Reprint
as at 1 April 2014

Coat of Arms of New Zealand

Electronic Identity Verification Act 2012

Public Act2012 No 123
Date of assent18 December 2012
Commencementsee section 2

Note

Changes authorised by subpart 2 of Part 2 of the Legislation Act 2012 have been made in this official reprint.

Note 4 at the end of this reprint provides a list of the amendments incorporated.

This Act is administered by the Department of Internal Affairs.


Contents

1 Title

2 Commencement

Part 1
Preliminary provisions

3 Purpose

4 Principles

5 Overview

6 Act binds the Crown

7 Interpretation

Part 2
Electronic identity verification

Subpart 1Electronic identity credential

General

8 Electronic identity credential: definition

9 Electronic identity credential: contents

10 Electronic identity credential: duration

11 Only 1 electronic identity credential per individual

12 Exception to section 11 for certain individuals with new identity information

13 Limits of exception in section 12

14 Electronic identity credential to be personal to individual

15 Individual has no property rights in electronic identity credential

Use

16 Restrictions on use of electronic identity credential by individual

17 Use of electronic identity credential by individual

18 Use of electronic identity credential by participating agency

19 Effect of using electronic identity credential

20 Effect of change in status of electronic identity credential

Access

21 Access to core identity information and status information

22 Access to photograph

23 Access to record of usage history via chief executive

24 Disclosure of record of usage history by chief executive

25 Access to record of usage history via search warrant

Applications

26 What applications may be made

27 Who may make application

28 Application for issue

29 Application for renewal

30 Application for amendment

31 Application for voluntary cancellation

Mandatory amendment or cancellation, suspension, or revocation

32 Mandatory amendment of electronic identity credential

33 Mandatory cancellation of electronic identity credential

34 Suspension of processing of application or electronic identity credential

35 Revocation of electronic identity credential

36 Process for suspension or revocation

Subpart 2Administrative provisions

Information matching

37 Definitions

38 Purpose of disclosure of identity-related information

39 Disclosure of identity-related information

40 Use of results of information matching

Functions of chief executive

41 Functions of chief executive

Duties of chief executive

42 Chief executive must take all reasonable steps to authenticate individual's identity

43 Chief executive must publish material

44 Chief executive must keep record of usage history for prescribed period

Powers of chief executive

45 Chief executive may approve manner in which applications to be made

46 Chief executive may specify information to be provided with applications

47 Chief executive may set standards or specifications for use of electronic identity credentials by participating agencies

48 Chief executive may require participating agencies to report on use of electronic identity credentials

49 Chief executive may suspend use of electronic identity credentials by participating agencies

50 Chief executive may delegate functions, duties, and powers

51 Chief executive may enter into agreement with third party for performance of functions and duties, or exercise of powers, under this Act

52 Application of Ombudsmen Act 1975 and Official Information Act 1982 to certain delegates of chief executive and to certain third parties

Reconsideration of decisions

53 Application of section 54

54 Reconsideration of decision

Electronic Identity Verification Service

55 Electronic Identity Verification Service

56 Function of Service

Reporting requirements

57 Privacy Commissioner may require periodic reports on operation of Service or of confirmation agreement

Part 3
Miscellaneous provisions

Relationship with other Acts

58 Official Information Act 1982

59 Privacy Act 1993

Offences and penalties

60 Offences relating to Service information and material

61 Offence relating to improper issue

62 Offences relating to improper access and use

63 Offences involving statements or documentation

Court orders

64 Court may make certain orders in relation to specified offence

Liability

65 Protection from liability

Notices

66 Giving of notices

Regulations

67 Regulations relating to participating agencies

68 When Minister may recommend certain regulations relating to participating agencies

69 Regulations relating to agencies for purposes of Schedule 1

70 Regulations relating to time periods

71 Regulations relating to fees

72 Other regulations

Transitional provisions

73 Pre-commencement electronic identity credential

74 Existing application for pre-commencement electronic identity credential

75 Pre-commencement third-party agreement

Consequential amendments

76 Consequential amendments

Schedule 1
Identity information checks

Schedule 2
Consequential amendments


The Parliament of New Zealand enacts as follows:

1 Title
  • This Act is the Electronic Identity Verification Act 2012.

2 Commencement
  • (1) Parts 2 and 3 (except sections 67 to 72) and Schedules 1 and 2 come into force on a date appointed by the Governor-General by Order in Council and 1 or more Orders in Council may be made appointing different dates for different provisions and for different purposes.

    (2) Any provisions of Parts 2 and 3 and Schedules 1 and 2 that are not in force on the day that is 12 months after the date on which this Act receives the Royal assent come into force on that day.

    (3) The rest of this Act comes into force on the day after the date on which it receives the Royal assent.

    Section 2(1): Parts 2 and 3 (except sections 67 to 72) and Schedules 1 and 2 brought into force, on 2 April 2013, by the Electronic Identity Verification Act Commencement Order 2013 (SR 2013/8).

    Section 2(2): Sections 67 to 72 brought into force, on 18 December 2013, by section 2(2).

Part 1
Preliminary provisions

3 Purpose
  • (1) The purpose of this Act is to facilitate secure interactions (particularly online interactions) between individuals on the one hand and participating agencies on the other.

    (2) To that end, this Act—

    • (a) ensures that participating agencies can achieve a high degree of confidence in an individual's identity by providing the individual with the option of verifying his or her identity authoritatively and in real time by electronic means if a degree of confidence is necessary for the interaction between the participating agency and the individual; and

    • (b) provides for a whole of government shared service to enable a centralised approach to be taken in relation to the verification of an individual's identity by electronic means while protecting the individual's privacy.

4 Principles
  • (1) This Act is based on the following principles:

    • (a) an individual has a complete discretion to decide whether to apply for an electronic identity credential to be issued to him or her and whether to use it at all if it has been issued:

    • (b) an individual may continue to access the services of a participating agency by means other than by using an electronic identity credential even though an electronic identity credential has already been issued to him or her:

    • (c) the use of an electronic identity credential does not, of itself, limit or affect the need for an individual, if required,—

      • (i) to show that he or she is qualified or eligible for a particular service offered by a participating agency; and

      • (ii) to authorise the agency to act on a particular matter or transaction:

    • (d) an individual's consent to the supply of his or her personal information to a participating agency must be obtained before the Service can supply the information to the agency and, even if the consent is obtained, the Service may supply only the minimum amount of personal information that is necessary for the agency to act as part of a given transaction or a series of transactions:

    • (e) an individual may check whether information held about him or her by the Service is correct and up to date:

    • (f) an individual may view the record of usage history for his or her electronic identity credential:

    • (g) the Service may disclose core identity information contained in electronic identity credentials, photographs, or records of usage history only in accordance with this Act.

    (2) The chief executive, the Service, every employee or contractor of the department, and every participating agency must, in making decisions, performing functions or duties, or exercising powers under this Act, take into account the principles specified in subsection (1) that are applicable, so far as is practicable in the circumstances.

    (3) Subsections (1) and (2) do not—

    • (a) override any other provision in this Act or any other enactment; or

    • (b) confer on any person any legal right that is enforceable, for example, in a court of law.

5 Overview
  • (1) Part 1 deals with preliminary matters, including the purpose of this Act, the principles on which this Act is based, the application of this Act to the Crown, and interpretation.

    (2) Part 2 deals with matters relating to electronic identity verification, including—

    • (a) provisions that set out requirements governing the use of electronic identity credentials for the purpose of verifying an individual's identity:

    • (b) provisions relating to administrative matters that underpin the substantive provisions dealing with electronic identity verification (for example, the disclosure of identity-related information to the chief executive and the Service, the functions, duties, and powers of the chief executive, the reconsideration of decisions made by the chief executive under this Act, and the function of the Service).

    (3) Part 3 deals with miscellaneous matters, including—

    • (a) this Act's relationship with other Acts:

    • (b) offences and penalties:

    • (c) court orders relating to specified offences:

    • (d) protection of the Crown and other persons from liability:

    • (e) requirements for notices given under this Act:

    • (f) regulation-making powers:

    • (g) transitional provisions:

    • (h) consequential amendments to other enactments.

    (4) Schedule 1 sets out a mechanism that allows the chief executive to authenticate an individual's identity for the purposes of this Act. It provides for identity information checks to be carried out by agencies (whether in the public sector or private sector) under confirmation agreements with the chief executive.

    (5) Schedule 2 sets out consequential amendments to other enactments.

    (6) This section is only a guide to the general scheme and effect of this Act.

