Principles
Over the past few years the E-government Unit has been working with a range of public interest groups and agencies to examine what online authentication might mean for New Zealanders dealing with government agencies. We have analysed which services provided by government agencies in New Zealand require or are likely to require online authentication. We have also looked at overseas examples of online authentication both for government and commercial services.
You can read more about the work so far on the e-government website (see www.e-government.govt.nz/authentication/). As a result of this work, in April 2002 Cabinet established a set of policy and implementation principles to guide the development of online authentication.
Policy principles for online authentication
Security
Suitable protection must be provided for information owned by both people and the Crown.
Acceptability
Ensuring that the proposed authentication approach is generally acceptable to potential users, taking into account the different needs of people and emerging industry standards, and avoids creating barriers.
Protection of privacy
Ensuring that the proposed authentication approach protects privacy appropriately.
All-of-government approach
Balancing public & agencies' concerns about independence with the benefits of standardisation while delivering a cost-effective solution.
Fit for purpose
Avoiding over-engineering, recognising that the levels of authentication required for many government to people [G2P] transactions will be relatively low.
Opt-in
Ensuring that members of the public retain the option of authenticating their identity and carrying out transactions offline and are not disadvantaged by doing so. However, it will not be possible for an individual to conduct secure online G2P transactions without the use of the appropriate authentication process.
Implementation principles for online authentication
User focus
Ensuring the recommended solutions are as convenient, easy to use and non-intrusive as possible.
Enduring solution
Providing a solution that is enduring yet sufficiently flexible to accommodate change and a wide range of current and future transactions.
Affordability and reliability
Ensuring the recommended solutions are affordable and reliable for the public and government agencies.
Technology neutrality
Ensuring a range of technology options is considered, and as far as possible avoiding 'vendor capture'.
Risk-based approach
Providing an approach based on agreed trust levels that protect identity and personal information.
Legal compliance
The solution must comply with relevant law, including privacy and human rights law.
Legal certainty
Relationships between the parties should be governed in a way that provides legal certainty.
Non-repudiation
The issue of non-repudiation must be considered for those transactions that require it, so that the risk of transacting parties later denying having participated in a transaction is minimised.
Functional equivalence
Authentication requirements should be similar to those that apply to existing transactions except where the online nature of the transaction significantly changes the level of risk.