Authentication Principles
The following principles were approved by the Cabinet Committee on Government Expenditure and Administration (EXG) on 16 April 2002. Cabinet confirmed the recommendations of the Committee on 22 April 2002.
Policy Principles
The following policy principles apply to the authentication of online G2P (Government to Person) transactions:
| Policy Principle | Explanation |
|---|---|
| Security | Suitable protection must be provided for information owned by both people and the Crown |
| Acceptability | Ensuring that the proposed authentication approach is generally acceptable to potential users, taking into account the different needs of people and emerging industry standards, and avoids creating barriers |
| Protection of privacy | Ensuring that the proposed authentication approach protects privacy appropriately |
| All-of-government approach | Balancing public and agencies' concerns about independence with the benefits of standardisation while delivering a cost-effective solution |
| Fit for purpose | Avoiding over-engineering, recognising that the levels of authentication required for many G2P transactions will be relatively low |
| Opt-in | Ensuring that members of the public retain the option of authenticating their identity and carrying out transactions offline and are not disadvantaged by doing so. However, it will not be possible for an individual to conduct secure online G2P transactions without the use of the appropriate authentication process. |
Implementation Principles
In considering the options for implementation, the following principles will be followed:
| Implementation Principle | Explanation |
|---|---|
| User focus | Ensuring the recommended solutions are as convenient, easy to use and non-intrusive as possible |
| Enduring solution | Providing a solution that is enduring yet sufficiently flexible to accommodate change and a wide range of current and future transactions |
| Affordability and reliability | Ensuring the recommended solutions are affordable and reliable for the public and government agencies |
| Technology neutrality | Ensuring a range of technology options is considered, and as far as possible avoiding 'vendor capture' |
| Risk-based approach | Providing an approach based on agreed trust levels that protects identity and personal information |
| Legal compliance | The solution must comply with relevant law, including privacy and human rights law |
| Legal certainty | Relationships between the parties should be governed in a way that provides legal certainty |
| Non-repudiation | The issue of non-repudiation must be considered for those transactions that require it, so that the risk of transacting parties later denying having participated in a transaction is minimised |
| Functional equivalence | Authentication requirements should be similar to those that apply to existing transactions except where the online nature of the transaction significantly changes the level of risk |