still available through the Entity’s Authenticator and any credential management interface.
IA2.01 Guidance — distinctive information
It’s desirable that there’s enough distinct information in an Entity’s Information for it to be determined as separate from another’s, without the need to rely on an assigned reference. This means that should anyone need to identify a specific set of Entity information, they can do so without needing to know the assigned reference.
Collecting information for distinction does not mean gathering additional identifying attributes other than those that serve a specific purpose.
Distinct Entity information does not ensure that an Entity is only enrolled once.
- email@example.com will be enough to distinguish between instances of Entity information within the context of domain.com if there’s a rule that each email address must be unique.
- A mobile number will be enough to distinguish between instances of Entity information within a context if there’s a rule that an Entity only provides the number of a mobile to which they have sole use.
- Residential address and initials may also be enough to distinguish between instances of Entity Information in most contexts.
IA2.02 Guidance — justifiable need
This is the application of Information privacy principle 1 of the Privacy Act 2020.
The collection of information, especially identifying or otherwise sensitive information, without a purpose is both intrusive and poses risks to privacy and security.
When collecting information ensure that there’s an identified need for the information. This also includes considering if the full value of a piece of information is needed or just a value derived from the information.
Examples of derived values
- Age — derived from date of birth
- Adult Yes/No — derived from the date of birth being more than 18 years ago
- Salary range $50,000 and $60,000 Yes/No — derived from annual salary
IA2.03 Guidance — retention
This is the application of Information privacy principle 9 of the Privacy Act 2020.
Information is often collected for decision making purposes. Once the decision has been made, is the information still required or can a record or reference be kept instead?
This extends the previous control: consider whether the information collected needs to be retained once enrolment is complete.
Examples of noted information
- A check is made against evidence, and rather than retain a copy of the values from that evidence, a record is kept of the check being made and the outcome of the check.
- A licence is sighted but is not photocopied or information on the licence recorded. A note is made that the licence was sighted on a specific date (and time) by a staff member.
- An online information verification is done. Once the verification has occurred a transaction record is kept but the information values that were verified are not retained.
Example of referenced information
- With the Entity’s consent (which can be limited or ongoing), a reference to a source of information can be retained to be used when required, rather than storing the information directly.
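The derived values in IA2.02 and the noted-information records in IA2.03, worked through as an added Python example that is not part of the guidance itself; the sample enrolment data, the treatment of a 29 February birthday as reached on 1 March, and the inclusive salary band are constructed assumptions.

```python
from datetime import date

# Constructed sample of information collected at enrolment (not real data).
# Dates are ISO 8601 strings (see IA3.01); 29 Feb is included because it is the
# edge case that naive "add 18 years to the year" code gets wrong.
COLLECTED = {
    "preferred_name": "A. Example",
    "date_of_birth": "2004-02-29",
    "annual_salary": 55000,
    "licence_number": "PLACEHOLDER-LICENCE",  # collected only to perform a check (IA2.04)
}


def age_on(date_of_birth: str, on: str) -> int:
    """Whole years elapsed. A 29 Feb birthday is treated as reached on 1 Mar in a
    non-leap year (an assumption made for this example)."""
    dob, ref = date.fromisoformat(date_of_birth), date.fromisoformat(on)
    before_birthday = (ref.month, ref.day) < (dob.month, dob.day)
    return ref.year - dob.year - int(before_birthday)


def is_adult(date_of_birth: str, on: str) -> bool:
    """'Adult Yes/No': the derived value that replaces the date of birth itself."""
    return age_on(date_of_birth, on) >= 18


def in_salary_band(annual_salary: int, low: int = 50000, high: int = 60000) -> bool:
    """'Salary range $50,000 and $60,000 Yes/No', inclusive at both ends (assumption)."""
    return low <= annual_salary <= high


def noted_check(check: str, outcome: bool, checked_at: str, staff_member: str) -> dict:
    """A 'noted information' record: what was checked, the outcome, when (ISO 8601)
    and by whom. The evidence values themselves are deliberately not part of it."""
    return {"check": check, "outcome": outcome, "checked_at": checked_at, "by": staff_member}


def retention_record(collected: dict, on: str, checks: list) -> dict:
    """Build the record kept after enrolment: derived values and check notes only.
    The raw identifying values (date of birth, salary, licence number) are dropped."""
    retained = {
        "preferred_name": collected["preferred_name"],
        "adult": is_adult(collected["date_of_birth"], on),
        "salary_50k_to_60k": in_salary_band(collected["annual_salary"]),
        "checks": list(checks),
    }
    discarded = {"date_of_birth", "annual_salary", "licence_number"}
    assert not discarded & set(retained), "raw values must not be retained"
    return retained


if __name__ == "__main__":
    note = noted_check("driver licence sighted, details consistent", True,
                       "2022-03-01T09:30:00+13:00", "staff-id-placeholder")
    print(retention_record(COLLECTED, "2022-03-01", [note]))
```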
IA2.04 Guidance — discarding
This is a further application of Information privacy principle 9 of the Privacy Act 2020.
It’s important that any information collected where the sole purpose is to provide a link to another source in order to verify something is discarded once this has occurred. If there’s a reason it needs to be retained, then IA2.03 applies.
- A driver licence number and version are collected in order to check if information on a licence is consistent with that stated. Once this is done there’s no reason to retain those values.
- An online information verification is done which needs a unique identifier in order to locate the information to be verified. Once the verification has occurred, the unique identifier and any information verified that is not required for a purpose is deleted.
Objective 3 — Information is accurate
Information accuracy is essential for effective information exchange and decision making. This is distinct from whether the information belongs to the Entity who claims it is theirs. This is covered in Binding Assurance.
Currently, there are limited resources to support standards in information accuracy. Planning is underway for a resource that defines information and data, their formats and the various authorities for the values associated with them. A link to that resource will be added when it becomes available.
IA3.01 Guidance — data formats
Using recognised and consistent data format standards makes the exchange of information easier and increases both the likelihood of matching and the quality of information in systems.
Examples of standards resources
Examples of data format standards and guidance:

| Information | Standard or guidance |
|---|---|
| Address — email | RFC 5322, Section 3.4.1 |
| Address — geospatial | |
| Address — residential | |
| Bank account number | |
| Country names and codes | ISO 3166 (all parts): Codes for the representation of names of countries and their subdivisions |
| | ISO 8601:2019 Date and time — Representations for information interchange — Part 1: Basic rules |
| | New Zealand Government OASIS CIQ Name Profile |
IA3.02 Guidance — determine level of information assurance
The Identification risk assessment process can be used to determine the level of information assurance (IA) required for information collected.
Alternatively, use an analytical assessment considering the following:
- the key business drivers and outcomes
- risk of financial loss or liability
- risk to the privacy, standing, reputation or safety of people
- harm to agency programmes or the public interest
- any direct downstream effects — this could include other parties that will rely on the outcome (for example, a credential).
Not all information will need the same level of assurance.
Examples of general levels
Level 4 — Information critical to decision making that has severe risk and the values are changeable (for example, COVID-19 status).
Level 3 — Information that is critical to decision making that is high risk and the values are changeable (for example, residency status) or severe risk and values are static (for example, a non-renewable qualification). Information required to meet legislative requirements (for example, age for purchasing alcohol).
Level 2 — Information for non-critical decision making.
Level 1 — Information for personalisation, administration and statistics.
IA3.03 Guidance — evidence selection
Evidence for the purposes of information accuracy typically includes one or more of the following:
- information provided by the Entity
- evidence containing or linking to Entity information from another context (for example, credentials)
- databases and registers containing Entity Information
- information provided by other entities (for example, someone acting on behalf of another).
The more critical the information is for decision making, and the greater the risks associated with it, the higher the level needed and therefore the higher the quality of source required.
At level 1 the information is collected from the Entity and is accepted without any attempt to seek assurance. However, there are several instances where the Entity is the authority for their information which makes these instances also qualify as level 4. This is important to note if there’s an intention to become a Credential Provider, in which case Federation Assurance also applies.
At levels 2 and 3, the information is a copy taken at a moment in time. The criticality of the information for decision making and the likelihood that the information will change over time are considerations at these levels.
Level 4 represents the most up-to-date and accurate source of information.
A resource including authorities and evidence levels is planned.
General examples of authorities and other sources of evidence
Address
NZ Post is the authority on who owns a PO Box or Private Bag. Land Information New Zealand is the authority on who owns a residence but that does not mean the Entity lives there. The Entity is the authority on where they live and where they can receive mail. Sending a message to the address and asking the Entity to repeat the message back provides assurance that the Entity can access mail at the address.
Bank account number
There are many authorities for bank accounts. Each financial institution is the authority on the bank accounts they administer. Several other organisations may have a copy of the number, which may or may not have been verified with the authority.
Biometric
The Entity is the authority for their biometric. Samples and the templates extracted from them are copies.
Birth information (birth name, date of birth, sex at birth, place of birth)
The authority for New Zealand born people is the NZ Birth Register held by Internal Affairs. For others, generally it’s the birth registry for the country where they were born, though Immigration New Zealand acts as a proxy for them for the NZ context. Documents issued by overseas authorities are copies, as is anything that uses these copies or Immigration NZ as a source.
Note: Not all information in the Birth Register is authoritative, for example the occupation of parents.
Work is needed to standardise the definitions and use of the terms Gender and Sex, as these are often used interchangeably.
Driver licence
The New Zealand Transport Agency is the authority for licence type, number, card version, classes and endorsements. The licence card is a copy of these and other information at a lower level.
Gender
The Entity is the authority for self-identification of gender.
Income
An employer is the authority for income from work related to them. A financial institution is the authority for income (such as interest and dividends) related to them. Inland Revenue has the potential to be a source of combined income, but they would not be an authority.
NZ Business Number
The Companies Office is the authority for the NZ Business number. Several other organisations may have a copy of the number, which could have been verified with the Companies Office.
Preferred (legal) name
In New Zealand an Entity can use any name they want providing it’s not for deceit, making them the authority for this name type. See also Good Practice Guidance for the Recording and Use of Personal Names.
Qualifications
There are many authorities for qualifications. Each educational institution is the authority for the qualifications they administer.
Tax file number
Inland Revenue is the authority on New Zealand tax file numbers (IRD numbers). Several other organisations may have a copy of the number, which may or may not have been verified with Inland Revenue.
Refer to the guide Using documents as evidence for more information.
IA3.04 Guidance — verifying
If the information is not verified against any evidence, then the level achieved is usually 1. Where the Entity is the authority, it may be acceptable to consider the level to be 4.
IA3.05 Guidance — level assumptions
If the Credential Provider has not indicated the level or levels of assurance of their credential, it can be risky to assume what these might be. Ideally, they should be treated as level 1. However, until declaration of levels of assurance becomes embedded, a pragmatic approach to accepting Credentials as having higher levels will need to be taken.
Estimation of levels of assurance, where not declared, needs to be done in conjunction with the Credential Provider and with expertise in the application of the Identification standards.
Objective 4 — Quality of evidence
The quality of the evidence determines an aspect of the level that cannot be achieved by the assessment of accuracy. A Credential Provider can issue credentials and provide services for directly accessing their databases and registers but if there’s no check that they are using the genuine evidence, the levels declared will not be achievable.
IA4.01 Guidance — level
The quality of the evidence needs to be consistent with the level of information assurance (IA) required.
- Documents can have a variety of security features that can be manually assessed. Some have more sophisticated features that need specialist devices and permissions to access.
- Digital certificates can be used to ensure online access to evidence (credentials or databases) has not been fabricated.
IA4.02 Guidance — status
Establishing if evidence has a status of suspended or revoked can be difficult if it’s not online and in real time. There are various services that provide catalogues of compromised evidence and Credential Providers also may provide a service for checking a credential (often a document) is still valid.
An expiry date on a document does not necessarily mean it has been revoked or suspended for all the aspects for which it may provide evidence.
- An expired passport is no longer valid for travel but could still serve as evidence of certain information.
- A watchlist may provide information about compromised credentials for those who have access to it.
IA4.03 Guidance — counter-fraud
Counter-fraud techniques are those activities that contribute to information assurance after the decision to accept evidence and the enrolment of the Entity.
IA4.04 Guidance — investigation
Regardless of the way in which information assurance is carried out, it’s important to keep good records. The ability to investigate the processes is a contributing element to building trust in those processes.
What and how much information is recorded about the processes undertaken will depend on the risk behind the need for enrolling the Entity plus any requirements under legislation, such as the Public Records Act 2005.
If there’s an intention to provide information assurance or other identification services to other parties, the requirements for Federation Assurance should also be applied.
The following resources are also related to this topic:
Department of Internal Affairs