- TRUST FRAMEWORK FOR DIGITAL IDENTITY
- Trust Framework Authority
- Share your information in a digital format
- NZ Verify
- Benefits of using digital identity services
- Trust Framework Authority accreditation mark
- Trust Framework legislation
- Trust Framework Regulatory bodies
- Trust Framework Register
- Accreditation & maintenance
- Forms and guidance
- Independent evaluators
- Resources
- Make a complaint
Accreditation of digital identity providers and services
The Digital Identity Services Trust Framework Act 2023 sets out a legal framework for providing secure and trusted digital identity services in Aotearoa New Zealand.
It also establishes the Digital Identity Services Trust Framework Authority (Trust Framework Authority) as the regulator for accredited digital identity service providers in Aotearoa New Zealand. The Trust Framework Authority administers the accreditation process, and assesses and decides on applications for Trust Framework accreditation.
Providers of digital identity services are encouraged to contact the Trust Framework Authority at TFA@dia.govt.nz to discuss their application prior to starting.
Requirements
To be accredited, providers must demonstrate that they and the service(s) for which accreditation is sought meet the requirements of the:
- Digital Identity Services Trust Framework Act 2023 — New Zealand Legislation website
- Digital Identity Services Trust Framework Regulations 2024 — New Zealand Legislation website
- Digital Identity Services Trust Framework Rules in place at the time of accreditation
- Identification standards - Digital Government website
All application templates and guidance can be found on the forms and guidance web page.
About the application form
Providers seeking accreditation under the Act must complete the Digital Identity Services Trust Framework Authority application form.
The form requires you to gather evidence to show your service meets the Digital Identity Services Trust Framework Act Regulations and Rules. It should be read and completed in conjunction with the Trust Framework Authority application guidance.
A quick checklist is also included, to support providers with their application.
The application form is structured as follows:
- questions about the provider
- questions about the services for which the accreditation is sought
- declarations
- documents to provide.
There are four key areas for the assessment
The Trust Framework Authority will assess the following four areas:
1 — Provider
An assessment of the provider, including their operational capability, confirming they meet the requirements set out in the legislation.
2 — Identification management
Independent evaluation
An independent evaluation of the digital identity service against the New Zealand Identification Standards completed by the identification team at the Department of Internal Affairs or by an identification management evaluator.
Trust Framework Authority Assessment
The Trust Framework Authority will complete a service assessment. This requires a detailed description of the service, provision of specified documentation and a demonstration of the digital identity service. The provider may also be invited to a question and answer session to answer questions in relation to the application.
3 — Privacy
An independent evaluation of the provider’s compliance with the privacy part of the Digital Identity Trust Framework Rules and with the Privacy Act 2020.
4 — Security
An assessment of the provider’s compliance with the Digital Identity Services Trust Framework Rules for security and risk management.
Successful accreditation
If accredited, you can deliver the accredited service(s) under the Trust Framework and display an accreditation mark in relation to each accredited service.
When to renew your accreditation
Accreditation of a Trust Framework provider or service expires three years after the date accreditation was granted by the Trust Framework Authority.
Notification of changes to your application
Providers are required to inform the Trust Framework Authority of when a change takes place to information provided in the application. It is an offence under section 33 of the Digital Identity Services Trust Framework Act 2023 to fail to tell the Trust Framework Authority of changes to key information or specified information. Notification must be within 5 working days of a change.
