The purposes of this Act are—

The definition of the digital identity services trust framework is in section 8 along with a description of the main components of the trust framework. The definition of digital identity service is in section 10. The 3 types of trust framework participants are listed in section 11.

The ways in which the Act recognises and respects the Crown’s responsibility to give effect to the principles of te Tiriti o Waitangi/the Treaty of Waitangi are listed in section 9.

Part 3 relates to the TF rules, the accreditation of providers of digital identity services and the services they provide, and record-keeping and reporting by them once they are accredited. Part 3 also contains provisions relating to the TF register of accredited providers and services.

Part 4 relates to the TF board, the Māori Advisory Group, and committees of advisers to advise the board.

Part 5 relates to the TF authority.

Part 6 relates to complaints and offences. Part 6 also sets out remedies that may be granted by the TF authority following a finding of breach by a TF provider of the TF rules, regulations, terms of use of accreditation marks, or provisions of this Act.

Part 7 contains a miscellaneous group of provisions relating to regulations, immunity from liability, and reviews.

This overview is for explanation only and does not affect the meaning of this Act.

In this Act, unless the context otherwise requires,—

The transitional, savings, and related provisions (if any) set out in the Schedule have effect according to their terms.

This Act binds the Crown.

The digital identity services trust framework or trust framework means the legal framework established by this Act to regulate the provision of digital identity services for transactions between individuals and organisations.

The main components of the trust framework are—

The 2 administering bodies for the trust framework are the TF board (see Part 4) and the TF authority (see Part 5).

The accreditation regime is run by the authority (see sections 23 to 33).

The board recommends draft TF rules and regulations to the Minister (see sections 18 and 102), and the authority is responsible for enforcing the rules (see Part 6).

In order to recognise and respect the Crown’s responsibility to give effect to the principles of te Tiriti o Waitangi/the Treaty of Waitangi, this Act,—

In this Act, digital identity service means a service or product that, either alone or together with 1 or more other digital identity services, enables a user to share personal or organisational information in digital form.

Examples of digital identity services are services or products that—

The regulations must prescribe the types of digital identity services that may be accredited under this Act.

The participants in the trust framework are—

A single individual or organisation may be 1 or more of the participants listed in subsection (1) in the same transaction.

A TF provider must not collect, use, share, or otherwise deal with personal or organisational information in connection with the provision of an accredited digital identity service unless—

See section 17, which provides that nothing in this Act overrides the Privacy Act 2020.

TF providers may use accreditation marks approved by the TF board to identify the accredited services they provide as being accredited under this Act.

The board may approve the form and style of accreditation marks and may approve different accreditation marks to be used for different types of services.

The TF authority must set the terms of use of accreditation marks and must publish them on an Internet site maintained by or on behalf of the authority’s responsible department.

TF providers must comply with the relevant terms of use when using an accreditation mark.

A TF provider may provide both accredited services and digital identity services that are not accredited under this Act.

See section 96, which makes it an offence for a person to knowingly or recklessly represent a digital identity service to be an accredited service when it is not.

An individual or organisation may provide a digital identity service even if they and the service are not accredited under this Act.

See section 96, which makes it an offence for a person to knowingly or recklessly represent—

Nothing in this Act limits or otherwise affects the Electronic Identity Verification Act 2012 or the Identity Information Confirmation Act 2012.

The Minister may make rules for the matters listed in section 20.

The TF board may recommend draft TF rules to the Minister.

The Minister may make rules only if satisfied that the requirements for consultation under section 21 have been met.

Rules made under this section are secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements).

The TF rules apply to TF providers and the accredited services they provide.

The rules—

The TF rules must set requirements for all of the following:

Identification management

Privacy and confidentiality

Security and risk

Information and data management

Sharing and facilitation

The TF rules may set different requirements for the following:

If a TF rule is inconsistent with the regulations, the regulations prevail.

TF rules relating to personal information must be consistent with the Privacy Act 2020 (see also section 17).

Before recommending draft TF rules to the Minister, the TF board must consult and invite submissions from the following on the proposed content of the rules:

The Minister must decide which people or groups the board must consult under subsection (1)(b) after taking into account the particular subject matter of the proposed content of rules.

The Minister must also consult the Ministers with portfolio responsibilities that relate to Māori development and Māori-Crown relations before deciding which people or groups will be consulted by the board under subsection (1)(b).

