
Assessing identification risk

Understand how to conduct an identification risk assessment for your service or transaction. Use this to calculate the right strength of identification processes to protect against information fabrication and identity theft.

Understanding identification risk

Identification has 2 risks:

Risk 1 — incorrect information is provided for a service or transaction.

This is the risk of providing or denying a service or transaction to a person based on someone giving incorrect information during enrolment for or later use of a service or transaction.

Risk 2 — someone is incorrectly linked to or associated with the information and/or authenticator used in a service or transaction.

This is the risk that by using someone else’s information and/or authenticator, a person could gain an advantage they are not entitled to, avoid obligations (such as paying fines), or impact the entitlement of someone else.

Who engages in information fabrication or identity theft, and why

Considering the types of people who give incorrect information or carry out identity theft, and why they do this, helps in assessing identification risk.

Table 1 gives a list of the 4 main motives behind giving incorrect information and identity theft, and the types of people who do this.

Table 1: Main motives for identity theft

| Motive | Motive description | Parties |
| --- | --- | --- |
| Gain | To get access to money, goods, services or information | People who understand the value of the service or transaction (for example, other customers or scammers) |
| Misrepresentation | To use someone else’s identification information and associated things like qualifications and reputation to carry out an activity a person would not otherwise be able to do, or to avoid obligations that are associated with their own information | People with a particular agenda (for example, competitors, egotists, cheats, criminals, terrorists) |
| Personal attack | To cause someone financial loss, damage to reputation, physical or emotional harm, or embarrassment | People with a grudge against someone (for example, ex-partners, colleagues, competitors); people with a grudge against the service provider (for example, competitors, former employees) |
| Nuisance | To have fun or do something because of feeling bored. This motive is less likely to target a specific person and does not carry an intention to harm someone | People with no particular agenda |

Establishing if there is identification risk

To check if identification risk exists in a situation, ask these 5 questions:

  • Can anyone receive money or incur a cost through using the service (for example, a benefit, a grant or a debt)?
  • Can anyone receive other benefits through using the service (for example, a product, training or access)?
  • Is information about an entity being collected and stored by the service?
  • Can the service result in the release of their personal or sensitive information?
  • Can the service result in a document or data source being issued (for example, a licence or a digital ID) that could subsequently be used as a form of evidence of identification, qualification or reputation?

If you answer ‘Yes’ to any of these questions, then you should undertake a full identification risk assessment.

Situations that are not identification risks

Transactions that have no identification risk

Conducting an identification risk assessment

To establish which identification processes to put in place to protect your service or transaction, and to determine the ideal assurance level or strength of these processes, you first need to conduct an identification risk assessment.

An identification risk assessment is part of wider risk management and should be conducted alongside Privacy and Security assessments. Even if you’ve already built risk management into your service, effective identification management needs a more detailed understanding of the scope of your service and of each of the transactions within it.

To conduct an identification risk assessment, you need to understand the:

  • information the service collects and uses
  • consequences of an event happening
  • impact levels for each consequence
  • controls that are in place to prevent or reduce a consequence, and how strong they are
  • level of likelihood that a consequence will occur, given the controls in place
  • resulting level of identification risk for a service or transaction.

Categories of identification risk consequences

Assessing the consequences and impact level of each category

Identifying controls and assessing their effectiveness

Assessing the likelihood of a consequence occurring

Plotting the level of risk

Applying risk treatment

Risk treatment is a process of managing a risk for a service or transaction by choosing and implementing options to change the consequences that could happen or the likelihood of them happening.

Risk treatment options

Choosing the appropriate risk treatment options

Responsibility for implemented risk treatment options

Monitoring and reviewing identification risk

It’s important to consistently monitor and review the identification risks for your service or transaction as part of the wider risk management programme. This includes reviewing:

  • how the service or transaction operates to check whether the controls and risk treatments are performing appropriately
  • the identification risk assessment and identification processes to make sure they still align with current standards and best practice.

Tools for assessing identification risk

The Department of Internal Affairs has developed some workbooks to help with completing identification risk assessments.

The Service Assessment Workbook assesses the overarching service and focuses on Risk 1.

The Transaction Assessment Workbook is used for each transaction within a service and focuses on Risk 2. To make it easier to assess a large volume of transactions, a summary form of assessment can be done using the Bulk Transaction Workbook.

Advice or help — contact the Identification Team

Identification Team
Te Tari Taiwhenua
Department of Internal Affairs
Email: identity@dia.govt.nz
