[ Next | Previous | Contents ]

Part 1

Introduction and Overview

View printable pdf version of this section: EOI v2.0 Part 1 (.pdf) 237k*

*This document is in Adobe Acrobat (.pdf) format. You need to have the Adobe Acrobat Reader installed on your computer. You can download a free version from the Adobe site.


In this section:

1 Overview

1.1 Purpose

1.2 Objective

1.3 Standardising EOI business processes

1.4 Contextual factors

1.5 Authentication standards

1.6 Authoritative identity sources

1.7 Scope

1.7.1 Establishing identity and confirming identity

1.7.2 Establishing identity versus entitlement

1.8 Application of Standard

1.9 NZ e-GIF status

1.10 Accessing advice about this Standard

1.11 Document structure

1.12 Interpretation

1.12.1 Definitions



1 Overview

1.1 Purpose

The purpose of this Standard is to provide government agencies with good practice guidance about the required process for initial establishment and subsequent confirmation of an individual’s identity. The process applies to government services where confidence in the individual’s identity is required because of the types of risk contained within those services.

Use of this Standard will give agencies greater confidence in an individual’s identity, prior to delivery of a service to that person. This initial establishment of identity is an important means by which agencies can manage the risks to their business objectives that result from the incorrect attribution of identity.

Agencies that require third parties to follow the Standard can include a requirement to adhere to this Standard in the initial contract for services.

1.2 Objective

The objective of this Standard is to give the agency greater confidence in an individual’s identity, before the delivery of a service to that person. This will help to:

1.3 Standardising EOI business processes

Part 2 of this Standard outlines the minimum EOI process steps that an agency MUST follow. How these process steps are implemented may vary, depending on the individual agency’s context and objectives. Part 3 of this Standard provides guidance material to help agencies complete each of the required EOI process steps outlined in Part 2.

1.4 Contextual factors

There are a number of important contextual factors to be aware of when applying this Standard. These include:

1.5 Authentication standards

This Standard is part of the NZ e-GIF authentication standards for online service delivery. This suite of standards (see Table 1) provides detailed guidance for agencies to follow when designing authentication solutions. In particular, the standards enable agencies to determine the level of risk for each of their services and to identify appropriate EOI requirements and authentication key technologies.

Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal levels of EOI requirements and a username and password for ongoing confirmation of identity.

NOTE – Change of address is a generic example. For some services, change of address may have a High level of identity-related risk.

Table 1 describes the purpose of each of the authentication standards. The standards are listed in the order in which they are intended to be used by agencies.

Table 1 – Authentication standards and documents

Standard/Document name Purpose

Guide to Authentication Standards for Online Services

Provides a high-level overview of the NZ e-GIF authentication standards.

Evidence of Identity Standard

Specifies a business process for establishing the identity of government agency customers, and subsequent confirmation of their identity. Applies to services delivered through both offline and online channels.

Authentication Key Strengths Standard

Specifies the authentication keys to be used for online authentication and protections necessary for the authentication exchange.

Data Formats for Identity Records Standard

Specifies data formats for a set of customer information data elements that government agencies may use in customer identity records.

Password Standard

Specifies requirements for passwords used for online authentication.

Other authentication key standards (to be developed)

Specifies the requirements for two-factor authentication keys used for online authentication.

New Zealand Secure Web Services Framework and Standard (in preparation)

Specifies messaging standards and reference patterns for secure Web services and identity-related secure Web services.

New Zealand Security Assertion Messaging Standard

Specifies messaging standards for communicating authentication assertions.

Guidance on Multi-factor Authentication

Provides an overview of multi-factor authentication. May be superseded once other authentication key standards are developed. Not a NZ e-GIF standard.

Security Assertion Messaging Framework

Provides a general introduction to security assertion messaging. Not a NZ e-GIF standard.

1.6 Authoritative identity sources

New services have been introduced, or are under development, to make better use of government’s authoritative identity data sources. These services will support or complement EOI processes by reducing the amount of duplication of effort and investment in establishment of identity business processes within agencies, and reducing reliance on paper-based documents. The Identity Verification Service (IVS) and Data Validation Service (DVS) are two particularly relevant examples of these new services (see 7.10.6).

Agencies who make use of these services will still need to meet the evidential requirements for EOI Confidence Level processes set out in Table 8 of this Standard (see 7.7.1), but meeting these requirements may require less effort, and potentially provide greater confidence.