6 Act binds the Crown
  • This Act binds the Crown.

7 Interpretation
  • In this Act, unless the context otherwise requires,—

    applicable transaction or service means a transaction or service chosen by a participating agency under section 18(4)(a) as a transaction or service for which the identity of an individual may be verified by electronic means

    applicant, except in section 54, means—

    • (a) an individual who makes or has made an application; and

    • (b) an individual under 14 years of age on whose behalf an application is or has been made

    application, except in sections 19(2)(a) and 54, means any of the applications referred to in section 26

    authenticated means the state of having been confirmed, to the reasonable satisfaction of the chief executive, as being authoritative

    cancellation, in relation to an electronic identity credential, means—

    chief executive means the chief executive of the department

    core identity information means the information specified in section 9(1)

    current, in relation to an electronic identity credential, means that the electronic identity credential has been issued and has not expired and is not cancelled, suspended, or revoked

    department means the department of State that is, with the authority of the Prime Minister, for the time being responsible for the administration of this Act

    electronic includes electrical, digital, magnetic, optical, electromagnetic, and photonic

    electronic identity credential has the meaning given to it by section 8

    electronic signature, in relation to information in electronic form, means a method used to identify an individual and to indicate that individual's approval of that information

    identity-related information

    • (a) means any or all of the following:

      • (ii) citizenship information (within the meaning of section 26A(6) of the Citizenship Act 1977):

      • (iii) identifying information (within the meaning of section 303(8) of the Immigration Act 2009, except that it also includes the expiry date of any visa granted to the individual (if applicable)):

      • (iv) New Zealand travel document information of a kind referred to in section 37 of the Passports Act 1992:

    • (b) includes a photograph of the individual to whom the information referred to in paragraph (a) relates

    individual means a natural person, except a deceased natural person

    law enforcement agency means—

    • (a) the New Zealand Police; or

    • (b) any government department declared by the Governor-General, by regulations made under section 72(a), to be a law enforcement agency for the purposes of this Act

    legal requirement

    • (a) means a requirement that is in an enactment administered by a participating agency or is otherwise imposed under the general law; and

    • (b) includes a provision that sets out consequences that depend on whether or not the provision is complied with

    Minister means the Minister of the Crown who is, with the authority of the Prime Minister, for the time being responsible for the administration of this Act

    organisation includes—

    • (a) a person as defined in section 29 of the Interpretation Act 1999; and

    • (b) a partnership; and

    • (c) a government department named in Part 1 of Schedule 1 of the Ombudsmen Act 1975; and

    • (d) a Crown entity as defined in section 10(1) of the Crown Entities Act 2004

    participating agency means a body, office, or officer declared by the Governor-General, by regulations made under section 67, to be a participating agency for the purposes of this Act

    personal information has the meaning given to it by section 2 of the Privacy Act 1993

    photograph includes any electronic record of the photograph

    pre-commencement electronic identity credential has the meaning given to it by section 73

    Privacy Commissioner means the Privacy Commissioner appointed under section 12 of the Privacy Act 1993

    record of usage history means the record that the chief executive is required to keep under section 44 about the usage history of each electronic identity credential

    Registrar-General has the meaning given to it by section 2 of the Births, Deaths, Marriages, and Relationships Registration Act 1995

    Service means the Electronic Identity Verification Service described in section 55

    Service database means an electronic file, register, or device in or on which information is or is to be recorded or stored by the Service or employees of the department for the purposes of this Act

    specified individual has the meaning given to it by section 12(2)

    specified offence means—

    • (a) an offence against this Act:

    • (b) an offence against any other enactment involving the use of an electronic identity credential:

    • (c) an offence against any other enactment involving a computer system on which the operation of the Service database relies

    State services has the meaning given to it by section 2 of the State Sector Act 1988

    status, in relation to an electronic identity credential, means the currency, expiry, amendment, cancellation, suspension, or revocation of the electronic identity credential

    technical code means a code to which the following apply:

    • (a) it is randomly generated by the Service for an individual's electronic identity credential; and

    • (b) it is associated with the individual's electronic identity credential; and

    • (c) it is used for 1 or more of the applicable transactions or services that the individual engages in with the participating agency; and

    • (d) it is different from the technical codes generated by the Service for other individuals' electronic identity credentials and other participating agencies; and

    • (e) it is additional to the unique code assigned by the Service to the individual's electronic identity credential under section 8

    usage history means information about each occasion that—

    • (a) an individual uses the individual's electronic identity credential:

    • (b) a participating agency uses an individual's electronic identity credential:

    • (c) any of the persons referred to in section 23(1) accesses the information referred to in paragraph (a) or (b)

    use,—

    • (a) in relation to the use of an electronic identity credential by an individual, means to use the credential as described in section 17; or

    • (b) in relation to the use of an electronic identity credential by a participating agency, means to use the credential to obtain or verify information about the identity of an individual by electronic means.

    Section 7 conviction on indictment: repealed, on 1 July 2013, by section 413 of the Criminal Procedure Act 2011 (2011 No 81).

Part 2
Electronic identity verification

Subpart 1Electronic identity credential

General

8 Electronic identity credential: definition
  • An electronic identity credential is a record kept in electronic form that—

    • (a) contains authenticated core identity information about an individual; and

    • (b) is assigned a unique code by the Service.

9 Electronic identity credential: contents
  • (1) An electronic identity credential may contain as much of the following core identity information about an individual as it is possible to authenticate:

    • (a) the individual's full name:

    • (b) the individual's sex:

    • (c) the individual's date of birth:

    • (d) the individual's place of birth.

    (2) The following table sets out details that may be included in an electronic identity credential under each of the paragraphs in subsection (1):

    Core identity information Details that may be included
    Full name 

    May include all or any of the following:

    • (a) the individual's current name (that is, the individual's name at the time of applying for an electronic identity credential to be issued):

    • (b) the individual's full name at birth (if different from the current name):

    • (c) other names the individual has used before applying for an electronic identity credential to be issued or renewed:

    • (d) other names the individual may use while an electronic identity credential is current (for example, a name change registered under section 21B of the Births, Deaths, Marriages, and Relationships Registration Act 1995 or under a corresponding provision in overseas legislation)

    Sex 

    May include all or any of the following:

    • (a) the individual's sex as recorded at birth:

    • (b) the individual's nominated sex if the individual can provide to the chief executive evidence of a sex change (for example, a declaration of the Family Court under section 28 or 29 of the Births, Deaths, Marriages, and Relationships Registration Act 1995)

    Date of birth May include day, month, and year of birth
    Place of birth 

    May include all or any of the following details about the individual's place of birth:

    • (a) locality or town or city:

    • (b) state or province or territory:

    • (c) country

10 Electronic identity credential: duration
  • (1) An electronic identity credential is effective for the period prescribed in regulations made under section 70(1).

    (2) Subsection (1) applies unless the electronic identity credential—

    • (a) is cancelled by the chief executive under section 31 or 33; or

    • (b) is revoked by the chief executive under section 35; or

    (3) An electronic identity credential may be renewed, in accordance with section 29, for a further period or periods prescribed in regulations.

11 Only 1 electronic identity credential per individual
  • (1) There must be no more than 1 electronic identity credential for each individual at any given time.

    (2) This section is subject to section 12.

12 Exception to section 11 for certain individuals with new identity information
  • (1) Section 11 does not apply to an individual who is specified in subsection (2) for whom new identity information has been created under section 65 of the Births, Deaths, Marriages, and Relationships Registration Act 1995 (which relates to the protection of certain witnesses, undercover police officers, and other protected persons).

    (2) An individual referred to in subsection (1) (a specified individual) is a person who is, has been, or will be—

    • (a) an undercover police officer; or

    • (b) an officer or employee of the New Zealand Security Intelligence Service; or

    • (c) approved by the Director of Security to undertake activities for the New Zealand Security Intelligence Service.

    (3) Accordingly, a specified individual who already has a current electronic identity credential at the time the new identity information is created may, on application under section 28, be issued another electronic identity credential in respect of his or her new identity.

    (4) If subsection (3) applies and the other electronic identity credential is issued, the specified individual may choose to use either or both of the electronic identity credentials in question.

    (5) However, a specified individual who does not have a current electronic identity credential at the time the new identity information is created may, on application under section 28, be issued an electronic identity credential in respect of—

    • (a) his or her original identity; or

    • (b) his or her new identity; or

    • (c) both identities.

    (6) If subsection (5)(c) applies and 2 electronic identity credentials are issued, the specified individual may choose to use either or both of the electronic identity credentials in question.

    (7) A specified individual who uses either or both of the specified individual's electronic identity credentials as contemplated by subsections (4) and (6) is not excused from any criminal liability in respect of any act or omission involving the use of those credentials that would otherwise constitute an offence against any other enactment.

    (8) However, subsection (7) does not limit or affect the provision of any other enactment or rule of law that confers protection on a specified individual against criminal liability and, if there is any inconsistency between that subsection and that provision, the latter prevails.

    (9) In this section,—

    • (a) Director of Security has the meaning given to it by section 2 of the Births, Deaths, Marriages, and Relationships Registration Act 1995; and

    • (b) employee, officer, and undercover Police officer have the meanings given to them by section 65(5) of that Act.

13 Limits of exception in section 12
  • (1) The following individuals for whom new identity information has been created under section 65 of the Births, Deaths, Marriages, and Relationships Registration Act 1995 do not come within the exception set out in section 12:

    • (a) an individual who is, has been, or will be a witness in any proceeding and who is not a specified individual:

    • (b) an individual who needs protection because of his or her relationship to an individual who is, has been, or will be a witness in any proceeding.

    (2) For an individual referred to in subsection (1), the chief executive—

    • (a) may, on application under section 28, issue an electronic identity credential in respect of the individual's new identity; and

    • (b) if applicable, must cancel, in accordance with section 33, an electronic identity credential that has been issued in respect of the individual's original identity.

14 Electronic identity credential to be personal to individual
  • An electronic identity credential is personal to the individual to whom it has been issued and may not be transferred or vest by operation of law in any person other than that individual.

15 Individual has no property rights in electronic identity credential
  • An individual does not have any legal or beneficial interest in an electronic identity credential that has been issued to him or her.

Use

16 Restrictions on use of electronic identity credential by individual
  • An individual may use an electronic identity credential only if—

    • (a) it has been issued to him or her; and

    • (b) it is current.

