
Evidence of Identity Standard 2.0

Foreword and Contents



Department of Internal Affairs
December 2009
Version 2.0
ISBN 978-0-478-29491-0 (html)
Crown Copyright ©

Creative Commons Copyright


Foreword

This Standard is part of the New Zealand E-government Interoperability Framework (NZ e-GIF) authentication standards. These standards outline good practice guidance for the design (or re-design) of the authentication component of online services that require confidence in the identity of the transacting parties. These standards give effect to the planning advice from the State Services Commission’s 2004 Authentication for e-government: Best Practice Framework for Authentication.

This Standard is intended primarily for use by New Zealand government agencies. It sets out the process requirements for establishing and confirming the identity of individuals seeking government services. It should be used for all services that contain identity-related risk, regardless of the delivery channel (i.e. it applies to both online and offline service delivery).

Applying this Standard will help to ensure that agencies implement Evidence of Identity (EOI) processes that are appropriate to the services they deliver and that adhere to current accepted good practice.

EOI refers to the types of evidence that, when combined, provide confidence that individuals are who they say they are. All government services containing identity-related risk will require an EOI process. The comprehensiveness of each service’s EOI process will depend on the level of identity-related risk in that particular service. This Standard provides guidance on how to design and operate EOI processes appropriately.

Applying this Standard will assist with the management of identity crime, and the consequences that arise from these activities. However, application of this Standard does not guarantee complete mitigation of these risks, nor will it prevent cases of administrative error in relation to the establishment and confirmation of an individual’s identity. Agencies should, therefore, apply this Standard alongside other good practice initiatives that assist in the reduction of identity crime and which prevent administrative error.

This Standard supersedes the Evidence of Identity Framework published in October 2004 (www.dia.govt.nz) and the Evidence of Identity Standard (Version 1.0) published in June 2006.