1.7 Scope

1.7.1 Establishing identity and confirming identity

This Standard’s primary focus is on an agency’s initial contact with an individual seeking a service or services that have a level of identity-related risk. After initial contact with the individual, the agency will need to have a means of confirming that the individual is the same person who established their identity with the agency at the outset. Detailed guidance on confirmation of identity is included in this Standard (see 7.9).

When designing EOI requirements for a service or services, agencies SHOULD determine the channels used to deliver the services and the methods to be used for confirming the identity of individuals. If the agency is delivering a particular service through an online channel, the suite of authentication standards MUST be referred to (see 1.5).

1.7.2 Establishing identity versus entitlement

The vast majority of services that require establishment of identity will also involve a need for the individual to meet eligibility or entitlement criteria. Entitlement criteria are directly linked to the type of service being provided. For example, an entitlement criterion for the issue of a New Zealand Passport is that the individual is a New Zealand citizen. In most cases, agency processes used to establish both identity and entitlement for particular services will be implemented simultaneously. However, agencies SHOULD undertake process design activities separately to ensure that the implemented process meets the objectives of both the EOI process and the entitlement testing process.

NOTE – While an EOI process will assist in the management of the identity-related risks associated with a particular service, it will not manage the risk of eligibility or entitlement fraud occurring.

1.8 Application of Standard

This Standard has been developed primarily for use by New Zealand government agencies that deliver services to the public that contain identity-related risk.

For guidance on agency responsibilities for compliance with NZ e-GIF standards at each status level, refer to the latest version of the NZ e-GIF (www.e.govt.nz).

This Standard is applicable whether a particular agency service is delivered through online and/or offline channels.

This Standard may also be used by agencies as part of the employment recruitment process if confidence in the identity of the person being recruited is required. Guidance on establishing identity as part of an employment recruitment process is included at 7.23.1.

Private sector organisations may choose to apply this Standard for the services they deliver to the public that contain identity-related risk.

NOTE – In some cases complete application of this Standard will not be suitable due to the nature of a service’s customer base (e.g. where the service’s customer base is made up of overseas-based customers, for a law-enforcement related service, or where the identities of certain customers are protected). In these cases, agencies SHOULD use exception processes that are aligned as closely as possible to the content of this Standard.

1.9 NZ e-GIF status

The initial version of this Standard (Version 1.0 - June 2006) entered the NZ e-GIF as Under development (U). This Standard will graduate to Recommended practice (R) after a successful, documented implementation and is expected to graduate to Adopted (A) once there is a track record of proven successful implementation.

Advice regarding the current e-GIF status of this Standard can be obtained from:

e-GIF Operations

State Services Commission

Postal: PO Box 329, WELLINGTON

Phone: 04 495 6600

Fax: 04 495 6669

Email: e-gif@ssc.govt.nz


1.10 Accessing advice about this Standard

The Department of Internal Affairs (DIA) is Custodian of this Standard and MUST be notified when:

Queries about this Standard should be directed to:

Email: eoistandard@dia.govt.nz


1.11 Document structure

This Standard consists of three parts as set out below:

Part
Title
Description

1

Introduction and Overview

Outlines the purpose, scope and application of this Standard.

2

Minimum Standard Requirements

Outlines the minimum process step requirements that agencies MUST follow to comply with this Standard.

3

Guidance Material

Provides guidance material for agencies on how to implement the minimum standard requirements outlined in Part 2. This guidance material is presented in order of the minimum process steps required of agencies. Agencies SHOULD follow this guidance material when implementing the minimum requirements set out in Part 2.

Additional guidance material, including factsheets on specific New Zealand-issued documents, can be found on the Public Sector Intranet’s EOI Standard subsite.

1.12 Interpretation

The following words, defined in Key Words for Use in RFCs to Indicate Requirement Levels (RFC 2119), are used in this Standard:

When cross-referencing other sections within this Standard, the number only is quoted.

The full titles of documents cited in this Standard are given in the list of referenced documents at the end of this Standard.

