One of the Government's key priorities for the next three years is the delivery of a more efficient public service. This has resulted in a review of Government technology systems and a focus on how technology can be used to improve customer service.
One means of improving customer access to public services is to offer more online functionality. However, a recognised constraint on being able to do so is the need to verify an individual's identity for certain services. The Electronic Identity Verification Service (Electronic IVS) has been developed to address this constraint.
The Electronic IVS has been operated on a limited basis, as the igovt logon and igovt identity verification services, by the Department of Internal Affairs (DIA) since December 2009. The government is of the view that this will become a significant service and therefore introduced the Electronic Identity Verification Bill (Bill) to Parliament in February 2012 to regulate and enhance the Electronic IVS.
Electronic IVS and Electronic Identity Credentials
The current igovt logon service allows individuals to use the same logon to access various government online services and avoids the need to create and remember multiple user names and passwords for every government service accessed online. The current igovt verification service allows individuals to create an electronic igovt ID. However, it can currently only be used by people wanting to order non-historical birth, death and marriage information online.
Under the Bill, the Electronic IVS an individual can apply for an electronic identity credential (Credential), which will be issued only after his or her identity has been verified to a standard comparable to that used for the issue of New Zealand passports. A Credential may contain an individual's full name, date and place of birth, and gender. Generally only one Credential may be created for each person (exceptions include undercover police officers, members of the SIA and protected witnesses).
The Bill does not specify the actual procedure to be followed by individuals applying for a Credential. This is to be determined by the Chief Executive of the DIA. The Chief Executive has the ability to require a broad range of information and evidence of identity to be provided by persons applying for a Credential. The Chief Executive may match the information provided against identity-related information held by government agencies under the Citizenship Act 1997, the Immigration Act 2001, and the Passports Act 1992, and information held by the Registrar General of Births, Deaths and Marriages. An applicant may also be required to provide a photograph or allow his or her photograph to be taken.
An individual who has a Credential may use it to verify his or her identity by electronic means to satisfy the identification requirements of a "participating agency" for services provided by that agency.
A participating agency is an agency authorised through regulations made under the Bill to use the Electronic IVS. While a key driver for establishing the Electronic IVS is to provide a whole-of-government shared service, the Bill provides for both public and private agencies to potentially become participating agencies.
The Bill sets out a number of principles which must be taken into account by the DIA, the Electronic IVS and any participating agency when making decisions, performing functions or duties, or exercising powers under the Bill. The principles include:
- individuals have complete discretion to opt in to the Electronic IVS, and whether to use it - they can continue to access a participating agency's services by other means;
- the use of a Credential does not make an individual automatically qualified or eligible for a particular service offered by a participating agency, nor does it authorise that agency to act on a matter or transaction;
- the Electronic IVS cannot supply information to an agency without the relevant individual's consent and, even then, only the minimum amount of information that is necessary may be provided; and
- individuals may check that the information held about themselves is correct and up to date and also view the usage history of their Credentials.
The benefits of the Bill are readily identifiable and the Bill was fully supported in principle in its first reading in Parliament. Providing individuals with the ability to verify their identity electronically will enable the scope of online services to be expanded. By enabling individuals to use a Credential that participating agencies can have confidence in relying upon, the time and cost to individuals of having to prove their identities multiple times will be reduced, along with the time and cost to agencies of checking and verifying a person's identity.
Checks and Balances
The success of the Electronic IVS will depend on how well it is taken up by the public and participating agencies. This is likely to be influenced by ease of use, how confident participating agencies can be that the Credentials can be relied upon, how secure the system is and how confident people can be that their privacy will be maintained.
While the DIA remains responsible for the issue of Credentials, the DIA has entered a contract with NZ Post to assist. It is expected that people may apply for a Credential online and then go to a NZ Post post shop to have a photograph taken (see government website).
The Chief Executive has a duty under the Bill to take all reasonable steps to ensure that the identity of an individual has been authenticated before a Credential is issued to the individual. This may include the requirement for an identification check to be carried out in accordance with the process set out in Schedule 1 of the Bill, which involves an authorised agency checking the information supplied by an applicant against information held by that agency. These checks can only be undertaken if the relevant individual consents, and may only be undertaken by an agency authorised to do so by regulations issued under the Bill.
In terms of security and data protection, the Privacy Commissioner is given the power to require regular reports (at least annually) on the operation of the Electronic IVS and it is expected the operation of the Electronic IVS will comply with the Privacy Act. Use of a Credential, or accessing the usage history of a Credential, in contravention of the Bill will be a breach of the Privacy Act. It is anticipated the Privacy Commissioner will proactively monitor the operation of the Electronic IVS.
The Bill also creates a number of offences, which can result in imprisonment on conviction, for terms of up to 2 to 10 years, or fines of up to $50,000 to $250,000. These offences include making false or misleading statements in an application for a Credential, improperly issuing a Credential and improper use of a Credential.
In addition, not only are the agencies entitled to use the Electronic IVS limited to those authorised through regulations made under the Bill, the Chief Executive of the DIA has the power to set standards or specifications for the use of Credentials by participating agencies. These can include measures relating to the security of the information provided and the protection of privacy.
Public submissions for the Bill closed on 30 March 2012, and the Bill will be subject to review by a select committee before being referred back to Parliament.
Based on comments made by various members of Parliament at the first reading of the Bill, while there appears to be widespread support for the Bill, there will be close scrutiny of provisions regarding security, appropriate use and protection of privacy.