Digital Identity Services Trust Framework Regulations 2024
2024/197

Cindy Kiro, Governor-General
Order in Council
At Wellington this 23rd day of September 2024
Present:
Her Excellency the Governor-General in Council
These regulations are made under section 102(1) of the Digital Identity Services Trust Framework Act 2023—
  (a) on the advice and with the consent of the Executive Council; and
  (b) on the recommendation of the Minister for Digitising Government made—
    (i) with the approval of the Trust Framework Board under section 28(1)(b) of that Act; and
    (ii) after consulting the Office of the Privacy Commissioner in accordance with section 102(3) of that Act.
Regulations
1 Title
These regulations are the Digital Identity Services Trust Framework Regulations 2024.
2 Commencement
These regulations come into force on 24 October 2024.
3 Interpretation
In these regulations, unless the context otherwise requires,—
Act means the Digital Identity Services Trust Framework Act 2023
authentication service means a digital identity service (for example, a log-in service or a 2-factor authentication service) that enables a person to use an authenticator to access another service
authenticator means information or another thing (for example, a password or a fingerprint) that—
  (a) is known to, or possessed or controlled by, a person; and
  (b) is bound to the person during an interaction with a service; and
  (c) can be used by the person during subsequent interactions with the service to prove that they are the same person
bind, in relation to personal or organisational information, means to link securely to the correct individual or organisation by means of 1 or more checks that the information relates to that particular individual or organisation
binding service means a digital identity service that binds personal or organisational information
carrying on business in New Zealand has the meaning given in section 332 of the Companies Act 1993, except that the references to an overseas company must be treated as references to an organisation
credential means a digital record (for example, a digital vaccination record) that—
  (a) combines an authenticator and bound personal or organisational information; and
  (b) a relying party or another person can rely on without verifying the information
credential service means a digital identity service that creates a reusable credential
facilitation service means a digital identity service that enables a person to present a credential to a relying party
information service means a digital identity service that provides—
  (a) personal or organisational information; and
  (b) a level of assurance as to the accuracy of that information
New Zealand government agency means any part of the State services as defined in section 5 of the Public Service Act 2020
New Zealand resident means—
  (a) an individual who—
    (i) has a permanent place of residence in New Zealand, even if they also have a permanent place of residence elsewhere; and
    (ii) is a New Zealand citizen, holds a residence class visa granted under the Immigration Act 2009, or holds a visa granted under that Act that allows the individual to work or study in New Zealand; or
  (b) an organisation that is—
    (i) formed or incorporated in New Zealand; and
    (ii) carrying on business in New Zealand
service includes a product.
4 Transitional, savings, and related provisions
The transitional, savings, and related provisions (if any) set out in Schedule 1 have effect according to their terms.
Accredited services
5 Types of accredited services
The following types of digital identity services may be accredited under the Act:
  (a) information services:
  (b) binding services:
  (c) authentication services:
  (d) credential services:
  (e) facilitation services.
Key information to be provided by applicants
6 Key information required in provider accreditation applications
(1) An application for accreditation as a TF provider under the Act must include the following key information:
  (a) the profile information about the applicant specified in Schedule 2:
  (b) information about whether the applicant is a New Zealand resident or a New Zealand government agency:
  (c) information about whether the applicant has any interests in overseas defence contracts or overseas government contracts:
  (d) information about any data breaches, data losses, or cybersecurity attacks previously experienced by the applicant, and any controls implemented following those events:
  (e) information about the applicant’s organisational capabilities, including information about the people, processes, and systems that are, or are proposed to be, used to—
    (i) deliver any service for which accreditation is sought; and
    (ii) protect personal and organisational information:
  (f) information about the applicant’s complaints and dispute resolution processes:
  (g) information about whether the applicant is in receivership, in liquidation, bankrupt, or subject to a no asset procedure under subpart 4 of Part 5 of the Insolvency Act 2006 (or a similar procedure under a law of an overseas jurisdiction):
  (h) information showing that the applicant has appropriate policies and processes for ensuring staff recruitment and service contracting are consistent with the TF rules and the regulations and will not pose a risk to—
    (i) the security, privacy, confidentiality, or safety of the information of any trust framework participants:
    (ii) the integrity or reputation of the trust framework:
  (i) a copy of the applicant’s criminal record, or an overseas equivalent if requested by the TF authority:
  (j) if the applicant is or has been the subject of a formal investigation or proceeding by or taken by the Privacy Commissioner, details of the status or outcome of the investigation or proceeding.
(2) The information provided under subclause (1)(h) must include information showing that the applicant has arrangements for checking whether the people involved, or proposed to be involved, in the governance, management, design, or delivery of any service for which accreditation is sought—
  (a) have been convicted of a criminal offence in New Zealand or overseas:
  (b) have been, or are currently, the subject of a formal investigation or proceeding by or taken by the Privacy Commissioner.
(3) In subclause (1)(c), (i), and (j),—
  applicant has the same meaning as in section 25 of the Act
  applicant’s criminal record means a document giving all details recorded in law enforcement information held by or on behalf of the Ministry of Justice of any criminal conviction of the applicant (whether a conviction in New Zealand or overseas).
