New Zealand digital trust framework, associated rules coming into effect July 24

The government has published the Digital Identity Services Trust Framework Rules 2024 governing accredited digital identity services. The document refers to a number of standards both national and international, covering services for information, binding, authentication and digital credentials. Notably, all credentials issued must comply with one of the W3C Verifiable Credential Data Model, the ISO/IEC 18013-5: Mobile driving licence (mDL) application, or ISO/IEC 23220 series: Cards and security devices for personal identification – Building blocks for identity management via mobile devices.

There are more requirements for trust framework providers of facilitation services, who “must publish the standards their service supports on a publicly available website.” The framework also prohibits so-called “phone home” systems: “facilitation mechanisms must not allow server retrieval of any data contained in a credential presentation, at the time of the presentation.”

The rules prioritize privacy and the minimization of risk to personal data such as biometrics.

There are requirements for disclosure and consent in collecting personal information, and when and why providers can ask for it; they “must not require the user to provide authorization, consent or permission for any activity not directly related to completing the accredited digital identity service being undertaken.”

Providers are bound by New Zealand’s Privacy Act 2020, including the Information Privacy Principles. Accredited services must provide a privacy impact assessment and review it at regular intervals. There are requirements for training and personnel, including a designated individual who is directly responsible for overseeing privacy impact assessments.

Likewise for security and risk management, which require security management plans and a security risk assessment. Security must include mitigations for a variety of risks, including  unauthorized use of valid credentials or credentials that can’t be verified.

Finally, information and data management rules cover data storage and retention, and – unique to New Zealand – “practices for managing information ethically” with regards to “considerations of Māori cultural perspectives” and “specific kaitiakitanga requirements when handling Māori information,” referring to the traditional Māori concept of guardianship of the sky, the sea and the land.

An evaluation by BixeLab last year showed that the system’s biometric technology used for public service access is not biased, despite slightly higher false positive rates for Māori and Pasifika people.

New Zealand’s Department of Internal Affairs gave advance notice that it will soon launch an RFP for a digital credential issuance platform earlier this week.

Article Topics

biometrics  |  data privacy  |  digital ID  |  Digital Identity Services Trust Framework (DISTF)  |  New Zealand  |  trust framework