The Minister may decide that consultation under this section is not required if the proposed content of a rule or a proposed change to an existing rule is technical and non-controversial in nature.

Before recommending draft TF rules to the Minister, the TF board must report to the Minister on the consultation it has undertaken under section 21.

A digital identity service provider may apply to the TF authority to be accredited as a TF provider. That application must be accompanied by an application to have at least 1 digital identity service that they currently provide accredited as an accredited service.

A TF provider may apply at any time to have a digital identity service that is provided by them, and that is not an accredited service, accredited as an accredited service. That service must be in addition to the 1 or more accredited services they already provide.

See section 32 for applications for provisional accreditation of providers and services.

An application for accreditation must—

See section 99, which makes it an offence to fail to give key information or specified information in an application for accreditation.

The key information referred to in subsection (1)(b)(i) and the other information referred to in subsection (1)(b)(ii) may differ for—

The fee referred to in subsection (1)(d) may vary in amount to reflect the different costs of processing different types of applications.

The specified information referred to in section 24(1)(c) is whether the applicant (whether already a TF provider or not)—

In this section, applicant means the applicant and (as relevant) their officers and those involved in the management of, employed by, or contracted by, the applicant.

The TF authority may accredit a provider or service if it is satisfied that—

The authority may grant the application in full or in part. However,—

An application that meets the requirements of this section may be declined only if the authority is satisfied that the provider’s past conduct, or that of a related individual or organisation, indicates that the provider or a service they provide may pose a risk to—

For the purposes of this section, the authority may take into account information that it reasonably believes is likely to be accurate.

The TF authority must give notice of its decision to the applicant and if it declines the application (whether in full or in part), the authority must also—

If an application is successful in full or in part, the authority must give the applicant the following information along with its decision:

Regulations may prescribe—

Regulations referred to in subsection (1) may set different requirements or fees for the following:

An applicant may apply to the TF authority for it to reconsider—

The application for reconsideration must—

When assessing the application, the authority must consider any new, or additional, relevant information provided by the applicant.

A reconsideration decision by the authority is final. However, this section does not affect the right of an applicant to apply to a court for judicial review of the decision.

Except to the extent that this Act or the regulations set different requirements for applications for reconsideration, sections 23 to 25 apply to the making of an application under this section as if it were an original application for accreditation.

The accreditation of a TF provider or an accredited service commences on the date of the relevant accreditation decision by the TF authority and ends on the earliest of the following:

Under subsection (1)(c), the accreditation of a provider or service expires at the end of the relevant period set by the regulations. The regulations may set different periods for—

If the accreditation of a TF provider ends under subsection (1), all accredited services provided by that provider cease to be accredited services.

If a TF provider does not provide at least 1 accredited service in a 12-month period or a longer period agreed by the authority (the applicable period), their accreditation as a TF provider ends unless subsection (5) applies.

If a TF provider applies for or obtains provisional accreditation for a digital identity service in the applicable period, their accreditation continues,—

A TF provider may apply to renew their accreditation or the accreditation of an accredited service they provide.

If a renewal application is made before the accreditation of the provider or service expires, the accreditation continues to have effect until the renewal application is decided by the TF authority.

If the accreditation of a provider or service expires before a renewal application is made, instead of a renewal application, the provider must make a fresh application for accreditation under section 23.

A renewal application must be in the form, and be made in the manner, approved by the authority.

Except to the extent that this Act or the regulations set different requirements for renewal applications, sections 23 to 25 apply to the making of a renewal application as if it were an original application for accreditation.

The TF authority may grant provisional accreditation to a digital identity service provider or to a digital identity service.

A digital identity service provider that is not a TF provider may apply to the authority—

An application under subsection (2) must be for provisional accreditation for both the provider and at least 1 service they wish to develop.

A TF provider may apply to the authority for provisional accreditation for a service they wish to develop in addition to the 1 or more accredited services they already provide.

An application under this section must be in the form, and be made in the manner, approved by the authority.

Except to the extent that this Act or the regulations set different requirements for applications for provisional accreditation, sections 23 to 29 apply to the making and deciding of an application under this section with any necessary modifications.

Provisional accreditation expires—

A provider or service with provisional accreditation is not a TF provider or an accredited service for the purposes of this Act.

