Executive Summary

This update to the December 2003 Privacy Impact Assessment (PIA) addresses developments in the Online Authentication project since that time, specifically the implications of the recommended Initial Implementation.

Given that the long term objectives of a centralised authentication infrastructure and ID Credential remain unchanged, most of the privacy issues remain valid, as do the recommendations as to how they should be addressed.

Some of the privacy issues will not arise in the Initial Implementation, but these should continue to be addressed in the policy and standards work and in the further investigation of evidence of identity and the role of ID credentials.

The shared key pilot, which will form part of the Initial Implementation, will involve the collection and use of some personal information, and further assessment of the privacy implications is recommended as the detailed design of the pilot is developed.

This update identifies which of the recommendations from the December 2003 PIA need to be addressed in which Components of the Initial Implementation.

Four further recommendations are made, dealing with the locking in of privacy protection; presentation of PI findings; governance arrangements; and continued consideration of alternative approaches to Credentials.