1.12.1 Definitions

For the purposes of this Standard, the following definitions1 apply:


Term Definition

agency

Any government organisation that applies this Standard.

anonymous service

A service that does not require the user to be identified or require protection of a user’s identity. For example, access to publicly available online publications.

attributed identity

The identity that an agency assigns to an individual based on its EOI process.

authoritative identity information

Identity information that can be relied upon across government for most administrative purposes. For any given identity attribute, the government often has one agency that has the best capability of collecting, verifying, maintaining and asserting that attribute.

benchmark

Evaluate or check a process by comparing with a standard point of reference.

biographical information

Record of the events that occur during a person’s lifetime, (e.g. birth registration, employment history and marriage or civil union registration).

biometric characteristics

Physiological or behavioural aspects of an individual that can be measured and used to identify or verify that individual (e.g. iris or fingerprints).

biometric information

Measurements of an individual’s physiological or behavioural characteristics that can be recorded and used for comparison and automated recognition of that individual (e.g. iris structure or fingerprint information such as arch, whorl and lop types).

biometric recognition

The process of matching an input biometric to stored biometric information. In particular, biometric recognition refers to comparing the biometric input from an individual to the stored biometric template about that individual. Examples of biometrics include face images, fingerprint images, iris images, retinal scans, etc.

biometric technology

The automated use of physiological and behavioural attributes (biometric information) to establish or verify an individual’s identity (biometric recognition).

business processes

A series of steps (i.e. related activities) followed to achieve a given outcome. A process has several key characteristics including:

specific measures that determine if it is done correctly and that enable it to be repeated multiple times

it consumes resources such as time, money and/or energy

it responds to quality control mechanisms that can help the process be done more efficiently.

confirm identity

Determine, to a level of confidence, that the individual is the same person who established their identity with the agency at the outset.

confirmation of identity

See ‘confirm identity.’

consequence

Outcome or impact of an event.

NOTE –

(1) There can be more than one consequence from one event.

(2) Consequences can range from positive to negative.

(3) Consequences can be expressed qualitatively or quantitatively.

(4) Consequences are considered in relation to the achievement of objectives.

Data Validation Service (DVS)

The DVS is a secure Web browser-based service that enables information on documents issued by the Department of Internal to be validated against the source data in the Department’s systems.

discrepancy

Situations where an individual has supplied identity-related documents or information that may have an inconsistency requiring further investigation.

e-GIF

E-government Interoperability Framework – a collection of policies and standards endorsed for New Zealand government information technology (IT) systems.

electronic verification

Verification of the accuracy of information through electronic checks of information records such as electronic databases.

establish identity

An agency or organisation may ‘establish an identity’ as an output of an evidence of identity (EOI) process performed to a specific level of confidence.

The results of an EOI process can be considered accurate to a specific level of confidence and at a specific point in time. ‘Establish identity’ differs from ‘verify’ or ‘strengthen’ identity in that the EOI process relates to a natural person the agency has not interacted with before.

NOTE – Each agency must consider its own legislative context to determine whether an identity can be established once for the agency as a whole. In some instances, there will be legislative requirements for the activities and data within different parts of the same agency to remain isolated.

establishment of identity

See ‘establish identity.’

evaluation

Systematic review of processes to ensure that business processes are still effective and appropriate.

event


Occurrence of a particular set of circumstances.

NOTE –

(1) The event can be certain or uncertain.

(2) The event can be a single occurrence or a series of occurrences.

evidence of identity (EOI)

The types of evidence that, when combined, provide confidence that an individual is who they say they are.

evidence of identity (EOI) process

The process by which an agency establishes, verifies or strengthens confidence in an individual’s identity.

evidence of identity (EOI) process risks

Any risk created through an EOI process.

exceptions/exception case

Individuals (or a group of individuals) who, for genuine reasons, are unable to meet the EOI requirements set out in this Standard.

false identities

Situations where a person uses an identity that is not their own. In some cases, this can be for legitimate reasons.

frequency

A measure of the number of occurrences per unit of time.

identification

Process of associating identity attributes with a particular person.

identity

A person’s ‘identity’ is their unique self and so each person has one and only one identity.

identity attributes

Identity attributes describe a person’s identity and these attributes constitute ‘identity information.’

Examples of identity attributes include:

attributes that describe the claimant of the identity in terms of physiological attributes (e.g. height, eye colour, photo, biometrics)

identity-related life event attributes relating to the creation/or termination of the identity (e.g. date of birth, date of death)

name attributes relating to the identity (e.g. first name, family name)

unique identifiers used by a source of authoritative identity information (e.g. Immigration New Zealand client number, visa number or passport number.)

identity crime

A broad term used to describe the misuse and abuse of identity, including identity fraud and the impersonation of an individual (which is sometimes referred to as ‘identity theft’). Identity crime can underpin and facilitate a range of other criminal activity.

identity information

Information that describes a person’s identity. Identity information typically includes a number of identity attributes.

identity information management

The gathering, verification, storage, use and disposal of identity information.

identity manipulation

Alteration of one or more elements of identity (e.g. name, date of birth) to dishonestly obtain an advantage.

identity-related risk

Any risk for a particular service that results from an individual’s identity being incorrectly attributed. See 6.2.1.

