National Library of New Zealand
Harvested by the National Library of New Zealand on: Jul 3 2006 at 4:42:47 GMT
Draft Evidence of Identity Standard (html version)

Issued for public consultation

22 September 2005
Version 1.0


This Standard is one of the New Zealand e-Government Interoperability Framework (NZ e-GIF) Authentication Standards. These outline good practice guidance for the design (or re-design) of the authentication component of online services – where these services require confidence in the identity of the transacting parties. These standards give effect to the planning advice from the State Services Commission’s 2004 Authentication for e-government: Best Practice Framework for Authentication.

This Standard sets out the requirements for establishing the identity of individuals seeking government services. It should be used for all services, regardless of the delivery channel (i.e. it applies to both online and offline service delivery). It has been prepared for use by New Zealand government agencies.

The Standard will help to ensure that agencies implement evidence of identity (EOI) processes that are appropriate to the services they deliver and that adhere to current accepted good practice.

‘Evidence of identity’ refers to the types of evidence that, when combined, provide confidence that individuals are who they say they are. Government services containing identity-related risk will require an evidence of identity process, the comprehensiveness of which will depend on the level of identity-related risk in the particular service. This Standard provides guidance on how to design and operate these EOI processes appropriately.

Application of this Standard will assist with the management of identity theft and fraud, and the consequences that arise from these activities. However, application of this Standard does not guarantee complete mitigation of these risks, nor will it prevent cases of administrative error in relation to the establishment of an individual’s identity. Agencies should therefore apply this Standard alongside, not instead of, other good practice initiatives that assist in the reduction of identity theft and fraud and that prevent administrative error.

This Standard supersedes the Evidence of Identity Framework published in October 2004 (



Part 1 – Introduction And Overview
1.1 Purpose
1.2 Objective
1.3 Standardising EOI business processes
1.4 Contextual factors
1.5 Authentication Standards
1.6 Scope
1.7 Application of Standard
1.8 NZ e-GIF status
1.9 Accessing advice about this Standard
1.10 Document structure
1.11 Interpretation

Part 2 – Minimum Standard Requirements
2.1 EOI process overview
2.2 Minimum EOI process phases
2.3 Minimum process step requirements

Part 3 – Guidance Material
3.1 Navigating the guidance material
3.2 Core concepts for establishing identity
3.3 Risk assessment phase
3.4 Design and operation phase
3.5 Service delivery phase
3.6 Monitoring and evaluation phase

Appendix A: EOI ‘Primary’ documents/records referenced in this Standard
Appendix B: EOI ‘Supporting’ documents/records referenced in this Standard
Appendix C: Change of name, adoption and gender reassignment information

Working group representation
Referenced documents
Latest revisions
Review of standard

Part 1 Introduction and Overview

1.1 Purpose

The purpose of this Standard is to provide good practice guidance for government agencies about the required process for initial establishment of an individual’s identity. The process applies to government services where confidence in the individual’s identity is required because of the types of risk contained within those services.

Use of this Standard will give the agency greater confidence in an individual’s identity, prior to delivery of a service to that person. This initial establishment of identity is an important means by which agencies can manage the risks to their business objectives that result from the incorrect attribution of identity.

1.2 Objective

The objective of this Standard is to give the agency greater confidence in an individual’s identity, prior to delivery of a service to that person. This will help to:
• provide consistency of customer experience when seeking services of a similar nature from different government agencies
• provide confidence for the public that the EOI they are asked to provide is fit for the purpose of the particular service they wish to access from an agency
• reduce the risk of identity theft occurring and the downstream criminal activity that this facilitates, including organised crime
• protect individuals from others stealing and using their identities to access government services
• provide confidence that privacy concerns are addressed for evidence of identity processes used by governments.

1.3 Standardising EOI business processes

The minimum requirements outlined in Part 2 relate to the EOI process steps that an agency shall undertake. How these process steps are implemented may vary, depending on the individual agency’s context and objectives. Guidance material is provided within this Standard to assist agencies to complete each of the required EOI process steps.