(4) See also section 25(1) of the Act, which requires the applicant to provide additional specified information.
7 Key information required in digital identity service accreditation applications
(1) An application for accreditation of a digital identity service as an accredited service must include the following key information:
  (a) the profile information about the service specified in Schedule 3:
  (b) information as to how the applicant will meet the service standards, and comply with the processes, specified in TF rules in relation to the service.
(2) See also section 25(1) of the Act, which requires the applicant to provide additional specified information.
Requirement for independent evaluations
8 Applicants must obtain independent evaluations
(1) An application for accreditation under the Act must include an evaluation from an independent evaluator in each of the following areas:
  (a) security:
  (b) privacy:
  (c) identification management.
(2) The evaluation must state whether, in the opinion of the independent evaluator, the criteria in regulation 9 or 10 for the assessment of the application are met in that area.
(3) In this regulation, independent evaluator, in relation to an area, means an individual or organisation considered by the TF authority to have the skills, knowledge, and experience necessary to carry out evaluations in that area to a reasonable standard.
Assessment of applications
9 Assessment criteria for providers
The criteria under section 26(1)(b) of the Act for the assessment of an application for accreditation as a TF provider are that the applicant—
  (a) is a New Zealand resident or a New Zealand government agency; and
  (b) will not pose a risk to New Zealand’s national security or national interests; and
  (c) has a complaints process that meets the requirements in regulations 14 to 17; and
  (d) is not in receivership, in liquidation, bankrupt, or subject to a no asset procedure under subpart 4 of Part 5 of the Insolvency Act 2006 (or a similar procedure under a law of an overseas jurisdiction); and
  (e) has appropriate policies and processes for ensuring staff recruitment and service contracting are consistent with the TF rules and the regulations and will not pose a risk to—
    (i) the security, privacy, confidentiality, or safety of the information of any trust framework participants:
    (ii) the integrity or reputation of the trust framework.
10 Assessment criterion for digital identity services
The criterion under section 26(1)(b) of the Act for the assessment of an application for accreditation of a digital identity service is that the service is a service that the applicant can provide in a way that meets the service standards, and complies with the processes, specified in the TF rules.
11 Authority may seek advice from Privacy Commissioner
(1) When assessing an application under section 26 of the Act, the TF authority may request information from the Privacy Commissioner about—
  (a) whether the applicant is or has been the subject of a formal investigation or proceeding by or taken by the Privacy Commissioner; and
  (b) the status or outcome of any such investigation or proceeding.
(2) In this regulation, applicant has the same meaning as in section 25 of the Act.
Third party assessors
12 Certification as third party assessor
(1) The TF authority may certify an individual or organisation as a third party assessor to carry out accreditation assessments in 1 or more of the following areas:
  (a) security:
  (b) privacy:
  (c) identification management.
(2) An individual or organisation may apply in writing to the TF authority to be certified as a third party assessor.
(3) The application must—
  (a) specify the area to which it relates; and
  (b) include information showing that the applicant has the skills, knowledge, and experience necessary to carry out accreditation assessments in that area to a reasonable standard.
(4) The TF authority may certify an individual or organisation as a third party assessor in relation to an area only if satisfied that the individual or organisation has the skills, knowledge, and experience necessary to carry out accreditation assessments in that area to a reasonable standard.
(5) In this regulation, accreditation assessments means the TF authority’s function of assessing whether an individual or organisation meets the criteria in regulation 9 or 10 for the assessment of an application for accreditation.
Duration of accreditation
13 Accreditation expiry date
An accreditation expires under section 30(1)(c) of the Act at the end of the 3-year period beginning with the date on which the accreditation commenced or was renewed.
Complaints process and dispute resolution
14 Complaints process must be established
(1) A TF provider must establish and maintain an accessible complaints process for dealing with complaints fairly, promptly, without undue formality, and with regard to tikanga Māori where applicable.
(2) A TF provider must consider any complaint in accordance with their complaints process.
(3) In this regulation, complaint means a complaint made to the TF provider about an alleged breach by the TF provider of the TF rules, the regulations, terms of use of accreditation marks, or provisions of the Act.
15 Complaints process must incorporate industry-specific dispute resolution scheme or process
(1) This regulation applies if a TF provider is a party to a dispute resolution scheme or process because of the TF provider’s membership of a particular industry.
(2) The TF provider’s complaints process must include the use of that industry-specific dispute resolution scheme or process.
16 Complaints process must be publicly available
A TF provider must publish their complaints process on a publicly accessible internet site maintained by or on behalf of the TF provider.
17 Information must be given to complainants
A TF provider must tell complainants that they may complain to the TF authority if they are dissatisfied with the outcome of the TF provider’s complaints process.
Record-keeping and reporting
18 Information to be collected and kept
(1) A TF provider must collect and keep the following information under section 42 of the Act:
  (a) information showing that the provider has provided their accredited services in accordance with the requirements of the Act, the TF rules, and the regulations:
  (b) information required to be included in reports under regulation 19:
  (c) information required to be included in incident notifications under regulation 20.