If any of the key information referred to in section 24(1)(b)(i), or the specified information listed in section 25(1), changes, the applicant or TF provider must tell the TF authority of the change within 5 working days of the change.

See section 100, which makes it an offence to fail to tell the authority of a change to key information or specified information.

The obligations under subsection (1) apply,—

The obligations under this section apply even if an applicant or a TF provider has previously failed to give key information or specified information to the authority as required by sections 24 and 25.

In this section, application for accreditation means—

The TF authority must establish and maintain a register of TF providers and accredited digital identity services.

In this section and sections 35 to 38,—

The purposes of the TF register are—

The TF register must be kept as an electronic register on a publicly accessible Internet site maintained by or on behalf of the TF authority or its responsible department.

The TF register must contain the following information for each TF provider:

For each TF provider, the register must also—

The register may also contain—

The TF authority may make amendments to the TF register at any time for the purposes set out in section 35, including amendments to—

The TF authority may certify an individual or an organisation as a third party assessor to carry out 1 or more of its functions relating to accreditation of providers or services if permitted by, and in accordance with, the regulations.

A third party assessor does not have, and nor may the authority delegate to them, the authority’s powers under sections 61 and 62 of this Act.

The regulations may prescribe circumstances under which the authority may suspend or cancel the certification of third party assessors.

This section applies to a third party assessor when intending to carry out or carrying out functions under this Act.

The Ombudsmen Act 1975 and the Official Information Act 1982 apply to them as if the third party assessor were an organisation named in Schedule 1 of the Ombudsmen Act 1975.

Information they hold is to be treated as also being held by the TF authority for the purposes of the Official Information Act 1982.

Section 104 of the Public Service Act 2020 applies to them as if they were a public service employee.

The regulations may prescribe record-keeping and reporting requirements for third party assessors, including for the collection and keeping of certain information, and for providing information to the TF authority.

A TF provider must—

In this section,—

The Trust Framework Board is established to carry out the board’s functions set out in this Act.

The Prime Minister must nominate a department to be the responsible department for the TF board.

The board is a body within the responsible department and is accountable to its chief executive.

The responsible department must include in its annual report a description of the board’s activities for the period covered by the report.

The TF board’s functions are to—

If any functions are conferred on the board by the Minister, this must be done in writing.

When performing its functions, the board must engage with Māori in the manner provided for under section 53(5) to recognise and provide for Māori interests in the operation of the trust framework.

The TF board has all the powers that are reasonably necessary to carry out its functions under this Act to the extent consistent with section 44(2).

The chief executive must appoint the members of the TF board. The members may include public service employees and individuals from outside the public service.

When selecting the board’s members, the chief executive must ensure that—

Only members of the TF board who are public service employees have voting rights on the board.

The chief executive may give written notice to a TF board member removing them from the board if they become bankrupt or neglect their duty, or for misconduct.

A TF board member who is a public service employee is entitled to be paid by their employer, as if they were undertaking their usual duties, for time reasonably taken by them away from their usual duties to undertake the work of the board.

Other board members are not public service employees as a result of their appointment to the board, and the responsible department must pay fees for their services, and expenses reasonably incurred by them in providing those services, in accordance with the fees framework.

The Māori Advisory Group is established to advise the TF board.

The Minister must appoint members to the Māori Advisory Group.

The Minister must consult the Ministers with portfolio responsibilities that relate to Māori development and Māori-Crown relations before making any appointments.

The Minister must appoint 1 of the members as chairperson of the Māori Advisory Group.

The Minister must appoint only people who, in the responsible Minister’s opinion, have the appropriate knowledge, skills, and experience to assist the Māori Advisory Group to perform its role.

The role of the Māori Advisory Group is to advise the TF board on Māori interests and knowledge, as they relate to the operation of the trust framework, and to do so in accordance with the engagement policy and terms of reference referred to in subsection (4).

The board must seek advice from the Māori Advisory Group if a matter the board is dealing with raises matters of tikanga Māori or Māori cultural perspectives.

The board must give effect to the advice of the Māori Advisory Group to the extent that it considers is reasonable and practicable after taking account of other relevant considerations.