1.4 Contextual factors

There are a number of contextual factors that are important to be aware of when applying this Standard. These include the following:

• Identity-related risk is only one aspect of the overall risk associated with any given agency service (see 3.3.2). Implementation of an appropriate EOI process helps agencies manage the identity-related risk associated with particular services, but may have no effect on other aspects of a service’s risk profile.
• There is an identity-related risk continuum on which services sit. Where a service sits on this continuum depends on the type and extent of identity-related risk particular to that service (see 3.4.2).
• It is essential that the level (if any) of identity-related risk is determined for any given service before agency decisions are made regarding the EOI process that needs to be implemented. This is because the level of identity-related risk in the service will determine the stringency of EOI requirements placed on individuals seeking to access that service. Just as the identity-related risk levels for services sit on a continuum, so does the level of confidence required in individuals’ identities (see 3.4.7).
• Creation of false identities can occur through avenues other than at the initial establishment of identity, such as through internal infiltration of an agency’s systems. For this reason, it is critical that an agency implement the EOI Standard alongside, not instead of, other identity-related risk management processes.
• Effective implementation of an EOI process depends on appropriate EOI requirements (i.e. what individuals are required to provide by way of identity-related information and documentation) when accessing particular agency services (see 3.4.16).
• Effective implementation also depends on the manner in which the EOI process is managed internally. For example, it is critical not only that agencies require individuals to provide the correct documentary evidence, but also that agencies have the appropriate in-house processes in place (such as internal controls and staff training) to ensure that the process achieves the outcomes it has been designed to achieve (see 3.4.9).

1.5 Authentication standards

This Standard is part of the NZ e-GIF authentication standards for online service delivery. This suite of standards provides detailed guidance for agencies to follow when designing authentication solutions. In particular, the standards enable agencies to determine the level of risk for each of their services and to identify appropriate evidence of identity requirements and authentication key technologies.

Most online services delivered by government agencies are either anonymous (such as when someone downloads a brochure from an agency’s website) or have low levels of identity-related risk (such as when someone changes their address details). Services with low levels of identity-related risk are typically authenticated using minimal levels of evidence of identity requirements and a username and password for ongoing confirmation of identity.

NOTE –
Change of address is a generic example. For some services, change of address may have a high level of identity-related risk.

To meet the Networked State Services Development Goal (operation of government transformed through the use of the Internet by June 2010), agencies will need to provide online services that have higher levels of identity-related risk. This will necessarily require the implementation of authentication solutions with more rigorous evidence of identity requirements and higher strength authentication keys.

Table 1 describes the purpose of each of the authentication standards. The standards are listed in the order in which they are intended to be used by agencies.

Table 1 – Authentication Standards

Standard name – Purpose
Guide to Authentication Standards for Online Services – Provides a high-level overview of the NZ e-GIF authentication standards.
Evidence of Identity Standard – Specifies a business process for establishing the identity of government agency customers. Applies to services delivered through both offline and online channels.
Authentication Key Strengths Standard – Specifies the authentication keys to be used for online authentication and the protections necessary for the authentication exchange.
Data Formats for Identity Records Standard – Specifies data formats for a set of customer information data elements that government agencies may utilise in customer identity records.
Password Standard – Specifies requirements for passwords used for online authentication.
Other authentication key standards (to be developed) – Specify the requirements for two-factor authentication keys used for online authentication.
Security Assertion Messaging Standard – Specifies messaging standards for communicating authentication assertions.
1.6 Scope

1.6.1 Establishing identity versus confirming identity
This Standard’s focus is on an agency’s initial contact with an individual seeking a service, or services, that have a level of identity-related risk. Agency contact with that individual, thereafter, will require the agency to have a means of confirming that the individual is the same person who established their identity with the agency at the outset. This latter type of contact is not in the scope of this Standard.

Agencies should determine the channels through which they will deliver services and the methods to be used for confirming the identity of individuals after the initial establishment stage. Where the agency is delivering a particular service through an online channel, the suite of Authentication Standards shall be referred to (see 1.5).

1.6.2 Establishing identity versus entitlement
The vast majority of services that require the establishment of identity will also involve a need for the individual to meet eligibility (or entitlement) criteria. Eligibility criteria are directly linked to the type of service being provided. For example, an entitlement criterion for the issuance of a New Zealand Passport is that the individual is a New Zealand citizen. In most cases, agency processes used to establish both identity and eligibility for particular services will be implemented simultaneously. However, agencies should undertake process design activities separately to ensure that the objectives of both the EOI process and eligibility testing processes are met with integrity through the processes implemented.

While an EOI process will assist in the management of the identity-related risks associated with a particular service, it will not manage the risk of eligibility (or entitlement) fraud occurring.

1.7 Application of Standard

This Standard has been developed specifically for use by New Zealand government agencies. Agencies shall apply this Standard to all services they deliver to the public that contain identity-related risk.

This Standard is applicable whether a particular agency service is delivered through online or offline channels, or both.

