
Privacy Analysis and Risk Assessment

Scope

3.0 A Privacy Impact Assessment of the authentication scheme cannot be confined solely to the role of the proposed new Authentication Agency (AA), or even to the interaction between the AA and other agencies. A full PIA for this scheme must necessarily look also at the proposed use of the Keys and ID data by Service Agencies (SAs), as this is where many of the significant privacy impacts will arise. However, the brief for this PIA, and the timescale, have allowed only a relatively superficial review of likely uses - it has only been possible, for instance, to interview a few SAs about their possible uses of the scheme.

3.1 It is also clear that many SAs are not able or willing to commit themselves at this stage - they will only make decisions about the utility of the scheme to their operations once the design has progressed, and in particular until uncertainties about liability have been resolved. It seems likely that some agencies will not commit themselves to use of the scheme until they are able to see how it operates in practice. It has therefore been necessary to speculate about other possible uses, based on overseas experience and knowledge of typical government and business needs.

Alternatives

3.2 It is not the function of this Privacy Impact Assessment to canvass all possible alternative ways of achieving the government's objectives.[79] These alternatives may be more or less privacy intrusive. As noted earlier, the EGU considered a number of options, and Cabinet approved the current approach based partly on consideration of privacy concerns. There is some further discussion of the alternatives that remain open under 'Other Options' above (paragraphs 2.82-2.87).

3.3 Where an alternative is obviously available which could be accommodated within the current approach and design, and which is preferable from a privacy perspective, then it is mentioned in the analysis below. Where an alternative approach could resolve a major privacy issue it is also mentioned, such as under the One individual, one credential and Biometrics headings. But this report does not go back to first principles and look at all alternatives. This remains an option for the government, in light of both this Assessment and the Business Case.

General Issues

Issues arising from overall system design

Authentication both a positive and a negative for privacy

3.4 A national identity authentication scheme for on-line transactions would be both privacy enhancing and privacy diminishing. It could be a powerful tool to ensure both security and quality of personal information - directly contributing to compliance with IPPs 5 & 8, and indirectly to the other IPPs. On the other hand, the scheme will be perceived by some as introducing a significant infrastructure of surveillance, potentially facilitating the sharing and matching of personal information held for different purposes.

3.5 The scheme is also inherently privacy intrusive in requiring a level of identity verification that is unfamiliar to many New Zealanders.[80] The potential extent of popular resistance to being asked, or in many cases required,[81] to register should not be underestimated, and this will be compounded by the need, in the current design, for renewal of registration many times during an individual's lifetime. The extent to which the public may be prepared to accept this will depend on whether they can be persuaded:

  • that better authentication is necessary for on-line transactions with government;
  • that the benefits outweigh the immediately identifiable privacy costs, and
  • that there are sufficient protections in place to ensure that the costs to privacy do not increase in future as a result of scope- or function-creep.

3.6 A similar benefit:cost case will need to be made in relation to financial and other costs, but these lie outside the scope of this report.

Project justification - Identity fraud and Identity theft

3.7 One of the justifications for this, and all, authentication and identification schemes is the alleged problem of identity fraud and identity theft. A recent US Federal Trade Commission report has estimated that 1 in 8 Americans has been the victim of identity theft in the last five years.[82] A recent Australian Government report identifies 'new generation fraud' - involving technology, e-commerce and identity - and asserts "The type of fraud of most concern is internet fraud or cyberfraud."[83]

3.8 Despite claims that ID fraud and theft are major and growing problems, there is a dearth of evidence - reasons for this include the reluctance of organisations to admit to security breaches,[84] and the reluctance of government agencies to share information about the alleged problem. A new Australian report,[85] based on responses from 120 organisations, estimates the cost of ID fraud in Australia in 2001-02 as AU$1.1 billion, although 57% of this was the resource cost of preventative measures, with only AU$420 million of actual financial losses. This compares with previous estimates of AU$2-4.5 billion. There is also some empirical evidence from the US and UK,[86] although as the SIRCA report notes, figures on growth of ID fraud may partly reflect improved awareness and reporting.

3.9 There is some confusion and duplication in the use of the terms identity theft and identity fraud, not only in this project[87] but worldwide. The EGU has touched on this issue,[88] reporting that the US government has defined identity theft as actual or attempted fraudulent use of identification information of another person, with the intent to obtain [benefit]. The UK government has proposed that the very act of using a false identity would be a criminal offence without the need to prove any criminal intent or conspiracy.

3.10 While relevant NZ criminal law currently focuses on property offences, the authentication project has a legal opinion to confirm that the Criminal Law covers the concept of identity fraud, specifically in an online environment. The EGU paper defines Identity fraud as occurring when someone uses a means of identification of another person or a fictitious person. This is however too broad a definition to be useful as it would catch both authorised actions on another person's behalf, and legitimate pseudonymous transactions.

3.11 Without going into greater detail, it is clear that both the definitions and the scale of the alleged problems are uncertain. This is not to deny that a real problem exists, merely that if significant costs (financial, privacy or other) are to be incurred to address the problem, it is desirable that there be greater certainty and more evidence as to the benefits, as well as a clear demonstration that the remedies proposed will actually work.

3.12 As well as limiting deliberate identity fraud and theft, a centralised all-of-government authentication system should have advantages in terms of limiting unauthorised access to information and consequential access to services by persons that are not eligible. But it also raises the stakes in terms of the consequences of such unauthorised access. There have been frequent anecdotal accounts of the cost to individuals of identity denial resulting from someone else having committed identity theft, particularly in the US.[89]

3.13 The EGU paper accepts that:

"Online authentication is seen as having great potential for successfully reducing identity fraud, if implemented properly. Online authentication, implemented poorly, could exacerbate the growing problem of identity fraud."[90]

Related implications are explored further under Issues arising from failed transactions below.

Project justification - more accurate authentication of identity assertions

3.14 Apart from protecting against malicious actions such as identity fraud and theft, the other main justification for better authentication of identity assertions is the benefits of more accurate use of identifiers. The direct value of the authentication scheme is to ensure that information only goes to the 'right' person, but this is only an intermediate objective - the ultimate benefits include ensuring that individuals shoulder all of their obligations (taxation, payment of fines etc); seeking to deliver all services to which individuals are entitled; and ensuring that individuals do not receive services to which they are not entitled, or duplicate benefits (not all such results would necessarily involve deliberate fraud).

3.15 As with identity crime, there is a dearth of evidence of the potential scale and value of these benefits. Again, it is desirable that this evidence be produced and quantified to set against the disbenefits, including financial costs, of the authentication scheme.

Project justification - updating existing processes

3.16 Some agencies have suggested that the scheme should be seen merely as a technological updating of existing processes, with no new functions. We accept that identification is an existing issue for most agencies, and that concerns about identity fraud and theft, and the benefits of 'correct' identification, apply equally in off-line transactions, where authentication is also constantly under review. But the new scheme will do much more than simply replicate existing processes in the online environment. It represents a significant shift to greater centralisation, common infrastructure and cross-agency information exchange.

Recommendation 1. A clear articulation of the justification for the scheme, and a quantified analysis of the underlying problems it addresses, are necessary in order that the business case for the scheme can be assessed alongside the privacy impact.

One individual, one credential?

3.17 Many of the negative privacy consequences of the proposal (explained further below) stem from the initial policy choice, currently built into the design, to only allow one credential or record to be created and held by the Authentication Agency for each natural person. This is based on a conceptual model, consistent with the general NZ government approach to EOI which does not distinguish between entities and identities.

3.18 We suggest that an alternative conceptual model is preferable, and reflects more accurately the way in which identity operates in the real world.[91] Whilst each individual (entity) has only one physical existence, most of us have more than one identity, if identity is defined as a particular presentation of a person, especially a role that a person adopts. While there may be some statutory constraints on what identifier an individual may use for some purposes (citizenship, taxation etc),[92] it is possible in many jurisdictions, including New Zealand, for individuals to legitimately use different names (such as birth or married names) for a wide range of different purposes.[93] Significantly, it appears that in most common law jurisdictions, the validity or criminality of any act is unaffected by the use of a name - the law looks to a person (entity), whatever they may have been known as when performing that act.

3.19 Understandably, bureaucratic systems find it difficult to deal with multiple identities and identifiers, and there has always been pressure to standardise labels, and to seek to uniquely identify individuals. However, any scheme which pushes or pulls individuals towards such an outcome will be seen by some as undesirable.

3.20 At the most general level, any privacy analysis of a scheme that supports identification and authentication must start by asking if the scheme will have the effect of requiring individuals to have, and to present themselves using, a single official identity, thereby denying them the option of multiple identities. The capacity of this scheme to admit and deal with 'alternate names' and multiple roles, whilst desirable, will not in itself be a sufficient response if the scheme also insists on linking all alternate names and roles to a single official identifier.

3.21 The rationale for the scheme, as expressed in various documents, is "to ensure that people who choose to transact with government electronically are who they say they are." (emphasis added), to "allow [both parties to] have confidence in the identity of the other party"[94] and the need for "individuals to prove who they are".[95] More recent working documents claim "[because] there can only be one identity for one person"[96] and "This means providing evidence of your unique identity".[97] There is a logical gap between the first three and the last two of these statements. None of the three objectives quoted above requires that each individual can have only one identity (or ID credential). It should arguably be a sufficient objective and practical outcome that the scheme establish that a person is who they claim to be - a goal which allows for multiple identities and identifiers, not just multiple roles using a single identifier.

3.22 There may be a case to be made for why some government purposes require knowledge that claimed and supported identity A is actually the same natural person as claimed and supported identity B.[98] But this case is not made convincingly in any of the documentation.[99] It is strongly suggested that a more robust argument is made before the justification for the scheme is published.

3.23 Assuming such a case can be made, it does not necessarily follow that the scheme has to allow only one Credential per natural person. A viable alternative would be to allow an individual to hold multiple Credentials, whilst recording the links between them (not necessarily, and indeed preferably not, at the AA). Access to the linkage information could then be 'rationed' to only those government functions which could demonstrate a need for the extra information - most should be content to know that a client is who they say they are.

3.24 It could be argued that this alternative design, with linked multiple credentials, would not deliver any more real privacy to individuals, since all of the transactions relating to a single natural person could be brought together. However, such a rebuttal underestimates both the symbolic value of allowing multiple identities, and the practical protection afforded by putting barriers in the way of easy data sharing and matching, and by ensuring that linkages are held by different agencies in separate systems.

Recommendation 2. The conceptual basis of the scheme should be revisited with a view to allowing for registration of multiple identities, linked only where necessary and justified.

Confirmation vs release of information

3.25 The scheme has been designed around a model in which the AA simply releases information - ID data - to SAs in response to a Request for Verified Information (RVI) authorised by the Credential Holder. The SAs are left to make any decisions about authority or eligibility based on that information. Several parties, including the Office of the Privacy Commissioner, have suggested an alternative model in which the AA verifies information provided by an SA, without actually releasing any ID data to the SA. In this model, an SA would ask the AA if a client with a particular set of ID data (name, date and place of birth and/or gender) held a particular Key. The AA would simply confirm 'yes' or 'no'. One privacy enhancing advantage of this model is that SAs would not find out what other names the individual had registered (for use with other agencies), and would not be told gender and date/place of birth unless they were relevant to the particular transaction.

3.26 The Project Team's response is that their preferred model leaves the decision-making authority (and presumably therefore any liability?) with the SAs, and also allows them to pre-populate forms. Neither of these reasons seems persuasive. It seems doubtful that any SA will use the scheme unless the AA accepts at least shared liability for any errors arising from reliance on the ID data. And most SAs will already have any of the items of ID data which are relevant to them in their own customer records, alongside a Key serial number, giving them another source for pre-populating forms.

3.27 There are other arguments against the simple yes/no verification. Firstly, it would lead to the AA compiling a central record, in its audit logs, of which names were used by which individuals in relation to each SA. The preferred model in the current design initially had no such record, as all names, and other ID data, would have been given to an SA in response to an RVI request.

3.28 However, partly in response to privacy concerns, the revised design allows for Credential holders to specify in an RVI which items of ID data they authorise the AA to release. This means that the AA's records will show which names are passed to which SAs.

3.29 A second argument is that a simple binary response by the AA would inevitably mean that ID credential checks would need to be made more often. Instead of the SA receiving all of the relevant data from the AA and then being able to engage with the client over any discrepancies (e.g. Rachael spelt Racheal etc), all the SA would be able to say to the client is "sorry, your transaction has been declined because the data you have provided was not able to be matched with the AA data". The SA would have no way of determining how big or small the discrepancy was and would have to reject the transaction. If the client realised the error was their own and tried again, the SA would have to do another check with the AA, so the RVI process would need to be repeated. The approach is less customer-friendly and would require far more ID credential checks to be carried out in total, increasing the overall exposure of Credential Holders' information.

3.30 Another argument in favour of the 'release of ID data' model may lie in the business needs of SAs. Some SAs may have a need to know all of a client's registered names to prevent duplication and potential 'double dipping'. If so, however, this argument has not been clearly articulated to date. If it is the only convincing reason for the proposed model this should be clearly stated. This would then have implications for presentation of the authentication scheme as a neutral resource.

3.31 The design of the scheme clearly seeks to avoid any suggestion that it is in any way an eligibility checking system. It does this by confining itself to storing only a very limited set of ID data, and no information about individuals' relationships with particular Service Agencies. In the proposed model, individual Service Agencies are responsible for making decisions about eligibility or liability, based on their own business rules and relevant statutory criteria, once they have verified an individual's identity with the AA.

3.32 However, if SA rules require Credential holders to authorise release of all registered names, then it has been suggested[100] that this clearly gives the AA database additional functionality - a role in eligibility checking - which should be recognised in public presentations of its character.

3.33 If on the other hand there are no SAs which would mount this argument in favour of releasing information, then serious consideration should be given to the alternative 'confirmation only' model.

Recommendation 3. Consideration should be given to varying the design so as to allow simple confirmation of the validity of a client name, rather than only release of all registered alternate names.
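The two response models weighed in paragraphs 3.25 to 3.33 can be sketched in code: the 'release of ID data' model (with the selective disclosure of 3.28) beside the 'confirmation only' model, showing what each SA learns, what the AA's own log ends up recording, and why a one-letter discrepancy costs an extra RVI under confirm-only (3.29). This is an added illustration, not part of the PIA or of the scheme's own software; the Credential store, the SA identifiers, the audit-log shape and the 0.9 similarity threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Optional

# Constructed sample Credential store for the Authentication Agency (AA): the
# limited ID data set the PIA describes (registered names, date and place of
# birth, gender) plus the Keys linked to each Credential. Not real data.
CREDENTIALS = {
    "CRED-001": {
        "keys": {"KEY-A1", "KEY-A2"},
        "names": ["Rachael Smith", "Rachael Jones"],  # birth and married names
        "date_of_birth": "1975-03-12",
        "place_of_birth": "Wellington",
        "gender": "F",
    },
}


@dataclass
class AuditEntry:
    """What the AA's own log knows about one RVI (hypothetical record shape)."""
    sa_id: str
    key: str
    model: str                                      # "release" or "confirm"
    names_seen: list = field(default_factory=list)  # names released to, or checked by, the SA
    other_items: list = field(default_factory=list)


AUDIT_LOG: list[AuditEntry] = []


def _credential_for_key(key: str) -> Optional[dict]:
    return next((c for c in CREDENTIALS.values() if key in c["keys"]), None)


def release_model(sa_id: str, key: str, authorised_names: list, authorised_items: list) -> Optional[dict]:
    """Current design (after the 3.28 revision): the AA releases only the names and
    ID data items the Credential Holder authorised in the RVI; the SA then decides
    eligibility itself. Side effect: the AA log records which names went to which SA."""
    cred = _credential_for_key(key)
    if cred is None:
        return None
    names = [n for n in cred["names"] if n in authorised_names]
    items = {i: cred[i] for i in authorised_items if i in ("date_of_birth", "place_of_birth", "gender")}
    AUDIT_LOG.append(AuditEntry(sa_id, key, "release", names, sorted(items)))
    return {"names": names, **items}


def confirm_model(sa_id: str, key: str, claimed: dict) -> bool:
    """Alternative 'confirmation only' model: the SA submits the ID data it already
    holds and the AA answers yes/no. No ID data leaves the AA and the SA never learns
    other registered names, but the AA must still log which name each SA used, and
    any discrepancy at all (a one-letter typo included) yields a bare 'no'."""
    cred = _credential_for_key(key)
    name = claimed.get("name")
    AUDIT_LOG.append(AuditEntry(sa_id, key, "confirm", [name] if name else []))
    if cred is None or (name is not None and name not in cred["names"]):
        return False
    return all(claimed[i] == cred[i] for i in ("date_of_birth", "place_of_birth", "gender") if i in claimed)


def closeness(a: str, b: str) -> float:
    """Similarity an SA can compute locally once it actually holds the released name."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def checks_needed(sa_id: str, key: str, typed_names: list, confirm_only: bool) -> Optional[int]:
    """Number of AA round trips until the SA can accept the client, given the
    successive spellings typed by the SA or client. Under the release model the SA
    resolves a small discrepancy (Rachael/Racheal) itself after one check; under
    confirm-only every retry is another RVI. None means never accepted."""
    if confirm_only:
        for n, typed in enumerate(typed_names, start=1):
            if confirm_model(sa_id, key, {"name": typed}):
                return n
        return None
    cred = _credential_for_key(key)
    if cred is None:
        return None
    released = release_model(sa_id, key, cred["names"], [])  # assume the holder authorised all names
    best = max(closeness(typed_names[0], n) for n in released["names"])
    return 1 if best >= 0.9 else None  # 0.9 is an assumed SA-side tolerance


def names_logged_for(sa_id: str) -> set:
    """Paragraphs 3.27-3.28: under both models the AA's log reveals which names a
    given SA dealt with, so the audit trail itself is a privacy consideration."""
    return {n for e in AUDIT_LOG if e.sa_id == sa_id for n in e.names_seen}
```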

Freedom of choice and Universality - a population register?

3.34 One of the key assumptions in the recommended authentication model is an 'opt-in' principle - that "members of the public should be able to choose whether or not they want to access services that require authentication over the Internet."[101] This has been translated into one of the Policy Principles for online authentication approved by Cabinet in April 2002.[102]

3.35 It is however difficult to see how the authentication system could sustain the opt-in principle even in the short term.

3.36 Firstly, given the officially sanctioned trend towards e-government, it is inevitable that many categories of government clients will come under significant pressure to transact on-line, and therefore to obtain an ID Credential to allow them to do so. Government agencies will increasingly offer incentives to convert to on-line transactions, and alternative service channels will become less available over time as the take up of on-line services increases. Even if the letter of the commitment is honoured, and alternative channels continue to be available, off-line users will increasingly be placed at a disadvantage, at least in terms of convenience if not cost. This is not to necessarily criticise such trends, which are in many cases inevitable, but merely to encourage public acknowledgement that they are likely, and have consequences for the opt-in principle.

3.37 One of the factors that will influence perceptions of whether the scheme is genuinely 'voluntary' will be the strategies adopted both by individual agencies and at an all-of-government level to promoting registration. If there is a pro-active campaign to get clients to apply for ID Credentials, then there will be a greater perception of it being a register than if the facility is simply advertised as an option, for individuals to take up if and when they find it convenient. This will in turn depend partly on the financial basis of the scheme - see under Funding/charging below. If specific levels of registration are required to make the scheme financially viable, there will be a temptation to pro-actively promote it.

3.38 Secondly, one large category of initial users could be individuals in business roles who are required by their employers to obtain an ID credential so as to perform their duties (see Individuals not roles below). Experience around the world is that businesses and other non-individual entities, rather than consumers or citizens, have been the early adopters of online transactions with government.

3.39 Thirdly, most individuals needing to perform the role of Trusted Referees would be required to obtain an ID Credential.[103] It is argued that this is necessary so that the whole registration process can usually be completed on-line and for systems integrity, but these are not convincing arguments. The Business Process Design now accepts that there will need to be an off-line component to the registration process, and an exception process for Trusted Referees who do not have ID Credentials, but the intention remains for most Referees to already have a Credential.

3.40 It is also suggested that requiring individual Trusted Referees to have a credential could encourage friends and relatives of the applicants to apply.[104] While the logic of this is not clear, it reflects the clear intention to encourage registration.

3.41 Another factor that would undermine the opt-in principle would be any arrangements for parents or guardians to conduct transactions on behalf of minors or other 'dependent' clients. The scheme will issue ID credentials to minors who can produce adequate EOI, and who have the capacity to accept the terms and conditions, and it is easy to see how pressure will grow for many SAs dealing with minors and other 'dependent' clients to be able to identify the clients themselves as well as persons acting on their behalf. The current design of the Authentication scheme deliberately tries to avoid any recording of 'relationships' between Credential holders - leaving any such linkage to SAs. But this is a limitation which is already coming under pressure,[105] and seems unlikely to survive in the medium term.

3.42 The difficulty of dealing with parental relationships is similar, but even more complicated, for persons acting on behalf of institutionalised individuals, including those in prisons, psychiatric institutions and senile dementia wards. They tend to have a power relationship greater than parents and guardians in loco parentis, and they commonly act on behalf of multiple individuals rather than just one or two children.

3.43 Whether the AA database is seen as the foundation of a population register will also depend partly on the way in which contact details are treated. The AA will need applicants' contact details during the registration process, and the Business Process Design currently anticipates using contact details subsequently to send confirmation of each Request for Verified Information (RVI), as a security measure. This implies indefinite storage of at least one contact item (phone or fax number, e-mail or postal address). However, these would soon become out of date for many individuals, given the level of mobility of the NZ population, unless steps are taken to encourage notification of changes. Making this a legal requirement would be the only way of ensuring a reasonable level of currency.

3.44 To the extent that contact details are kept up to date, the value of the database for other purposes, the likelihood of function creep and its likely perception as a population register would all increase. Some SAs have already expressed interest in being notified by the AA of any changes to a Credential Holder's ID data, or at least being told that there had been changes, so that they could themselves ask the client. If no such services are intended, it would be preferable to consciously delete all contact information within a short time after a Credential confirmation had been issued, although this would mean abandoning the confirmation of RVI as a security measure (see also under IPP 4 - Security and IPP 9 - Data retention).

3.45 It seems likely that it will be suggested that the scheme could offer an optional 'change of address' service, on the basis that this would be convenient for consumers and efficient for both government and business. Any such 'add-on' would pose great practical difficulties while at the same time posing a major privacy risk. It is clear from experience of such schemes that many individuals do not have a single set of contact details suitable for all purposes. Attempts to cope with the diversity and complexity of individuals' circumstances would be fraught with difficulty. At the same time the attraction to many organisations of a central store of updated contact details would inevitably lead to major 'function creep', potentially compromising the core identity authentication purpose of the scheme.

3.46 For all of the above reasons, it is likely that the Authentication scheme could easily be seen as the foundation of a universal population register.[106] To the extent that this could be an undesirable barrier to acceptance, very clear limits would need to be placed on the scheme. Alternatively, the government could choose to promote the advantages of a population register and argue that they outweigh any privacy and other risks.

Individuals not roles

3.47 The current design excludes role-based identities from the authentication system. This has both pro- and anti-privacy consequences. On the positive side, it means that the AA need not hold any information centrally about individuals' various business or organisational roles. But on the negative side, it means that where an organisation requires its employees (or equivalents such as office holders) to obtain a Key to act on behalf of the organisation, they must provide personal details to the AA, even though they may have chosen not to obtain a Key in their personal capacity. This clearly compromises the 'opt-in' principle.

3.48 The Project Team take the view that there are many organisational contexts in which SAs do not actually need to identify individuals - only to authenticate authority to perform a certain role (e.g. lodging official returns, authorising payments etc). Where this is the case, SAs should ideally be able to insist on client organisations carrying responsibility for any actions of authorised representatives, without needing to know their specific identities.

3.49 But it may be that there is a category of services where the client is an organisation, but the SA needs for various reasons to have a record of the specific person who took the action (legal requirements for individual civil or criminal liability, audit trails etc). Should such circumstances exist, it would be necessary for the individual to establish their identity to AA standards, which means giving the same basic set of personal ID data - there is no provision for the AA to issue a Credential to an organisational role.

3.50 The person requiring a Key in an organisational capacity could register with an organisational role as an unverified alternate name[107] (if the AA allowed this[108]), and use their business address for contact purposes (a superficially privacy enhancing feature), but there would be no option for them but to give the same basic ID data as if they were registering for personal use. Any individual wanting separate Keys for personal and organisational use would have no choice but to have both Keys associated with the one Credential, issued to them as an identified individual.[109]

3.51 It would be helpful if SAs could provide input on how many of their potential on-line services would require authentication of individuals, even where playing an organisational role, as opposed to authentication of roles alone. None of the SAs interviewed for this PIA has indicated that it has yet considered the proposal at this level of detail.

3.52 The scheme design assumes that it will be up to either client organisations or SAs to manage the relationship between individuals and roles. It may be that authentication of roles, with or without a link to identifiable individuals, is the biggest area of application at least in the short to medium term, but this scheme does not set out to meet that need.

3.53 A related issue that needs to be addressed is the potential for discrimination against employees who wish to exercise their right not to hold an ID Credential, but whose employer requires them to do so to perform a business role. It needs to be ascertained whether action against an employee for refusing to register with the AA (up to and including dismissal) would be lawful under both anti-discrimination and employment law.

3.54 This potential problem will be even greater for clubs and associations, which may find it advantageous to interact electronically with government agencies. Each new round of office-bearers would find themselves forced to register with the AA as an accidental by-product of volunteering. Voluntary organisations already have difficulty getting people to take on positions of responsibility, and this could be yet another deterrent.

Recommendation 4. There should be further analysis of the demand for authentication of roles as opposed to individuals.

Pseudonymity

3.55 It is generally accepted that there are a range of transactions for which identification is not routinely required - the 'trust levels' analysis used by the cross-agency EOI project includes a category of 'pseudonymous' transactions, which do not require identification but do require a means of contacting the person concerned.[110]

3.56 Unfortunately, this is a somewhat narrow conception of pseudonymity which has led the Project Team to provide only a limited range of options in the design. An identifier that can be linked to the underlying entity only with considerable difficulty is commonly called a pseudonym.[111] Most of the project documentation uses pseudonymous transactions as synonymous with role-based authentication.[112] Authentication of roles, as explained above, is seen as something that SAs can and should perform for themselves, and is not within the scope of the proposed scheme, which could more accurately be described as authentication of identity than simply authentication.[113]

3.57 In contrast, a broader analysis would recognise the potential for individuals to operate pseudonymously using personal aliases that are distinct from any particular organisational role and affiliation. The constraints that the preferred design has imposed on individuals' choice in this respect have already been discussed under the One Individual, One Credential heading above.

3.58 Partly in response to this issue, the design has been refined to allow some selective disclosure of ID data, so that not all SAs need to obtain all of a Credential Holder's registered names in response to an RVI in all circumstances. But the practical effect of this element of choice will depend on the business rules of the SAs. It is important that the statutory framework reinforces the Privacy Act principle of necessity (see under Collection - IPP 1 below), such that SAs can only require individuals to authorise release of multiple names and aliases where they can demonstrate that it is necessary, not just convenient.

Recommendation 5. The authorising legislation should require that service agencies expressly justify any requirement for clients to authorise release of all alternate names.

Disincentives to multiple Keys

3.59 While the scheme design allows for a Credential holder to have multiple Keys associated with their Credential, the process involved in associating a Key means that it will be easier for most individuals to make do with only one Key, using it even for unrelated transactions where it would be preferable, for both security and privacy reasons, to have separate Keys. Inertia and convenience will lead most individuals to settle for a single Key.

Recommendation 6. Publicity for the scheme should clearly outline the option of multiple keys and explain the privacy advantages.

Identity cards

3.60 The Summary of Recommended Approach 114 includes a key assumption endorsed by Cabinet, that "the model does not require a national identity card ...". This could be seen as a misleading assurance if, in practice, either the Credential confirmation or a token issued by a KP containing an individual's Key come to be required to be produced in a wide range of circumstances.

3.61 One difficulty faced by this analysis is the uncertainty surrounding the likely range and take-up of Key types, and their provision by independent Key Providers. The flexibility of the scheme design in accepting a wide range of Keys is admirable in many respects. But it does mean that there is the potential for the emergence of Keys involving tokens, perhaps in the form of a card, as a significant component of the scheme. There are pressures for individuals to hold a documentary form of identification for a range of different purposes - these are currently met to varying degrees by passports, driver licences, health cards, credit and bank cards, the HANZ 18+ card etc. There will be obvious attractions for one or more 'issuers' of EOI to offer a multi-function card, perhaps including a Key which could then be associated with an individual's AA-issued ID Credential. 115

3.62 One of the main reasons for resistance to an official Identity Card is the presentation of at least some ID data on the face of the card, which leads to demands for its production in more and more settings. This PIA is not the place to debate fully the pros and cons of Identity Cards. To satisfy the Cabinet requirement, the project design has carefully avoided the need for any card or token that includes ID data on its face. But the PIA must warn about the potential for Cards to emerge alongside the scheme.

3.63 The best way of dealing with fears that the authentication scheme may lead to an Identity card is for the authorising legislation to expressly rule it out, with statutory prohibition, or at least strict limitation, of physical cards or documents containing both an Individual's Credential confirmation number or Key Serial Numbers, and any of the ID data.

Recommendation 7. The authorising legislation should prohibit the production of cards or documents containing both Credential confirmation numbers or Key Serial Numbers and any ID data.

Biometrics

3.64 The enhanced role of photographs in the design 116 raises several privacy issues. One of the initial design assumptions endorsed by Cabinet was that the model does not require "the exchange of biometric data at the time of transaction". 117 It is not clear whether this was intended to mean at the time of service delivery, or included the transactions involved in registration and association of Keys. The overall impression created, although perhaps not intended, may have been that biometrics would play little or no part in the scheme.

3.65 Biometrics raise significant privacy concerns, not just because of the personal information they involve, but also because of the intrusiveness of collection. The NZ Customs Service, which is now chairing an inter-agency forum on biometrics, has issued a useful briefing paper which identifies the privacy implications 118 . There are also analyses of the issue, and recommendations, from various privacy regulators. 119

3.66 A photographic image is a form of biometric, particularly where it is to be subjected to automated analysis such as face recognition software. The scheme will need to publicly acknowledge, and justify, the inclusion of biometric information.

3.67 Early versions of the design assumed that the photograph submitted by an applicant would be transformed into a biometric template, and that it would be possible to destroy the photograph after the registration process was completed. The assumption was that a visual image could not be reconstructed from the template. This would be an admirable privacy-enhancing feature in that it would remove any possibility of subsequent pressure for use by other agencies, and would clearly demonstrate the limited value of the scheme as a population register.

3.68 A feature of the proposal that has recently emerged is the use of photographic images during the registration process for one-to-many matching, i.e. for identification rather than for identity authentication. The purpose of this would be to detect individuals seeking to register more than one identity. It is important to note that little evidence exists that one-to-many matching is a feasible technique, whether conducted manually or using so-called 'facial recognition' technology 120 .

3.69 If this approach were adopted, then the volumes are likely to be such that it would be necessary to automate the process. The automated matching can be performed using templates alone. Assuming manual checks will need to be performed in order to deal with the inevitable large numbers of false positive matches, access to the original full photographic image will be necessary. There may be other alternatives, e.g. to require all applicants to re-apply with another photograph and keep doing so until the resulting biometric does not match an existing record 121 . But not only would this be highly inconvenient, it could also embody an unwarranted assumption of fraudulent intent.

3.70 A current design assumption is that Credential holders would need to periodically renew their registration, with a new photograph. This requirement, which clearly adds significantly to the cost, intrusion and inconvenience for all registered individuals, would appear to rest partly on the known degradation in the reliability of facial recognition as people age; partly on the need for periodic 'proof of life'; and partly on the need to combat the ever-increasing skills of hackers and forgers. The overall pros and cons of retaining photographs or biometrics derived from them have not been set out in detail.

Recommendation 8. Further consideration should be given to the overall costs and benefits of retaining the biometric template and/or the photographic image itself.

3.71 If the AA needs to retain the original photographic image indefinitely for the operation of the authentication scheme, the possibility of use by other agencies arises. A range of agencies could mount a case for clients to submit to a comparison of their current appearance with either the full digital image or the biometric template held by the Authentication Agency 122 . While this is not envisaged in the design, if it happened, it would clearly undermine the design assumption "no biometric data to be exchanged at the time of transaction". This is an area of potential function creep which will need to be addressed by both assurances and firm safeguards.

3.72 It is observed that there are strict limits on access to existing driver licence photos held by the LTSA, with even law enforcement agencies needing a warrant, and a purpose related to road traffic offences, to obtain access. (See discussion of access controls under IPPs 10 & 11 - Use and Disclosure, below).

Recommendation 9. The authorising legislation should expressly limit the purposes for which the photograph, digital image or biometric of the image can be used.

3.73 Reliance on face recognition technology to match photographic images raises the issue of the accuracy and reliability of the technology. There are very different opinions about this, and unfortunately little empirical evidence and few dispassionate commentaries. There is general agreement that one-to-one matching is significantly easier than one-to-many, but very different views as to such variables as the false acceptance and false rejection rates, quality of image and conditions required, and decay of matching accuracy with elapsed time since the image was taken.

3.74 In some jurisdictions, face recognition technology has been embraced enthusiastically - trials are under way at Australian airports 123 and the NZ Passports processing system is at the leading edge of the technology - more than 2.5 million photographs have been digitally encoded based on the bone structure of the face, and are used to match against renewal applications, with high levels of accuracy claimed 124 . In contrast, some applications in the US have recently been abandoned, allegedly due to poor accuracy and limited effectiveness. 125 Despite doubts, it should be noted that New Zealand is playing a leading role in responding to a US government requirement for a biometric of a digital image for passport holders from 27 visa-waiver countries by October 2004.

3.75 Nevertheless, even small error rates would create significant difficulties with a large applicant population. There are also practical issues concerning individuals who for religious or other reasons wish to keep their face partially covered. The scheme needs to be able to respond convincingly to questions about how face recognition errors will be handled without either inconveniencing individuals, unreasonably discriminating against minorities or destroying trust and confidence in the system.

Recommendation 10. Before any further commitment is made to the scheme, a detailed analysis of the role of the photo/biometric should be carried out, addressing the reasonable doubts about the accuracy and reliability of face recognition technology and the practical difficulties that will arise.
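The concern in paragraphs 3.69 and 3.75 - that one-to-many matching against a large register produces a flood of false positives even when the matcher's per-comparison error rate is tiny - can be made concrete with a small calculation. The block below is an added illustration, not part of the PIA or of the project's design; the error rates, population size and number of duplicate attempts it uses are constructed assumptions chosen only to show the shape of the problem, and the model assumes each comparison fails independently.

```python
"""Added example: sizing the manual-review load created by one-to-many
(1:N) duplicate checks at enrolment, from the matcher's per-comparison
error rates.  All figures used below are illustrative assumptions, not
numbers from the PIA or from any vendor."""


def prob_false_alert(fmr: float, enrolled: int) -> float:
    """Probability that a genuinely new applicant is flagged against at
    least one of `enrolled` existing templates.

    Assumes each of the `enrolled` comparisons independently false-matches
    with probability `fmr` (false match rate).  A tiny `fmr` still gives a
    large result once `enrolled` is in the millions.
    """
    if enrolled <= 0 or fmr <= 0.0:
        return 0.0
    return 1.0 - (1.0 - fmr) ** enrolled


def expected_false_alerts_over_rollout(fmr: float, population: int) -> float:
    """Expected number of false alerts while enrolling `population` people
    one after another, each checked against everyone enrolled so far.

    This is the sum over i = 0..N-1 of (1 - q**i) with q = 1 - fmr, written
    in closed form so it stays cheap for N in the millions.
    """
    if population <= 0 or fmr <= 0.0:
        return 0.0
    q = 1.0 - fmr
    return population - (1.0 - q ** population) / (1.0 - q)


def fmr_for_alert_budget(max_alert_prob: float, enrolled: int) -> float:
    """Per-comparison FMR needed so that a new applicant's chance of a false
    alert against `enrolled` templates stays at or below `max_alert_prob`.
    This inverts prob_false_alert."""
    if not 0.0 < max_alert_prob < 1.0 or enrolled <= 0:
        raise ValueError("need 0 < max_alert_prob < 1 and enrolled > 0")
    return 1.0 - (1.0 - max_alert_prob) ** (1.0 / enrolled)


def review_plan(fmr: float, fnmr: float, population: int,
                duplicate_attempts: int) -> dict:
    """Combine both error directions into one operational picture.

    fnmr: false non-match rate, the chance a real duplicate slips past a
    single comparison against its own earlier template.
    duplicate_attempts: assumed number of people trying to enrol twice.
    """
    false_alerts = expected_false_alerts_over_rollout(fmr, population)
    missed_duplicates = duplicate_attempts * fnmr
    true_alerts = duplicate_attempts - missed_duplicates
    total_alerts = false_alerts + true_alerts
    return {
        "false_alerts": false_alerts,
        "true_alerts": true_alerts,
        "missed_duplicates": missed_duplicates,
        # Of every alert a reviewer opens, what fraction is actually fraud?
        "precision": true_alerts / total_alerts if total_alerts else 0.0,
    }


if __name__ == "__main__":
    # Constructed, illustrative figures: a one-in-a-million FMR checked
    # against a register that grows to 1,000,000 people.
    print(f"P(false alert) = {prob_false_alert(1e-6, 1_000_000):.3f}")
    print(review_plan(fmr=1e-6, fnmr=0.05, population=1_000_000,
                      duplicate_attempts=1_000))
```

With the constructed figures, an applicant joining a million-person register has roughly a 63% chance of a false alert, the rollout generates several hundred thousand alerts for a few hundred genuine duplicates, and fewer than one alert in a hundred is real. Every one of those alerts is the manual check that paragraph 3.69 says requires the original photograph, which is why the retention question in Recommendation 8 and the accuracy question in Recommendation 10 cannot be settled separately.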

3.76 Other biometrics, such as iris recognition or hand geometry may offer higher levels of accuracy than face recognition from photos, but are not yet as readily available or affordable, and have significant disadvantages in terms of acceptability, typically requiring a more intrusive scanning process. The project team are not currently considering the use of any biometric other than one based on photographic images. Any departure from this position would raise significant additional privacy issues.

Recommendation 11. There should be a clear commitment that the scheme will not develop to involve any other biometric without separate legislative authorisation following a full privacy impact assessment.

Government uses only?

3.77 The scheme has been variously described as 'authentication for e-government', and 'all of government authentication'. This may have been used as a re-assurance as to the limited scope of the proposal, and to differentiate it from agency-specific schemes. However, it seems clear that the scheme is likely to involve use by the private sector, at least for those functions which the private sector performs on behalf of government (eg financial transactions reporting (money laundering) and income reporting). There is also likely to be private sector involvement in the scheme through outsourcing - this is discussed separately below (paragraphs 3.200-3.205).

3.78 It is also very likely that private sector organisations will seek to take advantage of the new system to replace existing commonplace reliance on existing forms of government ID - drivers licence, passport etc. Project documentation to date has only hinted at private sector use - it needs to be more open and either accept that the scheme is likely to be used widely by the private sector, or specify limits and how they will be enforced. If private sector use is anticipated, the scheme should avoid using descriptions, or terms such as "All of government (AOG) ID credential" which could be seen as misleading.

Recommendation 12. The authorising legislation should clearly specify limits on the scope of the authentication scheme.

Other issues concerning identifiers

3.79 A privacy-enhancing feature of the current design is that it allows individuals holding a username/password Key to choose their own username, which need not be unique. There will be some centrally set standards for username/password pairs, but provided these allow individuals to use their 'common' name, the scheme will have avoided a major perceived failing of some identification systems which force users to add characters to their name to achieve uniqueness 126 .

3.80 A possible adverse consequence could arise from the assignment of a unique Credential serial number to each ID Credential (which means each registered natural person); and a unique Key Serial Number to each Key. The scheme design seeks to minimise the risk of the ID Credential serial number becoming an identifier by reserving it for use within the Authentication Agency. Neither the individual nor any SA or KP will have any need to record the Credential serial number. It is very important that this feature be confirmed in the authorising legislation.

Recommendation 13. The authorising legislation should reserve the Credential serial number for use only by the Authentication Agency for internal administrative purposes.

3.81 In contrast, Key Serial Numbers will be exchanged between the AA, SAs and KPs. While it is understood that individual Key Holders will have no need to record, or even know, the serial number of their Key(s) 127, there is a risk that the Key Serial Number could become a de-facto personal identifier, unless organisations are specifically precluded from using it in this way 128 . For most individuals who will only ever hold one Key, the risk is greater, but even for those who hold multiple Keys, each one will uniquely identify the Holder. Allowing multiple Keys avoids a one-to-one link between Key and Credential, but does not address this problem. The Unique Identifier Principle (IPP12) in the Privacy Act, discussed below (see paragraphs 3.121-3.132), may serve to limit this risk, but for technical reasons is not currently a sufficient safeguard, and will require amendment to fulfil this role 129 .
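The risk in paragraph 3.81 arises because every SA and KP sees the same Key Serial Number, so the serial can be used to join records across organisations. One design alternative that removes that joining point, while leaving the AA able to resolve the identifier internally, is to hand each SA its own opaque, per-SA pseudonym derived from the serial under a secret only the AA holds. The block below is an added illustration of that alternative and is not the scheme's design; the class, method names and the use of HMAC-SHA256 are assumptions made for the example.

```python
"""Added example: sector-specific (pairwise) pseudonyms as an alternative to
giving every Service Agency the raw Key Serial Number.  Not the scheme's
design; it shows how a shared serial can be kept from becoming a
cross-agency identifier while the AA can still resolve it."""

import hashlib
import hmac
from typing import Dict


class AuthenticationAgency:
    """Holds the master secret.  Service Agencies never receive serials,
    only a pseudonym that is specific to them."""

    def __init__(self, master_secret: bytes) -> None:
        self._master = master_secret
        # Key Serial Number -> Credential serial.  Internal to the AA only
        # (the Credential serial is never released, cf. Recommendation 13).
        self._keys: Dict[str, str] = {}

    def associate_key(self, key_serial: str, credential_serial: str) -> None:
        self._keys[key_serial] = credential_serial

    def pairwise_id(self, key_serial: str, sa_id: str) -> str:
        """Opaque identifier unique to the (Key, SA) pair.

        A per-SA subkey is derived from the master secret, then the serial
        is MACed under that subkey.  Two SAs therefore hold unrelated values
        for the same Key and cannot join on them, and nobody without the
        master secret can recover the serial from the pseudonym.
        """
        if key_serial not in self._keys:
            raise KeyError("unknown Key Serial Number")
        sa_key = hmac.new(self._master, b"sa:" + sa_id.encode("utf-8"),
                          hashlib.sha256).digest()
        return hmac.new(sa_key, key_serial.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def resolve(self, sa_id: str, pseudonym: str) -> str:
        """AA-side lookup: which Key does this SA's pseudonym refer to?

        A linear scan with constant-time comparison is enough for a demo; a
        production AA would store the (SA, pseudonym) -> serial mapping.
        """
        for serial in self._keys:
            if hmac.compare_digest(self.pairwise_id(serial, sa_id), pseudonym):
                return serial
        raise KeyError("no Key for that pseudonym")


def can_join(aa: AuthenticationAgency, key_serial: str,
             sa_a: str, sa_b: str) -> bool:
    """True if two SAs would hold the same identifier for this Key, i.e.
    if they could match their client records on it."""
    return aa.pairwise_id(key_serial, sa_a) == aa.pairwise_id(key_serial, sa_b)


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    aa = AuthenticationAgency(master_secret=b"demo-only-master-secret")
    aa.associate_key("KSN-000123", "CRED-9981")
    print("SA-A sees:", aa.pairwise_id("KSN-000123", "sa-a"))
    print("SA-B sees:", aa.pairwise_id("KSN-000123", "sa-b"))
    print("Can SA-A and SA-B join on it?", can_join(aa, "KSN-000123", "sa-a", "sa-b"))
```

The same Credential Holder presents as a different stable value to each SA, so the per-SA value can still serve the SA as a client reference (it is stable across that SA's transactions) without functioning as a universal identifier; that is the property IPP 12 is meant to protect, achieved in the design rather than by prohibition alone.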

3.82 A similar risk arises from the issue of a Credential confirmation notice to each Credential Holder. Depending on what information this notice contains, it too could become a de facto ID document. If it is to be sent by different channels (post, email, SMS) at the Holder's choice, this risk will be lessened, as only a proportion of Holders will have a standardised written confirmation. It will nevertheless be necessary to proscribe the use of the confirmation notice or reference number as an Identifier, either directly in the legislation or by ensuring that Information Privacy Principle 12 applies to it.

Recommendation 14. The authorising legislation should proscribe the use of any Credential confirmation notice or administrative reference number issued by the Authentication Agency by other organisations as an identifier.

Issues arising from 'failed' transactions

3.83 It is inevitable that automated systems applying business rules will lead to rejection of some transactions, including applications for Credentials and Keys, attempts to associate a Key with a Credential, and subsequent authorisations of RVI. There will also be at least occasional technical failures. Mention has already been made of the unproven accuracy of face recognition technology, particularly in relation to one-to-many matches.

3.84 An important issue will be what the individuals affected by rejections or failures are told, and what opportunity they will be given to resolve the problems arising. This is partly a data quality issue (see under IPP 8), and partly one of use and disclosure (IPPs 10 & 11) if rejections lead to actions such as referral for investigation 130 .

3.85 If individuals lose their only Key, they may have to re-present at an AA shopfront with evidence of having a Credential, in order to have their identity verified and a new Key associated with the Credential 131 . If they have also lost their Credential confirmation notice, the shopfront may be able to find the appropriate customer record by searching on ID data items 132 . A Credential holder who still has at least one associated Key will be able to associate other Keys more easily - although either a face to face encounter or a challenge-response process would probably be required.

3.86 An acceptable set of rights and administrative remedies will be required to deal with errors and system failures. These should include reasons for decisions, in sufficient detail to enable the individual to understand them and work out what steps to take; a hold on administrative action; internal review and appeal rights to an external Review body; with the prospect of meaningful remedies, including payment of compensation for loss and damage including distress and inconvenience.

Recommendation 15. Before any further commitment is made to the scheme, analysis of all the possible points of failure, and how they will be addressed, should be carried out.

Issues arising from choice of agency to perform Authentication Agency role

3.87 The identity of the Authentication Agency will have a bearing on the nature and strength of some privacy issues.

3.88 Independence of the AA has already been recognised as very important, although it raises the question: independence from what? A host agency? SAs? The government of the day? The perception will be different with different agencies under consideration - eg the Births Deaths and Marriages (BDM) Registry (within the Identity Services Division of DIA) has a clearly related purpose, but there may be problems of perception given the openness of the births register (the opposite image from the high security required for authentication).

3.89 Passports (also within DIA ISD) is clearly a service delivery function affecting only a sub-set of the population, as is driver licensing (LTSA). This could be seen as inappropriate linkage to 'end-uses' of the authentication system. Both could also be seen as having an unfortunate association with identity cards (driver licences more so, given their common usage in the community as ID, and strong links to law enforcement in the context of road traffic offences). Other operational agencies would inevitably be seen as self-interested end-users with negative associations - no amount of re-assurance would dispel the impression that authentication was assisting with their other functions.

3.90 A new agency entirely separate from any existing government entity would best satisfy the objective of independence, but has been ruled out as inconsistent with recent government policy on structure of government. 133

3.91 The next best option is a statutory function with a separate independent 'registrar' within an existing agency (the BDM model). Arguments put in favour of locating the AA within the Identity Services Division of DIA 134 , and the DIA responses, are convincing - this appears to be the best fit of any existing Department or agency. Notwithstanding the possible perceptions referred to above, public consultation in April 2003 identified DIA as an agency that the public would be comfortable to have as an Authentication Agency.

3.92 However, if the AA is to be located within DIA or any other agency, the authorising legislation should clearly specify the parameters that ensure independence, such as terms and appointment of a 'registrar', reporting - preferably directly to Parliament, etc. It would also be essential for staff of the AA, if they are employees of an agency with wider functions, to be subject to confidentiality provisions relating specifically to the AA functions. This would be to avoid any suggestion that 'wearing another hat' they could access or use AA data for other purposes.

Recommendation 16. The authorising legislation should clearly establish the Authentication Agency as an independent function with appropriate status, structure and accountability.

Issues arising from funding models

3.93 Funding arrangements for the authentication scheme have yet to be specified. Options clearly include central funding of the infrastructure and administration of the scheme, or a user-pays model, in which Service Agencies and/or individuals pay for their use of the system. To the extent that SAs have to pay for their use of the system, this could either be funded by additional resources or have to be met out of existing budgets or compensating savings elsewhere. If there is any suggestion of private sector contribution to funding (a partnership approach), the question would arise what would they gain in return. Given that the authentication scheme could be seen as 'critical infrastructure', it may be desirable to expressly rule out private sector funding.

3.94 While the funding arrangements have no direct implications for privacy, they will of course influence the uptake and usage of the scheme, thereby indirectly affecting the scope and universality of the system. A model which cost individuals little or nothing to obtain a Credential and associate a Key would encourage registration, while appropriate funding arrangements for SAs could encourage them to adopt the central all-of-government authentication system as a supplement or alternative to their own authentication initiatives.

Recommendation 17. Further privacy impact assessment should be undertaken once the details of the proposed funding model are clear and design work has progressed.

Privacy Act Compliance

Introduction

3.95 The purpose of this section of the PIA is not to identify in detail how the agencies involved would comply with their obligations under the Privacy Act, including the Information Privacy Principles (IPPs). It is to identify any broad areas of difficulty or special issues that might be encountered in so complying.

3.96 The Privacy Act primarily deals with 'information privacy'. 135 Other dimensions of privacy, such as privacy of the person (e.g. concerns about capture of biometrics including photographs), privacy of behaviour (e.g. tracking of people's activities across multiple walks of life), and privacy of communications - some of which have been discussed above - are not regulated by the Privacy Act 136 . This section accordingly only addresses those aspects of privacy that are currently subject to express statutory regulation. It also does not encompass any aspects of the common law that may be relevant, such as the law of breach of confidence and the tort of passing off.

3.97 Where possible, issues of compliance with the Privacy Act IPPs and other issues are dealt with separately for the AA and SAs. In some cases, compliance and other issues arise from the interface between the AA and an SA, and it is necessary to deal with these issues in an integrated way.

3.98 It should be noted that there are a number of ways in which conduct that is not in accordance with the IPPs can still be lawful. These include waivers granted by the Privacy Commissioner either under a Code of Practice (s.46) or under a specific authorisation (s.54) (Conditions apply to both); or specific statutory authority, which overrides some of the IPPs (s.7). Where a difficulty in otherwise complying with an IPP is identified below, the appropriateness and likelihood of one of these 'overrides' is discussed.

3.99 In the health field, the Health Information Privacy Rules (HIPRs) in the Health Information Privacy Code 1994 137 substitute for the default Information Privacy Principles. The brief for this PIA did not extend to reviewing how compliance with the Rules might differ from compliance with the Principles in relation to the use of authentication in health applications. This will be the responsibility of any health agency that is subject to the Rules.

3.100 Similarly, some businesses in the telecommunications industry are now subject to the Telecommunications Information Privacy Code, issued by the Privacy Commissioner in May 2003. For these businesses, the Information Privacy Principles are replaced by the Telecommunications Information Privacy Rules (TIPRs). While Service Agencies and the proposed Authentication Agency are not likely to be affected by this Code, some Key Providers may be 138 . Key providers may also be subject to relevant provisions in Telecommunications law, which will apply to the telecommunications businesses whose facilities will be used by the scheme.

3.101 It must be recognised that commitments to comply with the Privacy Act 139 are not necessarily what they seem, as the IPPs (or HIPRs or TIPRs) can always be overridden by other statutory changes - in which case the action in question is still compliant with the Privacy Act even though the practical effect is reversed.

3.102 The public is likely to assume that statements by Ministers and agencies that a new scheme will comply with privacy legislation means that the Principles will be applied; whereas what those statements may actually mean is that the scheme will take full advantage of the available exemptions and exceptions, and may even create new ones, which render the Principles irrelevant.

3.103 Public acceptance of the scheme may therefore be dependent upon carefully expressed statements, which avoid misleading the public about what protections do and do not apply.

Recommendation 18. Public presentation of the scheme needs to be careful in explaining the issue of compliance with privacy laws, and what this means.

Personal Information involved

3.104 The main category of persons about whom the AA will collect and hold personal information is individuals applying for an ID Credential (Registration). Personal information held will include the ID data, administration data (including contact details and the photograph and biometric template), the Credential Number and the Key serial numbers of any associated Keys. Further information will be held about the subsequent transactions of Credential holders.

3.105 Since any Credential Holder over 18 can act as a Trusted Referee, there is no need for the AA to pre-identify TRs as such, although the AA's records will show which Credential Holders have acted as TR for one or more other Holders.

3.106 The AA will of course also hold employee records and administrative records containing personal information, but in these respects the AA would be no different from other government agencies - all of which must comply with the Privacy Act in respect of such records. No further consideration is given in this PIA to such records.

Collection (IPPs 1-4)

Justification

3.107 The AA's collection of personal information about registrants will clearly be for a lawful purpose connected with a function or activity of the agency (IPP1(a)) 140 . Provided the collection of all items of personal information can be justified it will also comply with IPP 1(b) (necessary for that purpose).

3.108 It will however be necessary for the AA to justify the collection of all the types of information it requires for registration. The current scheme is likely to use the EOI framework being developed by an inter-agency committee 141 , but as discussed above under the 'One Individual, One Credential' heading, it has not yet been adequately demonstrated that that framework is soundly based conceptually, or that all of its elements are necessary.

3.109 The AA will collect personal information directly from individuals registering for the issue of an ID Credential (see project description above). Direct collection is the preferred option under IPP2.

3.110 Personal information about registrants will also be collected by the AA from third party trusted referees. Collection from third parties is an 'exception' to IPP 2 which is permitted under certain conditions - there will be multiple bases for this (eg: authorisation by individual (b); necessary for ... (d); avoid prejudice to purpose (e)).

3.111 It is assumed that all SAs will also be able to justify the collection of personal information about clients registering for on-line transactions, and the collection of personal information about those clients from the AA, and from other Key Providers, both during First Time Service Registration, and during Service Delivery, satisfying both IPP1 and IPP2.

3.112 The draft EOI framework requires information sufficient to pass five tests (see paragraph 2.17). While the AA may need to apply all five tests (subject to the issue of multiple identities discussed above), SAs may not need to apply the tests of Objective A (identity not claimed before) and of E ('evidence of the use of the [claimed] identity in the community'), as they will often only need to satisfy themselves that the identity exists and that the client links to it (tests of Objectives B & C), which they should be able to do by checking the validity and currency of a Key presented by a registered client. This should result in SAs needing to collect relatively little personal information (in the form of EOI) for many transactions.

Notification

3.113 Where personal information is obtained directly from registrants, the AA will have the opportunity to meet its notification obligation under IPP 3, and should also take this opportunity to explain the role of the trusted referee and the information flows involved in the scheme.

3.114 A comprehensive 'package' of information to registrants may also serve to satisfy at least some of the IPP3 obligations of SAs in relation to their subsequent use of the scheme and of Identity keys.

3.115 Individuals will need to be reminded at appropriate points in the various transactions about what is happening to their personal information. This is particularly important in the context of a Common Logon Site, or of other arrangements for seamless multiple transactions from within a single Internet session. The desire for 'efficiency' reasons to hide the actual nature of the transactions will need to be balanced against Privacy Act obligations to be transparent.

Other collection issues

3.116 The AA will keep records of transactions involving its records - notably of requests from SAs for verification. These will progressively accumulate into a very comprehensive database of some of the interactions with government of individual Key Holders 142 , and with any private sector organisations which are authorised to use the services of the AA. This information about the subsequent transactions, even though it arises from an RVI authorised by an individual, is clearly not collected directly from the individual and is arguably not even collected from the SA - it is internally generated by the AA. The main implications of this data arise in relation to retention (IPP 9) and use and disclosure (IPPs 10 & 11), discussed below.

3.117 The AA should have no difficulty satisfying IPP 4 in relation to both registration and transaction information - collection by lawful means that are fair and do not unreasonably intrude; assuming the overall scheme justification is accepted, and provided there are clearly no less intrusive means of implementing it.

3.118 One specific collection issue relates to Māori stakeholders. The work programme's Tikanga strand has recognised a need to assess whether there is a widespread view that government agencies should not collect or store whakapapa and, if appropriate, to ensure that whakapapa is not included directly in the authentication model 143. Whether or not whakapapa is excluded, the requirements for evidence of identity (EOI) during registration will need to be culturally sensitive, for Māori in particular.

3.119 If any of the transactions between individuals and the other parties (AA, SAs or Key Providers) involve multiple on-line sessions, then the issue of 'cookies' arises. Many Internet users are suspicious of the use of cookies, which a web-site server places on a user's computer to allow sessions to be linked and previously collected or stored information to be retrieved for re-use. Some users deliberately block the placement of cookies on their computers, and for many users accessing the Internet from their place of work cookies may be blocked by the corporate firewall. It is not yet clear whether cookies would be required - there may be alternative ways of providing the required functionality with appropriate security (see under IPP 4 below). If cookies are to be required (and this can be justified in terms of IPP 1), the AA will need to ensure that this is transparent to users, both in its privacy policy and in explanations to users who attempt to use the AA site with cookies disabled.

3.120 A further consideration in relation to cookies is that many circumstances would arise in which an individual would start a session on one workstation and complete it on another. Examples include: starting at home but finishing at work; starting at work but finishing at home; starting on one workstation in an Internet café or library and finishing on another workstation in that or another Internet café or library. The design cannot therefore depend on cookies to enable continuation of a suspended session.

Unique Identifiers (IPP 12)

3.121 The Unique Identifier (UI) Principle (IPP12) is obviously directly relevant.

3.122 A threshold question is whether the ID Credential (the basic data set explained in the Project Description) is a UI as defined in the Act. 144 While the combined effect of the data set is to 'uniquely identify' an individual (at least to a very high level of probability), the set contains the individual's name, which is expressly excluded from the definition of UI. The preferable meaning of this is that name alone cannot be a UI - but the ID Credential including a name can be and is a UI. The rest of this analysis proceeds on this assumption.

3.123 It is also arguable whether Keys themselves (eg: username/password pairs or digital certificates) will be UIs. While a Key associated with a Credential will 'uniquely identify' that individual Credential Holder in the sense that the Key Provider will have associated it with a specified person, it fails another part of the test in the definition - it need not uniquely identify the person in relation to [the assigning] agency 145 (emphasis added). Also, where a Key is issued by a third party Key Provider, it is not assigned 'for the purposes of the operations of [that] agency' 146 - rather it is assigned for the purpose of use with other agencies unrelated to the Key Provider.

3.124 However, the ID Credential serial number, and any serial numbers assigned to Keys in accordance with AA standards will, under the current design, all be 'unique identifiers' under the Privacy Act. The fact that an individual may have more than one Key and therefore more than one Key serial number will not prevent each one 'uniquely identifying' that individual.

3.125 The 1998 Review of the Privacy Act identified two issues in relation to the operation of IPP 12. The first is the meaning of 'assign' and the second is whether the Principle should apply to identifiers assigned by the private sector (it does at present).

3.126 The first issue raises some doubt about whether an ID Credential serial number or Key serial number would be a UI in the hands of any user which merely records that number, or only in the hands of a user which utilises the number to refer to an individual. It would be useful if this could be clarified in any amending legislation, preferably to ensure that the numbers are brought within the scope of IPP12 - see below for reasons why amendments will be required in any case in relation to this Principle.

3.127 The second issue is also relevant, as IPP 12(2) may interfere with the ability of the AA to lawfully record a Key issued by another Key Provider against an individual's Credential. The Privacy Commissioner recommended in 1998 that IPP 12(2) be limited to government-issued identifiers, with a specific discretion to be able to extend the controls to specific private sector identifiers through a Code of Practice if the need arose 147. However, the design of this scheme intentionally uses a range of private sector issued Keys as identifiers, which may suggest that IPP 12 (suitably amended) should apply to both government-issued and private-issued Keys.

3.128 The intention of IPP 12 is precisely to limit the development and use of multi-function unique identifiers (UIs) without appropriate authority 148. The AA should be able to meet this principle since its entire (statutory) purpose will be the assignment and management of identifiers; i.e. the scheme quite precisely sets out to stimulate the use of multi-function identifiers, but it will be expressly authorised by law. In particular a central mission of the AA should satisfy IPP 12(3) - reasonable steps to assign UIs only to individuals whose identity is clearly established. However, any breakdown in the scheme or administrative failure that resulted in incorrect assignment of Identity credentials or of Keys could demonstrate a breach of IPP 12(3).

3.129 Under the proposed design, the ID Credential number assigned and held by the AA is never recorded by any other agency. But both SAs and the AA will record the serial number assigned to a particular Key by the Key Provider.

3.130 The use of Key Serial Numbers by SAs will have to satisfy IPP 12. The proposed model involves SAs assigning persons' Keys (issued by the Key Providers) to their own customers, presumably using Key Serial Numbers, which will be UIs 149. This would only be permitted by IPP 12(2) if the SAs were 'associated persons' under the Income Tax Act - they are not. Therefore, either specific statutory authority 150, or a Privacy Commissioner issued Code of Practice 151 or authorisation 152 will be required to override IPP 12(2).

3.131 It would be invidious to expect a Privacy Commissioner to be the instrument of relaxing the UI Principle in the context of a major national authentication scheme. Authorisation should therefore be given by means of express statutory provision. This clear need for amendment of the Privacy Act will however have to be publicly justified in terms of the commitment in the Legal Compliance Implementation Principle to 'comply with relevant law, including privacy .. law' 153.

3.132 The 1998 Review of the Privacy Act recommended amendment of s.66 to make a wilful breach of IPP 12(2) an 'interference with privacy' irrespective of the absence of any harm or detriment 154. On the assumption that statutory amendments will authorise the use of Key Serial Numbers by SAs which would otherwise breach IPP 12(2), it might be appropriate to revisit this recommendation, so that any wilful use by an organisation not expressly permitted to use Keys would be a breach, thereby invoking the civil law remedies under the Privacy Act.

Recommendation 19. Legislation should clarify the application of the Unique Identifier Principle (UIP- Principle 12) of the Privacy Act to the various identifiers and numbers involved in the scheme. Existing issues about the application of the UIP should be resolved at the same time, after consultation with the Privacy Commissioner.

Storage and security (IPP 5)

3.133 It has not been possible to make a sufficiently detailed assessment of security issues because the process design for the scheme is not yet sufficiently fully articulated, nor stable. In particular, the concept of a Centralised Authentication Hub or common log-on site (see paragraphs 2.50 and 2.65) has only been developed towards the end of this assessment, and this has major implications for security and privacy. It is not clear that risk assessments have been performed across the full range of circumstances that will arise, and hence it is not clear that the security requirements for communications between the parties and for stored data have been established. In these circumstances, the comments provided in this section are of necessity preliminary only. It is very important that all the as-yet-unresolved security matters be kept under review.

3.134 IPP 5 requires agencies to protect personal information against loss, unauthorised access etc, and other misuse with security safeguards that are reasonable in the circumstances. Security will of course also be required for other reasons such as to ensure the integrity, functionality and availability of the systems involved. Often, the level of security required for these other reasons is at least equivalent to, or exceeds, what is required to safeguard privacy. But this cannot be assumed, as in various circumstances, compliance with this privacy principle can require additional safeguards.

3.135 The NZ Government addresses the confidentiality, integrity and availability of all official information through the Security in the Government Sector policy. This includes Minimum Standards for Internet Security in the NZ Government. The EGU have issued more specific advice in Online Authentication - Internet Security.

3.136 Guidance on security from a specific privacy perspective is available from the Australian Federal Privacy Commissioner 155. This refers to three relevant NZ standards:

  • AS/NZS ISO/IEC 17799:2001 Information technology - Code of practice for information security management
  • AS/NZS 7799.2:2000 (Previously known as 4444.2) Information security management - Specification for information security management systems
  • AS/NZS 4360:1999 Risk management

3.137 Many other text-books and technical publications provide guidance on these matters 156. In view of the extreme sensitivity of the operation of the scheme, and of the information stored and transmitted, it is essential that the highest information security standards be applied to the scheme's design, construction and operation. On the basis of the documents available during the period in which the PIA was conducted, it is far from clear that the project had met those expectations. As the relevant documents become available, it is vital that they be carefully assessed from both the security and privacy perspectives.

Security of information flows

3.138 The scheme design provides that all information exchanges between AA and SAs (and Trusted Referee agencies) would use the NZ government secure network (SEE), with server to server encryption. It is understood that exchanges between Key Providers and both the AA and SAs would be required to use similar security. However, it is not clear from the SEE site 157 what mechanism is used, or proposed to be used, to achieve server-to-server security. Hence it is not clear that this vital issue has yet been addressed within the proposed design. It is very important that all the as-yet-unresolved security matters be kept under review.

3.139 Internet transactions between individuals and Trusted Referees, the AA and SAs would utilise Secure Sockets Layer (SSL), which provides encryption of messages passing between the client software on the workstation (generally thought of as being a web-browser) and the servers running applications for the relevant agencies. The possibility of telephone transactions has been raised recently (see for example paragraph 2.59), and this would raise an entirely new set of security issues, which cannot be assessed either for security or privacy implications without further detail.

Security of information within workstations

3.140 Individuals will use workstations within agencies for some purposes, and for others will utilise workstations in their homes, their workplaces, and public places such as libraries and Internet cafes. Workstation operating systems and applications are inherently insecure, and despite this having finally become a matter for discussion in the media, and despite public undertakings recently given by some vendors, that situation is unlikely to change in the short-to-medium term.

3.141 It is therefore critical that the scheme's design include:

  • in relation to the public use of workstations made available by agencies - risk assessment and risk management measures to address the security risks; and
  • in relation to public use of other workstations, risk assessment - to the extent practicable risk management measures, and public warnings and advice about the risks involved and how to manage them.

It is not clear that this vital issue has yet been addressed within the proposed design. It is very important that all the as-yet-unresolved security matters be kept under review.

Security of information within servers

3.142 All agencies participating in the scheme, and (to the extent that Key Providers are corporations) private sector participants as well, will store a considerable amount of sensitive personal data. This data is attractive to both insiders and outsiders. There are various threats, including:

  • accidental disclosure;
  • intentional access by an authorised user, but for unauthorised purposes;
  • intentional access by an unauthorised user, by means of an authorised username and password pair; and
  • intentional access by an unauthorised user, by means of circumvention of the access control mechanism, e.g. physical or logical break-in / cracking / hacking.

3.143 All parties to the system need to implement appropriate measures to ensure that the data that they store is protected by security measures commensurate with the sensitivity of the data involved. SAs hold personal data of varying sensitivity. The AA would hold data of the most extreme sensitivity, including all name variants, recorded aliases and at least some kinds of contact information. The KPs would hold personal data of varying degrees of sensitivity, but also identification data associated with the Key, which is highly sensitive.

3.144 It is therefore critical that the scheme's design include:

  • in respect of the AA, risk assessment and risk management measures to address the security risks; and
  • in respect of SAs and KPs, guidance in relation to the risk assessment and risk management measures that are needed in order to address the security risks.

It is not clear that this vital issue has been adequately addressed within the proposed design. It is very important that the as-yet-unresolved security matters be kept under review.

Security of personal data stored by Trusted Referees

3.145 TRs may also hold data of considerable sensitivity. It is not clear that risk assessment has been performed, and that the security requirements for data storage by these parties have been established. The organisations and individuals would be highly diverse in their size, and in their professionalism in matters of data storage and data security. Moreover, many of them may prove to be difficult to influence in relation to their data practices.

Security of data used in discontinuous sessions

3.146 If, as proposed, the registration process can be discontinuous; ie: spread over time or over several on-line sessions, a security issue arises over authorising the applicant to return and pick up a partially completed process, which will inevitably include personal information lodged at a previous stage. The scheme proposes to address this issue partly through the use of additional 'shared secrets' eg: temporary passwords or access codes issued to applicants to allow them to return and complete a process. However, shared secrets are a relatively low-security device, and a detailed analysis will be required of the threat that this might pose to the integrity of the system. This is one of many ways in which the scheme, unless very carefully designed, would be likely to contribute to the risk of identity fraud rather than reducing it.

Security of Keys stored by agencies

3.147 In the case of digital signature key pairs, it is not necessary for the Key Provider to record the private key, and for security reasons it is indeed essential that it does not.

3.148 In the case of username/password, the Key Provider, unless they are also an SA conducting transactions with the Key holder, may not need to record the password, and might be satisfied with a hash (mathematical transformation) of it (see privacy analysis below). This protects against the risks of a workstation being used by an officer of the agency, or by a person who gains access to the stored password, in order to masquerade as the individual. (It does not protect against simulation by transmitting the hashed password in a stream of traffic purporting to come from a workstation).
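As an added illustration of the point above (not code from the PIA or from the scheme's design documents): a Key Provider that only needs to check a username/password Key can hold a salted, slow hash of the password and verify a login by recomputing that hash from the plaintext the holder types. The algorithm (PBKDF2-HMAC-SHA256), the iteration count and the sample passwords are choices made for this example. The last function shows why the parenthetical caveat matters: verification needs the plaintext, so the stored digest is useless as a login token in this design, whereas any design in which the workstation transmits the hash in place of the password turns that hash into the secret.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length are assumed values for this example.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a Key Provider stores for a username/password Key.

    The record holds a per-holder random salt and the PBKDF2 output; the
    plaintext password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "digest": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-deriving the digest from the plaintext candidate.

    compare_digest avoids leaking the position of the first mismatching byte
    through timing differences.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def salt_separates_equal_passwords(password: str) -> bool:
    """Two holders who chose the same password get unrelated stored digests,
    so an officer who can read the table cannot even tell that they match."""
    return make_record(password)["digest"] != make_record(password)["digest"]


def stored_digest_is_not_a_login(record: dict) -> bool:
    """The stored digest fails when presented as a password, because the
    server hashes whatever is presented. Reading the table therefore does
    not by itself yield a usable Key. (A design in which the client sends
    the hash would lack this property: the hash would then be the secret,
    which is the caveat paragraph 3.148 raises.)"""
    return not verify_password(record, record["digest"])


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample password
    print(rec)
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(rec, "correct horse"))
    print("stored digest rejected as login:", stored_digest_is_not_a_login(rec))
```

The choice of a deliberately slow derivation (many iterations) is what makes a stolen table expensive to attack offline; a plain hash of the password, with no salt and no work factor, would give the officer or intruder in paragraph 3.142 much less of an obstacle.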

3.149 Under the proposed scheme, the same Key is to be used for authorising the AA to release the holder's ID credential and as a log-on ID for Service agencies. This will inevitably give rise to security concerns as the Key Serial Number will need to be stored in multiple agencies and locations, thereby increasing its exposure and vulnerability. This is a serious privacy concern, because the Key Serial Number is at risk of becoming used as a general-purpose identifier, which would enable correlation of personal data from many sources.

3.150 A further vulnerability may exist. The design documents are far from clear as to the use of the Key Serial Number by the AA and by the SAs. There is a possibility that anyone gaining unauthorised access to another individual's Key Serial Number could use it as a means of masquerading as that person in relation to a range of government services. If such a vulnerability exists, then the impostor might also be able to authorise release of the 'real' person's ID Credential, potentially allowing the impostor to commit identity theft.

3.151 A comprehensive assessment of the privacy impact of this aspect of the design cannot yet be performed. It is critical that this matter be carefully re-assessed when the design is complete and stable. One possible solution would be to provide for the use of a Key to generate a different Key Serial Number for different agencies; ie: there would be multiple KSNs for each Key.

Recommendation 20. Consideration should be given to varying the design such that the use of the same Key with different agencies would result in the issue of a different Key Serial Number.
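The option raised in paragraph 3.151 and Recommendation 20 can be built as a pairwise pseudonym: the Key Provider derives the serial number it shows to each agency from the Key's internal identifier and that agency's identifier, under a secret only the Key Provider holds. The following is an added example written to show this; it is not code from the PIA or the scheme's design, and the HMAC construction, the agency identifiers and the secret are assumptions made for the example. The second half contrasts it with a single shared serial number to show what Recommendation 20 prevents: matching records across agencies by number alone.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Constructed sample values; a real Key Provider would hold a properly generated secret.
KP_SECRET = b"example-key-provider-secret-not-for-production"
KEY_INTERNAL_ID = "key-0001"                   # the Key Provider's own reference for one Key
AGENCIES = ["AA", "SA-Revenue", "SA-Health"]   # assumed agency identifiers


def derive_agency_ksn(kp_secret: bytes, key_internal_id: str, agency_id: str) -> str:
    """Key Serial Number that one agency sees for one Key.

    HMAC keyed with the Key Provider's secret over (key id, agency id). The agency
    cannot invert the value to the internal id, and without the secret no party can
    test whether KSNs held by two different agencies belong to the same Key.
    The 0x1F separator keeps 'ab'+'c' and 'a'+'bc' distinct.
    """
    message = f"{key_internal_id}\x1f{agency_id}".encode("utf-8")
    return hmac.new(kp_secret, message, hashlib.sha256).hexdigest()[:32]


def shared_ksn(key_internal_id: str) -> str:
    """The current design in caricature: one serial number for the Key everywhere."""
    return hashlib.sha256(key_internal_id.encode("utf-8")).hexdigest()[:32]


def agency_views(kp_secret: bytes, key_internal_id: str, agencies: Iterable[str]) -> Dict[str, str]:
    """What each agency records for the same Key under per-agency KSNs."""
    return {a: derive_agency_ksn(kp_secret, key_internal_id, a) for a in agencies}


def ksns_distinct(kp_secret: bytes, key_internal_id: str, agencies: List[str]) -> bool:
    """Every agency receives a different KSN for the same Key."""
    views = agency_views(kp_secret, key_internal_id, agencies)
    return len(set(views.values())) == len(agencies)


def ksn_stable(kp_secret: bytes, key_internal_id: str, agency_id: str) -> bool:
    """Same Key at the same agency always yields the same KSN, so the agency can
    still recognise a returning holder without a cross-agency number."""
    first = derive_agency_ksn(kp_secret, key_internal_id, agency_id)
    second = derive_agency_ksn(kp_secret, key_internal_id, agency_id)
    return first == second


def correlate_by_number(records_a: Set[str], records_b: Set[str]) -> Set[str]:
    """Attempt to link two agencies' customer tables purely by matching serial numbers."""
    return records_a & records_b


def linkage_counts(kp_secret: bytes, key_ids: List[str], agency_a: str, agency_b: str) -> Dict[str, int]:
    """How many Key holders can be linked across two agencies under each design."""
    shared_a = {shared_ksn(k) for k in key_ids}
    shared_b = {shared_ksn(k) for k in key_ids}
    pairwise_a = {derive_agency_ksn(kp_secret, k, agency_a) for k in key_ids}
    pairwise_b = {derive_agency_ksn(kp_secret, k, agency_b) for k in key_ids}
    return {
        "shared_ksn": len(correlate_by_number(shared_a, shared_b)),
        "per_agency_ksn": len(correlate_by_number(pairwise_a, pairwise_b)),
    }


if __name__ == "__main__":
    for agency, ksn in agency_views(KP_SECRET, KEY_INTERNAL_ID, AGENCIES).items():
        print(f"{agency:12s} sees KSN {ksn}")
    print(linkage_counts(KP_SECRET, ["key-0001", "key-0002", "key-0003"], "SA-Revenue", "SA-Health"))
```

When an SA later asks the Key Provider to verify a KSN it holds, the Key Provider either recomputes the derivation for the Key the holder has just presented and compares, or looks the value up in a table indexed by (agency, KSN); either way the linking capability stays with the Key Provider rather than being distributed to every agency that stores the number, which is the exposure paragraph 3.149 describes.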

3.152 The design provides for Confirmation of a Request for Verified Information (RVI) to be sent to the Credential holder concerned by a separate channel from that used for the RVI transaction itself. This is a security measure in that it provides some assurance that unauthorised RVIs will be detected, but it also requires contact details to be kept - see paragraph 3.43.

Security of personal data and Keys held by individuals

3.153 Individuals who participate in the scheme are required to store data. This includes one or more Keys.

3.154 The security considerations arising in relation to the storage of Keys depend on what kind of Key is involved.

3.155 In the case of a Username and Password, the Username does not have to be kept secret, but the Password has to be, because capture of the Password combined with capture, interpolation or guessing of the Username is sufficient to enable a third party to masquerade as the individual.

3.156 The scheme envisages that individuals would be permitted to change Passwords to a string that they can remember, but there appears to be no requirement to avoid easily-discovered passwords, such as those uncovered through dictionary attacks. In any case, it is not clear to what extent the scheme will be able to impose standards on all Key Providers.
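As an added example of the screening that paragraph 3.156 finds missing (not code from the PIA or from any Key Provider): a check applied when a holder chooses a new password. It normalises the candidate the way a dictionary attack's mangling rules would (case folding, stripping leading and trailing digits and symbols, undoing common letter-for-symbol substitutions) before comparing it against a word list, so that 'P@ssw0rd123!' is caught as 'password'. The word list, the minimum length and the extra checks (username reuse, too few distinct characters) are assumptions made for this example; a real deployment would use a large list of common and breached passwords.

```python
import re
from typing import List

# Constructed mini word list standing in for a real common/breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "wellington", "kiwi"}
MIN_LENGTH = 12  # assumed policy value

# Substitutions that dictionary-attack mangling rules routinely try; undone here.
LEET = str.maketrans(
    {"@": "a", "0": "o", "1": "l", "!": "i", "3": "e", "$": "s", "5": "s", "4": "a", "7": "t"}
)

# Leading or trailing run of digits, punctuation or whitespace ('password123!', '!!summer').
EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalise(candidate: str) -> str:
    """Reduce a candidate to the base word a wordlist attack would try first."""
    base = EDGE_JUNK.sub("", candidate.lower())
    return base.translate(LEET)


def weaknesses(candidate: str, username: str = "") -> List[str]:
    """Return the reasons a candidate password would be rejected (empty list = acceptable)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = normalise(candidate)
    if base in COMMON_WORDS:
        reasons.append(f"based on common word '{base}'")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    if len(set(candidate)) <= 2:
        reasons.append("too few distinct characters")
    return reasons


def is_acceptable(candidate: str, username: str = "") -> bool:
    return not weaknesses(candidate, username)


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ["P@ssw0rd123!", "Summ3r24", "aaaaaaaaaaaaaa", "correct horse battery staple"]:
        print(f"{pw!r}: {weaknesses(pw) or 'acceptable'}")
```

A check of this kind only reduces the weakest-password problem at the Key Provider that runs it; as the paragraph notes, the scheme's difficulty is imposing any such standard across all Key Providers, and the 'weakest key' observation in paragraph 3.157 applies to whichever one does not.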

3.157 In the case of a digital signature regime, it is critical that the private key be only ever accessible by, and only ever able to be invoked by, the Key holder. This has implications for key-generation, for the storage location of the key, for the physical protections for the storage location and the key, and for the software protection for the key. The IQA Interim Report 2 acknowledges a further aspect of the risks involved: "In the event that the user has two or more keys, then their data at the AA and their SAs will be as secure as the security of their weakest key".

3.158 It is not clear that risk assessments of the various circumstances have been performed, and hence it is not clear that the security requirements for data storage by individuals have been established. Still less does it appear that the practicalities of large numbers of people possessing and protecting highly sensitive data have been appreciated and addressed. It is very important that all the as-yet-unresolved security matters be kept under review.

Recommendation 21. A comprehensive and continuing security review and risk assessment should be undertaken to address the many security issues as yet unresolved.

Access and Correction (IPPs 6 & 7)

3.159 It is assumed that the AA will either be subject to the Privacy Act or to equivalent access and correction rights 158. The existing withholding grounds (Part 4) and procedural provisions (Part 5) will presumably apply, and the former should accommodate all the countervailing public and private interests.

Recommendation 22. Legislation should amend the Privacy Act to grant all Credential Holders, wherever they are located, the same rights under that Act.

3.160 One issue that will need to be resolved is whether any part of the information held by the AA and/or SAs will be exempt from access on security grounds (eg: serial numbers). Ideally, the scheme should be completely transparent and allow individuals to know/see all numbers or labels assigned to them. While any withholding of information would inevitably fuel suspicion, there may be overriding security arguments for not disclosing some details (see under IPP 5). There are currently no grounds under ss.27-29 which would obviously meet this need, and it seems likely that express statutory authority (invoking s.7) would be required 159.

3.161 Another issue to be resolved is the appropriate balance between the privacy of Credential holders (or applicants) and of Trusted Referees in the event that a person making an access request wanted to know what had been said about them in the context of a declined application. 160

Recommendation 23. Legislation should specify any additional grounds for withholding Authentication Agency information in response to access requests needed to ensure adequate security, and to protect the privacy interests of third parties.

Data quality (IPP 8)

3.162 Data quality will be a primary concern/function of the AA for operational reasons. While the AA should have no difficulty in showing that it is attempting to take reasonable steps to ensure accuracy etc, objectively achieving adequate data quality will be a major and continuing challenge.

3.163 One issue will be how the AA deals with unavailable or unknown identity facts - eg: birth dates/places, or with individuals who for various reasons are unable to produce EOI to meet the normal standards 161. To what extent will the AA be given discretion to assign credentials on a 'best endeavours' or 'near enough' basis, and what are the implications of this for the integrity and security of the scheme overall?

3.164 Initial registration relies to a large extent on checks against other databases. The IQA consultants have identified as an issue the quality of the data in those databases, and the PIA consultant's own experience of matching programs suggests that there will be some significant problems arising from the use of data collected for one purpose in one context for an entirely different purpose/context.

3.165 The scheme will also have to be able to deal with changes to the items of ID data for a Credential holder. Individuals can lawfully adopt multiple names, and change not only their name(s) but also their gender, and both date and place of birth may need to be corrected on the production of new evidence. All such changes create difficulties for a scheme which presumes that each person has a unique and unchangeable set of ID data, and also opens up opportunities for illicit manipulation of the database in connection with Identity theft or fraud. The project will need to specify in some detail what rules it will apply to changes of ID data to provide re-assurance not only that genuine changes can be accommodated, but also that the risk of unauthorised changes can be managed.

3.166 Another data quality issue is the quality of photographic images and their use - despite the claims of technology providers, there is considerable doubt about the reliability and accuracy of face recognition systems. The government will have to show that the use of photographs in the proposed system can reach acceptable levels of accuracy and reliability, avoiding too many incorrect acceptances and erroneous rejections (false positives and negatives) (see discussion under Biometrics above).

3.167 Any automated system encounters issues around acceptable levels of data quality. At every stage of processing, there are likely to be criteria and thresholds of acceptability (for example, see data validation stage of Registration in the project description above). There is always a balance to be struck between setting criteria too tight, leading to rejections and inconvenience, and setting them too loose, compromising quality, integrity and security.

3.168 Accepting that automated systems applying business rules will lead to rejection of some transactions, including applications for Credentials and Keys, an important issue will be what the individuals concerned are told, and what opportunity they will be given to resolve the problem - perhaps by correcting or clarifying the information they have provided. (An associated issue of referral for investigation is discussed under the heading of the Use and Disclosure Principles; see also the discussion under Issues arising from 'failed' transactions above, and Accountability mechanisms and safeguards below.)

Data retention (IPP 9)

3.169 Data retention will be a significant privacy issue. The best privacy protection is often destruction of information, although this sometimes has to be balanced against the contribution that data retention can make to security. There is inevitable conflict between the tendency of historians to seek retention and accessibility of everything, and the privacy interest of individuals in suppression and destruction. The government agencies involved in the scheme will be bound by the Archives Act 1957 - a preliminary appraisal is under way with National Archives assistance but is not yet available.

3.170 The AA would keep personal information collected for registration indefinitely. It is proposed that the data set forming the ID Credential, once recorded, would be permanent, to ensure uniqueness, and to ensure that any associated Key(s), once issued, are never assigned to another individual, and to ensure future non-repudiation of a 'past' identity, and of past transactions by a particular identity. A record could be 'de-activated' if Keys were revoked or otherwise withdrawn (due to death of holder, compromise etc), but would never be deleted.

3.171 The permanence of the AA records could contribute to fears of the surveillance and control implications of the scheme. While it would be easy to satisfy the letter of IPP 9 by specifying indefinite storage in the authorising statute, justifying the need for permanence, and balancing it with an appropriate range of safeguards, will be an important part of the communication strategy for the project.

3.172 Of particular concern is the retention of the transaction information. The record of checks against the AA database will build up into a comprehensive, if superficial, profile of an individual's on-line transactions 162. While there is a case for retention of these records, in the form of a log or audit trail, for systems integrity and auditing purposes, there will inevitably be pressure for access to the data for a range of other purposes, including law enforcement, revenue protection etc (see below under IPP 11). The longer the data is retained the more that pressure will grow and the more likely it is that the data will be accessed for these secondary purposes. The scheme needs to specify, and justify, retention periods for transaction information.

3.173 A further practical issue is the extent to which records will be kept of partial or failed applications that do not result in the issue of a Credential, or the binding of a Key to a Credential. There will no doubt be arguments in favour of retention of all such information for security purposes - particularly for subsequent analysis of fraud attempt etc. On the other hand, such records could accumulate into quite detailed patterns of activity by particular individuals which, whilst of little or no value to the Authentication scheme, could be of intelligence value to other authorities. If records of incomplete transactions were to be retained, then there must be clear justification for it, and appropriate controls on access to them.

Recommendation 24. The authorising legislation should set the parameters for retention of various categories of data held in connection with the scheme.

Use and Disclosure (IPPs 10 & 11)

3.174 The project design and documentation to date emphasise the role of consent, and this could be the basis of compliance both by the AA and SAs with IPPs 10 (exception (b)) & 11 - (exception (d)) - 'authorised by the individual concerned'. However, great care should be taken to avoid the inappropriate use of the word 'consent' in circumstances where an individual has no real choice but to authorise a particular use or disclosure. See the discussion above about the credibility of the 'opt-in' principle under the heading 'Universality - a population register?'.

3.175 It would be preferable for the basis of use and disclosure of personal information in the authentication scheme to be clearly set out in law as part of the authorising legislation. This would avoid any uncertainty about the way in which the various exceptions to IPPs 10 and 11 would be interpreted in relation to the scheme. This in turn would allow the scheme to be promoted publicly with firm and unequivocal assurances as to the way in which the scheme would operate, and equally importantly what would not be permitted.

3.176 It is important that the provisions authorising use of information are clear about when a use becomes a disclosure - releases of information should not escape controls applying to inter-agency transfers just because they are to unrelated parts of the same agency (intra-agency) and therefore technically a 'use' rather than a 'disclosure'.

3.177 A detailed regime for use and disclosure in the statute authorising the scheme would effectively supersede IPPs 10 and 11 163. There would be increased risk to public support for the scheme for every aspect of the new regime that is weaker than the existing one. The authorising legislation would need to ensure that a new use and disclosure regime, even if 'tougher' than the IPPs, did not have the effect of denying individuals access to the remedies available for 'interferences with privacy' under the Privacy Act.

Use and Disclosure of Registration information and of Credential data

3.178 There should be specific authority for all of the uses and disclosures of information necessary for the operation of the scheme (once they have all been identified). This authority would need to cover the information exchanges between the various participants - individuals; the AA; SAs; Key Providers; and Trusted Referees - and with other databases (see under Information Matching below).

3.179 A strictly limited range of exceptions for other public interests (such as emergencies, law enforcement etc) should be specified, with appropriate safeguards. While these would provide for some of the interests allowed for in the exceptions to IPPs 10 & 11, they could do so in a much more rigorous and certain manner. All other uses and disclosures should be expressly prohibited. It is not acceptable in relation to this scheme for additional uses to be founded on an individual's consent where this is extracted effectively under duress, and is not free as well as informed.

3.180 The possibility of criminal penalties for breaches of these rules should be considered 164 rather than simply civil remedies as in the Privacy Act, to reflect the importance of public confidence in the scheme - see paragraphs 3.224-3.225.

Use and Disclosure of revocation/suspension lists

3.181 This is a sub-set of the previous category - a form of operational use, but with external consequences. Presumably, any attempted use of the scheme by an SA which found that either the Credential or the Key in question was invalid would prompt some form of action or investigation 165 . Clear criteria and guidelines need to be established for any such action, given the potential consequences for individuals (including denial of identity; allegations of Identity fraud or theft, criminal investigation etc) (see also Issues arising from 'failed' transactions above).

3.182 As with transaction information (discussed below), there would also need to be clear and specific rules about access by third parties for purposes not directly associated with the operation of the authentication system, with very high standards of justification required.

Use and Disclosure of transaction information

3.183 There should be specific authority for the allowable uses of the AA's transaction records during their lifetime (see retention discussion under IPP 9) - uses/disclosures both by the AA itself, and the permitted circumstances, conditions and other safeguards for third party access (such as for law enforcement).

3.184 Another category of third party access that may need to be allowed, subject to conditions, may be access by SAs in relation to their own use of the scheme, such as for reconciliation of audit trails, or in relation to specific investigations - any such access should be restricted to transactions involving the SA in question, but even this should not be an unconditional right.

Use and Disclosure of information for law enforcement purposes

3.185 Distinctions need to be drawn firstly between law enforcement purposes connected with the operation of the authentication system (eg: investigation of identity theft or fraud) and other unrelated investigations; and secondly between purposes connected with specific investigations and speculative or intelligence purposes. Ideally there should be a hierarchy of access, with use or disclosure for investigation of abuse of the authentication being easier than for the other purposes, and intelligence uses being the most strictly controlled.

3.186 Assuming that the scheme will be governed by detailed statutory authority, a tiered approach to law enforcement access could be built in.

Use of information for statistical purposes

3.187 Cabinet has acknowledged, as one of the Māori issues raised during consultations, the need to explore the implications of protecting authentication data so that it cannot be used for statistical purposes (for example, to publicise Māori take-up of online authentication).

3.188 Use of information for statistical purposes, for most non-Māori, need not be a major privacy issue provided it involves the use of aggregate data, in such a way that information about identifiable individuals is not released (although it may be used in the course of analysis to link records). A minority of non-Māori are concerned about the 'autonomy' aspects of such uses, and together with Māori specific concerns this justifies a detailed consideration and specification of the statistical uses, if any, of AA data which will be allowed, and the controls that will apply to any such uses. Statistical expertise will be required for such a consideration.

Recommendation 25. The authorising legislation should set out a detailed regime for use and disclosure of personal information held in connection with the scheme, dealing with:

  • The distinction between use and disclosure in this context.
  • Limits on who can access information, for what purposes, in what circumstances and subject to what conditions.
  • Specific limits and conditions in relation to different categories of data, such as registration information, transaction information, and revocation/suspension data.
  • A distinction between uses and disclosures directly associated with the operation of the scheme (including investigation of suspected ID fraud or theft) and those for other secondary purposes unrelated to the scheme.

Information matching (Part 10)

3.189 The Information matching provisions of the Privacy Act (Part 10 and Schedules 3 & 4) do not automatically apply to all matching. Matching programmes have to be expressly prescribed (and the relevant provisions listed in Schedule 3) in order to come under Part 10.

3.190 On the face of it, the definition of information matching programme 166 also limits the coverage of Part 10 - some one-to-many verifications would not constitute matching programmes, and other many-to-many matches would not be covered because they would not be "for the purpose of producing or verifying information that may be used for the purpose of taking adverse action" (emphasis added).

3.191 But most of the provisions of Part 10 do not use the term 'information matching programme'. Instead, they apply to 'authorised information matching programme(s)' - a term which is separately defined without either of the two limiting conditions that apply to 'information matching programme'.

3.192 Many of the information exchanges involved in the operation of the proposed Authentication scheme fall outside the more limited definition, but could nonetheless be covered by Part 10 if they were 'authorised'.

3.193 For instance all of the following, if done in real time in relation to a particular individual, may be one-to-many; and would also not have any overt intention of taking adverse action 167 :

  • checks between the AA and other databases as part of the processing of an application for a Credential;
  • checks by an SA with Key Providers on the validity of a Key; and
  • the RVI process whereby an SA accesses ID data for a client from the AA.

But they are all capable of being subject to Part 10 if an 'Information Matching Provision' in another law makes them into 'authorised information matching programmes'.

3.194 A government decision will be required as to whether any or all of the interactions involved in the operation of the Online Authentication system are prescribed as 'authorised information matching programmes' for the purposes of the Privacy Act. It seems likely that the government would wish to either bring them under the scope of Part 10, since this is expressly designed to offer additional privacy safeguards to deal with the perceived risks arising from matching; or alternatively provide similar but customized safeguards and oversight in other legislation.

3.195 It may be that as well as prescribing certain matching programmes for authorised but controlled operation under Part 10, or otherwise providing similar safeguards, the government would also wish to expressly prohibit or proscribe certain other matching. For example, it may be important for public acceptability of the scheme to expressly rule out use of the transaction information as an intelligence database - for instance to draw links between transactions with other government agencies and tax liability. On the other hand, there may be some intelligence matching which would be seen as having a higher priority than the protection of privacy - such as in the context of terrorism. 168 If any such matching against the new records to be held by the AA is envisaged, it should at least be subject to the additional protections of Part 10, if not more specifically regulated.

3.196 What should be avoided is leaving any information matching involving personal information held by the AA outside the scope of Part 10 and regulated only by the general IPPs. Matching of AA data should either be specifically authorised, or prohibited.

3.197 An important issue is whether any prescription (or conversely proscription) of specified information matching programmes should be part of the package of legislation enabling the AA and the Authentication scheme. If not, and it is left to separate legislation relating to SAs enacted on a different timetable and subject to future variation, that may fuel fears of function creep and/or loss of safeguards.

3.198 A specific requirement of any information matching programme prescribed for the purposes of the Privacy Act, bringing it under Part 10, is that any on-line transfers of information have to be expressly approved by the Privacy Commissioner. 169 Since nearly all of the information transfers in the authentication scheme are expressly designed to be on-line, approval by the Commissioner of any that fell within Part 10 could be assumed once the scheme was authorised by law 170 .

3.199 If any of the interactions involved in the operation of the Online Authentication system are prescribed as 'authorised information matching programmes' for the purposes of the Privacy Act, resources and time would need to be allowed for the procedural requirements of Part 10 and the Information Matching Rules. If controls are introduced via separate legislation, there will still be a similar administrative cost.

Recommendation 26. The authorising legislation should clearly prescribe relevant information exchanges as 'authorised information matching programmes' for the purposes of the Privacy Act, Part 10. It may also be desirable to impose additional controls on some of the information exchanges involved, and to expressly prohibit certain other exchanges. The Privacy Commissioner should be consulted about the appropriate level of control.

Outsourcing

3.200 Outsourcing has always been a controversial subject from a privacy perspective. While compliance with privacy standards can be written into outsourcing contracts, there is a widespread public perception, based partly on some well-publicised failures, that contracting out involves a loss of control and accountability. Individuals have certain rights when dealing with agencies, but those rights do not always extend to dealings between the individuals and the outsourced service providers. Most governments have acknowledged this issue by drawing the line at certain sensitive functions which they have required to be conducted 'in-house' by public servants.

3.201 A decision will be required as to whether the AA functions include ones which are so sensitive that they should not be performed by contractors. From a privacy perspective, such a decision would be appropriate, at least in respect of some aspects of the scheme.

3.202 An extra dimension to this issue is whether, even if outsourcing is considered appropriate and defensible in principle, it should nevertheless not be performed overseas - see the discussion below on cross border issues. In New Zealand, the Privacy Commissioner has found it necessary to issue a Code of Practice to specifically cover the overseas transfer implications of privatisation and subsequent contracting of government data processing services. 171

3.203 It seems likely that the AA will use agents for some parts of the registration process - eg: application; trusted referee 'vouching'; delivery of Credential confirmations. This gives rise to an issue of responsibility for compliance with Privacy Act IPPs, acceptance of liability etc. The AA will presumably be responsible for accrediting agents and for monitoring and periodic review of standards, but it is essential that there should be no ambiguity or uncertainty about who is responsible and accountable. The scheme design and authorising legislation should ensure that individuals' rights in relation to access, correction and redress are not compromised by such outsourcing.

3.204 Key Providers will not be providing an AA service, but they will have to meet AA standards for their Keys to be accepted for use in the scheme, and their participation should be covered by some form of agreement or contract.

3.205 Contracts or agreements between all participants in the scheme will need to include express, and enforceable, provisions relating to responsibility for privacy, security and liability, including compliance with the Information Privacy Principles.

Recommendation 27. An express decision should be made as to the extent to which outsourcing of any information handling involved in the scheme will be allowed. Legislation should ensure that individuals' rights and accountability are not lost or compromised as a result of any such outsourcing.

Cross border issues - Transborder data flows

3.206 The issue of information transfers outside New Zealand will arise in both AA registration and SA use, in relation to persons seeking to transact from overseas, including overseas resident Trusted Referees.

3.207 While NZ agencies remain responsible for personal information they hold outside the country 172, there is otherwise no specific trans-border provision in the Privacy Act at present. One has been recommended by the Privacy Commissioner in order to achieve an adequacy assessment by the European Union (EU) under its Data Protection laws 173 , and it is understood that the Government has accepted in principle the need for such an amendment. If such a requirement is introduced it is likely to be similar to NPP 9 in the Australian Privacy Act 1988 - organisations must take reasonable steps to ensure that similar protection applies in any jurisdiction to which they transfer personal information. This can be satisfied (under the Australian principle) either by the consent of the individual concerned; by the existence of an equivalent law or other scheme in the destination jurisdiction; or by contract terms.

3.208 NZ agencies already have to comply with a similar though more limited requirement under IPP 5 in relation to security (IPP 5(b)), which is usually met by contract terms - eg: with outsourcing service providers - or by MoUs with foreign government agencies. The cross border transfer implications of contracted-out government data processing have already been mentioned under the Outsourcing heading above 174 . The Privacy Commissioner has also been consulted about other overseas transfers.

Recommendation 28. Apart from the specific recommendations outlined in this section, agencies involved in the scheme will need to ensure that they comply with the Information Privacy Principles (or equivalent rules under Codes of Practice), taking account of the issues raised above under each Principle.

Accountability mechanisms & safeguards

Internal complaint handling, dispute resolution and audit

3.209 Whatever arrangements are made for external oversight (see below), there would be an expectation that the agencies concerned would attempt to resolve complaints themselves at first instance (internal review). 175 To ensure that this was effective, protocols would be needed between SAs, the AA and KPs to clarify responsibility for handling complaints involving authentication. For instance, many complaints about eligibility for or denial of service by an SA may involve an element that relates to alleged errors in the transaction between the SA and the AA, and/or alleged errors in the original verification of identity by the AA. It would be important to ensure that such complaints did not fall between the gaps, with the SA, KP and AA all declining to accept responsibility. To guard against this possibility, an effective external review mechanism (see below) should have the power to rule on where responsibility lay.

3.210 The AA and SAs should be expected to include the operation of the Authentication system into their internal audit programs.

Recommendation 29. Agencies involved in the scheme must be required to have appropriate internal complaint handling, dispute resolution and internal audit processes, and to enter into protocols with other parties to ensure complaints do not fall between gaps.

External audit and review

3.211 Existing review mechanisms including the Privacy Commissioner and the Ombudsmen will apply unless excluded by statute 176 . Many complaints about operations of the AA are likely to fall within the Privacy Act jurisdiction 177 . However, because of exemptions and exceptions in the Privacy Act, not all errors or grievances arising from the operation of the scheme are guaranteed to be covered. Some work has been done on this but it is important that a detailed analysis be performed of all the possible grounds for complaint, and where necessary, gaps in the availability of remedies should be plugged.

3.212 The Project Team's work has emphasised the similarities between the functions of the Privacy Commissioner and the Ombudsmen in relation to complaints handling. There are however some important differences.

3.213 One important distinction is that the Ombudsmen can only make recommendations about changes in administration, whereas the Human Rights Review Tribunal can award damages for interferences with privacy 178 under the Privacy Act 179 .

3.214 Complaints about the authentication scheme may involve the actions of Trusted Referees and of Key Providers. Many TRs will be individuals and at least some KPs are likely to be private sector organisations. Both individuals and private sector organisations can be agencies under the Privacy Act, under the jurisdiction of the PC but they would not be within the Chief Ombudsman's jurisdiction, which is confined to the public sector. The Project Team consider that the AA would take responsibility for actions of private sector participants which related to the scheme, but this is not as reliable as ensuring that they are directly accountable to an external review body.

3.215 The Privacy Commissioner has somewhat wider functions in relation to promotion of awareness of privacy in specific contexts, rather than just awareness of complaint rights. If the Ombudsmen were to perform the role of Review Body, they would need additional functions in this area.

3.216 There is obvious potential for complaints about the actions of the AA, and of SAs and KPs in relation to their use of the AA, to fall between jurisdictions. The Privacy Act provides for referral of complaints from the Privacy Commissioner to the Ombudsmen 180 , but a Protocol would be needed between the Privacy Commissioner and the Chief Ombudsman to clarify criteria for deciding jurisdiction.

3.217 While the Ombudsmen do not have a general pro-active auditing role, the Privacy Commissioner can undertake audits on request 181 ; has a specific role of monitoring the use of unique identifiers 182 ; and has a significant program of pro-active monitoring of information matching, for which it has recruited staff with specific skills. The Auditor-General could conduct performance audits of Authentication Agency processes but would have no particular reason to give this area priority in the allocation of scarce resources, and might also face jurisdictional barriers in auditing processes involving individual Trusted Referees and private sector Key Providers. For these reasons the operation of a centralised all-of-government authentication scheme needs to be subject to regular independent external audit.

A new Review Body?

3.218 A new separate review body would have several advantages. It could assist in re-assuring the public that comprehensive oversight and remedies were being provided. It would provide a single clearly identifiable point to which complaints about any aspect of the Authentication system could be taken - it should not be left to the aggrieved citizens to have to decide which jurisdiction their complaint fell under 183 . Provision could also be made for financial compensation for non-privacy errors that resulted in significant harm or inconvenience. A separate body could also be given a pro-active audit role across all aspects of the authentication system. Finally, a specialised agency could develop expertise in the technical issues involved in the authentication scheme.

3.219 Against these advantages must be balanced a range of other factors including cost 184 , agencies having to learn a new set of processes, and the fact that there would still be the potential for overlap at the margins, eg: where complaints involved actions of Service Agencies which were still subject to the Privacy Commissioner and Ombudsmen jurisdictions. A separate body would also differentiate electronic transactions, when the same accountabilities and processes should arguably apply whatever channels a person is using. Also, the creation of a wholly new body would run counter to government policy as expressed through the Review of the Centre 185 .

3.220 A hybrid approach would involve the creation of a new Authentication Review Body role, with clear jurisdiction over all participants in the Authentication system, and a customised set of functions, but to give this role to one of the existing external review bodies 186 .

3.221 Several factors would suggest that this might be best placed in the Office of the Privacy Commissioner:

  • The specific existing functions of monitoring the use of Unique Identifiers and Information Matching, directly relevant to this scheme, and for which it has recruited specific skills.
  • The estimation (of this consultant) that most complaints about authentication will involve an Information Privacy Principle or Information Matching issue under the Privacy Act;
  • The breadth of the Privacy Commissioner's jurisdiction covering public and private sector organisations and individuals, and
  • The wider range of existing functions, covering all the likely requirements of an Authentication Review Body role.

3.222 If this solution was adopted, there would clearly still need to be protocols for referral of complaints to and from the Ombudsmen as appropriate.

3.223 Whatever decision is made about the location of the Review functions, it is desirable that this itself is reviewed within a set period after the scheme commences operation, in light of experience.

Recommendation 30. Authorising legislation should ensure that an independent review body has the necessary powers to provide coverage of all participants in the authentication scheme, and to perform both complaint adjudication and proactive monitoring roles.

Offences and penalties

3.224 The 'default' regime under the Privacy Act is for civil penalties in the form of potential awards of compensation by the Human Rights Review Tribunal. Several agencies consulted, including the Office of the Privacy Commissioner, have expressed the view that this would not provide an adequate deterrent against intentional abuse of the authentication system. It would seem appropriate for there to be criminal penalties attaching to at least some such abuses. It may be that certain abuses would already be criminal offences under the general criminal law or computer crime legislation 187 . If not, or if the specification of those offences does not adequately cover the risks in the authentication system, then appropriate offences should be provided in the authorising legislation.

3.225 One specific abuse would be coercing an individual to make an information privacy (access) request under the Privacy Act with a view to fraudulent use of the information obtained. This should be a criminal offence, as already recommended by the Privacy Commissioner 188 .

Recommendation 31. The authorising legislation should provide for appropriate criminal offences and penalties over and above the civil penalty regime under the Privacy Act.

Staff training

3.226 There is no point in putting in place elaborate safeguards and accountability mechanisms if the employees concerned are not adequately trained to understand the risks and implement the safeguards. The legislation establishing the Authentication Agency should expressly provide for this as a function, and adequate resources must be provided to allow both initial and continuing training. The Authentication Agency should be given some responsibility for training employees of other participants in the authentication system (SA and KP employees and both organisational and individual TRs) in their specific responsibilities in relation to the operation of the system.

Recommendation 32. The authorising legislation should provide for a continuing staff training and education function, to extend to training of all participants in the authentication scheme.

Communications strategy

3.227 There will of course be a need for general community education about the new authentication scheme, and presumably one or more specific campaigns to promote registration. As part of any communication or advertising, the privacy implications need to be addressed, and not merely by way of token re-assurance. The specific privacy issues highlighted in this report should be expressly addressed and an explanation given as to how the scheme will deal with them. Misleading assurances about the effect of Privacy law need to be avoided.

3.228 The communications strategy for the scheme is already under way, and includes the public consultation in early 2003, subsequent announcements and public availability of some of the project documentation. The strategy will next need to deal with the decision making process of deciding if, and if so how, the scheme is to be implemented. A Cabinet decision is expected in March 2004. This Privacy Impact Assessment, together with the detailed Business Process Design and the Business Case should be made publicly available for comment and consideration before that decision.

3.229 Experience elsewhere has been that Privacy Impact Assessments, even where commissioned, have been kept from the public until after critical decisions have been made, fuelling suspicions about motives and function creep. Far better to expose the analysis of all benefits and costs, both financial and intangible, as early as possible so that a mature debate can be held about the overall public interest.

Recommendation 33. There should be clearly defined responsibility for a public communications strategy, to include publication of the justification for and merits of the scheme, its design specifications and this Privacy Impact Assessment, before a final decision is made to proceed, and a continuing public education programme during implementation and operation.

Monitoring, Reporting and Periodic Review

3.230 The all-of-government authentication scheme is sufficiently important, as a piece of public infrastructure likely to directly affect a major and ever-growing section of the New Zealand population, to warrant close monitoring and periodic review.

3.231 The routine monitoring should be performed by someone independent of the scheme's operation (including the review body(ies), whose performance also needs to be monitored). This monitoring may be appropriately performed by the Controller and Auditor-General, perhaps on a specific reference, as well as in pursuance of his existing functions.

3.232 The legislation authorising the scheme should also provide for an appropriate mechanism to review any major changes to the scheme, such as additional functionality for the AA, increased information storage or exchange, or greater access to data for previously unauthorised purposes, whether or not those changes require legislative amendments 189 .

3.233 The legislation should also stipulate at least an initial review after the scheme has been in operation for a number of years, to independently examine whether the scheme has met its objectives and honoured its commitments. Subsequent periodic reviews may also be desirable, to ensure that scope- and function-creep do not take place unnoticed or unremarked.

Recommendation 34. The authorising legislation should provide for ongoing independent monitoring and for periodic independent review of the scheme, and for a clear consultation and public decision making process for any subsequent significant changes.

Footnotes

[79 A PIA could have this objective - see for instance the PIA carried out as part of the Australian Government's review of Authentication options - National Office of the Information Economy, Australian Government Authentication Initiative Final Report, August 2003 - not yet publicly available.]
[80 NZ Passport holders will be familiar with a similar EOI requirement, but few other relationships with government require the same processes and level of evidence.]
[81 See below for discussion of why registration will effectively be mandatory for many individuals playing organisational roles.]

[82 Reported at CNN.com 4 September 2003 - http://www.cnn.com/2003/TECH/ptech/09/04/id.crime/index.html (accessed 19 October 2003)]
[83 The Changing Nature of Fraud in Australia, July 2003, at http://law.gov.au/agd/Department/Publications/publications/Fraud.htm (accessed 20 October 2003)]
[84 The Australian government report estimates that two thirds of fraud offences in the private sector are not reported]
[85 Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent SIRCA 02—2003 for Steering Committee on Proof of Identity, chaired by AUSTRAC, November 2003 - available through Standards Australia]
[86 In the US, for example, the passage of the Identity Theft Assumption and Deterrence Act of
1998 (18 U.S.C. 1028) was founded upon the results of an investigation by the US GAO on the Cost of Identity Fraud released earlier that year (GAO, 1998). Comparative research has also been conducted within the United Kingdom (Cabinet Office, 2002). (Source: SIRCA report - see footnote to para 2.60)]
[87 Biometrics Discussion Paper, v 0.3 9 October 2003, 3.3.2 & 3.3.3 paras 31 & 32 - appears to suggest that fraud is where the perpetrator aims to create multiple identities whereas theft is a single masquerade.]

[88 On-line Authentication: Security, e-government unit, March 2003, Section 3 - Identity Fraud]
[89 and also popular illustration in films such as Gattaca, Minority Report and Catch me if you can.]

[90 On-line Authentication: Security, e-government unit, March 2003, Section 3 - Identity Fraud]

[91 For a more detailed exposition of this model, see Clarke R. (1999) Identified, Anonymous and Pseudonymous Transactions: The Spectrum of Choice, at http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html#Id; Clarke R. (2001) Authentication: A Sufficiently Rich Model to Enable e-Business at
http://www.anu.edu.au/people/Roger.Clarke/EC/AuthModel.html#HEI; and Clarke R. (2003) Authentication Re-visited: How Public Key Infrastructure Could Yet Prosper at http://www.anu.edu.au/people/Roger.Clarke/EC/Bled03.html#HEI]
[92 In New Zealand there are some clear constraints within particular government programmes - eg: the Ministry of Education requires a single verified name for all educational qualifications.]
[93 See Clarke R. (1994) Human Identification in Information Systems at http://www.anu.edu.au/people/Roger.Clarke/DV/HumanID.html]
[94 Design of online authentication for government: summary of recommended approach - July 2003]
[95 Blueprint: Authentication for e-government, July 2003, p3]
[96 Key Provider Role, v.0.3 Oct 03, paragraph 10.]
[97 Discussion Paper: Single or Multiple EOI processes 2.2 v0.2 6 October 2003 (para 3).]
[98 It is understood that the IQA consultants, who initially favoured the option of multiple credentials, are now inclined to support the single credential model, partly on the basis that it reduces the likelihood of undetected theft.]
[99 Some of the project documentation states that prevention of 'double dipping' underlies the need for evidence of a 'unique' identity, but there is sufficient doubt about this asserted benefit to justify a request for a more detailed analysis.]

[100 Discussions with the Office of the Privacy Commissioner]

[101 Design of online authentication for government: summary of recommended approach - July 2003]
[102 Reported in Blueprint: Authentication for e-government, July 2003, p5]
[103 The Trusted Referee Discussion Paper (V.0.2 8 October) suggests that the AA would pre-populate a database with accredited individual trusted referees (paras 20-21).]

[104 Trusted Referee Discussion Paper (V.0.2 8 October) para 22.]
[105 See Legal Issues Paper How will minors obtain an ID Credential and associated Key? Version 0.6 28 October 2003 - discussion of need for parental consent.]

[106 The fact that not all New Zealanders would be registered, and that the AA would also register some non-nationals would not stop the main part of the database from forming a partial population register.]
[107 Eg: Treasurer of XYZ club, or finance manager of ABC Ltd, although there may be legal liability issues surrounding any attempt to use such aliases.]
[108 There will need to be some limits on what unverified names Credential Holders can register, if only to avoid obscenities, but there is currently no intention to prevent the registration of non-offensive aliases. The question of whether two Credential Holders would be allowed to register the same alias is one of many that remain to be decided.]
[109 It was noted in consultation that employers are resisting a requirement to use individual employees' Keys to transact on behalf of their employer.]
[110 Draft Evidence of Identity Framework, v 0.2 10 September 2003, p4.]
[111 In Roger Clarke's model, pseudonyms are a sub-set of a wider class of 'nyms' - see Clarke 1999 at http://www.anu.edu.au/people/Roger.Clarke/DV/AnPs and http://www.anu.edu.au/people/Roger.Clarke/DV/UIPP99.html]
[112 Although one Discussion paper - Delivering Authenticated Services Online, v.0.6 5 November 2003 - includes a more sophisticated analysis.]
[113 The IQA consultants support this narrow interpretation of pseudonymity by stating "Keys could potentially be pseudonymous, ie not bound to any identity record at the AA" Source: IQA paper.]

[114 Design of online authentication for government: summary of recommended approach - July 2003]

[115 Both the Hong Kong government Smart Identity Card (SMARTIC), about to be rolled out, and the proposed Queensland government 'smart' driver licence provide multi-functionality, including the option of a digital signature/certificate. Both schemes have been/are controversial on privacy grounds, although the introduction of the Hong Kong SMARTIC has been made easier by the population's familiarity with an existing ID card. Recent proposals for an Identity Card in the UK are also very controversial.]

[116 There was little or no mention of a photograph in the early documentation, but it has emerged and become more significant as the design has evolved.]
[117 Blueprint: Authentication for e-government, July 2003]
[118 NZ Customs Service Biometrics Briefing Paper, June 2003. See also http://www.customs.govt.nz/about/news/biometrics+110903.html.]
[119 European Data Protection Commissioners - Article 29 Working Party Working Document on biometrics, adopted 1 August 2003 - see http://europa.eu.int/comm/internal_market/privacy/index_en.htm. The Australian Privacy Commissioner has also written on the subject - see http://www.privacy.gov.au/news/speeches/sp80notes.htm]
[120 DIA claim high levels of success with face-recognition technology, including in one-to-many matching, but no detailed published evidence appears to be available. See also footnotes to para 3.74.]
[121 See Biometrics Discussion Paper, v 0.3 9 October 2003, 3.6 para 39]
[122 DIA notes that there has been no such pressure from other agencies for use of the photographs held in the Passport system, but we suggest that greater awareness of face recognition capability, and the perception that the AA is a common service for all-of-government would make such pressure much more likely in the future.]
[123 Trials of 'Smartgate' by Australian Customs at Sydney airport - although the government has claimed success for these trials, no results have been published and there has been critical media coverage.]

[124 Interviews with DIA Identity Services Division personnel.]
[125 eg: trials in the City of Tampa, Florida, and at Logan airport in Boston have reportedly been abandoned. See http://www.aclu.org/news/2001/n010302a.html and Sydney Morning Herald 23 August 2003 and http://www.usatoday.com/usatonline/20030902/5460651s.htm (both sites accessed 24 November 2003)]
[126 Doubts have been raised about whether username/password systems can allow for identical usernames - this needs to be resolved before this can be promoted as a positive feature.]

[127 The question of whether Credential Holders would be entitled to obtain the Key Serial Number(s) (and their Credential serial number) under the Access Principle of the Privacy Act is discussed below.]

[128 See also paragraph 3.151 concerning the possibility of having multiple Key Serial Numbers for each Key.]
[129 In the Australian federal Privacy scheme, there is both a general unique identifier principle and a specific set of controls on the use of the tax file number.]
[130 There should be clear criteria for referral eg: will the AA be informed of any failed attempt to associate a new Key, or to authorise an RVI.]
[131 Consideration is being given to a challenge-response process to avoid the need for this requirement]
[132 The question of what access to the AA database the shopfronts would require has yet to be specified, and involves security considerations.]

[133 See Review of the Centre papers on SSC website http://www.ssc.govt.nz/]

[134 Preliminary Authentication Agency Analysis v 0.4 18 August]
[135 also known as data protection]

[136 although the Privacy Commissioner has some functions in relation to these wider issues - Privacy Act, s.13.]

[137 As amended - there have been several amendments to the Code since it was first issued, most recently in 2000.]
[138 Other Codes issued by the Commissioner deal with specific issues and should not be relevant to this scheme]

[139 See Implementation Principle - Legal compliance]
[140 It is assumed that the operation of the scheme is consistent with the Bill of Rights Act - at least one agency consulted asked this in the wider context of the constitutionality of the scheme.]
[141 Draft Principles for Evidence of Identity and Draft EOI framework, 10 September 2003]
[142 Although only at the level of contact with an agency, with no details of the service sought or provided. Nevertheless, it will often be possible to infer other information from the fact and timing of the contact.]
[143 Authentication Project: Policy Work Programme (Phase 1) V.0.1 21 July 2003, paragraph 14.]

[144 PA s.2 Interpretation of 'Unique Identifier']

[145 Part (b) of the definition]

[146 Part (a) of the definition]
[147 Necessary and Desirable, Review of the Privacy Act 1993, March 1998, Recommendation 28]
[148 See discussion in Necessary and Desirable, Review of the Privacy Act 1993, March 1998, paragraphs 2.14.5-2.14.7]
[149 Assuming association of a Key Serial Number with a client record for the purposes of the SA (emphasis added) is held to be an 'assignment' under IPP 12. Interpretation of this provision by the OPC to date has been that mere recording of another (first) agency's UI, or even its use only for the original purpose of its assignment, does not constitute assignment by the second agency. It could be argued that an SA would only be recording a Key Serial Number for the purposes for which that serial number had been assigned.]
[150 thereby invoking s.7(4) - an action is not a breach of ...[IPP 12] if that action is authorised by or under law.]
[151 PA s.46]

[152 PA s.54]

[153 Blueprint: Authentication for e-government, July 2003, p6.]
[154 Harm or detriment is usually required before a breach of an IPP becomes an actionable 'interference with privacy'. PA s. 66 (1)(b).]
[155 http://www.privacy.gov.au/publications/IS6_01.html]

[156 See in particular Clarke R. (2001) Introduction to Information Security, at http://www.anu.edu.au/people/Roger.Clarke/EC/IntroSecy.html especially sections 2 and 3, and Appendices 1 and 3; and the many texts and leading articles identified in the Bibliography to that paper.]
[157 at http://www.e-government.govt.nz/see/]
[158 The Privacy Act only allows requests for access or correction (information privacy requests) to be made by NZ citizens and permanent residents or by others while physically in New Zealand (Privacy Act s.34). To ensure equity, either the legislation authorising the scheme, or an amendment to the Privacy Act, should extend these rights to all Credential Holders, wherever they are located.]
[159 Privacy Act s.30 implies that a Privacy Commissioner Code of Practice or s.54 authorisation would not suffice.]
[160 Exemptions (a) and (b) in s.29 are relevant, as may be s.27 (1)(c) if refusal of an application had led to law enforcement activity.]
[161 For instance it is understood that the Department of Immigration has assigned common birth dates to some refugees. Many other people may have no documentary evidence of date or place of birth.]
[162 See paragraph 3.116.]
[163 Privacy Act s.7]
[164 The penalties applying to various Identity Services functions within DIA provide a precedent.]
[165 It is intended that there be some tolerance built in to the system eg: for a limited number of attempts to enter a password.]
[166 Privacy Act s.97]

[167 Although almost any matching, even if it is primarily directed to positive outcomes, could nonetheless be seen as having adverse consequences, where, for instance, someone was found to be ineligible for a benefit or assistance.]
[168 There is however a widespread belief that terrorism prevention and detection is being used in many jurisdictions as a convenient but unjustified excuse for extensions of the powers of some law enforcement and intelligence agencies.]

[169 Privacy Act, Fourth Schedule - Information Matching Rules - Rule 3.]
[170 Although the Commissioner may well seek to impose conditions - Privacy Act, Fourth Schedule, Rule 3(2).]

[171 EDS Information Privacy Code 1997, expired 30 June 2003 (replaced with undertakings from the contractor).]
[172 Privacy Act s.10]
[173 Necessary and Desirable, Review of the Privacy Act 1993, March 1998, Recommendation 35(a)]
[174 see footnote 165]

[175 The need for this is recognised by the Project Team - see paper Identification of a Review Body, version 1.1 31 October 2003, paragraph 24.]

[176 The Project Team has also identified the Human Rights Commission jurisdiction. While important, this is not considered further in this paper, although some of the findings may be relevant.]
[177 See paper Identification of a Review Body, version 1.1 31 October 2003. The table at paragraph 22 of that paper underestimates the categories of complaint which would involve an Information Privacy Principle or Information Matching Provision.]
[178 Interferences with privacy are breaches either of any of the IPPs, of provisions of a Public Register Code of Practice issued under s.63, or of the Information Matching provisions (Part X); which have an adverse effect on an individual (Privacy Act s.66)]

[179 Privacy Act s.88]
[180 Privacy Act s.72]

[181 Privacy Act s.13(1)(b)]
[182 Privacy Act s.13(1)(c)]

[183 Both the Privacy Commissioner and the Ombudsmen can require a complainant to have first taken an issue up with the agency concerned. This could generally apply to complaints about the authentication scheme, with complaints going first to the AA, and SA or a KP as appropriate, but only where responsibility was clear. It seems likely that in at least some situations it will not be clear which agency is responsible and one or more agencies must be prepared to take on a clearing house role. A new Review Body could readily perform this role.]

[184 Estimated by the Project team to be significantly higher than the marginal costs of absorbing functions into existing agencies.]
[185 See last footnote to para 3.81]
[186 At least one agency consulted raised the issue of liability in relation to the Review Body role, and in particular the different status of government departments, Crown entities (such as the Privacy Commissioner) and Officers of Parliament (the Ombudsmen).]

[187 The new section 252 of the Crimes Act, which took effect from 1 October 2003, may be relevant]
[188 Privacy Commissioner (1998) Necessary and Desirable: Privacy Act 1993 Review, paragraphs 12.18.6-12.18.18.]
[189 Even if changes require legislative amendments, it may not be enough to rely on normal parliamentary processes - significant changes should be examined by a review committee representing a range of interests before the amendments are introduced.]