17 Use of electronic identity credential by individual
  • (1) An individual may use an electronic identity credential for the purpose of verifying his or her identity by electronic means in order to meet the identification requirements of a participating agency in relation to any applicable transaction or service.

    (2) An individual may give consent for the Service to supply to a participating agency some or all of the core identity information contained in the individual's electronic identity credential for the purpose of verifying the individual's identity.

18 Use of electronic identity credential by participating agency
  • (1) The Service may supply any of the information described in subsection (2) to a participating agency if the participating agency has paid or has made arrangements to pay any fees or charges prescribed by regulations made under this Act or set by an agreement referred to in section 71(4)(a)(ii) or (b)(ii).

    (2) The information is as follows and must, if supplied, be accompanied by the technical code for the individual's electronic identity credential:

    • (a) core identity information contained in the individual's current electronic identity credential:

    • (b) information derived from, or based on, core identity information referred to in paragraph (a) (for example, the individual's age as derived from his or her date of birth):

    • (c) information about the status of the individual's electronic identity credential.

    (3) A participating agency that is supplied by the Service with any of the information referred to in subsection (2) may use the information to verify the identity of the individual concerned by electronic means.

    (4) For the purposes of subsections (1) to (3), a participating agency may—

    • (a) choose the types of transactions or services offered by the agency that are to be applicable transactions or services (as long as the choice of those transactions or services is consistent with achieving the purpose of this Act); and

    • (b) choose the types of core identity information that the agency will accept or require for the purpose of verifying an individual's identity; and

    • (c) for a continuing service, determine the frequency at which an individual will be required to verify his or her identity in order to continue to receive the service from the agency.

    (5) This section is subject to this Act and any other enactment.

19 Effect of using electronic identity credential
  • (1) Subsections (2) and (3) apply to—

    • (a) a legal requirement for an individual to supply information about the individual's identity to a participating agency:

    • (b) a legal requirement for a participating agency to obtain or verify information about an individual's identity.

    (2) A legal requirement to supply information or to obtain or verify information about an individual's identity includes, for example, a legal requirement arising in the course of—

    • (a) making an application:

    • (b) making or lodging a claim:

    • (c) lodging a return:

    • (d) making a request:

    • (e) lodging an objection:

    • (f) making a complaint:

    • (g) providing access to information:

    • (h) providing access to a benefit, service, or transaction:

    • (i) establishing a relationship with an individual:

    • (j) monitoring or maintaining a relationship with an individual or an individual's transactions.

    (3) The legal requirement is met—

    • (a) if the individual gives consent for the Service to supply all or some of the core identity information contained in the individual's current electronic identity credential to the participating agency; and

    • (b) if the Service supplies the information to the participating agency; and

    • (c) even if the requirement does not specify that information contained in an individual's electronic identity credential may be used; and

    • (d) only to the extent to which the information that is required to be supplied is the same as the information that the individual consents to the Service supplying.

    (4) Subsections (5) and (6) apply to a legal requirement for an individual to supply a signature to a participating agency.

    (5) The legal requirement is met—

    • (a) if the individual gives consent for the Service to supply the individual's current electronic identity credential to the participating agency; and

    • (b) if the Service supplies the individual's current electronic identity credential to the participating agency; and

    • (c) even if the requirement does not specify that an individual's electronic identity credential may be used; and

    • (d) for matters that are additional to those addressed by the individual's current electronic identity credential and are the subject of information supplied to the participating agency by the individual,––

      • (i) the individual adequately indicates to the participating agency the individual's approval of the information that the individual supplies; and

      • (ii) alterations subsequently made in the information are detectable.

    (6) In interpreting subsection (5)(d)(i), reference may be made to sections 6 and 22(1)(a) of the Electronic Transactions Act 2002.

20 Effect of change in status of electronic identity credential
  • (1) A change in status of an electronic identity credential does not, of itself, affect the validity of any applicable transaction or service that was completed or provided before the change even if the identity of the individual to whom the transaction or service relates was verified using the credential.

    (2) Nevertheless, the chief executive—

    • (a) must give written or electronic notice of the revocation of an electronic identity credential to each participating agency with which an individual has used the credential; and

    • (b) may provide information about any other change in the status of an electronic identity credential to a participating agency with which an individual has used the credential if, in the chief executive's opinion, it is in the participating agency's interest to receive that information.

    (3) Subsection (1) is subject to any direction that a court may give under section 64(1)(c).

Access

21 Access to core identity information and status information
  • An individual may access—

    • (a) the core identity information contained in the individual's electronic identity credential:

    • (b) information about the status of the individual's electronic identity credential.

22 Access to photograph
  • (1) Only the following persons may access a photograph of any individual stored in the Service database:

    • (a) the individual who is the subject of the photograph:

    • (b) the chief executive or an employee of the Service or department who is authorised by the chief executive for the purpose:

    • (c) an officer of a law enforcement agency for the purpose of any proceedings relating to a specified offence.

    (2) A person who has access to a photograph under subsection (1)(b) or (c) may use the photograph only in the course, and for the purposes, of the person's official duties.

23 Access to record of usage history via chief executive
  • (1) Only the following persons may access an individual's record of usage history:

    • (a) the individual to whom the electronic identity credential that is the subject of the record has been issued:

    • (b) a person who satisfies the chief executive that access to the record is required for the conduct of proceedings before a court or tribunal relating to electronic identity credentials or the Service:

    • (c) a person who satisfies the chief executive that information obtained from accessing the record is to be used only for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the subject of the information:

    • (d) a person authorised by the chief executive who is carrying out administrative, technical, or other functions relating to the management, maintenance, and use of the Service.

    (2) A person described in subsection (1) may be refused access to the record if the chief executive considers that access—

    • (a) may prejudice an investigation or prosecution against an individual for a specified offence; or

    • (b) may prejudice the security or integrity of the Service; or

    • (c) cannot be given for technical or practical reasons.

    (3) The person described in subsection (1)(c) may be granted access to the record only if the chief executive makes the record available in a form that protects the privacy of the individual concerned.

24 Disclosure of record of usage history by chief executive
  • The chief executive may disclose an individual's record of usage history to a law enforcement agency if the chief executive believes on reasonable grounds that—

    • (a) a specified offence has been or may be committed; and

    • (b) the law enforcement agency cannot investigate the offence without the record of usage history.

25 Access to record of usage history via search warrant
  • An issuing officer may issue a search warrant under the Search and Surveillance Act 2012 to access an individual's record of usage history.

    Section 25: amended, on 1 April 2014, by section 239A of the Search and Surveillance Act 2012 (2012 No 24).

Applications

26 What applications may be made
  • An application to the chief executive may be made for an electronic identity credential—

    • (d) to be voluntarily cancelled under section 31.

27 Who may make application
  • (1) An individual may make an application on his or her own behalf.

    (2) If the individual is under 14 years of age,—

    • (a) the individual—

      • (i) may make the application on his or her own behalf; and

      • (ii) must include in it the written or electronic consent of at least 1 of his or her parents or guardians; or

    • (b) 1 of the individual's parents or guardians may make the application on the individual's behalf.

    (3) Subsection (2)(b) describes the only situation in which an individual may make an application for someone else.

28 Application for issue
  • (1) An application for an electronic identity credential to be issued must—

    • (a) be made in a manner approved by the chief executive under section 45; and

    • (b) include any information specified by the chief executive under section 46; and

    • (c) include any other prescribed information or documentation; and

    • (d) be accompanied by any prescribed fee.

    (2) The chief executive may grant the application only if—

    • (a) the application complies with subsection (1); and

    • (b) the chief executive is satisfied by 1 or more of the following sources that the identity of the applicant has been authenticated:

      • (i) the information included with the application:

      • (ii) a comparison of the information undertaken in accordance with section 39(4):

      • (iii) proper inquiries; and

    • (c) the chief executive is satisfied, if an item of core identity information is absent, that the absence does not derogate from the authentication of the identity of the applicant; and

    • (d) subsection (3) does not apply.

    (3) The chief executive must refuse the application if—

    • (a) it is made by, or on behalf of, an individual under 14 years of age and it does not include the written or electronic consent of at least 1 of the individual's parents or guardians; or

    • (b) the applicant has already been issued with an electronic identity credential and it is suspended under section 34; or

    • (c) an order made by a court under section 64(1)(a) in respect of the applicant has not expired; or

    • (d) the chief executive has not completed any action necessary to give effect to an order made by a court under section 64(1)(b); or

    • (e) the chief executive—

      • (i) knows that the applicant is under investigation, liable to prosecution, or the subject of a charge for a specified offence; and

      • (ii) is satisfied that refusing the application will not prejudice the investigation into or proceedings about the offence.

    (4) If the chief executive refuses the application, he or she must, as soon as practicable, give the applicant written or electronic notice of the decision and the reason for it.

29 Application for renewal
  • (1) An application to renew an electronic identity credential may be made either before or after the expiry of the electronic identity credential (as provided in section 10).

    (2) Section 28 applies, with any necessary modifications, to the application as if it were an application for an electronic identity credential to be issued.

30 Application for amendment
  • (1) An application to amend an electronic identity credential may be made if—

    • (a) an individual has changed his or her name; or

    • (b) an individual's core identity information has changed as a result of the individual's adoption under any of the following:

      • (ii) an adoption order that has the same operation and effect as an adoption order under that Act:

      • (iii) an adoption to which section 17 of that Act or section 11 of the Adoption (Intercountry) Act 1997 applies; or

    • (c) an individual has assumed and intends to maintain the gender identity of a person of a different sex from the sex that is included in the individual's electronic identity credential; or

    • (d) an individual considers, on reasonable grounds, that there is an error or omission in the core identity information contained in his or her electronic identity credential.

