
Part 2

Minimum Standard Requirements



In this section:

2 EOI Process Overview

3 Minimum EOI Process Phases

4 Minimum Process Step Requirements

4.1 Risk Assessment Phase

4.1.1 Step 1 – Establish the context, objectives and risk appetite for the agency’s services

4.1.2 Step 2 – Carry out an initial risk assessment

4.1.3 Step 3 – Carry out a formal risk assessment

4.2 Design and Operation Phase

4.2.1 Step 1 – Determine required EOI Confidence Level

4.2.2 Step 2 – Design and implement EOI process

4.2.3 Step 3 – Ongoing operation of EOI process

4.3 Monitoring and Evaluation Phase

4.3.1 Step 1 – Develop Monitoring and Evaluation Plan

4.3.2 Step 2 – Implement Monitoring and Evaluation Plan

4.3.3 Step 3 – Modify EOI processes if required


2 EOI Process Overview

Figure 1 provides a high-level overview of the process steps that an agency MUST carry out when implementing any EOI processes for services that require an individual’s identity to be established.

Figure 1 – Overview of Evidence of Identity (EOI) model



NOTE – Service delivery itself is not within the scope of this Standard. This Standard relates to service delivery only in cases where an EOI process is required before the service can be delivered to an individual.


3 Minimum EOI Process Phases

The main phases of the EOI process shown in Figure 1 are described in Table 2.

Table 2 – Phases of EOI process

Phase: Description

Risk Assessment: This phase involves determining the level of identity-related risk within the services that an agency delivers. The results of the identity-related risk assessment will help determine what, if any, EOI process is required for a particular service.

Design and Operation: This phase involves designing EOI processes that are appropriate to the level of identity-related risk identified for that service during the Risk Assessment Phase. Guidance is provided to ensure operationally appropriate EOI processes are implemented.

Service Delivery: This phase involves the delivery of a service by an agency following confirmation of the individual customer’s identity. As such, it is outside of the scope of this Standard.

Monitoring and Evaluation: This phase involves the ongoing monitoring of EOI processes and periodic evaluation to ensure that each agency’s EOI business processes and associated outcomes remain consistent with the EOI process objectives that were established as a result of the Risk Assessment Phase.

4 Minimum Process Step Requirements

To achieve the minimum requirements of this Standard, agencies MUST ensure that they implement the following process steps. These process steps each form part of one of the process phases listed in Table 2.

Agencies SHOULD follow Part 3 of this Standard to guide implementation of the minimum process step requirements.

4.1 Risk Assessment Phase

The agency MUST undertake an identity-related risk assessment of each of its services. This risk assessment MUST involve the following steps:

4.1.1 Step 1 – Establish the context, objectives and risk appetite for the agency’s services

At a minimum, the agency MUST consider the following factors when defining the context within which a particular service sits:

NOTE – See 6.4 for guidance on how to establish the context, objectives and risk appetite of agency services.

4.1.2 Step 2 – Carry out an initial risk assessment

The agency MUST determine whether the service results in any of the following:

Financial benefit

Could the individual customer receive a financial payment as a result of the service (e.g. payment of a benefit or grant)?

Non-financial benefit

Could the individual customer receive other specific non-financial benefits as a result of the service (e.g. training)?

Personal information

Could subsequent information about the individual customer be collected and stored by the agency?

Could the service result in the unauthorised release of personal or sensitive information?

Subsequent use for EOI

Could the service result in the issue of a document or data source that the customer could subsequently use as a form of EOI?

The agency MUST carry out a formal risk assessment (Step 3) if the answer to any of the above questions is ‘yes’.

If the initial risk assessment shows that the service does not contain identity-related risk, no further application of this Standard is required.

NOTE – See 6.5 for guidance on carrying out initial risk assessments.

4.1.3 Step 3 – Carry out a formal risk assessment

The agency MUST identify the consequences that could result from the service being delivered to a person whose identity is incorrectly attributed by the agency. Potential consequences MUST be considered from agency, individual, non-government organisation and general public perspectives.

At a minimum, the agency MUST consider the following risk consequences in relation to the particular service:

After determining whether any of these consequences apply for the particular service, an evaluation of the impact level for each consequence MUST be made.

The agency MUST consider any specific vulnerabilities it has that would increase the impact or likelihood for any consequences.

The agency MUST determine the overall level of identity-related risk in the service, based on the evaluation of the above risk consequences and analysis of the likelihood of these consequences occurring. Following this, the agency MUST align the service’s overall risk rating with one of the following Identity Service Risk Categories.

Identity Service Risk Category: Description

Nil or Negligible: Nil identity-related risk consequence in the service, or a negligible level of identity-related risk consequence in the service.

Low: Low level of identity-related risk consequence in the service.

Moderate: Moderate level of identity-related risk consequence in the service.

High: High level of identity-related risk consequence in the service.

If the service fits within the Nil or Negligible risk category, no further application of this Standard is required.

If the service fits within Low to High risk categories, the agency MUST progress to the Design and Operation Phase of the EOI process.

NOTE – See 6.6 for guidance on how to carry out a formal identity-related risk assessment.

4.2 Design and Operation Phase

4.2.1 Step 1 – Determine required EOI Confidence Level

The agency MUST determine the level of confidence required in the identity of the individual, in relation to the level of identity-related risk contained in the particular service.

The risk level assessed for a given service corresponds to the level of confidence required by the agency in establishing the individual’s identity.

The following table illustrates the different EOI Confidence Levels for services where identity-related risk exists.

Low identity risk service: Low EOI Confidence Level required

Moderate identity risk service: Moderate EOI Confidence Level required

High identity risk service: High EOI Confidence Level required

4.2.2 Step 2 – Design and implement EOI process

The agency MUST design an EOI process that meets the minimum evidential requirements for the required confidence level identified in Step 1.

NOTE – Descriptions of evidential requirements are outlined in Table 8 in Part 3. See 7.7 to 7.10 for guidance on good practice processes to support these evidential requirements.

If an agency currently has an EOI process in place for the particular service, the design step MUST be used to identify and close any gaps between current processes and the minimum requirements of this Standard.

4.2.3 Step 3 – Ongoing operation of EOI process

At a minimum, the agency MUST ensure that its EOI processes meet good practice requirements in each of the following operational aspects:

NOTE – See 7.18 to 7.27 for guidance on these considerations.

4.3 Monitoring and Evaluation Phase

4.3.1 Step 1 – Develop Monitoring and Evaluation Plan

Before the EOI process is implemented, the agency MUST ensure that monitoring and evaluation processes are in place to enable ongoing effectiveness of operational EOI processes.

4.3.1.1 Step 1.1 – Design monitoring plan

The agency MUST select appropriate performance indicators for monitoring the EOI process. These performance indicators will form the basis for later evaluation. At a minimum, the agency’s choice of performance indicators MUST take the following into account:

For each performance indicator, the agency MUST determine:

4.3.1.2 Step 1.2 – Design evaluation plan

At a minimum, the agency MUST document the following when carrying out an evaluation:

Agencies MUST determine the frequency with which evaluation activities will take place. This decision MUST be made before any EOI processes become operational.

4.3.2 Step 2 – Implement Monitoring and Evaluation Plan

The monitoring and evaluation processes outlined in the Monitoring and Evaluation Plan MUST commence as soon as the EOI process becomes operational.

4.3.3 Step 3 – Modify EOI processes if required

If evaluation suggests EOI processes are not adequately meeting objectives, the agency MUST consider modifying the EOI processes. At a minimum, the following actions MUST be undertaken whenever an EOI process is modified:

NOTE – See 9 for guidance on monitoring and evaluation of EOI processes.