Identity Verification Service (IVS)

A proposed all-of-government shared service that provides individuals with the option to verify their identity authoritatively, online and in real time with participating agencies to a passport-level of confidence.

internal controls

Any policies, procedures, techniques and mechanisms put in place to minimise process failure and help ensure that actions are taken to address risks.

likelihood

Used as a general description of probability or frequency.

NOTE – Can be expressed qualitatively or quantitatively.

monitor/monitoring

To check, supervise, observe critically or measure the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.

primary data source

The original (i.e. issuing) source of identity data/information.

primary documents

Documents that can be used as part of a process for establishing an individual’s identity (e.g. birth certificate, Community Services Card, New Zealand Citizenship Certificate).

pseudonymous service

A service that does not require a person to be uniquely identified but requires that the service agency is able to respond to the user. For example, ‘recognise’ the person when he/she accesses the service on return visits.

risk

The chance of something happening that will have an impact on objectives.

NOTE –

(1) A risk is often specified in terms of an event or circumstances and consequences that may flow from it.

(2) Risk is measured in terms of a combination of the consequences of the event and their likelihood.

risk appetite

The level of risk an organisation is prepared to accept in the pursuit of its strategic objectives.

risk profiling

The process of gathering data on characteristics (e.g. customer behaviours) in order to identify categories of risk.

service

An activity conducted between a customer and a government agency, in accordance with the functions for which that agency is accountable.

sources of authoritative identity information

Organisations that establish identity on a national, authoritative basis.

In New Zealand there are two sources of authoritative identity information: Department of Internal Affairs for New Zealand citizens and Department of Labour (Immigration New Zealand) for non-New Zealand citizens.

strengthen identity confidence

Perform an EOI process on an established identity to a higher lever of confidence than the level used to initially establish that identity. In some cases this may involve re-verifying or re-validating individual identity attributes. In other cases, completely different checks may be required.

NOTE – The result of an EOI process can be considered accurate to a specific level of confidence and at a specific point in time.

supporting documents

Documents that can be used to assist in establishing or confirming an individual’s identity where an individual is unable to provide primary documents (e.g. bank statement, student ID card, utility account. Other types are set out on the Public Sector Intranet’s EOI Standard subsite.)

trusted referee

A person who is asked to confirm the accuracy of identity information supplied by an individual and who confirms that, to their knowledge, the information corresponds to that individual.

The two key elements that should exist for a person to be a trusted referee are that the person:

has personal knowledge of the individual being identified

meets the agency’s criteria of sufficient trust.

validation of identity attributes

The process of seeking corroboration of identity attributes from an authoritative source. This typically involves an agency requesting validation from a source of authoritative identity information (e.g. Passport Data Validation and other data validation services).

verify identity

Performing an EOI process on an established identity to the same level of confidence as used to initially establish that identity. The EOI process used to verify identity may include a subset of the checks required to establish an identity, so long as the agency or organisation achieves the specified level of confidence.

In practical terms ‘verify identity’ involves re-verifying or re-validating the set of identity attributes, relating to a natural person, to the specified level of confidence.

‘Verify identity’ differs from ‘strengthen identity’ in that the EOI process performed is at the same specified level of confidence.

The result of an EOI process can be considered accurate to a specific level of confidence and at a specific point in time. Depending on the needs of the agency, identities may need to be verified on an ongoing basis.

verification of identity attributes

The process of an agency taking responsibility for verifying the accuracy or reality of the data or claim. This may involve using information or services from other agencies (including validation services), however the agency ultimately makes a determination regarding the accuracy or reality of the identity attributes.

1 The terms consequence, event, frequency, likelihood, monitor and risk are taken from AS/NZS 4360. The terms biometric characteristics and biometric information are taken from ISO/IEC FDIS 19792:2009(E), Information technology — Security techniques — Security evaluation of biometrics. The concept of strengthening identity confidence is taken from Identity Information Management Principles, Border Sector Work Programme, May 2009.

[ Next | Previous | Contents ]