    (2) The application must—

    • (a) be made in a manner approved by the chief executive under section 45; and

    • (b) include any information specified by the chief executive under section 46; and

    • (c) include the written or electronic consent of at least 1 parent or guardian of an individual under 14 years of age; and

    • (d) include any other prescribed information or documentation; and

    • (e) be accompanied by any prescribed fee.

    (3) The chief executive may grant the application only if—

    • (a) the chief executive is satisfied that the application complies with subsection (2); and

    • (b) the chief executive is satisfied by 1 or more of the following sources that good reason for the amendment exists:

      • (i) the information included with the application:

      • (ii) a comparison of the information undertaken in accordance with section 39(4):

      • (iii) proper inquiries.

    (4) If the chief executive refuses an application because he or she is not satisfied as required by subsection (3)(a), he or she must, as soon as practicable, give the individual written or electronic notice of—

    • (a) the refusal; and

    • (b) the reason for the refusal.

    (5) If the chief executive refuses an application because he or she is not satisfied as required by subsection (3)(b), he or she must, as soon as practicable, give the individual written or electronic notice of—

    • (a) the refusal; and

    • (b) the reason for the refusal; and

    • (c) the individual's right in subsection (6).

    (6) The right is to request the chief executive to take steps to indicate that the information is contested when the Service supplies the information to a participating agency.

    (7) If an individual exercises the right, the chief executive must take the steps that the chief executive considers reasonable.

    (8) Subsection (9) applies if the chief executive is satisfied about an application as required by subsection (3) but knows that the individual is under investigation, liable to prosecution, or the subject of a charge for a specified offence.

    (9) The chief executive—

    • (a) may grant the application; or

    • (b) may refuse the application and, if he or she does so, may comply with subsection (4) or (5) or neither.

31 Application for voluntary cancellation
  • (1) An application for an electronic identity credential to be voluntarily cancelled must—

    • (a) be made in a manner approved by the chief executive under section 45; and

    • (b) be accompanied by any prescribed fee.

    (2) If an application complies with subsection (1), the chief executive must—

    • (a) grant the application; and

    • (b) give to the applicant, as soon as practicable, written or electronic notice of the cancellation of the applicant's electronic identity credential.

Mandatory amendment or cancellation, suspension, or revocation

32 Mandatory amendment of electronic identity credential
  • (1) The chief executive must amend an electronic identity credential if the chief executive is satisfied, after proper inquiries, that—

    • (a) the core identity information of the individual to whom it has been issued has changed as a result of the individual's adoption under any of the following:

      • (ii) an adoption order that has the same operation and effect as an adoption order under that Act:

      • (iii) an adoption to which section 17 of that Act or section 11 of the Adoption (Intercountry) Act 1997 applies; or

    • (b) there is an error or omission in the core identity information contained in the electronic identity credential; or

    • (c) the core identity information contained in the electronic identity credential needs to be updated.

    (2) Subsection (1)—

    • (a) applies whether or not an application to amend the electronic identity credential is made to the chief executive under section 30; and

    • (b) does not limit the grounds for making an application to amend an electronic identity credential under section 30.

    (3) If subsection (1)(b) applies, the chief executive must remove any incorrect information and replace it with new information, but only if he or she is satisfied that the new information in his or her possession is correct.

33 Mandatory cancellation of electronic identity credential
  • (1) The chief executive must cancel an electronic identity credential if the chief executive is satisfied, after proper inquiries, that the individual to whom it has been issued—

    • (a) has died; or

    • (b) is a specified individual who is exempted under section 12(1) from the requirements of section 11, but is no longer using the credential because it relates to 1 of his or her identities that is no longer required; or

    • (c) is an individual referred to in section 13(1) and the credential is in respect of his or her original identity.

    (2) Subsection (1)—

    • (a) applies whether or not an application to voluntarily cancel the electronic identity credential is made to the chief executive under section 31; and

    • (b) does not limit the grounds for making an application to voluntarily cancel an electronic identity credential under that section.

34 Suspension of processing of application or electronic identity credential
  • (1) This section applies if—

    • (a) an individual is under investigation for a specified offence; or

    • (b) the chief executive has reasonable grounds to believe that an individual is liable to prosecution, or is the subject of a charge, in respect of a specified offence.

    (2) The chief executive may suspend—

    • (a) the processing of an application relating to the individual; or

    • (b) the individual's electronic identity credential.

    (3) The chief executive may withdraw the suspension at any time by written or electronic notice to the individual concerned if he or she is satisfied that the reason for the suspension no longer applies.

    (4) An individual whose electronic identity credential is suspended may not apply for the credential to be renewed or for a further credential to be issued during the period of the suspension.

    (5) The suspension of an electronic identity credential does not affect its expiry.

35 Revocation of electronic identity credential
  • (1) The chief executive may revoke an individual's electronic identity credential if the chief executive is satisfied, after proper inquiries, that the credential—

    • (a) was issued, renewed, or amended on the basis of any false or fraudulent representation or declaration, made either orally or in writing; or

    • (b) was issued or renewed in error.

    (2) An individual whose electronic identity credential is revoked may apply for another electronic identity credential to be issued to him or her.

36 Process for suspension or revocation
  • (1) Before exercising the power of suspension conferred by section 34 or the power of revocation conferred by section 35, the chief executive must give the individual—

    • (a) written or electronic notice of the proposed suspension or revocation and the reason for it; and

    • (b) a reasonable opportunity to make written or electronic submissions.

    (2) However, subsection (1) does not apply if the chief executive considers that giving written or electronic notice to the individual—

    • (b) is not practicable because the individual cannot be located and his or her contact details cannot readily be established; or

    • (c) may compromise the security or integrity of the electronic identity credential in question or of the Service and immediate suspension or revocation is necessary to avoid or lessen that risk.

    (3) If the chief executive decides to exercise the power of suspension or revocation after considering any written or electronic submissions made by the individual, the chief executive must, as soon as practicable, give written or electronic notice of the suspension or revocation to the individual.

    (4) The written or electronic notice must specify—

    • (a) the reason for the suspension or revocation; and

    • (b) the date on which and the time at which the suspension or revocation commences; and

    • (c) for a suspension, the period of the suspension.

Subpart 2Administrative provisions

Information matching

37 Definitions
38 Purpose of disclosure of identity-related information
  • The purpose of section 39 is to facilitate the disclosure of identity-related information to the chief executive and the Service for the purpose of helping the chief executive to—

    • (a) authenticate an individual's identity; and

    • (b) keep the core identity information contained in an individual's electronic identity credential accurate and up to date.

39 Disclosure of identity-related information
  • (1) The chief executive and a responsible authority may enter into an agreement for the disclosure by the responsible authority to the chief executive of identity-related information in respect of an individual who has applied for or been issued with an electronic identity credential.

    (2) Subsection (1) applies even though the chief executive is the same person as the responsible authority.

    (3) A responsible authority may disclose identity-related information only in accordance with an agreement entered into under subsection (1).

    (4) The chief executive or the Service may cause a comparison to be made of any identity-related information disclosed under an agreement entered into under subsection (1) with information held in the Service database.

40 Use of results of information matching
  • (1) The chief executive may keep and maintain information produced by a comparison undertaken in accordance with section 39(4) for use in auditing the access and use of that information by the Service or employees of the department for the purposes of this Act.

    (2) This section applies despite rule 6 of the information matching rules set out in Schedule 4 of the Privacy Act 1993.

Functions of chief executive

41 Functions of chief executive
  • The functions of the chief executive under this Act are the following:

    • (a) to establish and maintain the Service database:

    • (b) to provide advice and information to participating agencies on matters relating to the use of electronic identity credentials:

    • (c) to enter into and carry out any agreement with a third party under section 51(1)(b) for the performance of any function or duty, or the exercise of any power, imposed or conferred on the chief executive by this Act:

    • (d) to prepare reports required by the Privacy Commissioner under section 57:

    • (e) to perform any other functions and duties and exercise any other powers specified in this Act or in regulations made under this Act:

    • (f) to administer this Act:

    • (g) to perform any functions that are incidental and related to, or consequential upon, the functions set out in paragraphs (a) to (f).

Duties of chief executive

42 Chief executive must take all reasonable steps to authenticate individual's identity
  • (1) The chief executive must take all reasonable steps to ensure that the identity of an individual has been authenticated before an electronic identity credential is issued to the individual.

    (2) Without limiting subsection (1), examples of reasonable steps that the chief executive could take to authenticate an individual's identity include the following:

    • (a) to cause a comparison to be made of any identity-related information disclosed under an agreement entered into under section 39(1) with information held in the Service database:

    • (b) to ask for an identity information check to be carried out in accordance with Schedule 1.

43 Chief executive must publish material
  • (1) The chief executive must publish the material described in subsection (2)—

    • (a) on an Internet site maintained by or on behalf of the chief executive; and

    • (b) by any other means he or she considers appropriate.

    (2) The material is—

    • (a) approvals given by the chief executive under section 45:

    • (b) requirements for information specified by the chief executive under section 46:

    • (c) standards or specifications set by the chief executive under section 47:

    • (d) reports required by the chief executive under section 48.

    (3) The chief executive may publish the material described in subsection (2)(c) or (d)—

    • (a) in its entirety; or

    • (b) with information withheld—

      • (ii) to protect the security or integrity of the Service.

