The Department of Internal Affairs

Te Tari Taiwhenua | Department of Internal Affairs

Building a safe, prosperous and respected nation



 

Resource material › Evidence of Identity Standard › Questions and Answers

What is the Evidence of Identity (EOI) Standard?


The Evidence of Identity (EOI) Standard is a good practice guide for organisations who need to establish and subsequently confirm the identity of individuals accessing their services. The Standard applies only for those services that have a degree of identity-related risk.

The Standard is part of the suite of New Zealand Authentication Standards for online service delivery designed to assist agencies to meet the goal of transforming government through the use of the internet. However, the EOI standard also applies to offline services.

What do we mean by evidence of identity?


EOI is the types of evidence that, when combined, provide organisations with confidence that an individual is who they claim to be.

The Evidence of Identity Standard is based on three components that, if applied as a whole to an individual case, provide confidence that a person actually owns the identity they require.

The three components for establishing identity are:
    • 1. Evidence that the claimed identity is valid – i.e. that the person was born and, if so, that the owner of the identity is still alive.
    • 2. Evidence that the presenter links to the claimed identity – i.e. that the person claiming the identity is who they say they are and that they are the only claimant of the Identity.
    • 3. Evidence that the presenter uses the claimed identity – i.e. that the claimant is operating under this identity in the community.
Evidence of identity is the combined evidence that individuals provide to organisations to show that they are who they say they are. The level of evidence that they have to provide will vary, depending on the level of potential risk of the service they require.

Why introduce an Evidence of Identity Standard?


Identity theft and fraud are becoming both easier and more prevalent. The introduction of a mandated Standard is one effective way to reduce the effects of identity crime and its consequences. It is not, however, the only mitigation. With Internet services, some people are becoming increasingly concerned about privacy. The Evidence of Identity Standard has been developed in consultation with the Office of the Privacy Commissioner to help ensure that the evidence being provided is appropriate for the service the public is receiving.

The Evidence of Identity Standard has been developed in response to the need to ensure organisations apply consistent, good practice methods of establishing and confirming the identity of individuals with whom they transact.

It is important that the correct level of evidence of identity is collected for the appropriate service. This is because:
    • If organisations collect too much identity related information this may be inconsistent with New Zealand’s privacy requirements.
    • If organisations collect too little identity related information then the organisation might not achieve its business objectives; the public’s confidence in the ability of the organisation might be eroded and identity theft might occur, which could lead to entitlement fraud.
The Standard will ensure consistency in the purposes for which particular documentation should, and should not, be used within an evidence of identity process.

The Standard was also introduced to assist with the transformation of government service delivery through the use of the internet. This aspect includes the goal of increased customer convenience through more efficient service delivery, and reduced cost by eliminating duplication of investment by agencies as they use RealMe services rather than invest in their own systems.

Who should be using the Evidence of Identity Standard?


The Standard has been developed primarily for use by New Zealand government agencies. However, private sector organisations may also choose to use the Standard for services that involve identity risk. These include applying for financial services or services that may entail a security risk.

The Standard applies to both online and offline services. Public and private sector organisations should also use the Standard when hiring staff when they need to be confident that the potential employee is who they say they are.

Why should organisations use the Evidence of Identity Standard? What does it mean for the public?


It will be useful for organisations that are large repositories of personal information, such as: banks, credit agencies, insurance companies, and telecommunications providers. The Evidence of Identity Standard stresses the need for the development of identity-related business processes that are privacy compliant. The development of consistent evidence of identity practices across sectors is likely to raise the overall level of public trust in identity verification and have a positive effect on prevention of identity theft.

The Evidence of Identity Standard will provide confidence that the information the public (individuals) are asked to provide is appropriate to the service requested. For example, the level of evidence required for a passport will be more than for a library card. People will not be asked for any more evidence than is necessary to mitigate the level of identity-related risk inherent in the service.

The Standard will therefore help to assure the public that privacy considerations have been addressed when organisations develop processes relating to identity establishment and/or confirmation.

The Evidence of Identity Standard will provide consistency in experience when people are using similar services.

The Standard will help to protect individuals from identity theft.

How is it used?


