IT Brief New Zealand logo
Technology news for New Zealand's largest enterprises
Story image

It's time for Kiwis to define the meaning of digital identity in Aotearoa

By Sara Barker
Thu 28 Oct 2021

In late September, the government introduced a new bill to parliament that would fundamentally pave the way to digital identity for citizens in Aotearoa, New Zealand. 

The Digital Identity Services Trust Framework (DISTF) Bill is the brainchild of Minister of Digital Economy and Communications, David Clark. Last week, the bill passed its first reading. So what is it, and what does it stand for?

Digital identity - an overview

Digital identity is any piece of data or information that helps to identify you as a person through digital services, particularly over the internet. For example, most people will have a digital identity linked to their bank account, Inland Revenue login, passport applications, and online shopping.

In May 2021, Clark said that digital identity is a crucial enabler to the overall Digital Strategy for Aotearoa. This strategy strives to turn New Zealand into a 'world class digital nation'. He believes that New Zealand can bank on its reputation as a nation of 'ethical innovators'.

He notes that other countries with mature economies have pegged the value of digital identity between 0.5%-3% of GDP. In New Zealand dollars, that could be between $1.5 billion to $9 billion.

"Whether it's opening a bank account, sharing our medical history, conducting business online, or applying for Government services like the wage subsidy, it's vital we trust the systems we use, and that service providers know what's expected of them."

But, he admits, it has been hard to roll out digital services because there are no consistent standards that govern digital identity.

"Without these solutions, people will continue to face difficulties sharing information about themselves. They are also more exposed to risks including online fraud and other privacy breaches."

The bill is designed to achieve a clear path to identity regulation and information security both for New Zealanders and the broader digital economy.

"We are working closely with our international partners so that New Zealanders' digital identities are recognised overseas, including places like Australia. A trusted modern digital identity system will help grow our digital economy, transform government services and ensure all New Zealanders can take part in the digital world," says Clark.

The business community also feels that the path to digital identity has been anything but straightforward because there isn't enough collaboration, innovation or interoperability within identity services.

We've had government services like the online verification platform RealMe since 2013, there aren't too many examples of strong digital identity services. However, the upcoming COVID-19 vaccine certificate and passport system will be linked to digital identity and the details are yet to be fully explored. 

Clark has a vision in which businesses and individuals can prove more things online, cutting down on paperwork. This is where the proposed legislation comes into play.

A closer look at the Digital Identity Services Trust Framework Bill

The bill aims to take digital identity services further by rolling out requirements for all service providers, both the public and private sectors, who need to use identity verification services as part of their business. The bill works hand-in-hand with the legislation set out in the Privacy Act 2020, and it gives digital identity service providers to opt-in once their systems are ready.

"The Government is committed to enhancing trust and confidence in how organisations handle personal and business identity information. The legislation will ensure that everyone is clear on their rights and obligations," says Clark.

The bill has four aims:

  • To help drive consistency, trust, and efficiency in the provision of digital identity services
  • To support the development of interoperable digital identity services
  • To provide people with more control over their personal information and how it is used
  • To enable the user-authorised sharing of personal and organisational information digitally to access public and private sector services.

According to the government, the bill means that Kiwis can have more trust that their data is protected and private, and it also provides more control over how and when they share their information. And, of course, it aims to provide easier access to digital services from from the public and private sector.

The DISTF bill also aims to boost business efficiency and deliver better, more accurate information with higher trust and lower risk, as well as giving businesses more confidence meet regulations as they invest in digital services.

The government also promises to better detect and prevent security and privacy breaches, deliver better services for citizen-consented information sharing, and provide better alignment with international peers.

A vital part of this is the bill is the Trust Framework (TF) - a set of legislation, rules and regulations that all accredited digital identity service providers must follow. A governance board will be responsible for educating, shaping, and monitoring the framework. Some of these board members need to understand te ao Māori approaches to identity, technology, and identity data management. The board will also work with the Office of the Privacy Commissioner, TF providers, and te ao Māori stakeholders to address identity, technology, and identity data management.

It's early days, but feedback is cautiously optimistic

Supporting the push for digital identity is Digital Identity New Zealand (DINZ), a member consortium of New Zealand technology and other businesses including Air New Zealand, Auckland Transport, Callaghan Innovation, Centrality, Google, IBM, Inland Revenue, The Ministry of Business, Innovation and Employment, the Ministry of Education, The University of Otago, and security firms including Okta and Red Hat, as well as many others.