44 Chief executive must keep record of usage history for prescribed period
  • (1) The chief executive must keep a record of usage history for each electronic identity credential (whether the credential is current or otherwise).

    (2) The record of usage history—

    • (a) must include, subject to subsection (3), information about which participating agency has used an individual's electronic identity credential to verify the identity of the individual; and

    • (b) must include information about each occasion that any of the persons referred to in section 23(1) accesses the record; and

    • (c) must be available for access at all times by the individual whose electronic identity credential it is (subject to section 23(2)); and

    • (d) may be kept in electronic form so long as it is readily retrievable.

    (3) The record of usage history must not include details about any transaction between an individual and a participating agency.

    (4) The chief executive must delete the record of usage history at the end of the period for which the Service may retain the record of usage history, if a period has been prescribed in regulations made under section 70(3).

Powers of chief executive

45 Chief executive may approve manner in which applications to be made
  • (1) The chief executive may approve the manner in which applications must be made.

    (2) Without limiting subsection (1), the chief executive may—

    • (a) allow applications to be lodged electronically or by any other means; and

    • (b) specify the electronic format for applications that may be lodged electronically.

46 Chief executive may specify information to be provided with applications
  • (1) The chief executive may specify what information must be provided with an application.

    (2) Without limiting subsection (1), the chief executive may—

    • (a) issue standard forms (including electronic forms) requiring information or setting out information that must be provided with an application; and

    • (b) specify requirements in connection with the use of standard forms, including requirements relating to electronic signatures on electronic forms; and

    • (c) specify what evidence of identity is required to be provided with an application.

    (3) Any evidence of identity requirements under subsection (2)(c) may apply—

    • (a) generally or in respect of a specified class or classes of applicants:

    • (b) differently to different applicants in different circumstances.

    (4) Those evidence of identity requirements may also include a requirement that every applicant must submit, or allow the Service to take, a photograph of the applicant.

    (5) The chief executive may compare the photograph with information held in the Service database or with information disclosed under an agreement entered into under section 39(1) to ensure that the applicant is not—

    • (a) applying for more than 1 electronic identity credential to be issued to him or her at any given time (subject to section 12); or

    • (b) applying for an electronic identity credential to be issued or renewed on the basis of any false or fraudulent representation or declaration; or

    • (c) an individual to whom an electronic identity credential must not be issued because of a court order under section 64(1)(a).

    (6) A comparison under subsection (5) may be carried out manually or electronically (for example, using facial recognition software).

47 Chief executive may set standards or specifications for use of electronic identity credentials by participating agencies
  • (1) The chief executive may set standards or specifications that participating agencies must comply with in respect of the use of electronic identity credentials by those agencies.

    (2) Without limiting subsection (1), the standards and specifications may relate to 1 or more of the following:

    • (a) measures to protect the privacy of individuals:

    • (b) measures to protect and enhance the security of information supplied to participating agencies:

    • (c) minimum requirements for the storage of information supplied by the Service.

48 Chief executive may require participating agencies to report on use of electronic identity credentials
  • (1) The chief executive may require a participating agency to provide to the chief executive, by a given date and time or at specified intervals, a written or an electronic report on the use of electronic identity credentials by the agency.

    (2) Without limiting subsection (1), the chief executive may require the report to include information about 1 or more of the following:

    • (a) the numbers and types of applicable transactions or services offered by the participating agency:

    • (b) the types of core identity information that the participating agency is accepting or requiring for the purpose of verifying an individual's identity:

    • (c) how the participating agency proposes to comply, or is complying, with the standards or specifications set by the chief executive under section 47.

    (3) The chief executive may also require a participating agency to include an auditor's report on the information contained in the written report.

    (4) A participating agency must comply with a requirement made under this section.

49 Chief executive may suspend use of electronic identity credentials by participating agencies
  • (1) The chief executive may suspend the use of electronic identity credentials by a participating agency if satisfied that—

    • (a) the participating agency has failed to comply with—

      • (i) the standards and specifications set by the chief executive under section 47:

      • (ii) a reporting requirement under section 48; or

    • (b) the suspension is necessary to protect the security or integrity of the Service in respect of an investigation that it is undertaking into the possible misuse of electronic identity credentials by that participating agency or any other participating agency.

    (2) Before exercising the power of suspension conferred by subsection (1), the chief executive must give the participating agency—

    • (a) written or electronic notice of the proposed suspension and the reason for it; and

    • (b) a reasonable opportunity to make written or electronic submissions.

    (3) However, subsection (2) does not apply if subsection (1)(b) applies and the chief executive considers that giving written or electronic notice to the participating agency may prejudice the investigation in question.

    (4) If the chief executive decides to exercise the power of suspension conferred by subsection (1) after considering any written or electronic submissions made by the participating agency, the chief executive must, as soon as practicable, give written or electronic notice of the suspension to the agency.

    (5) The written or electronic notice must specify—

    • (a) the reason for the suspension; and

    • (b) the period of the suspension; and

    • (c) the date on which and the time at which the suspension commences.

    (6) Despite the suspension, the participating agency continues to be subject to the provisions of this Act and, among other things, remains liable to pay any outstanding fees or charges prescribed by regulations made under this Act or set by an agreement referred to in section 71(4)(a)(ii) or (b)(ii).

50 Chief executive may delegate functions, duties, and powers
  • (1) The chief executive may delegate to any person (whether an employee of the State services or not), either generally or particularly, any of the chief executive's functions, duties, and powers under this Act.

    (2) However, the chief executive must not delegate any function, duty, or power to a person or class of persons who are employed outside the State services without the written consent of the Minister.

    (3) A delegation may be made to—

    • (a) a specified person; or

    • (b) a person belonging to a specified class of persons; or

    • (c) the holder of a specified office or appointment; or

    • (d) the holder of an office or appointment of a specified class.

    (4) A delegation—

    • (a) must be written; and

    • (b) may not include a power to further delegate any function, duty, or power; and

    • (c) may be made subject to any restrictions and conditions that the chief executive thinks fit; and

    • (d) is revocable at any time, in writing; and

    • (e) does not prevent the performance of a function or duty, or the exercise of a power, by the chief executive.

    (5) A person to whom any functions, duties, or powers are delegated may perform and exercise them in the same manner and with the same effect as if they had been conferred directly by this Act and not by delegation.

    (6) A person who appears to act under a delegation is presumed to be acting in accordance with its terms in the absence of evidence to the contrary.

    (7) This section does not limit or affect the chief executive's power of delegation under section 41 of the State Sector Act 1988.

51 Chief executive may enter into agreement with third party for performance of functions and duties, or exercise of powers, under this Act
  • (1) The chief executive may perform his or her functions and duties, or exercise his or her powers, under this Act—

    • (a) through the employees of the department:

    • (b) by entering into an agreement with a third party (whether corporate or unincorporate).

    (2) The chief executive must not enter into an agreement under subsection (1)(b) or agree to an extension of the term of an agreement without the written consent of the Minister.

    (3) Nothing in this section or in any agreement entered into under subsection (1)(b) relieves the chief executive of the obligation to perform any function or duty, or to exercise any power, imposed or conferred on the chief executive by this Act.

52 Application of Ombudsmen Act 1975 and Official Information Act 1982 to certain delegates of chief executive and to certain third parties
  • (1) This section applies to the following:

    • (a) a person to whom the chief executive has delegated, under section 50(1), the chief executive's functions, duties, or powers under this Act and who is not an employee of the State services:

    • (b) a third party with whom the chief executive has entered into an agreement under section 51(1)(b) for the performance of the chief executive's functions and duties, or the exercise of the chief executive's powers, under this Act.

    (2) For the purposes of the Ombudsmen Act 1975 and the Official Information Act 1982, a person or third party to whom this section applies is to be treated as part of the department when performing the chief executive's functions and duties, or exercising the chief executive's powers, under this Act.

Reconsideration of decisions

53 Application of section 54
  • Section 54 applies to the following decisions that are made by the chief executive:

    • (a) a decision to refuse to issue an electronic identity credential under section 28; or

    • (b) a decision to refuse to renew an electronic identity credential under section 29; or

    • (c) a decision to refuse to amend an electronic identity credential under section 30; or

    • (d) a decision to refuse to cancel an electronic identity credential under section 31; or

    • (e) a decision to amend an electronic identity credential under section 32; or

    • (f) a decision to cancel an electronic identity credential under section 33; or

    • (g) a decision to suspend the processing of an application under section 34(2)(a); or

    • (h) a decision to suspend an electronic identity credential under section 34(2)(b); or

    • (i) a decision to revoke an electronic identity credential under section 35; or

    • (j) a decision to suspend the use of electronic identity credentials by a participating agency under section 49.

54 Reconsideration of decision
  • (1) A person dissatisfied with a decision to which this section applies may apply to the chief executive for a reconsideration of the decision.

    (2) An application under subsection (1) must be made in a manner approved by the chief executive and, for the purposes of this subsection, section 45 applies with any necessary modifications.

    (3) If the original decision was made by the chief executive personally, it must be reconsidered by the chief executive personally.

    (4) If the original decision was made by a person acting under the delegated authority of the chief executive under section 50 or by a third party under an agreement made under section 51, it must be reconsidered by—

    • (a) a person not involved in making the original decision; or

    • (b) the chief executive.