Contents

Foreword

Part 1 – Introduction and Overview

1 Overview

1.1 Purpose

1.2 Objective

1.3 Standardising EOI business processes

1.4 Contextual factors

1.5 Authentication standards

1.6 Authoritative identity sources

1.7 Scope

1.7.1 Establishing identity and confirming identity

1.7.2 Establishing identity versus entitlement

1.8 Application of Standard

1.9 NZ e-GIF status

1.10 Accessing advice about this Standard

1.11 Document structure

1.12 Interpretation

1.12.1 Definitions

Part 2 – Minimum Standard Requirements

2 EOI Process Overview

3 Minimum EOI Process Phases

4 Minimum Process Step Requirements

4.1 Risk Assessment Phase

4.1.1 Step 1 – Establish the context, objectives and risk appetite for the agency’s services

4.1.2 Step 2 – Carry out an initial risk assessment

4.1.3 Step 3 – Carry out a formal risk assessment

4.2 Design and Operation Phase

4.2.1 Step 1 – Determine required EOI Confidence Level

4.2.2 Step 2 – Design and implement EOI process

4.2.3 Step 3 – Ongoing operation of EOI process

4.3 Monitoring and Evaluation Phase

4.3.1 Step 1 – Develop Monitoring and Evaluation Plan

4.3.2 Step 2 – Implement Monitoring and Evaluation Plan

4.3.3 Step 3 – Modify EOI processes if required

Part 3 – Guidance material

5 Overview

5.1 Navigating the guidance material

5.2 Core concepts for establishing identity

6 Risk Assessment Phase

6.1 General

6.1.1 The rationale for identity-related risk assessments

6.1.2 The importance of understanding identity-related risk

6.2 What is identity-related risk?

6.2.1 What are some types of identity-related risk?

6.2.2 How can a false identity be used to commit identity crime?

6.2.3 Entitlement fraud

6.3 Identity-related risk assessment process

6.3.1 Process overview

6.4 Step 1 — Context and objectives

6.4.1 Establish the context

6.4.2 Define the service’s objectives

6.4.3 Define the service’s risk appetite

6.5 Step 2 – Initial risk assessment

6.6 Step 3 – Formal risk assessment

6.6.1 Identify identity-related risks

6.6.2 Who can be affected by the incorrect attribution of identity?

6.6.3 Analyse and evaluate identity-related risk

6.6.4 Evaluating likelihood

6.6.5 Assessing a service’s overall identity-related risk level

6.6.6 Assigning an Identity Service Risk Category

6.6.7 Translating Identity Service Risk Categories to appropriate EOI process

6.6.8 Services with existing EOI processes

6.6.9 New services

6.7 Checklist for Phase 1 — Risk Assessment

7 Design and Operation Phase

7.1 General

7.2 No ‘one-size-fits-all’ EOI process

7.3 Factors to balance when designing EOI processes

7.4 Minimum process steps required

7.5 Establishing an individual’s identity

7.5.1 Establishing the identity of children

7.5.2 EOI objectives

7.6 Step 1 – Determine EOI Confidence Level

7.7 Step 2 – Design and implement EOI processes, including establishment and confirmation of identity requirements

7.7.1 EOI requirements associated with each EOI Confidence Level

7.7.2 Application of Table 8

7.7.3 Single document serving multiple Table 8 objectives

7.7.4 Objective A – The identity exists

7.7.5 Objective B – Identity is a ‘living’ identity

7.7.6 Objective C – Presenter ‘links’ to identity

7.7.7 Objective D – Presenter is sole claimant of identity

7.7.8 Objective E – Individual uses the identity in the community

7.8 Name changes

7.9 Confirmation of identity

7.9.1 Determining confirmation of identity requirements

7.9.2 Designing a confirmation of identity process

7.9.3 Service transaction considerations

7.9.4 Creation of a customer’s identity record

7.9.5 Maintenance of a customer’s identity record

7.9.6 Strengthening identity confidence

7.9.7 Channel considerations

7.10 Identity-related documentation

7.10.1 Types of identity-related documents

7.10.2 Protocols for acceptance of documentation

7.10.3 Training for staff – document recognition

7.10.4 Resources to assist with document recognition

7.10.5 Overseas-issued documents

7.10.6 New services

7.11 Verification of identity-related data against source data

7.11.1 Authorised information matching programmes

7.12 Biometrics

7.12.1 Considerations for agencies

7.13 Trusted referees

7.13.1 Criteria for trusted referees

7.13.2 Legislative implications for trusted referee processes

7.13.3 Privacy implications for trusted referee processes

7.13.4 Strengths and limitations of trusted referees

7.14 In-person verification processes

7.14.1 Strengths and limitations of in-person verification

7.15 Dealing with discrepancies

7.16 Investigative interviewing processes

7.17 Handling individual exceptions

7.18 Privacy requirements

7.18.1 Key considerations

7.18.2 Collection of identity-related information from individuals

7.19 Risk profiling

7.20 Data quality issues

7.21 Agents/persons acting on behalf of individuals

7.22 Step 3 – Ongoing operation of EOI processes

7.23 Internal controls

7.23.1 Establishing identity as part of an employment recruitment process

7.23.2 Operational considerations

7.23.3 Staff training

7.23.4 Physical control over vulnerable assets

7.23.5 Segregation of duties

7.23.6 Accurate and timely recording of services

7.23.7 Access restrictions and accountability for identity-related records

7.23.8 Appropriate documentation of service delivery and internal controls

7.23.9 Records management

7.24 Legal considerations

7.25 Transition of business processes

7.26 Complaints handling

7.27 Communication protocols between agencies

7.28 Checklist for Phase 2 — Design and Operation

8 Service Delivery Phase

9 Monitoring and Evaluation Phase

9.1 Continual improvement of EOI processes

9.2 Monitoring and evaluation approaches

9.3 Step 1 – Develop Monitoring and Evaluation Plan

9.3.1 Monitoring processes and performance indicators

9.3.2 Collection of data/information

9.3.3 Appropriateness of monitoring

9.4 Evaluation processes

9.4.1 Designing evaluation processes

9.4.2 Issues for evaluation

9.5 Step 2 – Ongoing monitoring and evaluation

9.5.1 Frequency of monitoring and evaluation activities

9.5.2 Changing monitoring processes

9.6 Step 3 – Amend EOI processes

Notes

Governance Group representation

Acknowledgement

Copyright

Referenced documents

Joint Australian/New Zealand standards

New Zealand legislation

Other

Related websites

Latest revisions

Review of standards

Information on New Zealand-issued documents

Appendices

Appendix A - EOI ‘primary’ documents/records referenced in this Standard

Tables

Table 1 – Authentication standards and documents

Table 2 – Phases of EOI process

Table 3 – Initial risk assessment

Table 4 – Identity-related risk: consequences and impacts

Table 5 – Identity Service Risk Categories

Table 6 – Matching Identity Service Risk Categories to EOI Confidence Levels

Table 7 – Matching risk level to appropriate EOI Confidence Level process

Table 8 – Evidential requirements for EOI Confidence Level processes

Table 9 – Documents/records used to satisfy Objective A

Table 10 – Documents/records used to satisfy Objective E

Table 11 – ‘Supporting’ documents/records used to satisfy Objective E

Table 12 – Documents/records used to establish name usage

Table 13 – In-person confirmation of identity: Evidential requirements for EOI Confidence levels

Table 14 – Phone confirmation of identity: Evidential requirements for EOI Confidence Levels

Table 15 – Postal mail confirmation of identity: Evidential requirements for EOI Confidence Levels

Table 16 – Performance indicators

Table 17 – Issues for evaluation

Table A1 – Documents used for EOI processes


Figures

Figure 1 – Overview of Evidence of Identity (EOI) model

Figure 2 – Overview of risk assessment process

Figure 3 – Initial assessment of identity-related risk

Figure 4 – Formal assessment of identity-related risk

Figure 5 – Overview of the Design and Operation Phase

Figure 6 – EOI objectives

Figure 7 – Overview of generic business processes for establishing an individual’s identity

Figure 8 – Generic business processes for confirmation of identity

Figure 9 – Monitoring and evaluation cycle



Checklists

Checklist for Phase 1 — Risk Assessment

Checklist for Phase 2 — Design and Operation