The board and the Māori Advisory Group, acting jointly, must—

The engagement policy must include details of how and when consultation with iwi and hapū will be undertaken by—

The board must publish on an Internet site maintained by or on behalf of the board’s responsible department—

The board and the Māori Advisory Group, acting jointly, must review both the engagement policy and the terms of reference at intervals of not more than 3 years.

The following provisions of the Crown Entities Act 2004 apply to members of the Māori Advisory Group as if they were members of the board of a Crown agent:

The members are entitled to fees for their services, and expenses reasonably incurred by them in providing those services, in accordance with the fees framework.

The Minister may give written notice to a member of the Māori Advisory Group removing them as a member if they become bankrupt or neglect their duty, or for misconduct.

The TF board may establish committees of advisers of public service employees and individuals from outside the public service to give advice and make reports to the board.

An adviser who is a public service employee is entitled to be paid by their employer, as if they were undertaking their usual duties, for time reasonably taken by them away from their usual duties to undertake the work of a committee.

Other advisers are not public service employees as a result of their appointment to a committee, and the board’s responsible department must pay fees for their services, and expenses reasonably incurred by them in providing those services, in accordance with the fees framework.

The TF board may give written notice to a committee member removing them from a committee if they become bankrupt or neglect their duty, or for misconduct.

The Trust Framework Authority is established to carry out the authority’s functions set out in this Act.

The Prime Minister must nominate a department to be the responsible department for the TF authority.

That department may be the same as the responsible department nominated for the TF board under section 44.

The authority is a body within the responsible department and is accountable to its chief executive. However, the authority must act independently in respect of its enforcement functions under Part 6.

The responsible department must include in its annual report a description of the authority’s activities for the period covered by the report.

The TF authority’s functions are to—

The TF authority has all the powers that are reasonably necessary to carry out its functions under this Act to the extent consistent with section 59(3).

The TF authority may, by written notice and without charge, require an individual or organisation to provide to it information or a document in their possession or control if satisfied that the information or document is necessary for, and relevant to, 1 or more of the purposes listed in subsection (3).

The notice may set a date by which the information or document must be provided to the authority. This must not be sooner than 5 working days after receipt of the notice by the individual or organisation.

The purposes for which the authority may issue a notice are—

The individual or organisation that receives a notice must comply with it within the period stated in the notice.

However, an individual or organisation that receives a notice need not comply with it in relation to any information or document if—

The authority must not release any information or document received by it under this section if the information or document is commercially sensitive, unless the release is required by an enactment.

In this section, information means any information, whether contained in a document or not.

An individual or organisation that receives a notice under section 62 may apply to the TF authority for an extension of time to provide the information or document, and the authority may extend the time for a period it considers to be reasonable in the circumstances.

The application must set out the reasons for requesting the extension of time.

The chief executive must appoint the members of the TF authority. The members may include public service employees and individuals from outside the public service.

When selecting the authority’s members, the chief executive must ensure that the authority has—

The chief executive may give written notice to a member of the TF authority removing them from the authority if they become bankrupt or neglect their duty, or for misconduct.

A member of the TF authority who is a public service employee is entitled to be paid by their employer, as if they were undertaking their usual duties, for time reasonably taken by them away from their usual duties to undertake the work of the authority.

Other members of the authority are not public service employees as a result of their appointment to the authority, and the responsible department must pay fees for their services, and expenses reasonably incurred by them in providing those services, in accordance with the fees framework.

The purpose of this Part is to promote confidence in the trust framework by establishing processes for dealing with complaints.

In carrying out its functions under this Part (except when granting remedies or prosecuting offences), the TF authority must be guided by the following principles:

Any person may complain to the TF authority if they believe there has been a breach by a TF provider.

Breach means a breach of the TF rules, the regulations, terms of use of accreditation marks, or provisions of this Act.

A complaint must—

A complainant is entitled to reasonable assistance from the TF authority to meet the requirements of subsection (1).

As soon as practicable after receiving a complaint, the TF authority must—

If part of a complaint is referred to an office holder, the authority must make a preliminary assessment of the remaining part of the complaint unless it decides not to consider that part of the complaint further under section 73.

This section applies if the TF authority considers that a complaint (in full or in part) may be more appropriately dealt with by:

The authority must consult the relevant office holder about whether the complaint—

The decision about whether a complaint is within the jurisdiction of an office holder is a matter solely for the relevant office holder.

