On 8 November 2024, the Government published the Digital Identity Services Trust Framework Rules 2024 (the Rules). The Rules, which form a key part of the Digital Identity Trust Framework (Framework), set out the operational requirements for how accredited services must be provided, in order to ensure a safe, secure and trusted digital identity ecosystem. You can read the Rules here.
What is the Digital Identity Trust Framework
The Framework provides the regulatory oversight of digital identity services in New Zealand and is designed to protect information and privacy when businesses and individuals use accredited digital identity services. The Framework establishes a set of rules and standards for accredited digital identity services under the Digital Identity Services Trust Framework Act 2023, which came into effect on 1 July 2024. The purpose of the Framework is to ensure that digital identity services are secure, privacy-focused, and user-friendly. Accreditation requires providers to meet stringent standards in areas such as privacy, security, risk management, and data sharing.
The Rules, which have now been finalised and released, will be overseen by the Trust Framework Authority, a statutory entity within the Department of Internal Affairs. The Trust Framework Authority will ensure that service providers are compliant with the Framework, will manage any regulatory aspects, and will issue accreditation to providers.
Some of the key categories within the Rules include:
- Consent: Individuals must provide informed consent for their identity credentials to be used by service providers.
- Service standards: Service providers must have appropriate systems in place to accurately authenticate identity and manage credentials.
- Privacy impact assessments: As well as complying with the requirements of the Privacy Act 2020, digital identity service providers will need to conduct a privacy impact assessment to assess the risks arising from their collection and use of the information used for digital identity purposes.
- Security: All digital identity service providers must also have a risk management plan in place, use secure cryptographic methods to protect information, and set up protocols for managing data breaches.
- Data management: Service providers must also maintain a detailed information governance plan that considers ethical handling approaches, including consideration of a te ao Māori perspective.
Digital identity service providers can apply to be accredited, which allows them to display an accreditation mark so individuals are aware that their service has been accredited by the Trust Framework Authority. Accreditation is not mandatory, but allows people and businesses to distinguish between different providers in the market.
How can digital identity be used
Regulating digital identity services increases the trust that people and businesses have in sharing information online, which will allow for a range of use cases to arise such as:
- Enabling patients to prove their eligibility for health services, prove their identity to securely access medical records online, or verify their vaccination status.
- Streamlining the process of applying for benefits, permits or licences by allowing individuals and businesses to apply online, without having to be subject to additional checks.
- Improving workplace efficiency, such as in recruitment situations where individuals applying for jobs can provide verified qualification credentials. Employees can also use digital proof that they are authorised to act on behalf of their employer.
The Commerce Commission expressly noted in its Market Study into personal banking services that digital identity was a fundamental building block to realise the full potential of open banking. It recommended that banks actively participate in the digital identity ecosystem to help make switching between banks easier, by streamlining AML/CFT authentication processes and negating the need for paper-based, in-person verification, and to reduce fraud through the use of biometrics to verify identity.
Our view
The Framework represents an important step towards normalising digital identity services in New Zealand. For our technology clients, it offers opportunities to build or integrate compliant identity verification solutions. This also aligns with global trends towards secure and interoperable digital identity systems.
We are looking forward to seeing the innovation that accompanies the regulation of the industry, and seeing more digital identity services enter the market. The Framework sets the foundation for not only simplifying identity verification but also significantly reducing certain risks associated with physical document management and identity fraud. Businesses can benefit from streamlined processes, while individuals enjoy greater control and confidence in their digital interactions.
By prioritising privacy and embedding principles aligned with te ao Māori, the Framework reflects a progressive and inclusive approach to digital governance. We recommend our clients explore opportunities to integrate these services into their operations, enhancing both security and efficiency.
If you have any questions on the Framework or Rules, or would like assistance in managing your compliance obligations, please get in touch with one of our experts.
This article was co-authored by Thomas Anderson, a Solicitor in our Technology team.