C. The privacy analysis
Authentication of identity is an accepted part of a number of existing offline government transactions. In fact there is legislation covering some government services which requires authentication for some transactions. In some cases, this also applies to business transactions (opening a bank account for a new customer; see the Financial Transactions Reporting Act 1996). Other examples include presenting a passport or similar documentation to apply for a motor vehicle driver's licence.
Electronic authentication is already being developed or is in use for certain online government services (for example, Landonline systems [LINZ] and the New Zealand Immigration Service visa extension applications). The need for authentication is generally accepted. While the need for authentication as it relates to the transactions of government is clear, it is the method of achieving it and its application in an online situation that is at question.
As outlined in section 4, there are four models currently being considered for inclusion in the proposed authentication solution. This preliminary privacy assessment has identified a number of privacy-related issues, ranging from issues about storage to questions about how to obtain informed consent. The specific issues that have been identified are set out in Appendix 4 (Identified Areas for resolution). It is recognised that, once Cabinet has decided how to proceed with online authentication, these issues will need to be explored further in a formal privacy impact assessment and addressed in detailed design.
The sections below comment on the following key areas:
- compliance with the Privacy Principles set out in Section 6 of the Privacy Act 1993;
- compliance with Part X of the Privacy Act; and
- the adequacy of the legislative provisions to allow the Privacy Commissioner to investigate privacy complaints relating to online authentication.
1. Compliance with the Privacy Principles
1.1 General comment
This preliminary analysis suggests that while there are likely to be some issues requiring resolution during detailed design, the proposed authentication models could be implemented in a manner that complies with the majority of the Privacy Principles.
Compliance will be contingent on there being a clear purpose and/or authority for the collection and use of all information used in the authentication process. Difficulties may arise if data is collected during the authentication process for purposes other than authenticating a transaction, without a clear authority for that collection to take place. Potential issues include:
- the need to justify the collection of personal data that will also need to be held by service agencies for operational purposes;
- compliance with the Privacy Principle 8 requirement to check accuracy before use; and
- in some of the models being considered, the need to develop a process to deal with authentication agencies advising service agencies of corrections.
Aspects of the four models currently being considered include options relating to centralisation of the collection and storage of personal information. In general, neither the centralised nor the distributed models are necessarily more 'Privacy Act compliant'. However, the risk of a breach of the Principles may be greater if more parties are involved in providing 'centralised' authentication services.
1.2 Principle 12
The EGU Online Authentication Solutions Design team has recommended that New Zealand adopt an identity system based on username and password, similar to that used in the online banking environment. Future developments may include the use of biometrics (such as thumb prints, possibly combined with an identity card) but this is not proposed at this time. Nevertheless, the question arises as to whether the proposed use of an authentication credential comprising a username and password in fact constitutes a unique identifier as defined in Principle 12.
According to the Privacy Act 1993 a unique identifier is an identifier:
- that is assigned to an individual by an agency for the purposes of the operations of the agency; and
- that uniquely identifies that individual in relation to that agency;
but, for the avoidance of doubt, does not include an individual's name used to identify that individual.
Use of the authentication credential is central to all of the models currently being considered for inclusion in the authentication proposal. If it is determined that the credential is in fact a unique identifier then Principle 12 applies. There are four clauses to this Principle; these deal respectively with:
(1) specification of purpose;
(2) assignment of common identifiers;
(3) accuracy; and
(4) disclosure.
The first clause states that an agency should not assign a unique identifier unless it is necessary to enable the agency to carry out any one or more of its functions efficiently. The purpose of authentication is to confirm the identity of the person carrying out a transaction (i.e. to uniquely identify that person), therefore a valid argument for assigning the credentials exists.
While the Principle allows for the same unique identifier to be used by agencies who are "associated persons within the meaning of section OD7 of the Income Tax Act 1994", the use of common identifiers by any other groups of agencies is specifically prohibited in section 12(2). If the credential is a unique identifier then all of the authentication models contravene this Principle.