If the complaint is within the jurisdiction of the office holder and the authority decides that it would be more appropriately dealt with by that office holder, the authority must as soon as practicable—

The TF authority may decide not to consider a complaint or part of a complaint further if it considers—

The authority may also decide not to consider a complaint further if, after having regard to all of the circumstances of the case, the authority is of the opinion that considering the complaint further is unnecessary or inappropriate.

If the authority decides not to consider a complaint further, it must tell the complainant and TF provider in writing of the decision and give its reasons.

When making a preliminary assessment of a complaint, the TF authority must take into account—

The authority may, for the purpose of making a preliminary assessment, in its absolute discretion, decide—

See section 62(6), which limits the release of any information or document that is commercially sensitive. The authority must also not provide any information or document to a complainant that is confidential.

If the authority obtains information or documents under section 62 from an individual or organisation that is not the TF provider, it must give the TF provider copies and a reasonable opportunity to comment on them.

The authority may, when making a preliminary assessment, regulate its procedure as it considers appropriate and in a way that is consistent with this Act and the regulations (if any).

The TF authority must give the complainant and the TF provider—

The TF authority may, in accordance with any requirements and criteria prescribed in the regulations, recommend a dispute resolution scheme for the Minister’s approval.

The dispute resolution scheme must not deal with the following:

The chief executive may employ or engage persons or organisations to provide dispute resolution services to support the resolution of complaints under this Part.

The Minister may approve a dispute resolution scheme if satisfied that—

The TF authority may commence an investigation—

As the first step of an investigation, the TF authority must notify the TF provider that it is commencing an investigation.

A notice given under subsection (1) must—

The TF authority must conduct an investigation in a timely manner.

During an investigation, the authority may—

At any time during an investigation, the authority may decide to take no further action on a complaint or matter if it—

As soon as practicable after making a decision under subsection (3), the authority must notify the complainant (if any) and the TF provider of—

It is not necessary for the authority to hold a hearing, and no person is entitled as of right to be heard by the authority.

Any investigation conducted by the authority must be conducted in private.

When conducting an investigation, the TF authority may regulate its procedure as it considers appropriate and in a way that is consistent with this Act and the regulations (if any).

If the TF authority is satisfied, on the balance of probabilities, that a breach has occurred, it must give the complainant (if any) and the TF provider written notice of its decision, including its reasons.

The authority may also grant 1 or more of the remedies listed in section 83 but must first give the TF provider a reasonable opportunity to make submissions on the issue of remedies.

The authority may find that a breach has occurred even if it is of the view that the breach was unintentional or without negligence on the part of the TF provider. However, the authority must take the conduct of the TF provider into account when deciding what, if any, remedy or remedies to grant.

If the TF authority finds a breach by a TF provider, it may do 1 or more of the following:

If the authority is satisfied that a TF provider has failed to comply with a compliance order or give the notice required by section 89, it may suspend or cancel the accreditation of the provider or the relevant service.

The TF authority may issue a public warning under section 83(1)(a) only if it is satisfied on reasonable grounds that—

Before making a decision under this section, the authority must—

The authority may require additional record-keeping or reporting requirements under section 83(1)(b) for any period that the authority considers appropriate, but it may lift those additional requirements earlier if satisfied that they are no longer needed.

Before issuing a compliance order under section 83(1)(c), the TF authority must consider all of the following:

However, each of those factors need be considered only to the extent that—

Before issuing a compliance order, the authority must also—

A compliance order must—

A compliance order may also—

A TF provider that is issued with a compliance order must comply with it, including by taking any particular steps to remedy the breach specified in the order.

The TF provider must remedy the breach,—

A TF provider must tell the TF authority when it has complied with a compliance order and must do so within 5 working days of doing so.

A TF provider that receives a draft compliance order or a compliance order may elect to forfeit their accreditation or the accreditation of the relevant service, whichever is the subject of the draft order or order.

The TF provider must tell the TF authority that it wishes to do so within 5 working days of receiving the draft order or order.

If the authority receives the advice referred to in subsection (2) for a draft compliance order, it must cancel the accreditation in place of issuing a compliance order.

If the authority receives the advice after issuing a compliance order, it must cancel both the accreditation and the compliance order.