(2) The information collected and kept under subclause (1)(a)—
  (a) must include records of transactions, events, and actions occurring in the normal course of users starting, progressing, and completing their digital transactions; but
  (b) must not include personal information.
19 Six-monthly reports and annual reports
(1) After the end of each 6-month period, a TF provider must give the TF authority a report about the use of their accredited services during that period, including the types and volume of services provided and the number of credentials issued by the TF provider.
(2) After the end of each 12-month period, a TF provider must give the TF authority a report about—
  (a) the delivery of their accredited services during that period, including—
    (i) steps taken by the TF provider to ensure accredited services are delivered in accordance with the TF rules and the regulations; and
    (ii) any breaches of the TF rules and the regulations; and
    (iii) action taken to remedy any breaches of the TF rules and the regulations; and
    (iv) steps taken to improve delivery of the accredited services; and
  (b) complaints and dispute resolution during the 12-month period, including—
    (i) the number and types of complaints made to the TF provider; and
    (ii) the outcomes of complaints, including details of any remedies; and
  (c) the status or outcome during the 12-month period of any incidents reported to the TF authority under regulation 20.
(3) In this regulation,—
  6-month period means a period of 6 months beginning on 1 January or 1 July
  12-month period means a period of 12 months beginning on 1 January.
(4) A report required by this regulation must be given to the TF authority—
  (a) no later than 1 month after the end of the period to which it relates; or
  (b) if a later date is agreed by the TF provider and the TF authority, by that date.
(5) Reports under this regulation must be in the form, and be made in the manner, approved by the TF authority.
20 Incident notification
(1) A TF provider must notify the TF authority of any incident relating to the TF provider, or to an accredited service of the TF provider, as soon as practicable.
(2) In this regulation, incident means an actual or a suspected event, including a cybersecurity event or fraud, that does or would do any of the following:
  (a) adversely affect privacy or confidentiality:
  (b) adversely affect the integrity or availability of an accredited service:
  (c) cause, or risk causing, serious harm to a trust framework participant.
(3) See also section 114 of the Privacy Act 2020, which requires TF providers to also notify the Privacy Commissioner of some incidents.
21 Retention period
A TF provider must keep information collected under section 42 of the Act until the later of the following:
  (a) 12 months from the date on which the TF provider’s accreditation as a TF provider ends:
  (b) 12 months from the date on which the TF provider last used that information.
22 Secure storage and disposal of information
(1) A TF provider must securely store any information kept under section 42 of the Act, in a manner that ensures that the information—
  (a) remains unaltered; and
  (b) is readily retrievable in a timely manner on request by the TF authority.
(2) A TF provider must have a secure way of disposing of any records that are no longer required.
Complaints to TF authority
23 Complaints to TF authority must be in writing
A complaint made to the TF authority under section 69 of the Act must be in writing.
Schedule 1 Transitional, savings, and related provisions
Part 1 Provisions relating to these regulations as made
There are no transitional, savings, or related provisions in these regulations as made.
Schedule 2 Profile information about applicant
Information to be provided by every applicant:
the applicant’s name and any trading names of the applicant:
the applicant’s New Zealand Business Number (if any):
whether the applicant is an individual or an organisation:
the applicant’s address and internet site address:
details of individuals with material control over the applicant (for example, board members and chief executives).
Additional information to be provided by an applicant that is an organisation (excluding a New Zealand government agency):
the type of organisation:
whether the organisation is registered or incorporated in New Zealand:
the organisation’s registered address:
whether the organisation is a subsidiary of an overseas organisation or has offices overseas:
information on the ownership structure (if any) of the organisation.
Schedule 3 Profile information about digital identity service
Information to be provided about every service for which accreditation is sought:
the applicant’s name and any trading names of the applicant:
the applicant’s New Zealand Business Number (if any):
the name (if any) and general description of the service:
details of individuals involved, or proposed to be involved, in the governance of the service:
details of individuals involved, or proposed to be involved, in the management, design, or delivery of the service.
Nicola Purvis,
Acting Clerk of the Executive Council.
Explanatory note
This note is not part of the regulations but is intended to indicate their general effect.
These regulations, which come into force on 24 October 2024, prescribe the following matters for the purposes of the Digital Identity Services Trust Framework Act 2023 (the Act):
the types of digital identity services that may be accredited under the Act:
key information to be provided by people making accreditation applications:
a requirement for providers and services to be independently evaluated before applications to accredit them are made:
the criteria that the Trust Framework Authority will use to assess applications for accreditation:
the requirements for certification of third party assessors:
the duration of an accreditation under the Act:
requirements for trust framework providers’ complaints processes:
record-keeping and reporting requirements for trust framework providers:
requirements for complaints made to the Trust Framework Authority about trust framework providers.
Regulatory impact statement
The Department of Internal Affairs produced a regulatory impact statement on 15 December 2023 to help inform the decisions taken by the Government relating to the contents of this instrument.
A copy of this regulatory impact statement can be found at—
Issued under the authority of the Legislation Act 2019.
Date of notification in Gazette: 26 September 2024.
These regulations are administered by the Department of Internal Affairs.