Collectively, DINZ sees a future in which "people can express their identity using validated and trusted digital means in order to fully participate in a digital economy and society". To do that, a digital identity ecosystem must follow three criteria: It must enhance privacy, it must enhance trust, and it must improve access for all New Zealanders.

When we approached DINZ for this story, several DINZ members contributed their thoughts. However, due to tight deadlines, we quote DINZ in this story based on responses from individual, unnamed members. These responses do not represent a consensus from the membership as a whole.

Overall, feedback on the bill from DINZ members has been positive, but it will need tweaking. That is exactly what the consultation process is designed to achieve.

"It's exciting to see this take shape, and success will come through community and industry collaboration and consultation with government. Several of our members and stakeholders from their organisations took part in the mahi that resulted in the bill's formation. We're eager to keep contributing our members' ideas and experiences to the Select Committee process and what follows from it."

DINZ says the bill is on the right track, although it comes from a more 'government-centric perspective'.

"Some industry observers have already indicated the need for clarity between the role of the regulator providing the guardrails (assumed to be the government) and RealMe's participation in the ecosystem as an identity provider or verifier." 

"It's a small market, RealMe is a dominant player, and the government will be acutely aware of not only the need to separate its own interests, but also be open to suggestions that 'counter-balance' the understandable government-centricity."

That means the DISTF's scope needs to be adaptable and support many different use cases - it can't just be limited to government thinking.

DINZ also wants to encourage national and international service providers to get involved in the bill's consultation to ensure it works from an operational and people perspective. That could mean public-private investment partnerships in a similar vein to the Ministry of Business, Innovation and Employment (MBIE), which seeks assistance from IT professionals to understand what skills and experience potential immigrants in IT need to have.

"Members would like to see reflected in a future relationship between government agencies and the digital identity industry - for example, research, information & education dissemination to the private sector and wider community, perhaps extending to some role in the accreditation/certification function. "

Karaitiana Taiuru, a Māori academic, is at the forefront of Māori data sovereignty advocacy and change.

Taiuru says the bill is a great start and has potential, but it needs comprehensive and transparent consultation with communities, as well as Māori, hapū, iwi and Māori organisations. 

"In te ao Māori, our identity is our whakapapa – the most sacred aspect of all things that we are entrusting to a government framework."

"For those of us who are connected to the internet, it will be great to not have to fill in the same details multiple times in multiple forms and security checks should be a lot easier in addition to greater individual protections against things like fraud."

"I expect this will create a more streamlined process without the need to physically visit government agencies where staff may not have the cultural knowledge to be able to understand needs or provide the best services," says Taiuru.

How the bill wants to incorporate te ao Māori, values and culture

If there is one thing that sets this bill apart from other countries' digital identity systems: It considers how te ao Māori approaches to identity are considered in trust framework governance and decision making.

David Clark remains committed to ensuring that the digital identity system reflects Māori perspectives.

"Put simply, identity means different things to different people and cultures. That's why, my officials are engaging extensively with iwi to deliver this framework in a way that supports tikanga Māori."

DINZ believes it could be a once-in-a-lifetime opportunity to create a people-centric system underpinned by Te Tiriti (The Treaty of Waitangi) and indigenous values. Not only does it bring a Māori worldview to a discussion about digital identity and the country as a digital nation, but it also opens a door to other values and principles that represent who and what Aotearoa, New Zealand means for all communities.

"It's also important for Māori to be empowered to have Kāwantanga (governance) and Rangatiratanga (self-determination) regarding their digital identity. So it was good to see this aspect explicitly focussed on. Identifying oneself in terms of one's whakapapa, sensitivities and acknowledging 'rangatiratanga' in Article 2 of the Te Tiriti o Waitangi are all woven into the fabric of Māori culture."

"Consider the case of identity-related information form fields when enrolling with a service provider online today. Do they take these factors into account? One of the clearest themes emerging from hui on the digital strategy is that trust in digital services is earned by actively co-creating with communities on these services' design, delivery, and accountability mechanisms. 'Everything happens at the speed of trust.'

However, Taiuru notes, "The COVID-19 lockdowns are a reminder to some that Aotearoa, New Zealand still has a digital divide that primarily consists of Māori and Polynesian families and other low socio-economic groups as well as the elderly and some rural communities. My primary concern is for those in the digital divide and the potential to miss out on government services and benefits."