The focus of the Standard is on an organisation’s contact with an individual accessing a service or services. This applies to both initial establishment of identity and/or subsequent confirmation of that individual’s identity during later contacts with the organisation in relation to that service.
There are three components for establishing an individual’s identity. The Evidence of Identity Standard maintains that all three must be verified for moderate to high risk services before being confident that an individual is who they claim to be.
    1. Is the identity valid? Was the person born? Are they still alive?
    2. Does the presenter have links to the identity? Is this their identity information?
    3. Does the presenter use the identity? Is this how they’re known in the community?
The Standard takes an organisation through the process to establish the level of identity-related risk in the service, or services, they provide. This is undertaken through a risk assessment. The results of the risk assessment will enable an agency to determine how the three components for establishing identity can be best met.

Does the Evidence of Identity Standard eliminate identity crime? HOW does the Evidence of Identity Standard protect us against the threat of terrorism and organised crime?


The newest growth sector for organised crime is identity theft and this is an international problem. The Evidence of Identity Standard will not entirely eliminate identity crime. The Standard aims to reduce risks by providing organisations with good practice guidance on evidence of identity requirements for services with varying degrees of identity-related risk.

If an appropriate standard is established from the start, then organisations will be able to gain a higher degree of confidence that the person presenting to them for a service is the person they claim to be. This will reduce the risk of identity theft, along with the associated downstream consequences (identity crime).

In addition the Standard will help ensure organisations ask only for the identity information they really need for the service being delivered. This is known as ‘fit for purpose’.

Is it compulsory for government agencies to use the Evidence of Identity Standard?


The Standard was developed principally for use by New Zealand government agencies. Currently this Standard is 'recommended' for all services delivered to the public that contain identity-related risk. The Standard will apply to both online and offline services provided by agencies.

Private sector organisations can also choose to use the Standard for services that involve identity risk.

What happens if a government agency already has a process in place?


If a government agency already has an evidence of identity process in place for a service, it will need to assess that process against the requirements of the Evidence of Identity Standard. If the current process doesn’t meet the design and operational requirement of the Evidence of Identity Standard, then appropriate changes should be made when the agency is next making changes to those services.

Is there an extra cost if agencies use the Evidence of Identity Standard?


There is no extra cost in the Standard itself. Extra costs may be incurred by organisations when internal resources are used in the implementation of the Standard, and any associated costs resulting from the need to amend business processes. It is also possible that some costs could reduce if an organisation has been using more complex processes than absolutely necessary.

What information can be held by organisations using the Evidence of Identity Standard? Who has the right to see the information held about me? Can I check the information held about me?


Regulations setting out what personal information can be held by organisations (agencies) are governed by the Privacy Act 1993. The Privacy Act also governs who has the right to see individual’s personal information and how that individual might get access to the information.

For information about the Privacy Act see the Privacy Commissioner’s website: www.privacy.org.nz

Does the Evidence of Identity Standard apply to visitors to New Zealand, permanent residents who were not born in New Zealand and foreign nationals?


Yes, the Evidence of Identity Standard applies to anyone accessing services with a degree of identity-related risk, not the ‘types’ of individual customers.

There was a new version of the Evidence of Identity Standard released in 2009, what is the difference and why was a new version released?


The Evidence of Identity Standard was originally published in 2006, as Version 1.0 and piloted be some government agencies. After these pilots the Standard was evaluated and additional guidance was developed for some areas, such as document recognition of overseas documents and identifying children (who commonly have few identity documents).

Version 2.0 is not a fundamental change from Version 1.0 but just provides more clarification and guidance to assist agencies in implementing the standard.

The original framework and concepts from Version 1.0 remain along with much of the original content; however, Version 2.0 provides clarification of some of this original content, with enhancement through the inclusion of new areas of guidance. This includes guidance on confirmation of a person’s identity.

What guidance is there available?


The Evidence of Identity Standard contains a section of guidance on implementation; however other separately produced guidance is also available including:
    • Risk assessment guidelines and tool
    • Factsheets about commonly used identity document
    • Pre-employment screening / recruitment information
In addition, the Department of Internal Affairs (DIA), as Custodian of the Evidence of Identity Standard can provide further advice and education. The EOI Standard Custodian can be contacted via email: eoistandard@dia.govt.nz