PART 3 - GUIDANCE MATERIAL
3.1 Navigating the guidance material
Part 3 of the Standard provides detailed guidance to assist agencies to meet the minimum standard requirements outlined in Part 2. Guidance is provided on each of the required process steps to ensure that the EOI processes are appropriately implemented.
The following provides an overview of the guidance material with the relevant section references.
| Guidance material | Section |
| --- | --- |
| Risk Assessment Phase | 3.3 |
| General | 3.3.1 - 3.3.3 |
| Step 1 - context and objectives | 3.3.4 |
| Step 2 - initial risk assessment | 3.3.5 |
| Step 3 - formal risk assessment | 3.3.6 |
| Checklist for phase 1 risk assessment | 3.3.7 |
| Design and Operation Phase | 3.4 |
| General | 3.4.1 |
| No 'one-size-fits-all' EOI process | 3.4.2 |
| Factors to balance when designing EOI processes | 3.4.3 |
| Minimum process steps required | 3.4.4 |
| Establishing an individual's identity | 3.4.5 |
| Step 1 - determine EOI confidence level | 3.4.6 |
| Step 2 - design and implement EOI processes | 3.4.7 |
| Name changes | 3.4.8 |
| Identity-related documentation | 3.4.9 |
| Verification of identity data against source data | 3.4.10 |
| Trusted referees | 3.4.11 |
| In-person verification processes | 3.4.12 |
| Dealing with discrepancies | 3.4.13 |
| Investigative interviewing processes | 3.4.14 |
| Handling individual exceptions | 3.4.15 |
| Privacy considerations | 3.4.16 |
| Risk profiling | 3.4.17 |
| Data quality issues | 3.4.18 |
| Agents/persons acting on behalf of individuals | 3.4.19 |
| Step 3 - Ongoing operation of EOI processes | 3.4.20 |
| Internal controls | 3.4.21 |
| Legal considerations | 3.4.22 |
| Transition of business processes | 3.4.23 |
| Complaints handling | 3.4.24 |
| Communication protocols between agencies | 3.4.25 |
| Checklist for phase 2 design and operation | 3.4.26 |
| Service Delivery Phase | 3.5 |
| Monitoring and Evaluation Phase | 3.6 |
| Continual improvement of EOI processes | 3.6.1 |
| Monitoring and evaluation approaches | 3.6.2 |
| Step 1 - Develop monitoring and evaluation plan | 3.6.3 |
| Evaluation processes | 3.6.4 |
| Step 2 - Ongoing monitoring and evaluation | 3.6.5 |
| Step 3 - Amend EOI processes | 3.6.6 |
3.2 Core concepts for establishing identity
Identification is the process of associating identity-related data with a particular person. For many services, it is necessary for the agency to uniquely identify the individuals who are seeking to access the services it provides. For such services, identity-related risk should be managed, in part, through an appropriate EOI process.
It is not feasible to prove the identity of individuals wanting to access services with complete certainty. This would require an EOI process so cumbersome and intrusive that the costs would greatly outweigh any benefits. This Standard provides a risk-based approach to establishing identity, whereby identity is established with a degree of confidence appropriate to the service being delivered.
The EOI processes outlined in this Standard are based on a component approach to establishing identity. This approach consists of three key components that, if applied as a whole to an individual case, provide confidence that a person actually owns the identity they claim to own.
The three components for establishing identity involve:
1. Evidence that the claimed identity is valid - i.e. that the person was born and, if so, that the owner of that identity is still alive.
2. Evidence that the presenter links to the claimed identity - i.e. that the person claiming the identity is who they say they are and that they are the only claimant of the identity.
3. Evidence that the presenter uses the claimed identity - i.e. that the claimant is operating under this identity within the community.
Agencies SHOULD assess individuals against each of the above components for services that require a moderate to high level of confidence in the individual's identity (see 3.4.6). This is because each component provides important evidence about distinct aspects of identity. On its own, each component only provides part of the evidential process required to provide confidence that an individual is the true 'owner' of their claimed identity.
3.3 Risk assessment phase
3.3.1 General
This section provides guidance for determining the level of identity-related risk within the services that an agency delivers. The results of the identity-related risk assessment will help determine what, if any, EOI process is required for a particular service.
NOTE - For services delivered across the Internet, the level of identity-related risk can also be used to determine the minimum authentication key requirements for ongoing confirmation of identity. Refer to 6.3 of the Guide to Authentication Standards for Online Services.
The material outlined in this section is consistent with the risk assessment process outlined in the Australian/New Zealand Standard Risk Management (AS/NZS 4360:2004) and associated Risk Management Guidelines (SAA/SNZ HB 436:2004) and Information Security Risk Management Guidelines (SAA/SNZ HB 231:2004). As such, this section can be read within the context of this overarching risk management standard. It is noted that for some services, such as those with an international context, other risk management standards (or similar) may be more appropriate.
It is important that identity-related risk assessments are applied to individual services. This is because agencies often carry out multiple services, which have differing types and levels of identity-related risks inherent in them. As such, each service carried out by an agency MUST be subject to an individual identity-related risk assessment. Public service departments are required to adhere to AS/NZS 4360:2004. Identity-related risk assessments should, therefore, be undertaken as part of the wider risk assessment process that agencies undertake in relation to any given service. Those agencies that are not required to use AS/NZS 4360:2004 and that apply a different risk assessment model will need to tailor their identity-related risk assessments accordingly.
NOTE - While the identity-related risk assessment MUST be carried out for each service, an agency may then choose to maintain or implement a single EOI process that covers a range of services, providing these services have similar identity-related risks and risk levels.
3.3.1.1 The rationale for identity-related risk assessments
It is important that the New Zealand state sector maintains a high level of integrity in its processes and that only people entitled to certain services receive them. To this end, the identity-related risk assessment is critical so that appropriate EOI processes are designed in relation to the level of identity-related risk for a particular service.
This is important for the following reasons:
- if an agency is collecting too much identity-related information from an individual, relative to the level of identity-related risk in the service, this may be inconsistent with New Zealand's privacy requirements
- if an agency is collecting too little identity-related information from an individual, relative to the level of identity-related risk in the service, this may result in the agency not achieving its business objectives for the service (e.g. the erosion of confidence in government agencies or identity theft leading to entitlement fraud).
NOTE - In some instances an agency's EOI requirements may be prescribed in legislation (e.g. the issuance of the New Zealand driver licence provided for in the Land Transport Act 1998).
3.3.1.2 The importance of understanding identity-related risk
Understanding the identity-related risk associated with any given service is required to ensure that the appropriate EOI processes are designed and implemented to manage those identity-related risks.
Some services will have no inherent identity-related risk or will have an acceptable level of identity-related risk associated with them. Therefore, these services will not normally require EOI processes.
Other services will require an EOI process. These EOI processes will vary in their level of comprehensiveness depending on the level of identity-related risk contained in the particular service. In general, the greater the level of inherent identity-related risk for a service, the more comprehensive and stringent the EOI process will need to be.
Sections 0 to 0 provide guidance for agencies on how to determine what level, if any, of identity-related risk exists within their services.
Section 1.2 provides guidance for agencies on how to manage identity-related risk within a service through the selection of an appropriate EOI process.
3.3.2 What is identity-related risk?
Identity-related risk is the risk that corresponds to the incorrect attribution of an individual's identity. Identity-related risk is a component of the overall risk associated with any service.
3.3.2.1 What are some types of identity-related risk?
Types of risk consequences that can arise from the incorrect attribution of identity include, but are not limited to:
- Inconvenience, distress, or damage to standing or reputation (e.g. theft and subsequent use of an identity may have a significant impact on the true owner of that identity. The latter's ability to participate effectively in the community, and to receive the services they are entitled to receive is diminished. Likewise, if an agency provides services on numerous occasions to people claiming false identities, this can negatively affect that agency's reputation for being able to carry out its functions effectively)
- Financial loss or liability (e.g. payment of a financial benefit to any person using a stolen or fictitious identity, who is not entitled to receive that benefit, creates a direct financial loss to the Crown)
- Harm to agency programmes or the public interest (e.g. public or political perception that non-eligible people (i.e. those operating under fraudulent identities) are receiving services from agencies leads to loss of agencies' credibility with the public)
- Unauthorised release of sensitive information (e.g. personal information is released to an unauthorised person, thereby impinging on the privacy rights of the person who the information is about)
- Personal safety (e.g. theft of an identity enables access to information required to locate and harm a person whose location details are secret)
- Downstream effects external to the agency (e.g. an identity-related document issued to a person on the basis of a fictitious identity by one agency is then used to verify their identity for services with other agencies).
These types of risks can have significant impacts on numerous parties, including government agencies, the individuals whose identities have been stolen, other organisations (both government and non-government) and the public. These impacts may be extremely negative for those affected.
3.3.2.2 How can a false identity be established to misuse and abuse an identity?
Identifying identity-related risks requires an understanding of how a person can obtain a false identity to subsequently misuse and abuse an identity. Misuse and abuse of an identity refers to gaining money, goods, services, information or other benefits or the avoidance of obligations through the use of a false identity.
False identities can be established in the following ways:
- creating a fictitious identity
- altering one's own identity (identity manipulation)
- stealing or assuming a pre-existing identity (identity theft)
- stealing or assuming a pre-existing identity, which is subsequently manipulated.
NOTE -
1. Identity theft is used to describe the theft or assumption of a pre-existing identity (or significant part thereof) with or without consent, and whether in the case of an individual, the person is alive or dead.
2. Identity manipulation involves the alteration of one or more elements of identity (e.g. name, date of birth) to dishonestly obtain dual or more access to services or benefits or to avoid establishing obligations.
3. False identities are created, in some cases, for genuine reasons (e.g. in order to protect an individual from physical harm).
3.3.2.3 Entitlement fraud
Fraud that is not identity-related also occurs but is outside the scope of this Standard. A person may fraudulently gain money, goods, services, other benefits or the avoidance of obligations through the use of their real identity. For example, false declarations of income or personal situation may be made to gain additional welfare benefits that a person is not entitled to. This Standard is not designed to help reduce entitlement fraud risks and agencies will need to have other strategies in place to deal with this type of fraud.
3.3.3 Identity-related risk assessment process
1. Process overview
Figure 2 provides an overview of the risk assessment process steps (see Steps 1 to 3) that agencies MUST follow in order to determine the level of identity-related risk associated with their particular services.
Figure 2 - Overview of risk assessment process
NOTE -
1. The process steps are broadly based on those outlined in AS/NZS 4360:2004. Refer to that Standard for more detailed information.
2. Risk assessments will still be required for other reasons (e.g. potential financial implications, potential reputation damage, etc), even if there is no identity-related risk.
Sections 0 to 0 provide guidance on how to carry out a risk assessment that focuses specifically on identity-related risk. Illustrative examples are used to assist agencies to complete this assessment.
3.3.4 Step 1 - Context and objectives
3.3.4.1 Establish the context
For each service, the agency MUST establish the context in which that service is undertaken. Understanding the context is important for determining the service's exposure to identity-related risk, and the subsequent design of an appropriate EOI process. Agencies may need to balance EOI process design with conflicting objectives.
The context consists of a number of influencing factors. These include:
- the business, social, regulatory, cultural, competitive, financial and political environment in which the service exists
- the agency's key business drivers
- the resources available to the agency (people, systems, processes)
- the impact on stakeholders (both internal and external to the agency).
The following scenarios illustrate aspects of the context, and how context can impact on identity-related risk, for two services.
Scenario 1 - Grant of New Zealand citizenship
Context - New Zealand citizenship entitles the recipient to many benefits. The criteria for the grant of citizenship are prescribed by legislation.
Scenario 2 - Enrolment at university
Context - Enrolment at university entitles the individual to attend university in courses / programmes for which they qualify. Acceptance of an enrolment potentially entitles the individual to financial support and other benefits such as discounted services. Universities are large organisations that are partly funded by government and that have a strong interest in maintaining reputation and excellence.
NOTE -
1. Agencies are likely to have already identified the characteristics and nature of their context as part of their existing risk management practice and strategic planning.
2. SAA/SNZ HB 436:2004 provides a good overview of the aspects that, together, establish the context of a particular service - in particular aspects relating to external [2] and internal [3] environments.
[2] Includes factors listed in 3.3.4.1 and the organisation's strengths and weaknesses, opportunities and threats. See section 4 (pp. 27-36) of SAA/SNZ HB 436:2004.
[3] Includes factors listed in 3.3.4.1 and culture; structure and capital; and goals and objectives and the strategies that are in place to achieve them. See section 4 (pp. 27-36) of SAA/SNZ HB 436:2004.
3.3.4.2 Define the service's objectives
For each service the agency MUST determine the particular objectives to be achieved through that service. In addition to the context, this provides an important reference point for assessing identity-related risk.
The following are generic examples of different types of objectives for various services:
- that information is made freely available and is also disseminated (e.g. via mail drop) to a particular region
- that a financial benefit be paid only to people who can satisfy the agency of their identity and who meet specific eligibility criteria set by the agency (e.g. income within threshold levels)
- that a licence be issued only to those who have demonstrated they meet all required criteria (e.g. pass a competency test) and who can satisfy the issuing agency of their identity
- that personal information be provided only to a person authorised to receive that information.
The following scenarios illustrate the objectives for two particular services and how these objectives can impact on identity-related risk.
Scenario 1 - Grant of New Zealand citizenship
Objectives for this service include:
- that citizenship is granted to only eligible applicants
- that the citizenship process is accessible, fair and user-friendly
- that all processes comply with the Privacy Act 1993
- that the international reputation of NZ citizenship is maintained.
Scenario 2 - Enrolment at university
Objectives for this service include:
- to confirm eligibility for enrolment
- to confirm numbers of students for a range of administrative purposes (e.g. for funding allocation)
- to gather information about what students want, to obtain relevant personal information about the applicants to assist with other objectives (e.g. targeting information about courses on offer, etc).
NOTE - As with establishing the context for a service (see 0), it is likely that the objectives for services will already be well understood by the agency.
3.3.5 Step 2 - Initial risk assessment
For each service, the agency MUST carry out an initial assessment to determine whether any specific identity-related risk exists, unless it is obvious to the agency that the service does contain identity-related risk. In the latter case, the agency can progress directly to Step 3 (see 0).
The initial assessment is intended to determine whether progression with a formal identity-related risk assessment is required for a particular service. In practice, there are numerous services carried out by government agencies where it will be clear that they contain either negligible, or no, identity-related risk.
Consideration of the factors set out in Table 3 will assist agencies to identify whether a service has an identity-related risk associated with it.
Table 3 - Initial risk assessment
| Factor | Question |
| --- | --- |
| Financial benefit | Will the individual customer receive a financial payment as a result of the service (e.g. payment of a benefit or grant)? |
| Non-financial benefit | Will the individual customer receive specific, other non-financial benefits as a result of the service (e.g. training)? |
| Personal information | Will subsequent information about the individual customer be collected and stored by the agency? |
| Subsequent use for EOI | Will the service result in the issue of a document or data source that can be used subsequently by the customer as a form of EOI? |
If none of the above applies to the service then it is likely that no EOI process will be required. Therefore, no further application of the EOI Standard is required for the service.
As a guide, services that are unlikely to contain identity-related risk (and, therefore, would not normally require an EOI process) include, but are not limited to:
- where the agency is providing non-sensitive information to an individual (e.g. an application form)
- where the agency is providing non-sensitive advice to an individual (e.g. information on how to access services)
- where the individual is making a payment to an agency (e.g. paying a parking fine).
Where a service meets one or more of the criteria in Table 3, a formal identity-related risk assessment is required. For these services, the agency MUST progress to Step 3 (see 0).
In situations where it is not entirely clear whether a particular service requires a formal identity-related risk assessment, the agency MUST progress that service through a formal identity-related risk assessment (i.e. Step 3 - see 0).
The following scenarios illustrate an initial risk assessment undertaken for two particular services.
Scenario 1 - Grant of New Zealand citizenship
- Financial benefit? No. There is no direct financial benefit resulting from the service.
- Non-financial benefit? Yes. The individual will become a New Zealand citizen and obtain all the rights associated with citizenship.
- Personal information? Yes. Personal information is collected as an integral part of this service.
- Subsequent use for EOI? Yes. Citizenship Certificate/record is used to establish identity for other services.
Given the above results, proceed to Step 3 and undertake a formal assessment of identity-related risk.
Scenario 2 - Enrolment at university
- Financial benefit? No. There is no direct financial benefit resulting from the service.
- Non-financial benefit? Yes. The individual will be able to access a range of education services if enrolment is accepted.
- Personal information? Yes. Personal information is collected as an integral part of this service.
- Subsequent use for EOI? Yes. Proof of enrolment is used as a basis of making a claim to other related services (e.g. applying for a student benefit or loan).
Given the above results, proceed to Step 3 and undertake a formal assessment of identity-related risk.
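The Step 2 triage can be encoded as a per-service decision function, for example to screen an agency's service catalogue. This is an added example, not part of the Standard. The names `Answer`, `Service`, `initial_assessment` and `triage`, the `UNCLEAR` answer, the treatment of unanswered factors as unclear, and every catalogue entry marked as constructed are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Answer(Enum):
    YES = "yes"
    NO = "no"
    UNCLEAR = "unclear"  # assumption: models the "not entirely clear" case


class Outcome(Enum):
    NO_EOI_REQUIRED = "no EOI process likely required"
    FORMAL_ASSESSMENT = "proceed to Step 3 (formal risk assessment)"


# The four factors of Table 3, in the order the Standard lists them.
FACTORS = (
    "financial_benefit",
    "non_financial_benefit",
    "personal_information",
    "subsequent_use_for_eoi",
)


@dataclass
class Service:
    name: str
    answers: dict = field(default_factory=dict)  # factor name -> Answer
    obviously_risky: bool = False  # agency may go straight to Step 3


def initial_assessment(service):
    """Return (Outcome, reasons) for one service, following Step 2."""
    if service.obviously_risky:
        return Outcome.FORMAL_ASSESSMENT, ["identity-related risk is obvious"]

    reasons = []
    for factor in FACTORS:
        # Assumption: an unanswered factor is treated as unclear, so the
        # triage fails towards the formal assessment, never away from it.
        answer = service.answers.get(factor, Answer.UNCLEAR)
        if answer is Answer.YES:
            reasons.append(f"{factor}: applies")
        elif answer is Answer.UNCLEAR:
            reasons.append(f"{factor}: unclear")

    if reasons:
        return Outcome.FORMAL_ASSESSMENT, reasons
    return Outcome.NO_EOI_REQUIRED, ["none of the Table 3 factors applies"]


def triage(catalogue):
    """Assess every service individually, as the Standard requires."""
    return {s.name: initial_assessment(s) for s in catalogue}


def _answers(fin, non_fin, personal, eoi):
    return dict(zip(FACTORS, (fin, non_fin, personal, eoi)))


Y, N, U = Answer.YES, Answer.NO, Answer.UNCLEAR

CATALOGUE = [
    # Answers for the two scenarios are taken from the text above.
    Service("Grant of New Zealand citizenship", _answers(N, Y, Y, Y)),
    Service("Enrolment at university", _answers(N, Y, Y, Y)),
    # Constructed entries: the answers below are illustrative only.
    Service("Payment of a parking fine", _answers(N, N, N, N)),
    Service("Hypothetical enquiry line", _answers(N, N, U, N)),
    Service("Hypothetical new service", {"financial_benefit": N}),
    Service("Hypothetical licence issue", obviously_risky=True),
]

if __name__ == "__main__":
    for name, (outcome, reasons) in triage(CATALOGUE).items():
        print(f"{name}: {outcome.value} ({'; '.join(reasons)})")
```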
3.3.6 Step 3 - Formal risk assessment
Step 3 requires the agency to undertake a formal assessment to determine the level of identity-related risk associated with a given service. The results of this assessment will provide the basis for considering how to manage any identity-related risks identified. This will include identification of the type of EOI process that should be applied for the service.
Figure 3 provides an overview of the process steps an agency needs to follow to carry out a formal identity-related risk assessment for any given agency service.
Figure 3 - Formal assessment of identity-related risk
3.3.6.1 Identify identity-related risks
During this step, the agency MUST identify the identity-related risks for a particular service.
For each service, an agency needs to identify:
- how different parties may be affected
- which identity-related risk consequences could impact on achievement of its objectives
- the likelihood of those consequences eventuating.
3.3.6.2 Who can be affected by the incorrect attribution of identity?
The most obvious identity-related risk associated with services is that a person not entitled to that service receives the benefits of it. This occurs through the incorrect attribution of identity and can impact upon a number of different parties. As part of the identity-related risk assessment, it is important to identify who is affected, and to what extent, by any incorrect attribution of identity. Affected parties may include (but are not limited to):
- Individuals (e.g. where entitled people apply for a government service and are deemed ineligible because their identity has been used previously by others to claim the same service)
- Non-government organisations (e.g. identity-related documents are mistakenly issued to people with false identities and are then used to commit fraud against other agencies)
- Public (e.g. where incorrect attribution of identity results in significant losses for agencies and institutions, causing countermeasures to be introduced by those agencies/institutions, with a downstream impact on public charges for those services)
- Agencies (e.g. detrimental effect on an agency's reputation can occur as a result of publicity that the agency has been defrauded by numerous individuals claiming false identities).
3.3.6.3 Analyse and evaluate identity-related risk
Overall risk levels are calculated as a combination of consequence and likelihood. This section outlines the process agencies SHOULD follow to determine the identity-related risk consequences (and their level of impact) for a given service.
Many potential risk consequences can arise from the incorrect attribution of identity. These will impact on the parties identified in 0 in a number of different ways and with differing levels of impact or severity.
Table 4 outlines the generic risk consequences [4] that SHOULD be considered in an analysis of identity-related risk. It is not intended as a complete list of possible consequences and agencies MUST continue to be alert to other consequences that could arise. Each risk consequence can potentially impact on numerous parties (e.g. both agencies and individuals).
For each risk consequence identified, three impact levels - low, moderate and high impact - are described in Table 4.
[4] Based on Memorandum to the Heads of All Departments and Agencies from Joshua B. Bolten of the Executive Office of Management and Budget, Washington D.C. 20503 issued on 16 December 2003 (www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf).
Table 4 - Identity-related risk consequences and impacts
| Risk consequence | Description | Description of impact levels |
| --- | --- | --- |
| Inconvenience, distress, or damage to standing or reputation | The result of incorrect attribution of identity can inconvenience, distress, or damage the standing or reputation of any party in a number of ways. For example, a stolen identity will have a significant impact on an individual in their ability to participate effectively in the community and to receive the services they are entitled to.<br>Widespread misuse and abuse of identity could also potentially impact negatively on the international reputation of New Zealand, leading to a reduction of investment in New Zealand businesses and migration. | Low - at worst, limited short-term inconvenience, distress or embarrassment to any party.<br>Moderate - at worst, serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party (e.g. an individual's credit rating is unduly affected).<br>High - severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals, e.g. loss of personal liberty due to error). |
| Financial loss or liability | Financial loss or liability as a result of incorrect attribution of identity can cause significant problems for any affected party. For example, a benefit payment to any person who uses a stolen or fictitious identity and who is not entitled to receive that benefit creates a direct financial loss to the Crown. | Low - at worst, non-material or inconsequential unrecoverable financial loss to any party, or non-material or inconsequential agency liability.<br>Moderate - at worst, a serious unrecoverable financial loss to any party, or a serious agency liability.<br>High - severe or catastrophic unrecoverable financial loss to any party, or severe or catastrophic agency liability. |
| Harm to agency programmes or the public interest | Incorrect attribution of identity has the potential to disrupt the effectiveness of agency programmes. This may result in a negative public or political perception that some people are not receiving the services from these agencies that they are entitled to and, vice versa, that people not entitled are receiving agency services. | Low - at worst, a limited adverse effect on organisational operations or assets, or public interests. Examples of limited adverse effects are:<br>(i) function degradation to the extent and duration that the organisation is able to perform its primary functions with noticeably reduced effectiveness, or<br>(ii) minor damage to organisational assets or public interests.<br>Moderate - at worst, a serious adverse effect on organisational operations or assets, or public interests. Examples of serious adverse effects are:<br>(i) significant function degradation to the extent and duration that the organisation is able to perform its primary functions with significantly reduced effectiveness, or<br>(ii) significant damage to organisational assets or public interests.<br>High - a severe or catastrophic adverse effect on organisational operations or assets, or public interests. Examples of severe or catastrophic effects are:<br>(i) severe function degradation or loss to the extent and duration that the organisation is unable to perform one or more of its primary functions, or<br>(ii) major damage to organisational assets or public interests. |
| Unauthorised release of sensitive information | Unauthorised release of sensitive information can result in loss of confidence in an agency and directly result in or contribute to negative outcomes (e.g. personal safety, financial loss, job loss) for the affected individual. Personal information needs to be protected and appropriately and closely managed. | Low - at worst, a limited release of in-confidence information to unauthorised parties, resulting in a loss of confidentiality with a low impact.<br>Moderate - at worst, a release of in-confidence or sensitive information to unauthorised parties, resulting in loss of confidentiality with a moderate impact.<br>High - at worst, a release of in-confidence, sensitive information or information with a National Security classification to unauthorised parties, resulting in loss of confidentiality with a high impact. |
| Personal safety | Incorrect attribution of an identity for an individual can compromise personal safety. For example, an individual incorrectly provided with a driver licence on the basis of another person's details and who would not qualify on the basis of a driving test can put themselves and/or the public at risk. | Low - at worst, minor injury not requiring medical treatment.<br>Moderate - at worst, moderate risk of minor injury or limited risk of injury requiring medical treatment.<br>High - at worst, risk of serious injury or death. |
| Downstream effects external to the agency | Incorrect attribution of identity can impact on agencies other than the agency delivering the service. For example, a passport that is issued to a fictitious identity could be used as the basis for fraudulent activities that directly impact on other organisations (both government and non-government). Alternatively, severe downstream consequences may occur if the holder of that passport uses it to engage in a destructive act made possible by using that passport to gain access to another country. | Low - at worst, limited short-term effect.<br>Moderate - at worst, serious short-term or limited long-term effect.<br>High - at worst, severe or serious long-term effect. |
It is important to recognise that these consequence categories are often interrelated. In addition, within each of the consequence categories there are likely to be a number of different specific consequences that are affected by factors such as the different customer groups that the agency deals with for the service. As part of any subsequent EOI process that is developed, additional processes based on risk profiling may also need to be developed.
The following scenarios show some of the potential consequences for two services and the level of impact for each consequence.
Scenario 1 - Grant of New Zealand citizenship
| Risk consequence | Description of consequence | Impact level |
|---|---|---|
| Inconvenience, distress, or damage to standing or reputation | If a person who has assumed another person's identity is granted citizenship and uses the assumed identity to commit offences, the legitimate person will suffer inconvenience and distress in having to rectify the situation. | High |
| Financial loss or liability | Not applicable for this service. However, downstream consequences may result in financial loss for other agencies (e.g. where New Zealand citizenship is part of the eligibility criteria for another service). | N/A |
| Harm to agency programmes or public interest | If citizenship processes are perceived to be inadequate this could lead to a loss of public confidence in the granting of citizenship process. | High |
| Unauthorised release of sensitive information | Citizenship Officer provides information to an unauthorised agent who uses that information to track down an individual for negative purposes. | Moderate |
| Personal safety | Citizenship is granted to a person who is using a false identity. This citizenship is then used to obtain a passport that could be used to travel internationally to commit offences such as a terrorist act. | High |
| Downstream effects external to the agency | A person is granted citizenship on the basis of a false identity and then receives services from various agencies using their Citizenship Certificate as evidence of their identity. | High |
Scenario 2 - Enrolment at university
| Risk consequence | Description of consequence | Impact level |
|---|---|---|
| Inconvenience, distress, or damage to standing or reputation | If individuals are able to enrol under false identities on a regular basis this could lead to reputation damage for universities. | Moderate |
| Financial loss or liability | If enrolments are made on the basis of false identities, this could lead to incorrect funding by the Crown for invalid enrolments. | Low-Moderate |
| Harm to agency programmes or public interest | If enrolment processes are perceived to be inadequate this could erode public confidence in universities' programmes generally. | Moderate |
| Unauthorised release of sensitive information | If academic information is released to people claiming to be the 'owner' of that information, this could lead to individuals claiming to be the holder of certain qualifications and gaining employment on the basis of those qualifications (e.g. medical practitioners). | Low |
| Personal safety | No identifiable risks. | Low |
| Downstream effects external to the agency | Successful enrolments are used as the basis for a number of subsequent government services, such as accessing student allowances and loans. | Moderate |
Having analysed the impact levels for each risk consequence category, the agency SHOULD then determine the overall impact level in relation to the risk consequences. In doing this evaluation the agency SHOULD determine if any risks are more significant than others for the particular service. As a general premise, however, the highest impact level for any of the risk consequence categories will indicate what the overall impact level for the service should be.
Scenario 1 - Grant of New Zealand citizenship
Avoiding loss of reputation will be particularly important. One of the reasons for this is that the maintenance of a good international reputation for New Zealand citizenship impacts positively on New Zealanders' ability to travel freely internationally. As such, this consequence category will need to be given considerable weighting within the overall risk evaluation.
The results shown in the previous citizenship scenario suggest that, overall, the identity-related risk consequences for this service are high.
Scenario 2 - Enrolment at university
Maintaining integrity in the New Zealand university system is important. One objective concerning this integrity is to ensure that only individuals who have met prerequisites for entry are enrolled. This will ensure that the correct individuals are matched with their evidence of achievement of those standards. In addition, it is important that the identity of individuals is correctly attributed, as being a student confers a wide range of non-financial (i.e. access to education services) and financial benefits.
The results shown in the previous education scenario suggest that, overall, the identity-related risk consequences for this service are moderate.
3.3.6.4 Evaluating likelihood
Overall risk levels are calculated as a combination of consequence and likelihood. Having evaluated the risk consequences for a particular service in 3.3.6.3 the agency SHOULD then assess the likelihood of these consequences occurring.
The extent to which an agency will be able to accurately establish the likelihoods associated with unwanted consequences will vary. However, the following methods may help:
- experience of other services conducted by the agency that have similar identity-related risk exposures
- experience of other agencies' services that have similar identity-related risk exposures
- relevant published data on the likelihood of particular identity-related consequences occurring for particular service types
- availability of specialist and expert advice.
An agency SHOULD make likelihood assessments according to whatever scale it deems most appropriate to the services being considered. Overall levels for consequence, likelihood and overall risk SHOULD be calculated using the agency's chosen risk methodology. Wherever possible scales SHOULD be consistent so that different identity-related risks can be compared and EOI processes tailored accordingly. Examples of such scales are included in section 6 of SAA/SNZ HB 436:2004.
Where an agency's identity-related risk assessments contain significant uncertainty, the agency SHOULD carry out a sensitivity analysis to test the effect of this uncertainty (see section 6 (pp. 46-61) of SAA/SNZ HB 436:2004 for more information on sensitivity analysis).
3.3.6.5 Assessing a service's overall identity-related risk level
The following scenarios provide an assessment of the overall identity-related risk associated with the granting of citizenship and enrolment at university. In addition to Not Applicable, a three-point scale of Unlikely, Possible and Likely is used in the following scenarios.
Scenario 1 - Grant of New Zealand citizenship
| Consequence category | Consequence | Likelihood | Risk |
|---|---|---|---|
| Inconvenience, distress, or damage to standing or reputation | High | Possible | High |
| Financial loss or liability | N/A | N/A | N/A |
| Harm to agency programmes or public interest | High | Possible | High |
| Unauthorised release of sensitive information | Moderate | Unlikely | Low-Moderate |
| Personal safety | High | Unlikely | Moderate |
| Downstream effects external to the agency | High | Possible | High |
| Overall Levels | High | Possible | High |
Scenario 2 - Enrolment at university
| Consequence category | Consequence | Likelihood | Risk |
|---|---|---|---|
| Inconvenience, distress, or damage to standing or reputation | Moderate | Unlikely | Low-Moderate |
| Financial loss or liability | Low-Moderate | Unlikely | Low-Moderate |
| Harm to agency programmes or public interest | Moderate | Unlikely | Low-Moderate |
| Unauthorised release of sensitive information | Low | Unlikely | Low |
| Personal safety | Low | Unlikely | Low |
| Downstream effects external to the agency | Moderate | Unlikely | Low-Moderate |
| Overall Levels | Moderate | Unlikely | Low-Moderate |
3.3.6.6 Assigning a service risk category
Having determined the service's risk level, the agency MUST allocate the service to a service risk category. This will enable the agency to determine what level of stringency of EOI process is required for the particular service.
Table 5 outlines four service risk categories. This scale will later be used to align services with particular identity-related risk levels to the appropriate levels of required confidence in a customer's identity. To do this, the agency SHOULD use the overall level of risk associated with the service to assign the appropriate service risk category in Table 5.
NOTE - For services delivered across the Internet, these service risk categories can also be used to determine the minimum authentication key requirements for ongoing confirmation of identity. Refer to 6.3 of the Guide to Authentication Standards for Online Services.
Table 5 - Service risk categories
| Service risk categories | Description |
|---|---|
| Nil or negligible risk | Nil identity-related risk in the service - this is sometimes referred to as an 'anonymous' service. Negligible identity-related risk in the service - this is sometimes referred to as a 'pseudonymous' service. |
| Low risk | Low level of identity-related risk in the service. |
| Moderate risk | Moderate level of identity-related risk in the service. |
| High risk | High level of identity-related risk in the service. |
3.3.6.7 Translating service risk categories to appropriate EOI process
The service risk levels (as determined in 3.3.6.5) correspond with the levels of confidence required by the agency in the individual's identity.
Determining the level of confidence required in an individual's identity is based on the premise that a higher level of identity-related risk consequence in a service will require a correspondingly higher degree of confidence in the validity of the claimed identity. The following scenarios illustrate the overall assessment of service risk category for two services.
Scenario 1 - Grant of New Zealand citizenship
The service risk consequence level was assessed to be High. This indicates that a high level of confidence in the asserted identity's validity is required.
Scenario 2 - Enrolment at university
The service risk consequence level was assessed to be Low-Moderate. This indicates that a moderate level of confidence in the asserted identity's validity is required.
NOTE - Applying the appropriate (EOI) Confidence Level to a service is an important aspect of the management of identity-related risk. However, this is not the only means of managing identity-related risks, and agencies SHOULD also determine any other mitigation strategies required to manage the service's identity-related risk (see 3.4).
Table 6 outlines the translation between the service risk consequence level and the EOI Confidence Level required. Full descriptions of EOI Confidence Levels are outlined in 1.2.6 and the processes for each are outlined in 1.2.7.
Table 6 - Matching service risk categories to EOI Confidence Levels
| Service risk category | EOI Confidence Level |
|---|---|
| Low Identity Risk Service | Low EOI Confidence Level required |
| Moderate Identity Risk Service | Moderate EOI Confidence Level required |
| High Identity Risk Service | High EOI Confidence Level required |
NOTE - Services described as having Nil or negligible risk in Table 5 do not require an EOI process and, therefore, do not appear in Table 6.
The following scenarios illustrate the overall assessment of EOI Confidence Level required for two services.
Scenario 1 - Grant of New Zealand citizenship
The service risk level was assessed to be High. This translates to a requirement for a High EOI Confidence Level process.
Scenario 2 - Enrolment at university
The service risk level was assessed to be Low-Moderate. This translates to a requirement for a Moderate EOI Confidence Level process.
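The two scenarios in 3.3.6.5 to 3.3.6.7 can be reproduced mechanically. The following is an added example, not part of the Standard: the risk matrix contains only the cells that can be read off the scenario tables (an assumption, since the Standard leaves the matrix to the agency's chosen methodology), and the short category keys are hypothetical.

```python
# Ordered scales; "Low-Moderate" is used as its own level in the scenario tables.
LEVELS = ["Low", "Low-Moderate", "Moderate", "High"]
LIKELIHOODS = ["Unlikely", "Possible", "Likely"]

# Consequence x likelihood -> risk. ASSUMPTION: only the cells visible in the
# two scenario tables are filled in; unknown cells raise instead of guessing.
RISK_MATRIX = {
    ("High", "Possible"): "High",
    ("High", "Unlikely"): "Moderate",
    ("Moderate", "Unlikely"): "Low-Moderate",
    ("Low-Moderate", "Unlikely"): "Low-Moderate",
    ("Low", "Unlikely"): "Low",
}

# Table 6, with Low-Moderate requiring Moderate confidence as in Scenario 2.
EOI_CONFIDENCE = {"Low": "Low", "Low-Moderate": "Moderate",
                  "Moderate": "Moderate", "High": "High"}


def category_risk(consequence, likelihood):
    """Risk for one consequence category, or "N/A" when it does not apply."""
    if "N/A" in (consequence, likelihood):
        return "N/A"
    if consequence not in LEVELS or likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown rating: {consequence!r} / {likelihood!r}")
    try:
        return RISK_MATRIX[(consequence, likelihood)]
    except KeyError:
        raise ValueError(f"no matrix cell for {consequence} x {likelihood}; "
                         "define it in the agency's own methodology") from None


def assess_service(ratings):
    """ratings: {category: (consequence, likelihood)} -> overall levels."""
    rows = [(c, l, category_risk(c, l)) for c, l in ratings.values()]
    rows = [r for r in rows if r[2] != "N/A"]
    if not rows:
        # No applicable category: treated here as Table 5 "Nil or negligible",
        # for which Table 6 requires no EOI process.
        return {"consequence": None, "likelihood": None,
                "risk": None, "eoi_confidence": None}
    # The highest level in any category sets the overall level (3.3.6.3).
    risk = max((r[2] for r in rows), key=LEVELS.index)
    return {
        "consequence": max((r[0] for r in rows), key=LEVELS.index),
        "likelihood": max((r[1] for r in rows), key=LIKELIHOODS.index),
        "risk": risk,
        "eoi_confidence": EOI_CONFIDENCE[risk],
    }


# Ratings copied from the Scenario 1 and Scenario 2 tables in 3.3.6.5.
CITIZENSHIP = {
    "reputation": ("High", "Possible"),
    "financial": ("N/A", "N/A"),
    "programmes": ("High", "Possible"),
    "information": ("Moderate", "Unlikely"),
    "safety": ("High", "Unlikely"),
    "downstream": ("High", "Possible"),
}
UNIVERSITY = {
    "reputation": ("Moderate", "Unlikely"),
    "financial": ("Low-Moderate", "Unlikely"),
    "programmes": ("Moderate", "Unlikely"),
    "information": ("Low", "Unlikely"),
    "safety": ("Low", "Unlikely"),
    "downstream": ("Moderate", "Unlikely"),
}

if __name__ == "__main__":
    for name, ratings in (("citizenship", CITIZENSHIP), ("university", UNIVERSITY)):
        print(name, assess_service(ratings))
```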
3.3.6.8 Services with existing EOI processes
Having completed an assessment of identity-related risk associated with a particular service, the agency SHOULD benchmark any existing EOI processes against those in 3.4 of this Standard to determine what, if any, change is required to bring the current EOI process into alignment with this Standard.
3.3.6.9 New services
Where an agency is implementing a new service, the agency SHOULD design EOI processes based on the assessment of identity-related risk for that service, as described in 0 and 0, and the relationship between such risks and levels of confidence shown in Table 6.
The types of EOI processes required to meet each of the EOI Confidence Levels are outlined in 1.2.7.
3.3.7 Checklist for Phase 1 Risk Assessment
Checklist for ________ (service name)

| Step | | Date when completed |
|---|---|---|
| 1. | Context and objectives for service defined and documented | |
| 2. | Initial identity-related risk assessment for service documented | |
| 3. | Formal risk assessment for services with identity-related risk: | |
| | - Risk consequence categories evaluated | |
| | - Overall risk level assessed and Service Risk Category determined | |
| 4. | Monitor, evaluate and review on | |
| 5. | Revisit identity-related risk assessment on | |
3.4 Design and operation phase
3.4.1 General
NOTE - A Monitoring and Evaluation Plan MUST be completed before an EOI process becomes operational (see 3.6.3).
This section covers the specific core areas that agencies need to be familiar with when designing their EOI processes and making them operational. These include:
- the EOI objectives to be met to identify an individual for particular services (see 3.4.5.1)
- generic EOI processes for providing three different levels of confidence in an individual's identity (see 3.4.7)
- operational considerations for EOI processes (see 3.4.20).
3.4.2 No 'one-size-fits-all' EOI process
There is no 'one-size-fits-all' EOI process that can be applied to all services requiring identity to be established. The reasons for this include:
- if a uniform approach were taken, it would risk 'ratcheting up' EOI processes for all government services to the level of services requiring a high level of confidence in an individual's identity. This would be unduly costly for lower risk services that do not warrant such a high level of confidence in an individual's identity (e.g. a 'passport' level EOI process would be inappropriate for joining a public library) and unnecessarily invasive of individuals' privacy
- not everyone can access the same identity documentation (e.g. non-New Zealand citizens who have different documentation available than New Zealand citizens). A set of uniform EOI requirements may unnecessarily restrict access to certain government services for some people
- each agency has different contexts and objectives that need to be considered when designing appropriate EOI processes.
EOI processes lie across a wide spectrum of needs, ranging from a situation where relatively little EOI is required (e.g. applying for a library card) to one where a significant amount of evidence is required (e.g. applying for New Zealand citizenship). Accordingly, this Standard defines 'generic' EOI processes to meet three Confidence Levels - High, Moderate and Low - that are aligned to the assessed level of identity-related risk for a particular service.
3.4.3 Factors to balance when designing EOI processes
Agencies are expected to design EOI processes that are tailored to their own business requirements when deciding how to implement the relevant EOI confidence level requirements. This involves considering a number of factors and agencies SHOULD undertake a cost/benefit analysis to determine the design features of their EOI processes. Examples of the types of factors that SHOULD be considered as part of this analysis are:
- Acceptability - the EOI process SHOULD be generally acceptable to customers, taking into account the different needs of individuals and avoiding the creation of unnecessary barriers. The process SHOULD be convenient, easy to use and as non-intrusive as possible, with due regard to the level of identity-related risk for the service
- Legal compliance - the EOI process MUST comply with relevant New Zealand law, including the Privacy Act 1993, the Human Rights Act 1993, the Public Records Act 2005 and any authorising legislation for the particular service
- Security and privacy - suitable protection MUST be provided for information owned by both individuals and the Crown, and an individual's right to privacy MUST be appropriately protected
- Affordability, reliability and timeliness - the EOI process SHOULD be affordable, reliable and should not create unnecessary delays for either individuals or government agencies.
It is also likely that EOI processes will be subject to ongoing amendment and modification to take account of environmental changes (e.g. policy changes, new information about methods of misuse and abuse of identity, changes in the processes to obtain identity-related documents, new technologies, etc - see section 3.6).
3.4.4 Minimum process steps required
Figure 4 provides an overview of the steps that agencies MUST follow for design and operation of their EOI processes.
Where an agency already has an EOI process in place for a particular service, it MUST assess that process against the requirements set out in this section. If the current process does not meet the design and operational requirements herein, appropriate changes MUST be made.
Figure 4 - Overview of the design and operation phase
3.4.5 Establishing an individual's identity
Establishing an individual's identity through business processes that are repeatable is challenging. This is particularly so given that:
- the person whose identity is to be established will generally not be known to the person(s) administering the EOI process
- not everyone will have the same documents/records available to assist in establishing their identity
- increasing the certainty about an individual's identity can involve increasing cost, time and effort for both the individual and the agency.
Further guidance on how identity can be established as a repeatable business process while not over-exposing the agency to excessive cost or risk is set out in 3.4.7 and 3.4.20.
3.4.5.1 EOI objectives
Verifying an individual's identity involves a number of different components, each of which achieves a different purpose. Figure 5 illustrates each of the components that form the foundation for an agency to establish an individual's identity.
Figure 5 - Evidence of identity objectives
Not all of the objectives in Figure 5 will necessarily need to be satisfied to establish an individual's identity. EOI requirements will depend on the level of confidence in the identity that is required for the particular service. For low risk services, not all objectives will need a separate process. For example, enough confidence will be gained in a customer's identity for a low risk service by just meeting objectives A, D, and E. However, all objectives will need to be specifically met for a high risk service. This is detailed in section 3.4.7 of this Standard.
3.4.6 Step 1 - Determine EOI Confidence Level
As part of the risk assessment process, an assessment is required of the level of identity-related risk attributable to each service delivered by a particular agency. Four identity-related risk categories are described (see Table 5). Of these risk categories, the lowest category of risk (Category 0) requires no specific EOI process.
The risk level assessed for a given service corresponds to the level of confidence required by the agency in establishing the individual's identity. Table 7 outlines the EOI Confidence Level required for services where identity-related risk exists.
Table 7 - Matching risk level to appropriate EOI Confidence Level process
| Low Identity Risk Service | Low EOI Confidence Level |
|---|---|
| This service level contains a low level of overall identity-related risk (service example - the issue of a library card). | The minimum required level of confidence in the individual's identity is low. The agency only requires evidence that the identity claimed by the individual is a genuine identity, that the presenting individual is the sole claimant, and that the individual claiming the identity uses that identity in the community. EOI provided is accepted by the agency at 'face value' without third-party verification unless the agency has cause to suspect that the information provided might not be correct, e.g. if it finds discrepancies in EOI provided. |
| Moderate Identity Risk Service | Moderate EOI Confidence Level |
| This service level contains a moderate level of overall identity-related risk (service examples - enrolment at a university or the payment of a short-term or one-off financial benefit). | The minimum required level of confidence in the individual's identity is moderate. The agency requires evidence that the identity claimed by the individual is a genuine identity, that the presenting individual is the sole claimant of the identity, and (if required) that the individual uses that identity in the community. EOI provided is accepted by the agency at 'face value' without third-party verification unless the agency identifies discrepancies in the EOI provided by the individual. |
| High Identity Risk Service | High EOI Confidence Level |
| This service level contains a high level of overall identity-related risk (service examples - the issue of a passport, the issue of a firearms licence, or the issue of permanent residence status). | The minimum required level of confidence in the individual's identity is high. The agency requires evidence that the identity exists, that the presenting individual is the sole claimant of the identity, and that the individual uses that identity in the community. EOI provided by the individual is, where possible, verified with a third party to confirm its authenticity. |
NOTE - For greater detail see Table 8.
It is important to recognise that risk categories and EOI Confidence Levels for services, as outlined in Table 7, are interdependent. In practice, each category and level sits on two continuums of 'identity-related risk' and 'confidence in identity' respectively. An agency's placement of a service in one of the above categories provides a useful way of determining what level of confidence is required in customer identities. However, where an agency's service does not fit neatly within one category, or where strict adherence to a particular EOI Confidence Level process is not possible (for example, due to a service's customer base being made up of minors), the agency will need to take a more practical approach.
NOTE - Where relevant, agencies will need to comply with any legislative requirements that prevent adoption of particular EOI processes (e.g. where the EOI requirements for a particular service are outlined in legislation and cannot be altered without legislative amendment).
3.4.7 Step 2 - Design and implement EOI processes
3.4.7.1 EOI requirements associated with each EOI Confidence Level
Figure 6 provides an overview of the generic processes that an agency will undertake when establishing an individual's identity. Each EOI Confidence Level requires identity-related objectives to be met to different degrees of assurance and with different levels of process complexity.
Figure 6 - Overview of generic business processes for establishing an individual's identity
Table 8 outlines the evidential requirements for meeting each of the three EOI Confidence Levels. In some cases, such as when discrepancies are found in the identity-related details provided by an individual, an agency might have cause to suspect that claims of identity made by an individual are not genuine. In these situations, the agency may wish to apply requirements from a higher Confidence Level process to the individual case to resolve those discrepancies.
Table 8 - Evidential requirements for EOI Confidence Level processes
| EOI objective | Low EOI Confidence Level | Moderate EOI Confidence Level | High EOI Confidence Level |
|---|---|---|---|
| A - Identity exists | 1 document | 1-2 documents (including at least one with photograph, if possible) | 1-2 documents (including at least one with photograph, if possible) or Verification against 1-2 source records held by issuing agency |
| B - Identity is a 'living identity' | (No specific process) | (No specific process) | Verification against the death register or Business processes for Objective C |
| C - Presenter 'links' to identity | (No specific process) | Verification by trusted referee or In-person verification | Verification by trusted referee, or In-person verification, or Biometric recognition where the agency has authorised access to a database containing the individual's biometric information; and Interview (in cases where suspicion is raised over individual's identity) |
| D - Presenter is sole claimant of identity | Check against agency records | Check against agency records | Check against agency records |
| E - Presenter uses identity | At least 1 document/record | At least 1 document/record or Business processes for Objective C | At least 2 documents/records or Business processes for Objective C |
Further information on what is entailed in meeting the evidential requirements for each EOI objective in Table 8 is set out in 1.2.7.2 to 1.2.7.6. Appendices A to C also provide information on each document/record referred to in meeting Objectives A to E. Details include:
- features of the document/record
- operational and legislative requirements associated with the document/record (where applicable) and the processes involved before issue or registration
- how using the document/record will help meet the requirements in this Standard.
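Table 8 can be read as a set of checks over an applicant's file, including the dependencies of Objectives B and E on the Objective C processes and the option of applying a higher Confidence Level when discrepancies are found. The following is an added example, not part of the Standard: the `Evidence` field names are hypothetical, and treating "1-2 documents" as "at least one" and the High-level interview as mandatory once a discrepancy exists are assumptions.

```python
from dataclasses import dataclass

LEVELS = ["Low", "Moderate", "High"]


@dataclass
class Evidence:
    """One applicant's file. Field names are hypothetical, not from the Standard."""
    identity_documents: int = 0        # Objective A documents presented (Table 9)
    photo_documents: int = 0           # how many of those carry a photograph
    source_records_verified: int = 0   # details confirmed with the issuing agency
    death_register_checked: bool = False
    trusted_referee: bool = False
    in_person: bool = False
    biometric_match: bool = False
    interview_held: bool = False
    sole_claimant_check: bool = False  # no other claimant found in agency records
    use_documents: int = 0             # Objective E documents/records
    discrepancy_found: bool = False


def effective_level(level, ev, escalate=True):
    """Apply the next level up when a discrepancy was found (optional in the text)."""
    i = LEVELS.index(level)
    if escalate and ev.discrepancy_found:
        i = min(i + 1, len(LEVELS) - 1)
    return LEVELS[i]


def unmet_objectives(level, ev, escalate=True):
    """Return {objective: what is missing} for the Table 8 column that applies."""
    level = effective_level(level, ev, escalate)
    high, low = level == "High", level == "Low"
    unmet = {}

    # Objective C processes are evaluated first because B and E may rely on them.
    # Biometric recognition is listed in Table 8 for the High column only.
    c_done = ev.trusted_referee or ev.in_person or (high and ev.biometric_match)

    if not (ev.identity_documents >= 1 or (high and ev.source_records_verified >= 1)):
        unmet["A"] = "no identity document" + (" or verified source record" if high else "")

    if high and not (ev.death_register_checked or c_done):
        unmet["B"] = "no death register check and no Objective C process"

    if not low:
        if not c_done:
            unmet["C"] = "no Objective C process completed"
        elif high and ev.discrepancy_found and not ev.interview_held:
            unmet["C"] = "discrepancy found but no interview held"

    if not ev.sole_claimant_check:
        unmet["D"] = "agency records not checked for another claimant"

    needed = 2 if high else 1
    if not (ev.use_documents >= needed or (not low and c_done)):
        unmet["E"] = f"fewer than {needed} document(s)/record(s) showing use of the identity"
    return unmet


def advisories(level, ev, escalate=True):
    """Soft requirements: Table 8 asks for a photograph only 'if possible'."""
    level = effective_level(level, ev, escalate)
    if level != "Low" and ev.identity_documents and not ev.photo_documents:
        return ["no identity document with a photograph was presented"]
    return []


if __name__ == "__main__":
    # Constructed sample file: one document, a records check, one usage record.
    basic = Evidence(identity_documents=1, sole_claimant_check=True, use_documents=1)
    for lvl in LEVELS:
        print(lvl, unmet_objectives(lvl, basic), advisories(lvl, basic))
```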
3.4.7.2 Objective A - The identity exists
For all Confidence Level Processes
Documents/records that can be used to satisfy Objective A include those set out in Table 9. The number and type of documents required will vary depending on the EOI Confidence Level required for the service.
Table 9 - Documents/records used to satisfy Objective A
| Document/record | Issuing agency |
|---|---|
| New Zealand passport* | Department of Internal Affairs (Identity Services) |
| New Zealand Certificate of Identity (issued to non-New Zealand citizens who cannot obtain a passport from their country of origin)* | Department of Internal Affairs (Identity Services) |
| New Zealand Certificate of Identity (issued to people who have refugee status)* | Department of Labour (Immigration) |
| New Zealand Refugee Travel Document (RTD)* | Department of Internal Affairs (Identity Services) |
| Emergency Travel Document (ETD)* | Department of Internal Affairs (Identity Services) |
| Firearms Licence* | New Zealand Police |
| Overseas passport (with New Zealand immigration visa/permit)* | Relevant Authority in country of issue (visa/permit to be issued by Department of Labour (Immigration)). |
| New Zealand Full Birth Certificate | Department of Internal Affairs (Identity Services) |
| New Zealand Citizenship Certificate | Department of Internal Affairs (Identity Services) |
* Document/record contains a photograph of the holder.
For High and Moderate EOI Confidence Level processes
Staff SHOULD be specifically trained in document recognition (see 3.4.9).
For High EOI Confidence Level process only
Verification (where possible) of identity information with the primary source of records will provide added confidence for Objective A. This involves confirming with the issuing agency that the identity data contained on the identity document(s) or details provided correspond to a valid record.
NOTE -
1. Depending on the service, an agency may not require an individual to provide a document (i.e. it may be appropriate in some cases for an individual to just provide the agency with relevant data about their identity, which the agency then verifies against source records - for example birth details). However, this verification MUST be subject to legislative authority and electronic verification will require resolution of any technical issues (see 3.4.10).
2. Verification with an overseas primary data source will not be possible in most cases. Therefore, training in authentic document recognition is important for providing a high level of confidence.
3.4.7.3 Objective B - Identity is a 'living' identity
For Low and Moderate EOI Confidence Level processes
No specific process is required for this objective.
For Moderate EOI Confidence Level, this objective will be satisfied by the business processes undertaken to meet Objectives A and C.
For High EOI Confidence Level process only
Where possible an agency SHOULD verify against the New Zealand Death Register (administered by Department of Internal Affairs) that no death record matches the claimed identity. Checking the Death Register reduces the possibility of an individual using the identity of a deceased person.
Agencies need to be aware, however, that only deaths that occur within New Zealand are recorded on the Death Register. New Zealanders who die outside New Zealand will not necessarily be identified through a check against the New Zealand Death Register. Therefore, it is possible for New Zealand citizens who have died in another country to have their identities stolen and used by another individual.
Verification against the New Zealand Death Register MUST be subject to legislative authority and electronic verification will involve resolution of any technical and legislative issues (see 3.4.10).
3.4.7.4 Objective C - Presenter 'links' to identity
Determining that a presenter 'links' to an identity is particularly challenging, but is a vital aspect of identity verification processes.
Business processes used to satisfy Objective C include the following:
For Low EOI Confidence Level process
No specific process is required. For services where there is a low level of identity-related risk, enough confidence is gained in the individual's identity through their provision of documents/records that meet Objectives A and E. That is, the agency is able to gain enough confidence in their identity by the fact that an individual has been able to provide EOI to meet these objectives and the individual is not being inconvenienced to a level unreasonable for the low level of identity-related risk within the service being sought.
For High and Moderate EOI Confidence Level processes
One or both of the following may be used. For greater confidence both SHOULD be used.
Trusted referee corroboration (detailed in 3.4.11)
- This requires an individual to provide:
  - photograph(s) verified by a trusted referee or
  - verification by a trusted referee that the person applying for the service is the same person as indicated by the identification document(s)/records provided to satisfy Objective A.
In-person verification (detailed in 3.4.12)
- This requires an individual to appear in-person with:
  - a recent photograph verified by a trusted referee or
  - a photo identification document (from the list of photo identification documents/records used to satisfy Objective A).
Where a service requires individuals to physically present themselves to register for a particular service, then in-person processes for EOI may be desirable. Establishing an individual's identity can be undertaken as part of the overall service delivery process.
However, in many cases an individual is not required to be physically present in order to determine their entitlement for the particular service. In these cases service entitlement may be more efficiently determined through other channels (e.g. phone, email, mail, online applications). In addition, very few agencies support national networks of physical offices. Therefore, without creating widespread infrastructure, in-person verification processes will not be possible. In these cases, agencies SHOULD use other options for satisfying Objective C.
NOTE - Biometric recognition software may be used to assist with recognition processes, where the agency already has authorised access to trusted biometric information about the individual against which to match the individual.
For High EOI Confidence Level process only
Interviewing (detailed in 3.4.14)
- Where any discrepancy with a claimed identity is identified, and depending on the assessed level of risk associated with the individual case, the agency may require the individual to attend an interview with its staff.
3.4.7.5 Objective D - Presenter is sole claimant of identity
For all EOI Confidence Level processes
To fulfil this objective the agency SHOULD check the presenter's details (potentially including biometric information) against their customer records, to ensure that no other individual has claimed the same identity for that service.
Where a duplication of the claimed identity is discovered, the agency SHOULD refer the case for further investigation and, if necessary, amend its database records (see 3.4.21). It is important to be aware that duplication of identity records will not necessarily be the result of a fraudulent application. For example, it may have occurred through legitimately duplicate identity details or administrative error.
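The Objective D check described above can be sketched as follows. This is an added example, not part of the Standard: the record fields, the hint codes and the sample data are assumptions constructed for illustration. A match always produces a referral for investigation, with a triage hint, and never a fraud finding.

```python
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdentityRecord:
    """Hypothetical customer record; field names are assumptions for this example."""
    customer_id: str
    full_name: str
    date_of_birth: date
    place_of_birth: str
    mother_name: Optional[str] = None  # parental detail, e.g. from a full birth certificate


def normalise(text: str) -> str:
    """Fold case, strip diacritics (e.g. macrons) and collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def core_key(rec: IdentityRecord) -> tuple:
    """Core identity details used to detect a second claim on the same identity."""
    return (normalise(rec.full_name), rec.date_of_birth, normalise(rec.place_of_birth))


def check_sole_claimant(presenter: IdentityRecord,
                        customer_records: List[IdentityRecord]) -> List[Tuple[str, str]]:
    """Return (customer_id, hint) for every existing record claiming the same identity.

    An empty list means no duplication was found. A non-empty list is a set of
    referrals for further investigation: duplication may be a second claimant,
    legitimately duplicate identity details, or administrative error.
    """
    referrals = []
    for rec in customer_records:
        if rec.customer_id == presenter.customer_id:
            continue  # the presenter's own existing record is not a duplicate
        if core_key(rec) != core_key(presenter):
            continue
        if not presenter.mother_name or not rec.mother_name:
            hint = "PARENTAL_DETAILS_UNAVAILABLE"
        elif normalise(presenter.mother_name) == normalise(rec.mother_name):
            hint = "PARENTAL_DETAILS_MATCH"    # same person twice, or a second claimant
        else:
            hint = "PARENTAL_DETAILS_DIFFER"   # possibly two people with the same details
        referrals.append((rec.customer_id, hint))
    return referrals


# Constructed sample data (not real people or records).
CUSTOMER_RECORDS = [
    IdentityRecord("C001", "Aroha Ng\u0101ta", date(1990, 4, 12), "Rotorua", "Mere Ng\u0101ta"),
    IdentityRecord("C002", "John  Smith", date(1985, 1, 1), "Auckland", "Ann Smith"),
    IdentityRecord("C003", "john smith", date(1985, 1, 1), "auckland", "Mary Smith"),
]

if __name__ == "__main__":
    applicant = IdentityRecord("NEW", "John Smith", date(1985, 1, 1), "Auckland", "Ann Smith")
    for customer_id, hint in check_sole_claimant(applicant, CUSTOMER_RECORDS):
        print(f"refer for investigation: matches {customer_id} ({hint})")
```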
3.4.7.6 Objective E - Individual uses the identity in the community
For all EOI Confidence Level processes
The aim of Objective E is to provide further confidence about an individual's claimed identity. In particular, Objective E is concerned with demonstrating the consistent use of the claimed identity. Documents/records that are used to satisfy Objective E are intended to be used for the corroboration of identity information provided to meet Objective A. As a guide, these documents/records SHOULD be from a trustworthy source, be dated, and include the name and, where appropriate, address of the person applying for the service.
Table 10 lists documents/records that SHOULD be used, where possible, to meet Objective E. The process behind the issue of documents listed in Table 10 is outlined in Appendix A. Agencies SHOULD contact the Custodian of this Standard with any queries relating to the current issue status of any document listed in Table 10.
More information on handling identity-related documents is set out in 3.4.16.1.
Table 10 - Documents/records used to satisfy Objective E
| Document/record | Issuing agency/organisation |
|---|---|
| New Zealand Driver Licence* | Land Transport New Zealand |
| 18+ Card* | Hotel Association of New Zealand |
| Community Services Card | Ministry of Social Development |
| IR Number | Inland Revenue |
| Electoral Roll Record | Ministry of Justice |
* Document/record contains a photograph of the holder.
Table 11 lists documents/records that can be used to fulfil requirements for Objective E, where documents/records listed in Table 10 cannot be provided. Some of the listed documents may also be used where address details are required. Further details about these documents/records are provided in Appendix B. Agencies SHOULD contact the Custodian of this Standard with any queries relating to the current issue status of any document listed in Table 11.
Table 11 - 'Supporting' documents/records used to satisfy Objective E
| Document/record | Issuing agency/organisation |
|---|---|
| Credit cards, bank cards and financial accounts | Banks |
| International Driving Permit* | Automobile Association of New Zealand |
| Confirmation of Permit Status | Department of Labour (Immigration) |
| Steps to Freedom Form | Department of Corrections |
| Student Identity Cards* or Employee Identification Cards* | Secondary schools and tertiary institutions, and employers |
| Utility accounts | Utility companies (e.g. telecommunication, electricity and gas power providers) |
* Document/record contains a photograph of the holder.
Tables 10 and 11 do not provide a complete list of documents/records that could be used to meet Objective E. Agencies may choose to accept other types of documents/records to meet Objective E. The issuing process behind documents/records accepted by an agency is analysed to ensure a particular document/record provides adequate confidence to the agency regarding Objective E.
Some of the documents listed in Tables 10 and 11 provide information about a person (such as their bank account or academic record) that is not core identity information (e.g. name, date of birth and place of birth). Agencies need to be particularly careful to ensure that only information appropriate to establishing identity is accessed. In cases where the agency requires certain documentation to establish both identity and entitlement to the service, the individual MUST be made aware of the dual purposes for which the documentation is required.
For a number of services, a person's address may be required in order to progress to service delivery. For such services, requiring individuals to provide documents/records that meet Objective E and also contain address information will add confidence in the person's identity while at the same time providing address information. This can reduce the total number of documents/records that the person has to provide for a particular service.
The Objective E requirements SHOULD also be flexible enough to ensure a reasonable amount of choice for the individual. For example, individuals SHOULD be able to choose to provide alternative information as EOI rather than provide sensitive personal information such as financial or health information.
Agencies SHOULD also assess the appropriateness of keeping copies of identity-related documents against either recording the core identity-related information from those documents or simply recording that the document or data source was sighted, on what date, and by which staff member. Keeping such copies imposes a responsibility on the agency to protect the copies and the information they contain, while simply recording that the document has been sighted carries no additional responsibility.
3.4.8 Name changes
In many situations it is legitimate for individuals to use whatever name they choose. For moderate to high-risk services, agencies will need to balance this choice against their objective of ensuring that the presenting person is the legitimate claimant of a particular identity. Therefore, where an individual is operating under a different name to that on a document they have provided to meet Objective A, the individual SHOULD also be asked to provide information that links their current name to their previous name. The documents/records listed in Table 12 are forms of evidence that will, in many cases, enable this linkage to be made.
Table 12 - Documents/records used to establish name usage
| Document/record | Issuing agency/organisation |
|---|---|
| Change of Name by Statutory Declaration | Department of Internal Affairs (Identity Services) |
| Change of Name by Deed Poll | Department of Internal Affairs (Identity Services) |
| New Zealand Marriage Certificate | Department of Internal Affairs (Identity Services) |
| New Zealand Civil Union Certificate | Department of Internal Affairs (Identity Services) |
| New Zealand Divorce Papers | Ministry of Justice |
| Certificate of Annulment | Ministry of Justice |
While an agency may need to establish the linkage between the names originally and currently used by an individual, this should not prevent the individual's ability to be known by their 'preferred name' during subsequent contact with the agency.
See Appendix C for further information regarding name change.
3.4.9 Identity-related documentation
Technological advancements such as digital colour printers facilitate the alteration or forging of identity documents. In order to establish individual identities, agencies often require more than one identity-related document, as no single document can currently meet all of the objectives required to establish identity to any level of confidence. For example, a passport does not provide evidence that an individual uses their claimed identity within the community, just as a birth record does not link an individual to the particular identity listed in a record.
3.4.9.1 Types of identity-related documents
For convenience, identity-related documents can be categorised into two types:
- evidence that the identity exists (Objective A documents/records)
- evidence the identity is being actively used within the community (Objective E documents/records).
Identity-related documents are official documents that record a person's attributed identity, such as a birth certificate, or which contain an individual's signature and/or photograph (the validity of which has been verified in some way) such as a passport. Documents/records that provide evidence that the person uses the claimed identity in the community are required to provide further corroboration of the individual's identity.
NOTE - Agencies will need to set their own policies on the specific document/record combinations required (for meeting Objectives A and E). It is important that agencies develop processes for exceptions, where the documents required to meet Objectives A and E cannot be provided by certain individuals or groups of individuals. Agencies SHOULD also design their documentation requirements in line with other documentation requirements for determining eligibility for the particular service (i.e. wherever possible, agencies SHOULD choose identity-related documentation requirements that can also be used to satisfy eligibility requirements).
3.4.9.2 Training for staff - document recognition
Agencies that provide services with moderate to high identity-related risk SHOULD provide their staff with document examination training. Agencies will have to determine for themselves how in-depth this training should be and whether it should be provided by internal staff or by a specialist agency such as the New Zealand Police.
As a minimum, new frontline staff SHOULD be trained to recognise the types of documents that they will most frequently be presented with and shown what features to look for when examining them.
3.4.9.3 Protocols for acceptance of documentation
For services with moderate to high levels of identity-related risk, adherence to the following protocols will provide a higher level of confidence in a presenting individual's identity, as these protocols make it more difficult for forged or altered documents to be accepted as genuine by agency staff:
- Accept only original documents or copies certified by the issuing authority of the particular document - this allows examination of all security features that are not immediately obvious and are difficult to replicate, such as watermarks and embossing. Photocopied documents are relatively easy to alter and should, therefore, not be accepted as evidence of identity
- Preferably accept only documents that are currently valid - a valid document is one that has an expiry date that has not yet passed. Documents that are not valid tend to be relatively old and are less likely to contain security features, making them easier to forge or tamper with. Where documents that are not valid are accepted, consideration needs to be given to requiring additional documents/records to corroborate the details contained in the older document
- Accept only full birth certificates - many government agencies worldwide no longer issue short birth certificates as they contain less identity-related information and are less reliable. Full birth certificates, in addition to name, date, place and country of birth, also list gender and parental details. The extra information contained on the full birth certificate can prevent duplication of agency records, where two individuals have the same name and biographical information, and gives additional avenues of investigation in cases where an individual's claimed identity seems dubious
- For services requiring Moderate and High EOI Confidence Level processes (see Table 8), at least one form of required identification should be a trusted form of photographic identification (e.g. Passport or Certificate of Identity - see 1.2.7.2).
- Unless confirmation of long-term name usage is required, only accept evidence of 'use in the community' documents (documents/records used to meet Objective E) that are less than one year old
- Require documented evidence of any name change (e.g. deed poll, marriage certificate, and statutory declaration)
- Where the authenticity of a particular document is questionable, verify the authenticity of that document with the issuing authority.
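The acceptance protocols listed above can be expressed as an automated pre-check that flags an evidence set for staff attention. This is an added example, not part of the Standard: the field names, finding codes and sample data are assumptions, and "less than one year old" is taken to mean fewer than 365 days.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Evidence:
    """One item of evidence; field names are assumptions made for this example."""
    kind: str                        # e.g. "passport", "birth_certificate"
    objective: str                   # "A" = identity exists, "E" = use in the community
    name: str                        # name shown on the document/record
    original_or_certified: bool      # original, or copy certified by the issuing authority
    trusted_photo_id: bool = False   # on the agency's list of trusted photo identification
    expiry: Optional[date] = None    # None when the document carries no expiry date
    issued: Optional[date] = None
    full_birth_certificate: Optional[bool] = None  # only set for birth certificates
    authenticity_in_doubt: bool = False            # set by staff on examination


def normalise(name: str) -> str:
    """Fold case and collapse whitespace so formatting differences are ignored."""
    return " ".join(name.casefold().split())


def review_evidence(items: List[Evidence], confidence_level: str, current_name: str,
                    today: date, name_change_evidence: bool = False,
                    long_term_name_usage: bool = False) -> List[Tuple[str, str]]:
    """Return (document kind, finding code) pairs; an empty list means no findings."""
    findings = []
    for ev in items:
        if not ev.original_or_certified:
            findings.append((ev.kind, "NOT_ORIGINAL_OR_CERTIFIED"))
        if ev.expiry is not None and ev.expiry < today:
            # Not currently valid: may still be accepted, but needs corroboration.
            findings.append((ev.kind, "NOT_CURRENT_NEEDS_CORROBORATION"))
        if ev.full_birth_certificate is False:
            findings.append((ev.kind, "SHORT_BIRTH_CERTIFICATE"))
        if ev.objective == "E" and not long_term_name_usage:
            if ev.issued is None:
                findings.append((ev.kind, "OBJECTIVE_E_UNDATED"))
            elif (today - ev.issued).days >= 365:
                findings.append((ev.kind, "OBJECTIVE_E_OLDER_THAN_ONE_YEAR"))
        if (ev.objective == "A" and not name_change_evidence
                and normalise(ev.name) != normalise(current_name)):
            findings.append((ev.kind, "NAME_CHANGE_EVIDENCE_REQUIRED"))
        if ev.authenticity_in_doubt:
            findings.append((ev.kind, "VERIFY_WITH_ISSUING_AUTHORITY"))
    # Moderate and High processes need at least one trusted photographic document.
    if confidence_level in ("Moderate", "High") and not any(e.trusted_photo_id for e in items):
        findings.append(("evidence set", "NO_TRUSTED_PHOTO_ID"))
    return findings


# Constructed sample data (not real people or documents).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Evidence("passport", "A", "Jane Smith", True,
             trusted_photo_id=True, expiry=date(2023, 1, 15)),
    Evidence("birth_certificate", "A", "Jane Smith", False,
             full_birth_certificate=False),
    Evidence("utility_account", "E", "Jane Doe", True, issued=date(2023, 3, 1)),
]

if __name__ == "__main__":
    for kind, code in review_evidence(SAMPLE, "Moderate", "Jane Doe", TODAY):
        print(f"{kind}: {code}")
```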
3.4.9.4 Overseas-issued documents
Documentation from other countries can vary widely with respect to the issue processes and security features associated with them. For example, a birth certificate from Country A might be computer printed on special paper and contain a watermark and an embossed seal, while a birth certificate from Country B might be handwritten on regular paper with a stamp. Both may be authentic documents. Such variations can be problematic for government agencies that have to determine an individual's identity without discriminating against them because of their country of origin.
When an individual provides overseas-issued documents, the agency SHOULD ensure that up-to-date advice is available to front-line staff on how to recognise authentic documentation. The following business guidelines should be adopted for EOI Confidence Level A and B processes:
- Non-New Zealand Citizens SHOULD provide evidence of their lawful permit status (e.g. a passport containing a valid permit) - residence permits SHOULD be considered superior to work or study permits as more vetting of the applicant is undertaken before the residence permit is issued
- Only accept translations if they are carried out by the issuing authority of the particular document, an embassy of the issuing country or an authorised translation service in New Zealand - many countries have no regulations regarding the translation of documents, which means that even the presence of stamps and seals gives little assurance as to the authenticity of the translation
- Only accept English translations if they are accompanied by the original document - originals can be re-translated if doubt exists
- Refugees SHOULD be asked to supply a statutory declaration for high-risk services if they do not possess any EOI documents - refugees usually do not have EOI documents other than a New Zealand-issued Certificate of Identity
- Only accept official documents as identity-related evidence - in many countries affidavits and church-issued baptismal certificates are used in lieu of birth certificates. Provided their birth was registered, most people SHOULD be able to obtain official birth certificates from their country of origin (see 1.2.9.5 for further guidance).
3.4.9.5 Resources to assist with document recognition
The following resources are available to assist agencies with the verification of identity-related documents:
- advice about security features of identity-related documents issued by the Department of Internal Affairs (Identity Services) is available to agencies on request from: eoistandard@dia.govt.nz
- advice about the features of authentic identity-related documentation issued overseas is available to agencies on request from: eoistandard@dia.govt.nz
- agencies which deal with overseas-born applicants can visit the following official website run by the United States Department of State: travel.state.gov/visa/reciprocity/index.htm. It has a comprehensive list, by country, of the types of documents that individuals should be able to provide, what they should look like, and where applicants can obtain them from
- the Document Examination Section of the New Zealand Police provides a wide range of services, including training staff in document examination techniques. Contact the Document Examination Section, Office of the Commissioner New Zealand Police c/- Wellington Central Police Station, Corner Harris and Victoria Streets, PO Box 693, Wellington. Email: newzealand.doc.exam@xtra.co.nz.
3.4.10 Verification of identity-related data against source data
Verifying information with the primary data source (i.e. source of issue) reduces the likelihood of individuals successfully presenting counterfeit or altered documents as genuine and is the method that provides the greatest amount of confidence for Confidence Level A processes, although there is still potential for data entry error and internal misconduct. Verification of details with the issuing source provides evidence that:
- the identity details on a document or service application form provided by the applicant have not been altered between creation of the original record and presentation of the information to the service agency
- the presented document or identity details provided by the individual are not counterfeit/fictitious.
Although it is anticipated that information will be collected from the individual concerned, that information may only be verified with a third party if such verification complies with the provisions of the Privacy Act 1993. For example, agencies might verify birth information with the Registrar-General, Births, Deaths and Marriages (BDM) to avoid the need for the individual to obtain a birth certificate or where there is concern that a false birth certificate may have been provided by the individual. Agencies SHOULD consult with their privacy officer or legal advisers to ensure that any business processes of this nature comply with the Privacy Act 1993.
3.4.10.1 Authorised information matching programmes
Part 10 of the Privacy Act 1993 provides a regulatory regime that permits information matching in circumstances where it would otherwise constitute a breach of the Information Privacy Principles. Each authorised information matching programme is established by statute. For example, if an agency wishes to establish an information matching programme to match against registered birth information, this would require an amendment to the BDM Registration Act 1995. As legislation is required for authorised information matching programmes, agencies are advised to involve their legal advisers and privacy officers early in the process. In addition, early consultation with the Office of the Privacy Commissioner is strongly recommended as the Commissioner's functions include examination of any proposed legislation where "the information might be used for the purposes of an information matching programme..." Agencies can find information about these issues on the Privacy Commissioner's website (www.privacy.org.nz), particularly the "Information Matching" fact sheet and "Guidance Note for Departments Seeking Legislative Provision for Information Matching: Information Matching Privacy Impact Assessments".
3.4.11 Trusted referees
Trusted referees are a vital component of the EOI process. In particular, trusted referees can assist an agency with determining whether the presenting person links to the claimed identity.
For the purpose of the EOI Standard, a trusted referee is a person who:
- confirms the accuracy of information supplied by an individual
- confirms that the information, to their knowledge, belongs to that person (this may include biographical and biometric (usually a photograph) information).
The two key elements that should exist for a trusted referee process to be effective are that the referee:
- has the personal knowledge required to verify the individual's identity
- is trusted by the agency (according to the agency's own criteria).
3.4.11.1 Criteria for trusted referees
Agencies will need to determine who qualifies as trusted referees for a particular service. Ideally a trusted referee will be known to the agency. This means they will have previously had their identity established by the agency, thereby creating a level of trust between the agency and the referee.
In addition, further criteria will need to be set around who qualifies as a trusted referee for specific services. The criteria chosen SHOULD be widely enough defined so that individuals can reasonably be expected to find referees to fulfil the criteria.
Criteria could include that a trusted referee:
- is not related to the applicant
- is not a partner or spouse of the applicant
- is not resident at the same address as the applicant
- has known the applicant for a specific amount of time (e.g. at least 12 months)
- holds a particular position of standing in the community (e.g. registered professional, kaumatua [5], religious or community group leader)
- has an accessible contact address and phone number
- is registered with the agency as per that agency's criteria.
NOTE - To meet the High EOI Confidence Level process, there SHOULD be a process allowing the agency to contact the trusted referee directly to confirm their details. At a minimum, trusted referees SHOULD be contacted if any discrepancy is identified as part of EOI checking processes.
[5] Criteria for who is recognised as a kaumatua are determined at the individual agency level.
3.4.11.2 Legislative implications for trusted referee processes
The practice of using trusted referees can be established through operational procedures and may not necessarily need to be enshrined in legislation. Current passport administration in New Zealand provides a precedent for this approach being introduced without legislation.
Agencies SHOULD liaise with their legal advisors when considering implementing a trusted referee process, to ensure that the process is legitimate in regard to the particular legislation that the agency operates within.
3.4.11.3 Privacy implications for trusted referee processes
A potential privacy issue arises when agencies require the use of trusted referees for particular services, because the individual will be required to disclose to a trusted referee the service that he/she wishes to access. For example, should an individual have to let a third party know that he/she is applying for an unemployment or sickness benefit in order to meet the agency's trusted referee requirements?
It is advisable, if customers are expected to face personal costs or risks (of any nature) from disclosing to a third party the service that they are applying for, that the agency design service application forms in a manner that does not associate the core application data with the trusted referee's input to the application.
3.4.11.4 Strengths and limitations of trusted referees
Use of trusted referees can be a cost-effective way to provide confidence that an individual 'links' to the identity they have claimed as their own.
For a High EOI Confidence Level process, agencies SHOULD contact trusted referees for validation of the information that the applicant, and possibly the trusted referee, has provided, at least for a percentage of applications. In addition, a profiling approach SHOULD be considered for services for which an agency cannot justify contacting each referee for further validation or for services for which the identity of some applicants should be subjected to more rigorous verification than others. This SHOULD include contacting trusted referees where discrepancies in individual applications are detected and on the basis of other risk indicators. Any trusted referee who verified the identity of an allegedly fraudulent customer SHOULD also be investigated.
Specific risk indicators will need to be determined by the individual agency in relation to the nature of particular services. If there is an unacceptable level of doubt in the validity of either the individual's claimed identity or that of the trusted referee, the agency SHOULD subject the case to more thorough investigation.
3.4.12 In-person verification processes
In-person verification involves the individual appearing in person at a public counter with a photograph verified by a trusted referee, or with a trusted document that contains a photograph (such as a passport). Staff members then assess whether the person in front of them matches the person in the photograph, and/or whether the person before them appears to correspond with the biographical data on the document (e.g. whether they appear to be the correct age and gender).
For an in-person verification process to be effective it should be of the highest integrity. For example, staff SHOULD be trained in person recognition. The costs involved in carrying out a high integrity in-person verification process for all customers are high. Costs include financial cost to the agency and compliance costs for customers (e.g. inconvenience and accessibility issues). Therefore, when deciding whether in-person verification should be adopted by the agency, consideration SHOULD be given to whether the agency requires the individual to appear in-person for other reasons (e.g. to determine the individual's entitlement to the particular service).
Agencies need to assess the benefits of seeing an individual in person. Factors for consideration include:
- costs and benefits (e.g. whether the compliance costs, such as agency infrastructure and travel for the individual, are unreasonably high in relation to the benefits gained)
- whether an alternative process will achieve the same result, such as having a trusted referee verify the individual's identity by signing the back of their photo
- whether in-person contact can fulfil objectives additional to meeting EOI requirements (a number of services already require face-to-face contact with individuals).
3.4.12.1 Strengths and limitations of in-person verification
In-person verification provides potential 'barriers' for a person attempting to misuse or abuse identity. This is particularly likely to be the case where an individual is attempting to use a stolen identity.
However, there are also limitations to the effectiveness of in-person verification. Although research has found that photographic facial recognition is not 100% accurate, its success rate is high enough to add a significant degree of confidence to the EOI process, as long as it is used in combination with other forms of EOI. What is unclear, however, is whether face-to-face contact with an individual is any more successful in meeting Objective C (presenting person links to identity) than using other processes, such as using trusted referees.
3.4.13 Dealing with discrepancies
This section outlines secondary EOI processes that SHOULD be used where a discrepancy is detected in the EOI documentation provided by an individual or trusted referee. The process is similar to that required in situations where discrepancies are identified during in-person verification processes (see 1.2.12).
- Staff SHOULD first seek an explanation from the applicant for the service, unless it is clearly apparent that it is a fraudulent matter, in which case the matter SHOULD be forwarded directly to investigations staff.
- If the applicant's explanation is not satisfactory, then the application SHOULD be investigated further. This may be referred to investigations staff.
- Discrepancies between documents/records regarding names or dates/places of birth SHOULD be resolved before continuing with a service. Agencies should not issue any documents that could be used to subsequently establish identity without resolving such discrepancies, as this may allow an individual to operate fraudulently under more than one identity.
- Agencies SHOULD refer applicants back to the issuing authority to seek amendment and/or replacement of a document if it is incorrect.
- Agencies SHOULD consult with their internal teams who deal with investigating discrepancies about what information from a document is useful to retain for investigative purposes e.g. retain a photocopy or record date of issue and serial number.
- Where documents are suspected to be fraudulent, agencies should not return the documents to an applicant until the individual's identity has been fully established, unless it is unlawful for the agency to do so. Loss of evidence could significantly jeopardise any action an agency may wish to take against a fraudulent applicant.
3.4.14 Investigative interviewing processes
Investigative interviewing offers a higher degree of confidence than the in-person verification process outlined in section 1.2.12. An investigative interview involves the interviewer collecting identity-related information about an individual prior to the interview and preparing questions that the person claiming that particular identity should reasonably be expected to answer correctly.
Because of the cost, both for the agency and the individual, and the level of agency staff training involved, investigative interviews SHOULD only be used where other EOI processes have not achieved the required level of confidence in an individual's identity.
3.4.15 Handling individual exceptions
In some cases, individuals will be unable to meet the requirements of EOI processes. For these cases, agencies need to have exception-handling protocols in place. What these protocols involve will be determined by the agency in relation to the particular service and customer base.
Where possible, exception processes SHOULD be as functionally equivalent as possible to a service's standard EOI processes. If a service requires a Moderate EOI Confidence Level process, the agency SHOULD attempt to meet the objectives for the Moderate EOI Confidence Level process by requiring alternative forms of EOI from the individual. For example, where an individual is unable to provide the required documentation to meet Objective A (i.e. evidence that the claimed identity exists) due to accidental destruction of all documentation, then the agency SHOULD contact the issuing agency of those documents, with the consent of the individual, to verify the existence of the claimed identity.
3.4.16 Privacy requirements
The Privacy Act 1993 covers the collection, disclosure and use of personal information. In designing and implementing an EOI process, agencies MUST ensure that the process implemented is consistent with the Privacy Act 1993. Any consideration of the Act should be on the basis of agencies' specific legal and privacy advice (see 1.2.22). The information that follows is not intended to substitute for that professional advice but is included to provide agencies with some preliminary guidance on the issues that may need to be considered. The Office of the Privacy Commissioner has developed a "Privacy Impact Assessment Handbook" to assist agencies in examining proposals that involve the collection, use, or disclosure of personal information (available from: www.privacy.org.nz).
3.4.16.1 Key considerations
Privacy issues are integral to the design and implementation of any EOI process. Key responsibilities that agencies SHOULD build into their EOI business processes include ensuring:
- in cases where the customer gives consent to the access of data, that this is supported by adequate proof of that consent through a physical or digital signature (where allowed under the Electronic Transactions Act 2002)
- that individuals have access to and can correct any personal information held about them by the agency
- that information collected for the purpose of verifying an individual's identity is not used for any other purpose. However, in practice, personal information may be collected for several purposes at the same time. For example, an agency may collect evidence of an individual's name, address, and date and place of birth in order to verify the individual's identity, determine their eligibility for the service applied for, and ensure they can contact the individual in future. Agencies using the information for more than one purpose MUST ensure that each purpose for which the information is being collected is clearly explained to the individual (e.g. purposes could be outlined on the application form for the relevant service)
- that information is not disclosed to another person or agency - with limited exceptions. If the EOI process includes the use of trusted referees as a way to verify identity, agencies MUST ensure that personal information is not unnecessarily disclosed to the trusted referee if the latter is contacted to verify identity information provided by the individual
- that information systems (electronic or human-based) are secure from inappropriate access by others. For example, agencies need to ensure identity information held on a database is not vulnerable to unauthorised access, or that frontline staff do not disclose identity-related information without sufficient checks to confirm the identity of the person requesting it. Agencies SHOULD periodically review the degree to which their systems and processes achieve the level of security that they have been designed to achieve. Adjustments to systems and processes SHOULD be made where required
- that the appropriate level of an applicant's consent is obtained consistent with the need to acquire the data relevant for determining the applicant's identity
Some of the information collected from individuals during the EOI process will be necessary for agency records (e.g. name and address) and other information may be provided to confirm a person's identity but does not need to be retained by the agency after the EOI process has been completed. Agencies are responsible for ensuring that they do not keep information that is irrelevant or for which there is no legitimate reason for retention. Agencies need to consider whether there is a legitimate business reason for retaining identity-related information collected from individuals or whether it is sufficient to simply record that the information was sighted.
For information on privacy considerations refer to privacy officers or legal advisers in the first instance. Agencies may also wish to consult the Privacy Commissioner's website (www.privacy.org.nz).
The Privacy Act 1993 is available from www.legislation.govt.nz.
3.4.16.2 Collection of identity-related information from individuals
At the heart of the Privacy Act 1993 are the notions of transparency and autonomy. People cannot exert any control over the accuracy of their data or use of it until they know when data is being collected, who will have access to it and how it will be used. Transparency is central to building customer trust.
The Privacy Act requires agencies to advise individuals about the following:
- why identity-related evidence is being collected
- whether the information is required by law and, if so, which law
- whether the supply is voluntary
- the consequences if the required information is not supplied (e.g. that service provision may be withheld from the individual).
The rationale for meeting objectives within an EOI process, and the documents/records that meet particular EOI objectives, could usefully be provided to the public to aid transparency of the process. For example, utility bills provide confirmation that the person uses that identity in their daily life, and may be used to confirm the person's current address. Agencies that request these documents SHOULD advise their customers that this is why these documents have been requested.
3.4.17 Risk profiling
Where appropriate, agencies may use risk profiling as a tool to reduce identity-related risk in addition to the EOI process requirements specified in this Standard. Any risk profiling tool considered for adoption by the agency SHOULD be considered from a human rights perspective. The agency SHOULD seek legal advice in the first instance, particularly in regard to any human rights issues that may arise from use of a particular profiling tool.
Risk profiling involves using information collected by an agency about previous cases where misuses or abuses of identity (or other types of crime) were detected and from other sources (such as other government agencies, overseas counterparts and other intelligence sources), to highlight characteristics that are more likely to involve false identities.
Agencies that use risk profiling may need to develop risk profiles as part of the process for establishing an individual's identity. A risk profile highlights aspects about an individual that may indicate an increased risk of their perpetrating an identity crime. Where an individual application or the particular service fits within a risk profile, an agency may undertake additional processes to further verify the individual's identity. For example, additional processes could include contacting trusted referees directly to validate information supplied by that referee, requiring the customer to attend an investigative interview, etc. The type of additional processes an agency chooses to undertake will need to be established as part of the overall EOI process design.
Risk profiles SHOULD be updated to ensure their ongoing currency. Relevant incident and/or intelligence information will provide valuable input to the refinement of agency risk profiles. As such, accountability mechanisms within agencies will be required to ensure updating happens in a timely manner.
3.4.18 Data quality issues
Accuracy of identity data is of key importance for any EOI process that an agency operates. EOI processes, once implemented, SHOULD be periodically audited for accuracy of identity information produced. Where unacceptable inaccuracies are found, the cause of the inaccuracies SHOULD be identified and resolved wherever possible.
As a general rule, the greater the risk associated with inaccuracies in the identity data, the greater the effort that should be expended to improve and maintain the accuracy of the identity data held. This will also help to ensure that agency practices comply with Information Privacy Principle 8 of the Privacy Act 1993.
3.4.19 Agents/persons acting on behalf of individuals
EOI processes SHOULD be designed on the basis that personal information will be collected from the individual concerned when that individual applies for a government service. Agencies that receive service applications from agents or caregivers who are acting on behalf of an individual need to have processes in place to ensure that the agent/caregiver has authority to act for the recipient and that any personal information is provided with the individual's consent or some lawful authority (e.g. power of attorney or order issued by the Family Court under the Protection of Personal and Property Rights Act 1988).
Where an agent is a named individual, agencies SHOULD consider whether they SHOULD verify that the agent is the named agent of the customer. This is recommended for services with moderate to high levels of identity-related risk.
3.4.20 Step 3 - Ongoing operation of EOI processes
Sections 1.2.21 to 1.2.25 provide guidance on areas that agencies MUST consider prior to EOI processes becoming operational.
3.4.21 Internal controls
Internal controls are an agency's first line of defence in safeguarding assets and preventing and detecting errors and fraud. Poor internal controls can jeopardise the effectiveness of any EOI process.
Agencies SHOULD analyse their EOI process to determine the points at which internal controls need to be implemented to prevent process failure. EOI internal control activities are any policies, procedures, techniques, and mechanisms that minimise the risk that EOI processes will not meet their objectives. They include a diverse range of activities, such as:
- controls over information processing
- physical control over vulnerable assets
- segregation of duties
- access restrictions to, and accountability for, resources and records.
There is a range and variety of EOI control activities that SHOULD be adopted by agencies carrying out EOI processes. An agency's internal controls SHOULD be flexible enough to allow control activities to be tailored to fit particular contexts. The specific control activities used by one agency may be different from those used by other agencies, due to a number of factors. These factors could include specific threats faced by the agency and risks incurred, differences in agency objectives, size and complexity of the agency, operational environment, sensitivity and value of data, and requirements for system reliability, availability, and performance.
3.4.21.1 Operational considerations
An agency's human resource planning SHOULD allow for adequate EOI checking to be undertaken by staff. Agencies need to ensure that the workload given to staff is manageable. If staff members are unduly pressured for time or to meet targets there is a risk that their vigilance in identifying discrepancy cases may diminish. Complaints and errors SHOULD be analysed to determine their cause so that remedies can be applied appropriately and in a timely manner (see 1.2.24).
Agencies SHOULD also ensure that they have adequate controls in place to prevent staff members perpetrating internal fraud, which can undermine the integrity of an agency's EOI processes.
3.4.21.2 Staff training
Staff training SHOULD be comprehensive to ensure staff have an adequate understanding of a service's EOI requirements and of the potential consequences should they fail to follow proper procedures. Specific areas where training is likely to be required include (but are not limited to):
- document recognition and using resources to assist with document recognition (see 1.2.9.2 and 1.2.9.5)
- in-person verification processes (see 1.2.12)
- the Privacy Act 1993 (see 1.2.16)
- dealing with cases where individuals cannot meet EOI requirements (see 1.2.15 and 1.2.19).
3.4.21.3 Physical control over vulnerable assets
An agency SHOULD establish physical control to secure, limit access to, and safeguard vulnerable assets such as documents or records that might be vulnerable to risk of loss or unauthorised use. Physical files and records SHOULD be tracked in such a way that an audit trail clearly indicates where and with whom the files are located. Audit trails in computer systems SHOULD show records of all users, access information, the time and date of access, and before and after images of any changes.
3.4.21.4 Segregation of duties
Key duties and responsibilities SHOULD be divided or segregated among different people to reduce the risks of error and internal fraud. This SHOULD include separating the responsibilities for authorising services, processing and recording them, reviewing the services, and handling any related assets. No one individual should control all key aspects of a service's delivery. This is especially important when issuing any record that may potentially be used as evidence of identity for subsequent services.
3.4.21.5 Accurate and timely recording of services
Service delivery SHOULD be promptly recorded and processed to maintain its relevance and value to the control of operations and for later evaluations. This applies to the entire process or life cycle of a service from the initiation and authorisation through to its final classification in summary records.
3.4.21.6 Access restrictions to and accountability for identity-related records
Access to resources and records SHOULD be limited to authorised individuals, and accountability for their custody and use SHOULD be assigned and maintained. Periodic reviews and monitoring of data are necessary to help reduce the risk of errors, fraud, misuse, or unauthorised alteration.
3.4.21.7 Appropriate documentation of service delivery and internal controls
Internal controls and all services need to be clearly documented and the documentation SHOULD be readily available for examination. All documentation and records SHOULD be properly managed and maintained. Internal control monitoring SHOULD assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.
3.4.21.8 Records management
Records of EOI processes SHOULD be captured into a corporate records system, maintained for as long as they are required, then disposed of legally and in accordance with the Public Records Act 2005.
3.4.22 Legal considerations
In identifying and implementing any changes to business processes to meet the requirements of this Standard, agencies SHOULD identify any legal issues that might need to be addressed and ensure that they are dealt with appropriately. Examples of such issues include:
- the need to make amendments to any Act or Regulation concerning the information to be collected from the applicant or the processes that applicants undergo in order to receive a particular service from the agency
- the need to obtain and act on legal advice associated with any changes in business processes, such as the introduction of more stringent identity verification checks that require the collection and sharing of greater amounts of personal information, and the implications of the Privacy Act 1993 on the range of strategies that the agency might consider to enable the carrying out of these verification checks.
3.4.23 Transition of business processes
The extent to which agencies will need to alter their current EOI processes to comply with this Standard will vary widely between agencies and, in some cases, between different business groups within agencies.
Agencies SHOULD identify the optimum transition strategy, given the particular type and extent of changes that need to be implemented by their organisation. Key considerations in planning the transition will include whether:
- any changes to existing Acts or Regulations are required to implement the changes to EOI processes required
- the changes to business processes require action by other agencies in order to give effect to these new business processes (for example, the introduction of automated information matching by another agency). If so, the transition plan needs to address these dependencies
- the changes will impact on the functions of another agency or service. If so, the changes SHOULD be discussed with the relevant agency or service unit before they are made
- there are any other issues that could constrain or prevent the agency from implementing the required changes. If so, these issues need to be investigated and addressed before the agency finalises its transition plan so that implementation of the changes can occur effectively.
3.4.24 Complaints handling
It is possible that changes to EOI processes to ensure compliance with the EOI Standard will result in changes to the number and/or type of complaints from individuals transacting with the agency. For example, individuals may consider the EOI requirements to be overly intrusive, unnecessary and so on. Each agency SHOULD make appropriate resource provision for this possibility when designing and testing these new EOI processes.
Although most agencies are likely to already have appropriate mechanisms in place for handling complaints from customers, the need for expertise to process/investigate some types of complaints, such as complaints concerning potential breaches of the Privacy Act 1993, may be greater with the introduction of EOI processes.
Agencies SHOULD also have procedures in place for dealing with complaints where they have incorrectly recorded identity-related information about an individual. Under the Privacy Act 1993 agencies SHOULD correct any personal information they hold about the individual. Alternatively, the agency can include a statement of changes sought by the individual and the reasons why it was not deemed appropriate to make the changes.
If an agency fails to put in place appropriate administrative procedures for dealing with errors in identity details, or does not deal with any such complaints according to its procedures, this may result in an investigation by an Ombudsman, pursuant to the Ombudsmen Act 1975.
3.4.25 Communication protocols between agencies
Agencies SHOULD ensure that they monitor and evaluate the performance of their EOI processes and act in a timely manner on any issues that may need to be communicated to other agencies. Agencies SHOULD ensure, however, that any communications between agencies are in compliance with the Privacy Act 1993.
Examples of such situations include:
- the discovery of an EOI document issued by another agency that is found to be:
  - fraudulently obtained
  - falsified in some way
  - fraudulently used
- the discovery of evidence (such as credible information) indicating that one or more EOI documents issued by another agency has been, or is likely to be, fraudulently obtained, falsified in some way, or fraudulently used
- the discovery of personal information regarding the activity of any person who is found to have committed or who is suspected of any illegal activity in relation to identity or the use of identity-related documentation.
3.4.26 Checklist for Phase 2 Design and Operation
Checklist for ................................ (service name)

| Step | | Date when completed |
|---|---|---|
| 1. | EOI Confidence Level determined (based on Service Risk Category) | |
| 2. | Design an EOI process, or modify existing EOI process, appropriate to EOI Confidence Level: | |
| | - 'Gap' analysis completed (where there are existing EOI processes) | |
| | - Minimum evidential requirements for EOI Confidence Level met | |
| | - Transition of business processes planned | |
| 3. | Implementation of EOI process (either new or modified process) | |
| | - Internal controls implemented | |
| | - Legal aspects (including privacy) signed-off | |
| | - Complaints handling implemented | |
| | - Communication protocols with other agencies implemented | |
| 4. | Monitor, evaluate, and review on | |
3.5 Service delivery phase
The service delivery phase is not in scope of this Standard, with the exception of any EOI process that is required before the service can be delivered to an individual. Information on EOI processes is covered in 1.2.
3.6 Monitoring and evaluation phase
3.6.1 Continual improvement of EOI processes
3.6.2 Monitoring and evaluation approaches
3.6.3 Step 1 - Develop Monitoring and Evaluation Plan
3.6.4 Evaluation processes
3.6.5 Step 2 - Ongoing monitoring and evaluation
3.6.6 Step 3 - Amend EOI processes
This section provides guidance on the monitoring and evaluation processes when establishing the identity of individuals [6]. It should assist agencies to develop a formal EOI process Monitoring and Evaluation Plan.
The purpose of the Monitoring and Evaluation Phase is to ensure that, once implemented, each agency's EOI business processes and associated outcomes remain consistent with their objectives.
[6] Services that require evidence of identity will have been determined during the risk assessment phase (see 3.3).
3.6.1 Continual improvement of EOI processes
Agencies need to modify their EOI processes where monitoring and evaluation results indicate that EOI process objectives are not being satisfactorily met and are consequently exposing the agency to unacceptable identity-related risk. This is an iterative process, as shown by the ongoing cycle of monitoring, evaluation and process improvement in Figure 7.
In carrying out EOI process evaluation, agencies need to systematically consider what their objectives are in relation to their EOI processes, and what might adversely influence the achievement of those objectives (i.e. the EOI process risks). Just as the context and nature of the risks dictate the types of risk analysis and risk evaluation carried out, context also dictates the design and implementation of appropriate monitoring and evaluation procedures.
Events such as the use of forged EOI documents allow an agency to improve its understanding of the likelihood and consequences of the risks, and influence the ongoing maintenance of appropriate business processes to address them. In essence, monitoring processes provide this information and evaluation processes analyse it in order to identify any required improvements. For example, risk profiles (see 3.4.17) may be modified on the basis of information collected as part of the monitoring processes in place for an EOI process.
Figure 7 - Monitoring and evaluation cycle
3.6.2 Monitoring and evaluation approaches
Identity-related risks vary between services. Monitoring and evaluation processes should, therefore, be tailored to the individual contexts of each agency.
This Standard does not prescribe maximum or minimum intervals between monitoring and evaluation cycles. These decisions are the responsibility of each individual agency. However, agencies SHOULD ensure they document the basis for their approach to monitoring and evaluation and SHOULD maintain up-to-date documentation for auditing and quality assurance purposes. It is recommended that agencies review their EOI process monitoring and evaluation practices at least every two years.
3.6.3 Step 1 - Develop Monitoring and Evaluation Plan
A Monitoring and Evaluation Plan SHOULD be completed prior to an EOI process becoming operational. This Plan SHOULD be completed as part of the Design and Operation Phase. If this is not practical, information about monitoring and evaluation processes SHOULD be incorporated into the business and risk management documentation that relates to the particular service.
3.6.3.1 Monitoring processes and performance indicators
Selecting appropriate indicators to measure the effectiveness of EOI processes is extremely important. Performance indicators need to inform assessments about the degree to which the EOI processes meet the agency's EOI-related objectives.
An agency will need to factor in the following considerations when choosing its performance indicators:
- cost to the agency
- ability to collect the required data/information
- reliability of the performance indicators.
Table 13 provides a list of types of performance indicators that could be used for monitoring EOI processes. It is not an exhaustive list. Agencies SHOULD select performance indicators most relevant to their specific risks and desired outcomes, ensuring that they only monitor performance against a manageable number of indicators.
Table 13 - Performance indicators
| Indicator | Example of measure |
|---|---|
| Emergence of any new EOI process risks | For example, analysis of discovered fraudulent activities to determine whether new modes of operation are being used to misuse and abuse identity in relation to agency services. |
| Quality of administrative activities | For example, measurement of the proportion of processing errors found within EOI processes. An example error could be that individuals' identities were established without the required EOI documentation being confirmed by a staff member. |
| Compliance with the Privacy Act | For example, the proportion of EOI processes for identifying individuals that are found (from an audit or similar) to have been in breach of the Privacy Act due to the actions of staff involved with the service. |
| Staff training and performance | For example, measurement of the results of tests of staff ability to correctly identify authentic and non-authentic documents of the type used for the EOI processes they administer. |
| Cost and effort associated with EOI processes | For example, measurement of the cost, time or other measure invested in the design and operation of EOI processes compared with the outcomes of those processes in relation to identity abuse rates or customer satisfaction. |
| Feedback from other agencies | For example, analysis of the number of instances where other agencies have reported the use of identity-related documents issued by the agency that contain errors or which are stolen or counterfeit. |
| Alignment between EOI processes and objectives | For example, measurement of any increase in the number of false identities detected per annum through implementation of an EOI process designed to better detect false identities. |
The examples of performance indicators contained in Table 13 highlight the importance of identifying specific cause and effect relationships between the achievement of business objectives and the indicators being measured. Where strong cause and effect relationships exist, changes in the results of data collection will indicate corresponding changes in the achievement of business objectives. Each agency's choice of performance indicators SHOULD enable the agency to remain informed about the degree to which its business objectives are being met.
3.6.3.2 Collection of data/information
Various methods can be used to collect monitoring data/information. These range from simply gathering feedback or descriptions of success or failure, to systematically gathering qualitative and/or quantitative data for statistical analysis. Collection methods include:
- routine checks of EOI process steps
- audit of EOI processes
- maintenance of a risk register for EOI processes
- maintenance of a database recording details of EOI process errors or failures
- costing information about EOI processes
- collection of customer complaints regarding EOI processes, and any other customer feedback
- surveys of customer satisfaction.
3.6.3.3 Appropriateness of monitoring
The types and amount of monitoring chosen SHOULD provide agencies with information in a timeframe and format that allows decisions about the suitability of the EOI processes to be assessed.
In the event of any unacceptable departure from, or mismatch between, these EOI processes and objectives, the monitoring processes SHOULD allow process changes to be designed and implemented before significant problems arise.
3.6.4 Evaluation processes
The following aspects of evaluation MUST be taken into account during plan development.
3.6.4.1 Designing evaluation processes
As a general rule, an agency's EOI processes SHOULD be changed when the criteria for success of those processes are not met and the expense and/or effort required to improve the outcomes is justified. Evaluation processes allow assessment of adequacy and identification of appropriate improvements.
In carrying out evaluation processes, agencies MUST document the:
- rationale for all EOI business processes
- key EOI process objectives to be achieved and the context within which the evaluation is conducted
- performance indicators used (see 1.4.3) as a basis for the evaluation
- results (against those performance indicators) that the agency considers represent contribution to outcomes - successful or otherwise.
Evaluation processes SHOULD be designed to properly inform decisions about the appropriateness of the EOI processes so that those processes can be amended as appropriate. Evaluation processes SHOULD be tailored to the specific situation in which they are being carried out. These processes SHOULD be designed in conjunction with the monitoring processes for agency EOI processes.
The design of evaluation processes is particularly important if specific interventions are to be assessed. For example, if a new business process is introduced in order to reduce the number of processing errors, the effect of the new process on the number of errors will need to be measured to gauge the success of the new process. Information will also need to be retained about the previous process so improvements can be measured. Where such changes to process are expected to affect another agency, the changes SHOULD be agreed on by all affected agencies prior to implementation.
It is important that agencies identify and document the factors that will be taken into account during the evaluation of EOI processes. This assists any external review of the appropriateness of the EOI processes and helps the agency to implement and maintain appropriate EOI processes.
3.6.4.2 Issues for evaluation
Table 14 provides examples of the types of issues that an agency may evaluate in relation to its EOI processes. This is not a complete list and the issues chosen for evaluation will need to take into account the agency context and objectives within which particular services operate.
Table 14 - Issues for evaluation
| Issue | Examples |
|---|---|
| Solutions to address identity-related risks | For example, evaluation of whether new EOI checks on applications for welfare benefits resulted in an increase in the discovery rate of identity-related benefit fraud. |
| Implications of ongoing initiatives, such as communication with agencies about downstream effects to existing operational procedures | For example, the discussion with other agencies of possible measures to counter EOI process concerns that have been raised. The introduction of any new EOI checks SHOULD be weighed up in light of the expected benefits that they would bring to the affected agencies and the expected costs and operational changes that would need to be incurred with the new EOI checks (i.e. cost/benefit analysis). Performance indicators relating to those EOI checks, such as the number of discovered false identity events per year, would need to be identified and the resulting information periodically evaluated. |
| Possible solutions to EOI process problems identified, such as breaches of the Privacy Act | For example, evaluation of the effectiveness of staff training courses aimed at improving staff's compliance with the Privacy Act, as evidenced by a reduction in the number of breaches of the Act by staff. |
| Adequacy of staff training and performance | For example, the performance of staff measured by regular assessments of the quality of their EOI process-related activities (such as quality of document verification checks and customer liaison activities). |
| Possible improvements to EOI processes, such as efficiency gains | For example, an agency might identify patterns of EOI-related concerns (such as attempts to use non-authentic EOI documentation). The agency may then channel future EOI processing to selected staff members who have been trained more comprehensively. In doing so, the agency might aim to reduce its processing costs while maintaining or even improving its level of success in meeting its business objectives. Monitoring those business outcomes provides the agency with the information required to evaluate whether such initiatives are achieving their desired outcome. |
Where evaluation results in information that may be of use to other agencies or to the Custodian of the standard, and which can appropriately be shared, agencies are encouraged to share the results of their evaluations (e.g. where an agency's evaluation activities identify changes in the nature of methods of misusing or abusing identity being perpetrated by individuals).
3.6.5 Step 2 - Ongoing monitoring and evaluation
Once an EOI process becomes operational, the monitoring and evaluation processes SHOULD commence.
3.6.5.1 Frequency of monitoring and evaluation activities
Monitoring and evaluation will be undertaken at different frequencies depending on the particular context within which a service exists. Monitoring and evaluation can be undertaken:
- Continuously - in some situations, such as in rapidly changing environments, it may be appropriate to monitor the adequacy of EOI processes, more or less continuously (e.g. in cases where a particular service results in the issue of identity documentation that can be used subsequently)
- Periodically (on a discrete-interval basis) - this approach is likely to be appropriate for the evaluation of most services
- Episodically (event dependent) - this is likely to be the most appropriate approach after the completion of major changes to business processes.
In all situations the underlying rationale for the choice of frequency is the need to keep pace with the rate of change in the data or information that is being measured, so that any unacceptable deviations from desired performance of the EOI processes are avoided wherever possible, or resolved where this has not been possible.
The frequency of monitoring and evaluation needs to be influenced by both the rate at which the identity-related risks can change and the extent to which any changes are important. In many cases, a change in one of these factors also affects the other.
The intervals between evaluation cycles can be increased when the circumstances being evaluated have not materially changed from the circumstances that were evaluated last. Accordingly, each agency SHOULD revise its evaluation processes in light of experience gained from previous monitoring and evaluation cycles.
NOTE - Episodic evaluation can be either in addition to or instead of periodic evaluation, depending on the extent to which outcomes may deviate from business objectives.
3.6.5.2 Changing monitoring processes
The type of monitoring SHOULD be changed if the current monitoring does not allow a timely and adequate assessment of the appropriateness and effectiveness of the EOI processes relative to the EOI objectives being assessed.
More monitoring SHOULD be undertaken when additional monitoring of the same type is expected to yield additional information that justifies the additional effort. Justification relates to how valuable the additional monitoring is expected to be relative to the expense or effort of conducting it.
Changes to monitoring regimes often involve changes to both the types of monitoring and the overall amount of monitoring that is undertaken, particularly until the agency establishes a good understanding of its exposure to identity-related risk and the extent to which its EOI processes address it. Once these positions have been established, agencies will be able to more efficiently adjust their monitoring and evaluation activities to maintain the identity-related risks associated with their services at an acceptable level.
3.6.6 Step 3 - Amend EOI processes
Where evaluation processes indicate that EOI processes are not sufficiently reducing identity-related risk or meeting objectives, consideration MUST be given to amending EOI processes.
Any amendments to an agency's EOI process MUST be subject to the same consideration as the initial design (see 3.4.7). In addition, any amended process SHOULD be fully tested before becoming part of the ongoing operation.
Working group representation
The following agencies/organisations were represented on the EOI Standard Working Group:
Department of Internal Affairs
Ministry of Justice
Department of Labour
Inland Revenue
Land Transport New Zealand
Ministry of Education
Ministry of Health
Ministry of Social Development
New Zealand Police
Office of the Privacy Commissioner (Observer status)
State Services Commission
Acknowledgement
The Department of Internal Affairs and the State Services Commission gratefully acknowledge the contribution of time and expertise from all those involved in developing this Standard.
Copyright
This document is subject to Crown copyright. This material may be used, copied and redistributed free of charge in any format or media, provided that the source and copyright status is acknowledged (i.e. this material was produced by the Department of Internal Affairs © Crown copyright 2006).
Referenced documents
Joint Australian/New Zealand Standards
AS/NZS 4360:2004 Risk Management (Australian/New Zealand Standard)
www.standards.co.nz
SAA/SNZ HB 231:2004 Information Security Risk Management Guidelines (Australian/New Zealand handbook)
www.standards.co.nz
SAA/SNZ HB 436:2004 Risk Management Guidelines - Companion to AS/NZS 4360:2004 (Australian/New Zealand Standard)
www.standards.co.nz
New Zealand Legislation
Adult Adoption Information Act 1985
Arms Act 1983
Births, Deaths and Marriages Registration Act 1995
Citizenship Act 1977
Civil Union Act 2004
Electoral Act 1993
Electronic Transactions Act 2002
Human Rights Act 1993
Immigration Act 1987
Land Transport Act 1998
Land Transport (Driver Licensing) Rule 1999
Ombudsmen Act 1975
Passports Act 1992
Protection of Personal and Property Rights Act 1988
Privacy Act 1993
Public Records Act 2005
Sale of Liquor Act 1989
Social Security Act 1964
Tax Administration Act 1994
Other
Bradner, S. March 1997. Key words for use in RFCs to indicate requirement levels (RFC 2119). www.ietf.org
Department of Internal Affairs. 2004. Evidence of identity framework. www.dia.govt.nz
Office of Management and Budget. 2003. E-authentication guidance for federal agencies (M-04-04). www.whitehouse.gov
Office of the Privacy Commissioner. 2002. Privacy impact assessment handbook. www.privacy.org.nz
Office of the Privacy Commissioner. 1998. Fact sheet no. 5, Information matching. www.privacy.org.nz
State Services Commission. 2006. Authentication key strengths standard. Version 1.0. www.e.govt.nz
State Services Commission. 2006. Data formats for identity records standard. Version 1.0. www.e.govt.nz
State Services Commission. 2006. Guidance on multi-factor authentication. www.e.govt.nz
State Services Commission. 2006. Guide to authentication standards for online services. Version 1.0. www.e.govt.nz
State Services Commission. 2006. New Zealand e-government interoperability framework (NZ e-GIF). Version 3.0. www.e.govt.nz
State Services Commission. 2006. Password standard. Version 1.0. www.e.govt.nz
State Services Commission. 2006. Security assertion messaging framework. www.e.govt.nz
State Services Commission. 2005a. Development goals for the State Services. www.e.govt.nz
State Services Commission. 2004. Authentication for e-government: best practice framework for authentication. www.e.govt.nz
State Services Commission. Security assertion messaging standard. (In preparation.) www.e.govt.nz
Related Websites
www.dia.govt.nz
www.legislation.govt.nz
www.privacy.org.nz
www.ssc.govt.nz
www.travel.state.gov/visa/reciprocity/index.htm
Latest revisions
This Standard is to be reviewed from time to time by the working group, so that it keeps up to date with changes in the sector.
Users should ensure they access the latest revisions of the NZ e-GIF authentication standards, including amendments (if any). These can be found at www.e.govt.nz. Users should also access the latest revisions of the documents included in the list of referenced documents set out in this Standard.
Review of standards
Suggestions for improvement of this Standard are welcomed. They SHOULD be sent to the Department of Internal Affairs (the EOI Standard Custodian) at:
Email: eoistandard@dia.govt.nz