A TF provider may apply to the TF authority to vary or cancel a compliance order on the ground that there has been an error of fact or law.

The authority may do so on terms it considers appropriate.

This section applies if the TF authority has suspended the accreditation of a TF provider or a service they provide—

The suspension may be for any period the authority considers appropriate, but it may reinstate the accreditation earlier if it is satisfied that—

However, before making a decision under this section, the authority must—

This section applies if the TF authority has cancelled the accreditation of a TF provider or a service they provide—

However, before making a decision under this section, the authority must—

If a TF provider is found to have breached any of the following on at least 3 separate occasions in a 12-month period, the TF authority may suspend or cancel their accreditation or the accreditation of the relevant service they provide:

The suspension may be for any period the authority considers appropriate, but it may reinstate the accreditation earlier if it is satisfied the suspension is no longer needed.

The authority must take reasonable steps to give notice to the TF provider of the suspension or cancellation, but need not give them an opportunity to comment before suspending or cancelling the accreditation.

The accreditation of a TF provider or of a service they provide may be suspended or cancelled by the TF authority if the TF provider—

This section applies whether or not the authority has found a breach by a TF provider.

The suspension may be for any period the authority considers appropriate, but it may reinstate the accreditation earlier if it is satisfied the suspension is no longer needed.

However, before making a decision under this section, the authority must—

For the purposes of subsection (1), the authority may take into account information that it reasonably believes is likely to be accurate.

In this section, TF provider means the TF provider and (as relevant) their officers and those involved in the management of, employed by, or contracted by, the TF provider.

A person who knowingly or recklessly represents themselves to be a TF provider when they are not commits an offence and is liable on conviction to,—

A person who knowingly or recklessly represents a digital identity service to be an accredited service when it is not (including using an accreditation mark when not entitled to do so) commits an offence and is liable on conviction to,—

A person who knowingly or recklessly uses an accreditation mark in a manner that is contrary to the terms of use set by the TF authority commits an offence and is liable on conviction to,—

A person who knowingly or recklessly gives false information to the TF authority in an application for accreditation commits an offence and is liable on conviction to,—

In this section, application for accreditation means—

A person who makes an application for accreditation and who fails without reasonable excuse to give the TF authority key information or specified information in the application commits an offence and is liable on conviction to,—

In this section and section 100,—

A person who makes an application for accreditation and who fails without reasonable excuse to tell the TF authority of a change to key information or specified information, as required by section 33, commits an offence and is liable on conviction to,—

A TF provider that fails without reasonable excuse to tell the TF authority of any change to key information or specified information, as required by section 33, commits an offence and is liable on conviction to,—

A person who, without reasonable excuse, obstructs the TF authority when it is carrying out its functions or exercising its powers commits an offence and is liable on conviction to,—

The Governor-General may, on the recommendation of the Minister, by Order in Council, make regulations for 1 or both of the following purposes:

The TF board may recommend draft regulations to the Minister.

Before regulations are made under this section, the Minister must consult the Office of the Privacy Commissioner.

Regulations made under this section are secondary legislation (see Part 3 of the Legislation Act 2019 for publication requirements).

This section applies to a member of the TF board, the TF authority, the Māori Advisory Group, and any advisory committee, and a staff member of the board or the authority, who is not a public service employee.

Section 104 of the Public Service Act 2020 applies to a person listed in subsection (1) as if they were a public service employee.

A TF provider is immune from liability in civil proceedings for a claim that a user, when using an accredited digital identity service provided by the TF provider, has caused harm or damage to an individual or organisation or has themselves suffered harm or damage.

However, subsection (1) does not apply—

In this section,—

A review of the TF board’s operation must be commenced by its responsible department as soon as practicable after the second anniversary of the commencement of section 43.

As soon as practicable after that date, the Minister must set a date for completion of the review.

The review must include—

The review may include other matters as the department considers appropriate.

The Minister must present a copy of the review to the House of Representatives as soon as practicable after receiving it from the department.

A first review of the complaints process and dispute resolution scheme operated by the TF authority under this Act (including if this is done by persons or organisations under section 76(3)) must be undertaken by the TF board as soon as practicable after the second anniversary of,—

Subsequent reviews of that process and scheme must be undertaken by the authority at 5-yearly intervals from the date on which the first review (in each case) is commenced.