"At first glance, there are a lot of positives to the Bill, and we are increasingly seeing Māori and Te Tiriti being considered into new legislation and bills. Te Ao Māori perspectives have been partially included and the opportunity for genuine co-design and some other Te Tiriti principles are recognised. However, I would have preferred to see a much wider acknowledgement and protection to Māori rights to data including the recognition of tikanga Māori/Māori philosophies than what is currently in the draft bill."

Taiuru believes that the government has missed an opportunity to recognise and legislate for Māori Data Sovereignty Principles.

"Some of the Te Tiriti principles are included in the Trust Framework principles, but not all, and they are not clearly identifiable. The principles do not mention Māori data sovereignty, even in the te ao Māori approaches to identity principle."

"The principles need some major rethinking from a te ao Māori perspective, and the principle should explicitly state that Māori data is a taonga. Instead, it will be left to Māori to at some stage make a Waitangi Tribunal claim to have Māori data recognised as a taonga."

"There is also no mention of the United Nations Declaration on the Rights of Indigenous Peoples, despite it being very relevant here and little consideration of the ongoing consultations of WAI 262 in the Waitangi Tribunal."

Taiuru also touches on another issue that the bill does not clarify: data storage, particularly in cases where data is stored overseas and subject to other countries security and privacy laws.

"It would be beneficial to have it legislated that the data would be stored in New Zealand, recognising Māori Data Sovereignty principles," argues Taiuru.

This brings up an important point about the role of Māori data sovereignty, which is a multi-faceted topic in its own right. It needs to be weaved into any conversation about digital identity.

Taiuru highlights the potential for issues around data use and misuse if the government requires all personal information to be in one place.

"There are risks of passport and driver licence photos being used and then for facial recognition, noting the current biases for Māori and Polynesians. There is also the risk that at some stage further bioinformatics such as Guthrie Cards could be sequenced for DNA and added to the system, noting this would be the safest way to prove the identity of an individual and their family."

"Births Deaths and Marriages are consulting about whether to use Māori individuals' iwi and hapū information on birth certificates. This just adds another complex layer of potential discrimination and Māori identity issues to a government that has intergenerationally not been trusted by Māori."

Trust, data use (and potential misuse) are valid concerns, which leads to another point - how data is used and protected.

What this all means for cybersecurity

As with any discussion about digital identity, there are important questions to be raised about cybersecurity, data privacy, and preventing potentially life-destroying issues such as identity theft and security breaches. The Trust Framework (TF) rules call for minimum security and risk requirements - namely, "ensuring that information is secure and protected from unauthorised modification, use, or loss". 

 DINZ says cybersecurity is a 'moving target' as attackers go after data at rest, and in transit. On top of that, legitimate businesses are trying to find new ways to use data they've already collected.

"People will need to be able to trust digital systems with their identities. They will need to see robust measures to monitor, notify, and remedy potential abuses of data inside any service provider's system. They will also need to know about specific social risks related to personal identification information such as biometric data capture. Further, the potential abuse of consent within personal relationships and guardianships should also be catered for."

Those participating in the TF must also analyse those within the digital identity scheme based on ensuring security, confidentiality and privacy of their information. That means those joining the scheme will be analysed based on their information and data security. If there are holes in these areas, likely, they would not be accredited.

In cases of identity fraud, economic loss, physical, or emotional harm caused by a TF provider, the TF authority could issue a public warning. However, in the event of security breaches, the TF authority won't post details of any vulnerabilities because people could exploit them.

DINZ also points to potential discrepancies and service levels between providers who adopt the TF within their businesses, and providers that choose not to.

"It's a delicate balancing act between raising the bar high enough to achieve trust through security and privacy, without unduly compromising levels of adoption by service providers in sufficient numbers to ensure the DISTF's success."

"Overseas there are examples of non-accredited/certified service providers typically with significant brand presence having higher adoption rates than accredited/certified service providers. It's in Aotearoa New Zealand's interest to see global brands that already operate here and those that are yet to arrive, be accredited/certified."

DINZ continues, "The interoperability with other Trust Frameworks and standards in force internationally is acknowledged in the bill. This is typically done as a series of mappings that help assessors determine the relative conformance of a service provider's service accredited/certified to one Trust Framework to another, such as the DISTF."