    (5) The person undertaking the reconsideration—

    • (a) may take into account any new or additional information supplied by the applicant for reconsideration; and

    • (b) must complete the reconsideration within 20 working days after the date on which the chief executive receives the application for reconsideration under subsection (1); and

    • (c) must, as soon as practicable, give the applicant written or electronic notice of—

      • (i) the decision on the reconsideration; and

      • (ii) the reasons for the decision on the reconsideration.

    (6) The decision on the reconsideration is final and no further application for reconsideration of that decision can be made.

    (7) This section does not affect the right of any person to apply, in accordance with law, for judicial review.

Electronic Identity Verification Service

55 Electronic Identity Verification Service
  • The Electronic Identity Verification Service is the same service as the Identity Verification Service that—

    • (a) was operating immediately before the commencement of this Act; and

    • (b) issued pre-commencement electronic identity credentials.

56 Function of Service
  • (1) The function of the Service is to support the chief executive in performing his or her functions or duties, and in exercising his or her powers, under this Act.

    (2) The Service and, in particular, the employees of the department, perform functions or duties, and exercise powers, that the chief executive may from time to time delegate to those employees under section 50.

Reporting requirements

57 Privacy Commissioner may require periodic reports on operation of Service or of confirmation agreement
  • (1) The Privacy Commissioner may, at intervals not shorter than 12 months, require the chief executive to provide the Privacy Commissioner with a report on—

    • (a) the operation of the Service or any aspect of the Service:

    • (b) the operation of a confirmation agreement entered into in accordance with Schedule 1.

    (2) Without limiting subsection (1)(a), the Privacy Commissioner may require the chief executive to include information about the following matters in a report under that subsection:

    • (a) the number of participating agencies:

    • (b) the number of electronic identity credentials that have been issued or cancelled:

    • (c) the types of transactions or services for which electronic identity credentials are used:

    • (d) the number of times electronic identity credentials have been used by all or any classes of individuals:

    • (e) the number of times that persons have accessed individuals' records of usage history under section 23(1)(b) to (d):

    • (f) any issues that have arisen, or that are likely to arise, in the use of the Service.

    (3) A single report may address the matters in subsection (1)(a) and (b) if reports on both of those matters are required by the Privacy Commissioner to be the subject of a report.

Part 3
Miscellaneous provisions

Relationship with other Acts

58 Official Information Act 1982
59 Privacy Act 1993
  • (1) In this section, PA means the Privacy Act 1993.

    (2) When an individual's application to amend his or her electronic identity credential is refused, the right in section 30(6) applies instead of information privacy principle 7(3) in section 6 of the PA.

    (3) Section 40(2) excludes a provision of the PA.

    (4) If regulations are made under section 70(3), the regulations apply instead of information privacy principle 9 in section 6 of the PA.

    (5) If core identity information held in electronic identity credentials, photographs, and records of usage history held in accordance with the provisions of this Act are to be disclosed, the disclosure is made in accordance with this Act, instead of information privacy principle 11 in section 6 of the PA, as required by the precedence given to this Act by section 7(1) and (2) of the PA.

    (6) For the purposes of the PA, Part 8, a person is taken to have breached an information privacy principle under its section 66(1)(a)(i) if the person contravenes a provision of this Act that—

    • (a) imposes a prohibition or restriction in relation to the use or availability of personal information; or

    • (b) regulates the manner in which personal information may be obtained, used, or made available.

    (7) Section 65(2) saves the PA, Part 8, from the exclusion of civil liability.

    (8) Neither the Service database nor the record of usage history is a public register within the meaning of section 58 of the PA.

Offences and penalties

60 Offences relating to Service information and material
  • (1) A person commits an offence who knowingly—

    • (a) deletes, alters, or copies any information recorded in or on the Service database; or

    • (b) allows any information recorded in or on the Service database to be deleted, altered, or copied; or

    • (c) records or stores any information (whether correct or incorrect and including software) in or on the Service database; or

    • (d) allows any information (whether correct or incorrect and including software) to be recorded or stored in or on the Service database; or

    • (e) causes the operation of the Service database to—

      • (i) fail; or

      • (ii) deny service to any authorised users; or

      • (iii) provide service to any unauthorised users.

    (2) Subsection (1) applies to—

    • (a) the deletion or alteration of information recorded in the Service database, or the recording or storage of information in the Service database, whether it is achieved directly or by altering or damaging the database, its programming, another device, the programming of another device, or any electronic storage; and

    • (b) the copying of information recorded in the Service database (whether it is achieved directly from the database, by means of another device, by the interception or copying of an electronic message, or from any form of electronic storage).

    (3) A person who commits an offence against this section is liable on conviction to,—

    • (a) if an individual,—

      • (i) imprisonment for a term not exceeding 10 years; or

      • (ii) a fine not exceeding $250,000; or

      • (iii) both:

    • (b) if an organisation, a fine not exceeding $1,000,000.

    Section 60(3): amended, on 1 July 2013, by section 413 of the Criminal Procedure Act 2011 (2011 No 81).

61 Offence relating to improper issue
  • (1) A person commits an offence who intentionally or recklessly issues an electronic identity credential to an individual to whom it does not relate.

    (2) A person who commits an offence against this section is liable on conviction to imprisonment for a term not exceeding 10 years, or to a fine not exceeding $250,000, or to both.

    Section 61(2): amended, on 1 July 2013, by section 413 of the Criminal Procedure Act 2011 (2011 No 81).

62 Offences relating to improper access and use
  • (1) A person commits an offence who knowingly—

    • (a) accesses the Service database directly or indirectly to obtain any of the following information:

      • (i) core identity information contained in an individual's electronic identity credential; or

      • (ii) information about the status of the individual's electronic identity credential; or

      • (iii) the technical code for the individual's electronic identity credential; or

    • (b) supplies to any other person or otherwise uses or discloses the information.

    (2) A person other than a participating agency commits an offence who knowingly asks another person to use an electronic identity credential to verify that other person's identity in relation to any transaction or service (whether the transaction or service is offered online or not).

    (3) A person commits an offence who knowingly uses an electronic identity credential that has not been issued to him or her.

    (4) A person who commits an offence against this section is liable on conviction to,—

    • (a) if an individual,—

      • (i) imprisonment for a term not exceeding 2 years; or

      • (ii) a fine not exceeding $50,000; or

      • (iii) both:

    • (b) if an organisation, a fine not exceeding $200,000.

    Section 62(4): amended, on 1 July 2013, by section 413 of the Criminal Procedure Act 2011 (2011 No 81).

63 Offences involving statements or documentation
  • (1) A person commits an offence who, in making an application (either for himself or herself or for an individual under 14 years of age),—

    • (a) makes a written or oral statement knowing that it is false or misleading in a material particular; or

    • (b) makes a written or oral statement that is recklessly false or misleading in a material particular; or

    • (c) provides any means of identification knowing that it is false or having reason to suspect that it has been forged or falsified.

    (2) A person who commits an offence against this section is liable on conviction to imprisonment for a term not exceeding 5 years, or to a fine not exceeding $50,000, or to both.

    Section 63(2): amended, on 1 July 2013, by section 413 of the Criminal Procedure Act 2011 (2011 No 81).

Court orders

64 Court may make certain orders in relation to specified offence
  • (1) When sentencing an individual for a specified offence, a court may make all or any of the following orders:

    • (a) an order that an electronic identity credential must not be issued to the individual, either indefinitely or for any period that may be specified in the order:

    • (b) an order that an electronic identity credential that has been issued to the individual be revoked:

    • (c) an order giving any direction that the court thinks fit about the validity of any applicable transaction or service that was completed or provided as a result of, or in connection with, the commission of the specified offence.

    (2) The court may make an order under subsection (1)(a) or (b) if satisfied that it is desirable to do so for reasons of the security or integrity of the Service or of the Service database.

    (3) An order under subsection (1)(a) or (b) may be in addition to, or instead of, any other penalty the court may impose under this Act or any other enactment.

    (4) If the court makes an order under subsection (1), the Registrar of the court must ensure that a copy of the order is given to the chief executive within 5 working days after the making of the order.

    (5) The chief executive must, as soon as practicable, take any action that is necessary to give effect to the order.

Liability

65 Protection from liability
  • (1) Subsection (2) applies to any act or omission by the chief executive, an employee of the department, or another person acting on behalf of the chief executive in the course of—

    • (a) performing functions or duties or exercising powers under this Act; or

    • (b) purporting to perform functions or duties or exercise powers under this Act.

    (2) The persons referred to in subsection (1) are subject to Part 8 of the Privacy Act 1993 in respect of the act or omission, but—

    • (a) have no other civil liability for the act or omission; and

    • (b) have no criminal liability for the act or omission.

    (3) There is no cause of action against the Crown or a Minister of the Crown, or against any other person, to recover damages for any loss or damage that is due directly or indirectly to the use of an electronic identity credential to verify an individual's identity.

    (4) Subsection (3) applies whether the loss or damage is caused by any person’s act or omission, so long as the act or omission occurred in the course of—

    • (a) performing functions or duties or exercising powers under this Act; or

    • (b) purporting to perform functions or duties or exercise powers under this Act.

    (5) A person is not exempted from liability under this section for any act or omission that constitutes bad faith or gross negligence on the part of that person.

Notices

66 Giving of notices
  • (1) Any notice or any other document required to be given to any person under this Act, or any regulation made under this Act, may be given by—

    • (a) delivering it to that person; or

    • (b) delivering it to that person's usual or last known place of residence or business; or

    • (c) posting it to that person's usual or last known place of residence or business; or

    • (d) sending it by fax, if the person has nominated a fax address; or

    • (e) sending it by email or other similar means of communication, if the person has provided an email or similar address.

