The Government introduced the Digital Identity Services Trust Framework Bill (Bill) earlier this week, which will establish a legal framework for the provision of secure and trusted digital identity services for individuals and organisations.
The core objective of the Bill is to help develop digital identity services that are trusted and people-centric. While the primary obligations in the Bill will be on digital identity service providers, it will also have an impact on individuals and organisations in the digital identity ecosystem, including banks, government agencies, utility and telecommunications providers.
What is digital identity?
Digital identity is the user-consented sharing of personal and organisational information online to access services and complete transactions.
What are digital identity services?
The Bill defines digital identity services as "a service or product that, either alone or together with one or more other digital identity services, enables a user to share personal or organisation information in digital form in a transaction with a relying party". Examples of digital identity services given in the Bill are services or products that:
check the accuracy of personal or organisational information;
check the connection of personal or organisational information to a particular individual or organisation;
provide secure sharing of personal or organisational information between trust framework participants.
This definition will capture a range of digital identity services in both the public and private sectors in New Zealand (and goes beyond RealMe, which is limited to digital identity verification for government and public sector services/products only).
Five key areas
The Bill introduces rules in five key areas, which we summarise as follows:
Trust Framework: The Bill establishes a trust framework made up of primary legislation, regulations and a set of rules, referred to as the "TF Rules", to apply to the provision of user-authorised digital identity services in New Zealand. The TF Rules will set out minimum requirements for security, privacy and confidentiality, identification management, data management and the sharing of information that providers of accredited digital identity services (TF Providers) must comply with.
Opt-in accreditation scheme: The Bill establishes an opt-in accreditation scheme consisting of minimum requirements for handling personal and organisational information that accredited TF Providers must comply with. TF Providers will be able to upgrade their systems for compliance with the TF Rules before applying for accreditation. If successful, accredited TF Providers may use approved "trust marks" to show their compliance with the TF Rules. Users will not need to be accredited to use accredited digital identity services.
Trust Framework Board: The Bill establishes a Trust Framework Board (TF Board) to provide education, publish guidance, and monitor the trust framework for performance and effectiveness. The TF Board will be responsible for recommending draft TF Rules to the Minister, following consultation with relevant stakeholders such as the Office of the Privacy Commissioner and TF Providers. Minister Clark has expressed his commitment to ensuring that the digital identity system reflects Māori perspectives and supports tikanga Māori, and so the TF Board must include people with knowledge of te ao Māori approaches to identity, technology and identity data management.
Trust Framework Authority: The Bill establishes a Trust Framework Authority (TF Authority), which will be responsible for making decisions on applications for accreditations and renewals, investigating complaints, and issuing penalties for breaches. The TF Authority will also maintain a register of accredited providers.
Penalties: The Bill allows users to lodge complaints with the TF Authority if they believe a TF Provider has breached the TF Rules. The TF Authority will have the power to grant remedies, such as publishing a public warning and suspending or cancelling a TF Provider's accreditation. The Bill also contains offences such as falsifying accreditation.
The Bill will not limit or otherwise affect the Electronic Identity Verification Act 2012 or the Identity Information Confirmation Act 2012, and will not override the Privacy Act 2020.
Who will the trust framework apply to?
The TF Rules will apply to TF Providers. The Bill permits TF Providers to provide both accredited and non-accredited digital identity services, and does not restrict any individual or organisation from providing digital identity services outside of the trust framework.
The TF Rules will also have an impact on others in the digital identity ecosystem, including:
individuals supplying personal information;
organisations that provide information to TF Providers e.g. government agencies, financial institutions and utility providers; and
parties relying on information made available by TF Providers e.g. government agencies and organisations in the financial services, healthcare, telecommunications and travel sectors.
The Bill is currently undergoing its First Reading and, if successful, will be sent to the Select Committee for consideration. The full text of the Bill can be accessed here.
The Russell McVeagh team will be monitoring the developments and will provide a further update when the Bill is enacted into law. In the meantime, if you have any questions relating to the Bill, or how it may relate to you, please contact us on the details below.