"Developing and maintaining these mappings helps international service providers by reducing the incremental time and cost for compliance with an additional Trust Framework - whether it is international seeking to operate in New Zealand, or a local business seeking to operate internationally. This is another area where members are keen to discuss industry's operational knowledge and experience."

Submissions for the DISTF bill close at 11PM on Thursday, 2nd December 2021. More information here.

Public Interest Journalism Fund logo
Public Interest Journalism funded through NZ On Air.
Related stories
Top stories
Story image
The 'A-B-C' of effective application security
Software applications have been a key tool for businesses for decades, but the way they are designed and operated has changed during the past few years.
Story image
Commerce Commission
ComCom welcomes new marketing codes for the telecom industry
The Commerce Commission is welcoming the creation of new marketing codes for the telecommunications industry.
Story image
Artificial Intelligence
SAS unveils AI experience to improve kids' batting abilities
SAS has created The Batting Lab, an interactive experience using AI, computer vision and IoT analytics to help kids improve their baseball and softball swings.
Story image
Voxel hits total funding of $18M following ongoing wins
Since raising its seed round in September, Voxel has grown at pace, by decreasing on-site injuries by upwards of 80% and increasing operational productivity.
Story image
Public Cloud
Cloud adoption still a work in progress, NetApp finds
NetApp has announced the results of the annual Cloud Infrastructure Report based on a survey of public cloud business and IT decision makers.
Story image
Ingram Micro Cloud adds Bitdefender solutions to marketplace
Ingram Micro Cloud has announced the expanded availability of Bitdefender solutions on the Ingram Micro Cloud Marketplace.
Story image
Digital Transformation
Unlocking the next digital frontier for educational institutions
Understanding where to invest in technology can be challenging for education institutions, especially after the COVID-19 disruptions.
Story image
Fortinet's Security Fabric hits new record for integrations
The Fortinet Security Fabric has surpassed 500 technology integrations with more than 300 Fabric-Ready Technology Alliance Partners.
Story image
SmartCIC, BICS partner to expand wireless service options
SmarCIC has partnered with BICS to increase choice for organisations using fixed wireless services, expanding existing carrier relationships for its CELLSMART division.
Story image
Hawaiki Cable
BW Digital completes acquisition of Hawaiki Submarine Cable
BW Digital has completed its full acquisition of Hawaiki Submarine Cable, with all applicable regulatory filings and approvals now received.
Story image
Microsoft unveils adaptive accessories for disability access
Microsoft is introducing an expansive Inclusive Tech Lab to give people with disabilities greater access to technology through new software features and adaptive accessories.
Threat actors are exploiting weaknesses in interconnected IT/OT ecosystems. Darktrace illuminates your entire business and takes targeted action to stop emerging attacks.
Link image
Story image
Microsoft backing Māori and Pacific wāhine in tech industry
A new initiative focused on getting Māori and Pacific wāhine into the tech industry and backed by Microsoft, NZTech and the government is calling for tech companies to get involved.
Story image
Cybersecurity starts with education
In 2021, 80% of Australian organisations responding to the Sophos State of Ransomware study reported being hit by ransomware. 
Story image
Power / Energy
SmartCIC report reveals top five 5G carriers in the world
The Global Cellular Performance Survey also found that 5G networks are delivering high download speeds but lagging in upload speeds.
Story image
Grasping the opportunity to rethink the metrics of a sustainable data centre
A data centre traditionally has two distinct operations teams: the Facility Operations team, and the IT Operations team. Collaboration between them is the key to defining, measuring, and delivering long-term efficiency and sustainability improvements.
Story image
Could your Excel practices be harming your business?
While Excel has been the de-facto standard for budgeting, planning, and forecasting, is it alone, enough to support organisations in the global marketplace that’s facing rapid changes due to digital transformation?
Story image
Power / Energy
Keysight Technologies introduces new next-gen DPT solution
Keysight Technologies has announced its new next-generation Double-Pulse Tester (DPT) with the PD1550A Advanced Dynamic Power Device Analyser.
Story image
Siemens showcases new automated solutions for data centers
Siemens has implemented new automated solutions and AI in the Baltic region's largest data center, providing insight into the future of data center management.
Story image
SAS Viya on Microsoft Azure to deliver 204% return - study
The Forrester Total Economic Impact study finds SAS Viya on Microsoft Azure brings a 204% return on investment over three years.
Story image
Data Center
