GEA-NZ dimension: Identity, privacy and security
The identification, security and privacy dimension represents 3 critical capabilities that must be preserved across all other dimensions of GEA-NZ.
Identification, security and privacy are represented as a separate dimension in GEA-NZ as they enable and constrain all other layers of the architecture. They can be viewed as interrelated foundational business capabilities that agencies need to have in place to operate safely.
Privacy and security are essential to trust in government, and robust identification of staff, customers and suppliers is a critical enabler of privacy and security. It is important to understand, nevertheless, that ‘identification’ does not necessarily imply explicit naming of parties to an interaction: modern privacy-by-design focuses on ensuring that interactions are authorised and comply with policy, without requiring the unnecessary disclosure of information. So, for example, a person should be able to identify themselves to a trusted party and prove their eligibility for a service, and then present that proof to a service provider without disclosing their identity directly.
An agency enterprise architecture might choose to broaden this dimension to cover all capabilities relating to the management of risk. In any case, a mature and business-driven approach to risk is essential for the effective management of identification, privacy and security: all risk management involves prioritisation, trade-offs and risk acceptance, which require domain expertise and judgment; simple checklist or rules-based approaches will not suffice and may impose unsustainable cost for no effective benefit.
|Strategy, investment and policy||Identification, privacy and security are strategic capabilities that need targeted investment. They are fundamental to trust in government and a prerequisite for digital transformation.|
|Governance and performance||Privacy and security are primary focus areas in corporate governance. Every agency is required to nominate accountable executive roles. Performance monitoring is required, and robust identification of customers, staff and suppliers is a critical enabler. Privacy and security also impose constraints on some aspects of monitoring.|
|Standards||Standards created or selected to support an agency's business must meet identification, privacy and security requirements.|
|Business||Identification, privacy and security are business functions in their own right, but are also considerations that enable and constrain customer interaction, channel design, sourcing, service design and process design.|
|Data, information and analytics||Identification, privacy and security provide access, security and privacy input and constraints for the collection, storage and exchange of information.|
|Application and software services||Identification, privacy and security drive requirements in the selection and operation of technology services.|
|Infrastructure||Identification, privacy and security are capabilities that require infrastructure investment, and also represent requirements that other infrastructure elements must not compromise.|
Identity, privacy and security resources
Below are examples of what you may find in your agency, and across government, that will help guide your enterprise architecture.
Agency and sector resources
- Agency corporate policies for information security, privacy and risk management.
- Privacy impact assessments.
- Security risk assessments.