Clause (3) specifies that identifiers should be assigned only where an agency has taken steps to ensure that an individual's identity has been established. Such a process is fundamental to the enrolment process of all of the authentication models and therefore they comply with this aspect of Principle 12.
The final clause deals with disclosure of identifiers and states that an individual should not be required to disclose their identifier unless the disclosure is for a purpose associated with the assigning of the identifier. For this reason, if the credential is a unique identifier, it is important that a clear and comprehensive description of the credentials' purpose is agreed prior to the implementation of the authentication solution.
2. Compliance with Part X
Information matching and the related guidelines are set out in Part X of the Privacy Act 1993. The definition of information matching contained within Section 97 means that a match is deemed to have taken place where the exchange of information is for the purpose of producing or verifying information that may be used to take adverse action against an individual. The definition of adverse action is not exhaustive, and there is precedent for a 'loss of privilege' being seen as equating to an individual having to interact with an agency in a 'non-standard' manner.
Two aspects of the proposed implementation options potentially meet the definition of information matching. The proposal for an authentication agency to obtain verification of an individual's identity from a trusted referee may be deemed to be the type of comparison that is information matching, particularly if a possible outcome of the exchange is that an individual is refused an authentication account or has to provide documentary evidence because the exchange has not provided sufficient, substantive, satisfactory information.
Authentication transactions that entail a two-way exchange resulting in personal information being produced or verified are also likely to meet the definition of information matching. It is worth noting, however, that a model predicated on authenticating transactions only by testing the validity of the credential, with no exchange of personal information, would not be information matching.
It is acknowledged that a data exchange constitutes information matching if it meets the Privacy Act definition and that there is no exemption from meeting the provisions relating to information matching if the definition applies. These provisions include the information matching rules and range from detailed operational considerations to the need for formal inter-agency agreements. It is also recognised that the information matching provisions necessitate an enactment to ensure that the matching programme has an appropriate legislative framework and is specifically listed in the schedules of the Privacy Act.
3. Adequacy of privacy complaints legislation
It is appropriate to consider the adequacy of existing legislation to allow the Privacy Commissioner to investigate privacy complaints relating to electronic authentication. Part VIII of the Privacy Act defines complaints and the procedure for lodging complaints. It also allows for intervention by the Privacy Commissioner where there has been 'misconduct' and establishes the role of the Complaints Review Tribunal in dealing with privacy complaints. Section 88 deals with the awarding of damages in cases where breaches of privacy have had serious implications for the individual(s) concerned. Part IX specifies the proceedings of the Commissioner in investigating complaints.
Irrespective of which aspects of the models are incorporated into the authentication proposal, these Parts of the Act are relevant in the event of any complaints being made about processes or operation breaching the Act. Subject to discussion with the Office of the Privacy Commissioner, consideration of the adequacy of these provisions to investigate complaints relating to electronic authentication will be included in the scope of the detailed Privacy Impact Assessment to be completed later.
Summary Point 8
Authentication of identity is an accepted part of transacting with government. This report considers the privacy implications that are specific to electronic authentication.
This privacy assessment has identified a number of privacy-related issues that will need to be considered further during the formal Privacy Impact Assessment and the detailed design of any online authentication solution.
The proposed authentication solution could be implemented in a manner that complies with the majority of the Privacy Principles. However, clarification is required as to whether an authentication credential, comprising a username and password, constitutes a unique identifier and complies with all of the requirements of Principle 12.
Aspects of the proposed implementation options potentially meet the definition of information matching. Information matching programmes must comply with the rules specified in the Privacy Act and all matching programmes require specific legislative provisions.
Subject to discussion with the Office of the Privacy Commissioner the detailed Privacy Impact Assessment will include a review of the adequacy of the current provisions authorising the Privacy Commissioner to investigate privacy complaints relating to electronic authentication.