On 29 September 2021, the Digital Identity Services Trust Framework Bill (Bill) was introduced into Parliament. The Bill had its first reading on 19 October and has been referred to the Economic Development, Science and Innovation Select Committee for consideration and public submission.
The Bill will establish a trust framework governing the provision of secure digital identity services (the Trust Framework). The Bill’s introduction is timely, given the increasing need for consistent and trustworthy online identification services in this increasingly digital and physically distanced age.
In this article we explain the aims of the Bill, look at what a ‘digital identity’ is, where digital identity services fit in and summarise the key aspects of the Bill.
The Trust Framework
The creation of the Trust Framework aims to align New Zealand’s digital identity services landscape with that of Australia, Canada and the United Kingdom. The Trust Framework is intended not only to increase public trust in digital identity services and give users of those services more control over their personal information, but also to drive innovation and the creation of interoperable digital identity services that will increase efficiency in domestic and international transactions.
At this stage it is only proposed that the Trust Framework will be an opt-in regime.
Your digital identity and digital identity services
When an individual wishes to interact with an organisation, that organisation often needs to establish who they are dealing with. There are a couple of ways that can be done. For instance, the organisation can establish a registration process that involves the individual providing identification documents to that organisation, and the organisation checks those identification documents in order to verify the identity of the individual. An alternative is for the organisation to work with a party that has already obtained and checked the identification documents so that the organisation does not need to do so. In the online world, such a party is a digital identity services provider, and what has been verified is the individual’s ‘digital identity’.
An individual’s digital identity can consist of multiple types of verifying information (commonly referred to as ‘attributes’), for instance passport and driver’s licence information. What a digital identity services provider does is establish that these attributes belong to a particular individual. A well-known example of a digital identity is a RealMe (Tēnei au) verified identity.
Where an organisation engages with a digital identity services provider, the individual can then permit those attributes of the individual’s digital identity to be shared with the organisation (or perhaps just have the digital identity services provider confirm that the individual’s digital identity contains those attributes) in order to access services or complete transactions. The organisation trusts the verification that the digital identity services provider has undertaken so that it does not need to do it as well.
Key elements of the Bill
In a nutshell, the Trust Framework proposed by the Bill will allow for rules to be developed that digital identity service providers can choose to follow. Where a provider has followed them, organisations would have confidence that the provider has correctly verified the identity of an individual. Privacy requirements in relation to digital identity services would remain covered by the Privacy Act 2020.
For readers who are interested in understanding the roles for each party and the benefits of a Trust Framework, the UK (who are also looking at putting a similar trust framework in place) have produced a useful resource covering these matters (and providing examples of the situations in which a digital identity is needed), which is accessible here.
The key elements of the Bill are:
- Voluntary rules will be established by the Government which set out certain minimum requirements in relation to the provision of digital identity services (Rules). These will cover areas such as:
  - identification management;
  - privacy and confidentiality;
  - security and risk;
  - information and data management; and
  - sharing and facilitation.
- A provider of digital identity services (called a TF provider in the Bill) may become accredited if it meets those minimum requirements. Such TF providers would then have the right to use a ‘trust mark’ identifying this status.
- A Trust Framework Board would be established, tasked with monitoring the operation of the Trust Framework and recommending changes to the Rules as necessary.
- A Trust Framework Authority would also be established, which would be responsible for upholding the Trust Framework regime, making decisions on accreditation applications, maintaining a register of accredited TF providers and enforcing the Rules (including dealing with complaints).
- There will be offences for actions including falsifying an accreditation application or misrepresenting oneself as a TF provider.
In addition, the Bill would also provide a degree of immunity from liability for TF providers in relation to claims arising from using an accredited digital identity service. This could impact uptake by organisations, as they would not be able to recover losses arising from use of the service by a user if the TF provider was negligent in providing the service. It will be interesting to see if this provision changes as the Bill progresses through Parliament.
Anyone who provides digital identity services, or who wishes to use such a provider, should start to become familiar with the regime proposed by the Bill. Submissions on this Bill are also now open and can be made at any time up until 2 December.
If you are interested in how this Bill might affect you or want advice on drafting Select Committee submissions please contact us.