    (2) A notice or document that is sent to a person at a fax number or an email address must be treated as received by that person not later than 2 days after the date on which it is sent.

    (3) A notice or document that is posted to a person must be treated as received by that person not later than 7 days after the date on which it is posted.

    (4) However, a notice or document must not be treated as received if the person to whom it is posted or sent proves that it was not received, otherwise than through fault on the person's part.

Regulations

67 Regulations relating to participating agencies
  • (1) The Governor-General may, by Order in Council, make regulations declaring any of the following to be a participating agency for the purposes of this Act:

    • (a) a government department named in Part 1 of Schedule 1 of the Ombudsmen Act 1975:

    • (b) an organisation named in Part 2 of Schedule 1 of the Ombudsmen Act 1975:

    • (c) a local organisation named in Part 3 of Schedule 1 of the Ombudsmen Act 1975:

    • (d) any other organisation, whether part of the State services or not:

    • (e) a statutory office or statutory officer established or appointed by or under an Act administered by a body referred to in paragraphs (a) to (d).

    (2) The Governor-General may, by Order in Council, make regulations amending any regulations made under subsection (1) to—

    • (a) add the name of a body, office, or officer declared to be a participating agency under that subsection:

    • (b) omit the name of a participating agency and substitute the name of another participating agency:

    • (c) omit the name of a participating agency and substitute another name in recognition of a change in the participating agency's name:

    • (d) omit the name of a participating agency.

    (3) Regulations made under subsection (1) may specify a particular body, office, or officer or a class or classes of bodies, offices, or officers.

    (4) Regulations under subsection (2)(d) may be made only on the recommendation of the Minister made in accordance with section 68.

68 When Minister may recommend certain regulations relating to participating agencies
  • The Minister may recommend the making of regulations under section 67(2)(d) to omit the name of a participating agency if, among other things,—

    • (a) the agency has persistently failed to comply with—

      • (i) the standards and specifications set by the chief executive under section 47:

      • (ii) a reporting requirement under section 48; or

    • (b) the agency's use of electronic identity credentials has been suspended by the chief executive for an indefinite period under section 49.

69 Regulations relating to agencies for purposes of Schedule 1
  • (1) The Governor-General may, by Order in Council, make regulations declaring any organisation, whether in the public sector or private sector, to be an agency for the purposes of Schedule 1.

    (2) The Governor-General may, by Order in Council, make regulations amending any regulations made under subsection (1) to—

    • (a) add the name of a person or body of persons declared to be an agency under that subsection:

    • (b) omit the name of an agency and substitute the name of another agency:

    • (c) omit the name of an agency and substitute another name in recognition of a change in the agency's name:

    • (d) omit the name of an agency.

    (3) Regulations made under subsection (1) may specify a particular organisation or a class or classes of organisations.

70 Regulations relating to time periods
  • (1) The Governor-General may, by Order in Council, make regulations for the purposes of section 10

    • (a) prescribing the period for which an electronic identity credential is effective for all individuals; or

    • (b) prescribing different periods for which an electronic identity credential is effective for—

      • (i) an individual under 14 years of age; and

      • (ii) an individual of 14 years of age or above.

    (2) The Governor-General may, by Order in Council, make regulations under subsection (3) that deal with—

    • (a) the following kinds of electronic identity credentials:

      • (i) those that are cancelled by the chief executive under section 31 or 33:

      • (ii) those that are revoked by the chief executive under section 35:

      • (iv) those that expire because the periods for which they are effective expire; and

    • (b) the following kinds of information:

      • (i) core identity information:

      • (ii) records of usage history:

      • (iii) photographs:

      • (iv) information about the status of electronic identity credentials:

      • (v) technical codes.

    (3) The regulations may do 1 or more of the following for 1 or more kinds of electronic identity credentials and 1 or more kinds of information:

    • (a) prescribe the information that the Service may retain:

    • (b) prescribe the period or periods for which the Service may retain the information:

    • (c) prescribe the period or periods for which the Service may retain different kinds of information:

    • (d) prescribe a period or periods for which the Service may retain information according to the ground in section 33(1) on which the electronic identity credential is cancelled:

    • (e) specify that the chief executive may authorise the extension of a prescribed period to enable the completion of an investigation into and, if applicable, a prosecution for the commission of a specified offence.

    (4) The Minister must consult the Privacy Commissioner before recommending to the Governor-General the making of regulations under subsection (3).

71 Regulations relating to fees
  • (1) The Governor-General may, by Order in Council, make regulations prescribing the fees or charges payable to enable the recovery of direct and indirect costs of the department in administering this Act that are not provided for by—

    • (a) money that is funded by the Crown for the purpose; or

    • (b) money payable to the chief executive under an agreement entered into under section 51(1)(b) or an agreement referred to in subsection (4)(a)(ii).

    (2) Examples of the costs that may be recovered include—

    • (a) the costs of processing applications:

    • (b) the costs of issuing electronic identity credentials:

    • (c) the costs of providing, operating, and maintaining the Service, the Service database, or other processes in connection with the administration of this Act.

    (3) Regulations made under subsection (1) may specify—

    • (a) the matters for which fees or charges are payable:

    • (b) the amounts of fees or charges or the method or rates by which they are to be assessed:

    • (c) the individuals or participating agencies, or classes of individuals or participating agencies, liable for payment of the fees or charges:

    • (d) the conditions or circumstances for which the fees or charges must be paid:

    • (e) how the fees or charges are to be paid.

    (4) Without limiting subsection (3)(a), regulations made under subsection (1)—

    • (a) may provide that they do not apply to any fees or charges that—

      • (i) are payable to the chief executive by a participating agency or a class of participating agencies for the use of electronic identity credentials under section 18; and

      • (ii) the chief executive may set in accordance with an agreement between the chief executive and the participating agency or participating agencies:

    • (b) do not apply to any fees or charges that—

      • (i) are payable to a third party by any person other than the chief executive for the performance of any of the chief executive's functions or duties, or the exercise of any of the chief executive's powers, under this Act in accordance with an agreement entered into under section 51(1)(b); and

      • (ii) may be set by the third party in accordance with a separate agreement between the third party and the other person.

    (5) Nothing in subsection (4) prevents regulations being made under subsection (1) prescribing the fees or charges that are payable for applications to which any of sections 28(1)(d), 30(2)(e), and 31(1)(b) apply even though the agreement referred to in subsection (4)(b)(i) provides for a third party to perform functions or duties, or exercise powers, in relation to those applications.

72 Other regulations
  • The Governor-General may, by Order in Council, make regulations—

    • (a) declaring any government department to be a law enforcement agency for the purposes of this Act:

    • (b) prescribing any other information or documentation that must be included in an application:

    • (c) providing for any other matters contemplated by this Act that are necessary for its administration or necessary for giving it full effect.

Transitional provisions

73 Pre-commencement electronic identity credential
  • (1) This section applies to an electronic identity credential (a pre-commencement electronic identity credential) that—

    • (a) was issued before the date of commencement of this section under an agreement between the department and any individual; and

    • (b) is current or suspended as at that date.

    (2) On and from the commencement of this section, a pre-commencement electronic identity credential must be treated as if it were an electronic identity credential that had been issued under this Act and, subject to subsection (3), the provisions of this Act apply accordingly with all necessary modifications.

    (3) A pre-commencement electronic identity credential expires at the time at which it would have expired if this Act had not been enacted.

    (4) Without limiting subsection (2), a pre-commencement electronic identity credential may be renewed, amended, cancelled, suspended, revoked, or otherwise dealt with in accordance with this Act.

74 Existing application for pre-commencement electronic identity credential
  • (1) This section applies to an application for a pre-commencement electronic identity credential to be issued that—

    • (a) had been received by the Service before the date of commencement of this section; and

    • (b) had not been granted, refused, or withdrawn before that date.

    (2) On and from the commencement of this section, the application must be dealt with as if it were an application for an electronic identity credential to be issued under section 28.

75 Pre-commencement third-party agreement
  • (1) This section applies to an agreement (a pre-commencement third-party agreement)—

    • (a) between the chief executive and a third party for the third party to perform the chief executive's functions and duties, or exercise the chief executive's powers, under this Act; and

    • (b) that was entered into before the date of commencement of this section; and

    • (c) that is in force as at that date.

    (2) On and from the commencement of this section,—

    • (a) the pre-commencement third-party agreement must be treated as if it were an agreement entered into under section 51(1)(b) (except that section 51(2) does not apply); and

    • (b) a reference in this Act to an agreement entered into under that section must be taken to include a reference to the pre-commencement third-party agreement; and

    • (c) a reference in this Act to a third party must be taken to include the third party that entered into the pre-commencement third-party agreement.

Consequential amendments

76 Consequential amendments
  • The enactments specified in Schedule 2 are consequentially amended as indicated in that schedule.


Schedule 1
Identity information checks

ss 42(2), 69

Preliminary

1 Purpose of schedule
  • The purpose of this schedule is to facilitate the authentication of an individual's identity by providing a mechanism for the chief executive to confirm whether an individual's identity information is consistent with any information recorded by an agency.

