Key concepts and principles
Concepts of the trust framework
The trust framework helps to protect people’s information and privacy.
The trust framework gives people control over their information
Digital identity services allow people to complete tasks online or in person digitally. People can decide what personal information to share, including when, how, and who with.
The trust framework helps to protect information and privacy when using accredited digital identity services. There are rules and regulations to ensure that people have a choice about using digital identity services. This means consent is always needed and that someone’s information is not stored or held by an accredited digital identity service provider in a way that breaches privacy.
Key concepts of the trust framework
- Consent is always required
- Personal information will not be held in a centralised database
- The system is opt-in
- Service provider accreditation is not compulsory
- Sharing between government departments remains controlled
- Privacy and security standards are built in
- Rules incorporate te ao Māori perspectives of identity
- Identity theft risks are managed
Consent is always required
People need to provide consent when they share their information using accredited digital identity services.
Requiring consent means that digital identity service providers delivering accredited services within the trust framework must always seek the user’s permission before sharing personal or organisational digital identity information.
Requiring consent is a core rule that applies to all transactions.
This requirement supports and aligns with the principles of the Privacy Act 2020.
Privacy Act 2020 and the Privacy Principles — Privacy Commissioner
Personal information will not be held in a centralised database
The trust framework does not create a central repository or database to store the information of people or organisations. The rules and regulations for the trust framework support a decentralised approach to the holding and sharing of information.
Every transaction with a trust framework provider will be initiated by a request from a person who needs to access a service or share information (for example: their name, qualification or age). The trust framework rules and regulations will not allow accredited providers to connect information in ways a person has not consented to.
Digital identity services are opt-in
People will always have a choice about whether they use digital identity services.
There will always be alternative ways to access government services, such as in-person or paper-based methods.
Service provider accreditation is not compulsory
Accreditation is not mandatory. Digital identity service providers can still deliver their services without being accredited under the trust framework.
The trust framework accreditation mark allows people and businesses to distinguish between accredited and non-accredited digital identity service providers.
Sharing between government departments remains controlled
The trust framework will not change the way government departments currently share information.
This type of information sharing is governed by the Privacy Act 2020. It says that government departments may only share information if there is an Approved Information Sharing Agreement (AISA) in place. These are covered under Part 7 of the Privacy Act 2020.
Information sharing arrangements, such as AISAs, will continue.
Part 7: Sharing, accessing and matching personal information — New Zealand Legislation
More information from the Office of the Privacy Commissioner
- Approved Information Sharing Agreements — Privacy Commissioner
- Can one government agency share my information with another agency — Privacy Commissioner
Privacy and security standards are built in
There are clear privacy and security rules for how personal and organisational information can be collected, retained and shared within the trust framework. Digital identity services will be accredited against these rules. The trust framework rules do not override the Privacy Act 2020.
Privacy and security rules cover requirements for the following areas.
Collecting information
The trust framework rules require accredited services to be clear about the purpose for collecting the information and to collect only what is required.
Holding information
Security of systems and processes for storing information must be robust and meet industry standards. There must be valid reasons for retaining any of the information collected.
Sharing information
Technical processes for sharing need to follow rules on, for example:
- encryption standards
- ways to stop different parties being able to track information when it's shared
- minimising the amount of information that is shared, where appropriate.
Accredited providers need to have a process in place for disposing of information. This way, necessary records are kept, but other information is deleted safely and securely.
Rules incorporate te ao Māori perspectives of identity
Specific provisions in the Digital Identity Services Trust Framework Act 2023 ensure that te ao Māori approaches to identity are considered in trust framework governance and decision making.
Ways of embedding te ao Māori and Te Tiriti o Waitangi perspectives and requirements throughout the rules are being considered through the development and testing stages.
Identity theft risks are minimised
New Zealand’s current digital identity environment is unregulated. This means that people and businesses are exposed to an increasing risk of online fraud and privacy breaches.
New Zealand has new identification standards designed to help prevent identity theft, fraud and loss of privacy.
The standards underpin all transactions that occur within the trust framework and will be a key part of the new regulatory framework.
Identification standards — Digital Government
Principles of the trust framework
These principles help to shape the trust framework, which sets out how accredited digital identity services should work in New Zealand.
Principles for an effective trust framework
The principles inform the rules and regulations. Digital identity service providers should strive to follow these principles.
The principles should be treated as in draft while the rules and regulations that will support the trust framework continue to be developed.
- People-centred
- Inclusive
- Secure
- Privacy-enabling
- Enabling te ao Māori approaches to identity
- Sustainable
- Interoperable
- Open and transparent
People-centred
The rights and needs of people are of the highest importance, though not to the exclusion of the needs of other entities involved in the digital identity environment.
Key measures
- People’s participation in the use of digital identity services is voluntary, with the right to opt out without penalty.
- Digital identity services are convenient and straightforward for people to use.
- People retain control over their information in line with legislative requirements, including the Privacy Act 2020.
Inclusive
The trust framework aims to create a digital identity environment that is accessible and inclusive. Everyone has a right to choose whether they use digital identity services.
Key measures
- The digital identity environment reflects the needs and requirements of a broad range of stakeholders.
- Barriers to participation in digital identity services, whether they be social, financial or technical, are minimised without compromising security or privacy.
- Everyone is able to use digital identity services without risk of discrimination or exclusion.
Secure
Everyone has the right to expect that personal and organisational information will be stored, shared and used in a secure manner within the digital identity environment.
Key measures
- Systems and services are designed with the security of information in mind.
- Technology design, operational controls and regulations governing the use of personal and organisational information safeguard it from breaches, corruption or loss.
Privacy-enabling
Privacy is a critical part of digital identity services. Everyone’s privacy must be respected.
Key measures
- Approaches to privacy are proactive and preventative.
- Privacy is embedded in the design and maintenance of systems and services.
- There are no gaps in either protection or accountability — privacy is continuously protected.
- Obligations are met regarding the legislative requirements of the Privacy Act 2020.
Enabling te ao Māori approaches to identity
The digital identity environment is inclusive of Māori perspectives of identity and enables the needs and aspirations of Māori to be achieved.
Key measures
- Māori participate equitably in the digital identity environment.
- Māori perspectives and approaches to identity are enabled by the digital identity environment.
- The digital identity environment is developed and maintained in partnership with Māori.
- Māori are supported in leadership and decision-making roles to ensure Māori perspectives of data and identity are embedded in the digital identity environment.
Sustainable
The digital identity environment must be designed and maintained in a manner that supports its technical, social, and economic sustainability in the long term.
Key measures
- The digital identity environment generates value — for example, social, economic or fiscal — for those involved.
- Systems and services are sufficiently flexible to adapt to change — for example, social licence, government priorities, emerging technologies or regulatory developments — and support innovation.
- Systems and services are scalable, or able to be altered in size, in order to enable people-centred outcomes.
Interoperable
Personal and organisational information should be able to be re-used across services, sectors and geographies without security or privacy being undermined.
Key measures
- Common approaches such as open standards, frameworks or best practice guidelines are used to ensure consistency and facilitate interoperability nationally and internationally.
- Barriers to interoperability such as proprietary technology or the lack of portability of personal and organisational information are minimised.
- Consultation and collaboration occur between the public sector, private sector, Treaty partners, the wider community and international partners to identify and address interoperability issues.
Open and transparent
The digital identity environment is maintained in an accessible, responsive and accountable manner.
Key measures
- It’s clear how personal and organisational information is stored, used and shared, and for what purpose.
- The rules and standards governing the digital identity environment are available to all.
- Government is accountable to the public for its role in the digital identity environment.