Preventing downtime costs and damage with Distributed Infrastructure Management
Distributed Infrastructure Management (DIM) can often be a lifeline for many enterprises that work with highly critical ICT infrastructure and power sources.
For every 10PB of storage run on HyperDrive vs. comparable alternatives, an estimated 6,656 tonnes of CO₂ are saved by reduced energy consumption alone over its lifespan. That’s the equivalent of taking nearly 1,500 cars off the road for a year.
Link image
Story image
Ivanti and Lookout bring zero trust security to hybrid work
Ivanti and Lookout have joined forces to help organisations accelerate cloud adoption and mature their zero trust security posture in the everywhere workplace.
Find out how a behavioural analytics-driven approach can transform security operations with the new Exabeam commissioned Forrester study.
Link image
Story image
Google reveals new safety and security measures for users
Google's new measures include automatic two step verification, virtual cards and making it easier to remove contact information on Google Search results.
Story image
Artificial Intelligence
Updates from Google Workspace set to ease hybrid working troubles
Google Workspace has announced a variety of new features which will utilise Google AI capabilities to help make hybrid working situations more efficient and effective.
Story image
Sift shares crucial advice for preventing serious ATO breaches
Are you or your business struggling with Account Takeover Fraud (ATO)? One of the latest ebooks from Sift can provide readers with the tools and expertise to help launch them into the new era of account security.
Story image
Power at the edge: the role of data centers in sustainability
The Singaporean moratorium on new data center projects was recently lifted, with one of the conditions being an increased focus on power efficiency and sustainability.
Story image
Tech job moves
Tech job moves - Datacom, Micro Focus, SnapLogic and VMware
We round up all job appointments from May 6-12, 2022, in one place to keep you updated with the latest from across the tech industries.
Story image
Talend introduces new data health solutions for businesses
Talend has announced its latest version of Talend Data Fabric, with the release of Talend Trust Score enabling data teams to establish a foundation for data health.
Story image
Artificial Intelligence
ANU and Seeing Machines to use AI to improve driver safety
The Australian National University and Seeing Machines have won a grant to develop AI systems monitor human behaviour while driving.
Story image
Artificial Intelligence
SAS launches human-focused responsible innovation initiative
SAS has launched a responsible innovation initiative, furthering its commitment to equity and putting people first.
Story image
Digital Transformation
Physical security systems guide the hybrid workplace to new heights
Organisations are reviewing how data gathered from their physical security systems can optimise, protect and enhance their business operations in unique ways.
Story image
CyberArk launches $30M investment fund to advance security
CyberArk has announced the launch of CyberArk Ventures, a $30 million global investment fund dedicated to advancing the next generation of security disruptors.
Story image
Adyen expands partnership with Afterpay as BNPL payments increase
Adyen has expanded its partnership with AfterPay allowing more of Adyen’s merchants in more countries worldwide to use the BNPL provider.
Story image
Energy storage demand momentum continues, says BYD
BYD has announced an expansion of its production capacities and will deliver 250,000 units of its energy storage system, BYD Battery-Box Premium.
Story image
A10 Networks finds over 15 million DDoS weapons in 2021
A10 Networks notes that in the 2H 2021 reporting period, its security research team tracked more than 15.4 million Distributed Denial-of-Service (DDoS) weapons.
Story image
New digital traffic light system to tackle construction defects
Smarter Defects Management launches its PaaS digital system and says it will revolutionise managing defects in the construction industry.
Story image
Palo Alto Networks says ZTNA 1.0 not secure enough
Palo Alto Networks is urging the industry to move to Zero Trust Network Access 2.0 because previous versions have major gaps in security protection.
Story image
Hands-on review: STM laptop bags
The advent of hybrid working has meant we need laptop bags. We got our hands on two of the most popular laptop bags from STM.
Story image
New SAS service overcomes subscription fatigue for media companies
SAS has launched SAS 360 Match which helps media companies move towards a AVOD model to generate revenue as subscribers cancel.
Story image
IT budget
$20m boost for digital technologies announced
The government is spending an extra $20m over four years on its plan to transform the digital technologies industry.
Story image
Application Security
What are the DDoS attack trend predictions for 2022?
Mitigation and recovery are vital to ensuring brand reputation remains solid in the face of a Distributed Denial of Service (DDoS) attack and that business growth and innovation can continue.
Booster Innovation Fund. A fund of Kiwi ingenuity – for Kiwi investors.
Link image