Concepts of the trust framework

The trust framework helps to protect people’s information and privacy.

Trust framework gives people control over their information

Digital identity services allow people to complete tasks online or in person digitally. People can decide what personal information to share, including when, how, and who with.

The trust framework helps to protect information and privacy when using accredited digital identity services. There are rules and regulations to ensure that people have a choice about using digital identity services. This means consent is always needed and that someone’s information is not stored or held by an accredited digital identity service provider in a way that breaches privacy.

Key concepts of the trust framework

People need to provide consent when they share their information using accredited digital identity services.

Requiring consent means that digital identity service providers delivering accredited services within the trust framework must always seek the user’s permission before sharing personal or organisational digital identity information.

Requiring consent is a core rule that applies to all transactions.

This requirement supports and aligns with the principles of the Privacy Act.

Privacy Act and the Privacy Principles — Privacy Commissioner

Personal information will not be held in a centralised database

The trust framework does not create a central repository or database to store the information of people or organisations. The rules and regulations for the trust framework support a decentralised approach to the holding and sharing of information.

Every transaction with a trust framework provider will be initiated by a request from a person who needs to access a service or share information (for example: their name, qualification or age). The trust framework rules and regulations will not allow accredited providers to connect information in ways a person has not consented to.

Digital identity services are opt-in

People will always have a choice about whether they use digital identity services.

There will always be alternative ways to access government services, such as in-person or paper-based methods.

Service provider accreditation is not compulsory

Accreditation is not mandatory. Digital identity service providers can still deliver their services without being accredited under the trust framework.

The trust framework accreditation mark allows people and businesses to distinguish between accredited and non-accredited digital identity service providers.

Sharing between government departments remains controlled

The trust framework will not change the way government departments currently share information.

This type of information sharing is governed by the Privacy Act. It says that government departments may only share information if there is an Approved Information Sharing Agreement (AISA) in place. These are covered under Part 7 of the Privacy Act.

Information sharing arrangements, such as AISAs, will continue.

Part 7: Sharing, accessing and matching personal information — New Zealand Legislation

More information from the Office of the Privacy Commissioner

Privacy and security standards are built in

There are clear privacy and security rules for how personal and organisational information can be collected, retained and shared within the trust framework. Digital identity services will be accredited against these rules. The trust framework rules do not override the Privacy Act.

Privacy and security rules cover requirements for the following areas.

Collecting information

The trust framework rules require accredited services to be clear about the purpose for collecting the information and only collecting what is required.

Holding information

Security of systems and processes for storing information must be robust and meet industry standards. There must be valid reasons for retaining any of the information collected.

Sharing information

Technical processes for sharing need to follow, for example:

  • encryption standards
  • ways to stop different parties being able to track information when it's shared
  • minimising the amount of information that is shared, where appropriate.

Accredited providers need to have a process in place for disposing of information. This way, necessary records are kept, but other information is deleted safely and securely.

Rules incorporate te ao Māori perspectives of identity

Specific provisions in the Digital Identity Services Trust Framework Act ensure that te ao Māori approaches to identity are considered in trust framework governance and decision making.

Ways of embedding te ao Māori and Te Tiriti o Waitangi perspectives and requirements throughout the rules are being considered through the development and testing stages.

Identity theft risks are minimised

New Zealand’s current digital identity environment is unregulated. This means that people and businesses are exposed to an increasing risk of online fraud and privacy breaches.

New Zealand has new identification standards designed to help prevent identity theft, fraud and loss of privacy.

The standards underpin all transactions that occur within the trust framework and will be a key part of the new regulatory framework.

Identification management standards
