Overview of the Identification Management Standards
The New Zealand Identification Management Standards work together to provide assurance that an organisation has the right information about the right entities, helping minimise the risk of identity fraud.
Who should use these standards
These standards are intended for use by public and private sector organisations and individuals who perform the role of a Relying Party and/or Credential Provider.
Organisations or individuals who carry out activities, such as providing entitlements, care, services, employment, and education, where they collect, store and maintain information about an entity.
This includes issuing or utilising authenticators — such as a swipe cards, pin numbers or passwords — to recognise those entities when they return in the future.
Table 1 describes the 3 assurance standards and the aspect of identification they relate to.
|Robustness of the process to establish the quality and accuracy of Entity Information|
|Robustness of the process to bind the Entity to Entity Information and/or Entity to Authenticator|
|Robustness of the process to ensure an Authenticator remains solely in control of its holder|
Organisations that establish credentials — such as documents, licences and authenticators — that may be used to facilitate identification processes across multiple contexts.
In addition to the standards in Table 1, Table 2 describes an additional assurance standard.
|Additional steps undertaken to maintain the integrity, security and privacy of a credential used in many contexts|
The approach to the standards development
The Identification Management Standards have been developed using the following overarching principles.
- Risk-based approach — balancing effort with the risks posed by the service being delivered to the incorrect person.
- Objective-based controls — controls that allow for multiple and evolving ways to meet them.
- Channel and technology neutral — creating an environment where rules can be applied at a consistent level across delivery channels where environments and technologies change rapidly.
- Privacy centric — supporting minimal data collection and consent-based information sharing.
- No National ID — supports New Zealanders’ position regarding National ID.
Review of the standards
The Department of Internal Affairs (DIA) is responsible for the Identification Management Standards and continuously monitors developments in the field in order to identify business risks and improve practices.
If significant changes are identified, research may be undertaken, additional controls identified, and implementation timeframes specified.
Less significant changes and improvements may be addressed in updated guidance.
We welcome suggestions for how to improve these standards and guidance. Email your suggestions to firstname.lastname@example.org.