2 Interpretation
  • (1) In this schedule, unless the context otherwise requires,—

    action

    • (a) includes failure to act; and

    • (b) also includes any policy or practice

    adverse action means any action that may adversely affect the rights, benefits, privileges, obligations, or interests of any specific individual

    agency means a person or body of persons declared by the Governor-General, by regulations made under section 69, to be an agency for the purposes of this schedule

    database, in relation to an agency, means any file, register, device, or computer system in or on which information is recorded by the agency

    identity information

    • (a) means core identity information as defined in section 7; and

    • (b) includes any other information relating to an individual (for example, a document or part of a document relating to the individual) that the individual provides to the Service for the purpose of authenticating the individual's identity with the Service; and

    • (c) also includes any information about the status of any other recorded information referred to in paragraph (b)

    identity information check means a check that is carried out for the purpose described in clause 1

    recorded information means information that is recorded in or on an agency's database.

    (2) Any term that is defined in section 7 and used, but not defined, in this schedule has the same meaning as in that section.

Identity information checks

3 Conditions for carrying out identity information check
  • (1) An agency may carry out an identity information check for the chief executive if—

    • (a) the individual who is or will be the subject of the check has consented (in written or electronic form) to the check before it is carried out; and

    • (b) the chief executive has given the agency an assurance (in written or electronic form) that the individual has consented to the check; and

    • (c) the chief executive and the agency are parties to a confirmation agreement that complies with clause 6; and

    • (d) the check is carried out in accordance with the agreement; and

    • (e) the chief executive has paid or has made an arrangement to pay any fees and charges payable under the agreement.

    (2) For the purposes of subclause (1)(a), an individual may consent to an identity information check on—

    • (a) a one-off basis (that is, for each identity information check); or

    • (b) an ongoing basis (that is, for a series of identity information checks, whether repeated or otherwise).

    (3) An individual who consents to an identity information check may withdraw the consent before—

    • (a) the check is carried out, in the case of a consent given on a one-off basis; or

    • (b) all of the checks, or any further checks, are carried out, in the case of a consent given on an ongoing basis.

4 How identity information check is carried out
  • (1) In order for an identity information check to be carried out by an agency, the chief executive must submit an individual's identity information to the agency by any electronic or other means specified in the relevant confirmation agreement.

    (2) On receiving the individual's identity information, the agency must carry out a search of its database for any recorded information about the individual.

    (3) If it is impracticable for the agency to comply with subclause (2) for any reason, the agency must advise the chief executive that the identity information check cannot be carried out and may ask the chief executive to resubmit the individual's identity information.

    (4) The agency must not, at any stage, supply to the chief executive any recorded information about the individual who is the subject of the search.

    (5) However, subclause (4) does not limit or prevent the disclosure of any information about the status of any recorded information in relation to the individual.

    (6) After carrying out the search referred to in subclause (2), the agency must supply to the chief executive information about the search result and, in particular, whether any or all of the individual's identity information submitted to the agency is consistent with any recorded information.

    (7) Without limiting subclause (6), the information that may be supplied under that subclause generally includes, subject to subclause (4), one of the following search results:

    ResultDescription
    Consistent

    Identity information is consistent with recorded information

    Not consistent

    Identity information is not consistent with recorded information

    Exception

    Information about the status of recorded information is available

    (8) For the purposes of subclauses (6) and (7), identity information may be treated as consistent with recorded information despite any variation between them because of pronunciation or punctuation.

Confirmation agreements

5 Parties to confirmation agreement
  • The chief executive may enter into a confirmation agreement with any agency.

6 Form and content of confirmation agreement
  • (1) A confirmation agreement must be in writing.

    (2) A confirmation agreement must—

    • (a) state the purpose of the agreement; and

    • (b) specify which database it applies to.

    (3) In addition, a confirmation agreement must specify the following terms or conditions:

    • (a) the conditions for carrying out identity information checks, including the conditions specified in clause 3; and

    • (b) the manner in which the chief executive may obtain an individual's consent for an identity information check; and

    • (c) the circumstances in which an individual's consent for an identity information check that is given on an ongoing basis must be treated as having expired; and

    • (d) the procedures that the chief executive must follow before taking adverse action against an individual as a result of carrying out an identity information check, including the requirement to give the individual a reasonable opportunity to make submissions or to be heard; and

    • (e) an alternative process for dealing with an individual whose identity information cannot be confirmed using an identity information check because, for example, there is no recorded information about the individual or the individual has not given his or her consent to an identity information check; and

    • (f) the fees and charges payable for identity information checks and the manner in which those fees and charges are to be paid; and

    • (g) the grounds on which the agreement may be terminated; and

    • (h) the process that must be followed by the parties before exercising any right to terminate the agreement; and

    • (i) the process for monitoring the parties' compliance with the terms or conditions of the agreement, including the requirement for the parties to keep, for monitoring purposes, records in respect of identity information checks and the requirement to provide those records to the Privacy Commissioner if requested; and

    • (j) the requirement that the chief executive must consult the Privacy Commissioner about the terms or conditions of confirmation agreements, including the consultation requirements in clause 7.

    (4) A confirmation agreement may specify any other terms or conditions that the parties consider to be appropriate.

    (5) A confirmation agreement may specify different terms or conditions from those contained in another confirmation agreement even though the agencies concerned belong—

    • (a) in the same class; or

    • (b) in different classes.

    (6) A confirmation agreement may be varied by further agreement between the parties.

7 Standard terms or conditions for confirmation agreement
  • (1) The chief executive may develop standard terms or conditions for a confirmation agreement that apply, or are proposed to apply, to particular agencies or classes of agencies, but must consult the Privacy Commissioner before or while doing so.

    (2) If the chief executive is proposing to enter into a confirmation agreement that will contain terms or conditions that are materially different from the standard terms or conditions developed under subclause (1), the chief executive may develop alternative terms or conditions for the proposed agreement, but must consult the Privacy Commissioner about those terms or conditions before entering into the agreement.

    (3) If the chief executive is proposing to vary a confirmation agreement by amending any terms or conditions developed under subclause (1) or (2) that are contained in the agreement, the chief executive must consult the Privacy Commissioner about the proposed amendments to those terms or conditions before varying the agreement.

    (4) However, the requirement to consult the Privacy Commissioner under subclause (3) does not apply if the variation relates to—

    • (a) the fees and charges payable under the agreement; or

    • (b) terms or conditions that are minor or incidental in nature.

    (5) If subclause (1) or (2) does not apply, the chief executive must consult the Privacy Commissioner about the terms or conditions of a confirmation agreement.

8 Periodic review of terms or conditions of confirmation agreements generally
  • (1) The Privacy Commissioner may, at intervals not shorter than 12 months, require the chief executive to—

    • (a) review the terms or conditions of any confirmation agreement (whether or not they are standard terms or conditions developed under clause 7); and

    • (b) report on the outcome of the review to the Privacy Commissioner.

    (2) If, after a review under subclause (1), the Privacy Commissioner and the chief executive agree that amendments to the terms or conditions of a confirmation agreement are required, the chief executive must vary the confirmation agreement to include the amendments to the terms or conditions.

    (3) A variation to a confirmation agreement under subclause (2) applies only if the agency that is party to the agreement agrees to it.

Information requirements

9 List of agencies
  • The chief executive must publish a list of agencies that are party to a confirmation agreement on an Internet site maintained by or on behalf of the chief executive in an electronic form that—

    • (a) is publicly accessible (at all reasonable times); and

    • (b) is free of charge.


Schedule 2
Consequential amendments

s 76

Part 1
Amendments to Acts

Criminal Procedure Act 2011 (2011 No 81)

Schedule 3: insert:

Electronic Identity Verification Act 2012 (2012 No 123)

Section 7: omit the definition of conviction on indictment.

Section 60(3): omit on indictment.

Section 61(2): omit on indictment.

Section 62(4): omit on indictment.

Section 63(2): omit on indictment.

Privacy Act 1993 (1993 No 28)

Schedule 3: insert in its appropriate alphabetical order:

Electronic Identity Verification Act 2012Section 39
Search and Surveillance Act 2012 (2012 No 24)

New section 239A: insert:

239A Amendments to Electronic Identity Verification Act 2012
  • (1) This section amends the Electronic Identity Verification Act 2012.

    (2) In section 25, replace A District Court Judge or Justice or Community Magistrate or Registrar who is not a constable may issue a search warrant under the Summary Proceedings Act 1957 with An issuing officer may issue a search warrant under the Search and Surveillance Act 2012.

Summary Proceedings Act 1957 (1957 No 87)

Part 2 of Schedule 1: insert in its appropriate alphabetical order:

Electronic Identity Verification Act 201260 

Offences relating to Service information and material

 61 

Offence relating to improper issue

 62 

Offences relating to improper access and use

 63 

Offences involving statements or documentation

Part 2
Amendment to regulations

Customs and Excise Regulations 1996 (SR 1996/232)

Regulation 74(3)(b): revoke and substitute:

  • (b) any of the following:

    • (i) a passport:

    • (ii) a New Zealand driver licence:

    • (iii) a current electronic identity credential issued to the applicant (if applicable in terms of the Electronic Identity Verification Act 2012):

    • (iv) any other form of official identification bearing a photo of the applicant that is acceptable to the chief executive as a comparable form of official identification.


Notes
1 General
  • This is a reprint of the Electronic Identity Verification Act 2012 that incorporates all the amendments to that Act as at the date of the last amendment to it.

2 Legal status
  • Reprints are presumed to correctly state, as at the date of the reprint, the law enacted by the principal enactment and by any amendments to that enactment. Section 18 of the Legislation Act 2012 provides that this reprint, published in electronic form, has the status of an official version under section 17 of that Act. A printed version of the reprint produced directly from this official electronic version also has official status.

3 Editorial and format changes
4 Amendments incorporated in this reprint