Private sector organisations may choose to apply this Standard for the services they deliver to the public that contain identity-related risk. This Standard may also be used by agencies, both public and private, for recruitment into positions where confidence in the identity of the person being recruited is required.

NOTE –
In some cases complete application of this Standard will not be suitable, due to the nature of a service’s customer base (e.g. where the service’s customer base is made up of overseas-based customers, for a law-enforcement related service, or where the identities of certain customers are protected). In these cases, agencies should use exception processes that are aligned as closely as possible to the content of this Standard.

1.8 NZ e-GIF status

Upon approval by the e-GIF Management Committee, this Standard shall enter the e-GIF as Under development (U), and graduate to Recommended (R) after a successful, documented implementation. The Standard is expected to graduate to Adopted (A) once there is a track record of proven successful implementation.

Advice regarding the current e-GIF status of this Standard can be obtained from:

e-GIF Operations
State Services Commission
Postal: PO Box 329, WELLINGTON
Phone: 04 495 6600
Fax: 04 495 6669

1.9 Accessing advice about this Standard

The Department of Internal Affairs (DIA) is Custodian of this Standard and shall be notified:
• where an agency requires advice on the meaning or implementation of any aspect of this Standard
• where an agency requires supplementary guidance on issues relating to identity information management
• where an agency that issues documents/records referred to within this Standard (see Appendices A to C) changes the issuance process for that document/record. (This is required because a change in issuance process may require amendment to how the particular document/record is reflected in the Standard.)

The EOI Standard Custodian can be contacted at:

1.10 Document structure

This Standard consists of three parts, and Appendices A, B and C, as set out below:

Part One – Introduction and Overview: Outlines the purpose, scope and application of this Standard.
Part Two – Minimum Standard Requirements: Outlines the minimum process step requirements that agencies shall follow to comply with this Standard.
Part Three – Guidance Material: Provides guidance material for agencies on how to implement the minimum standard requirements outlined in Part Two. This guidance material is presented in order of the minimum process steps required of agencies.
Appendices A, B, C – Documents/Records Used for EOI Processes: Provides detail on the issuance processes behind, and appropriate uses of, the identity-related documents and records referred to within this Standard. The Appendices should be referred to when agencies are designing the evidential requirements to be placed on service customers.

1.11 Interpretation

The following words, defined in SNZ HB 104:2001, are used in this Standard:
• “Shall” – identifies a mandatory requirement for compliance with this Standard.
• “Should” – refers to practices that are advised or recommended.

When cross-referencing to other clauses or clause subdivisions within this Standard, the number only is quoted.

The full titles of referenced documents cited in this Standard are given in the list of referenced documents at the end of the Standard.

1.11.1 Definitions
For the purposes of this Standard, the following definitions (1) shall apply:

Agency – Any government organisation that applies this Standard.
Anonymous service – A service that does not require the user to be identified or require protection of a user’s identity. For example, access to publicly available online publications.
Attributed identity – The attributes of a person’s identity that are present from birth, for example birth name, and date and place of birth.
Benchmark – Evaluation or checking of processes by comparing with a standard point of reference.
Biographical information – Record of the events that occur during a person’s lifetime, for example birth registration, employment history and marriage or civil union registration.
Biometric information – Physical and behavioural attributes of a person, for example their facial features, DNA profile, retina, iris, voice and fingerprints.
Biometric recognition – The process of matching an input biometric to stored biometric information. In particular, biometric recognition refers to comparing the biometric input from an individual to the stored biometric template about that individual. Examples of biometrics include face images, fingerprint images, iris images, retinal scans, etc.
Business processes – A series of steps (i.e. related activities) followed to achieve a given outcome. A process has several key characteristics, including: specific measures that determine if it is done correctly, and that enable it to be repeated multiple times; it consumes resources such as time, money and/or energy; and it responds to quality control mechanisms that can help the process be done more efficiently.
Consequence – Outcome or impact of an event.
NOTE –
(1) There can be more than one consequence from one event.
(2) Consequences can range from positive to negative.
(3) Consequences can be expressed qualitatively or quantitatively.
(4) Consequences are considered in relation to the achievement of objectives.
Discrepancy – Situations where an individual has supplied identity-related documents or information that may have an inconsistency requiring further investigation.
e-GIF – E-government Interoperability Framework – a collection of policies and standards endorsed for New Zealand government information technology (IT) systems.
Electronic verification – Verification of the accuracy of information through electronic checks of information records such as electronic databases.
Evaluation – Systematic review of processes to ensure that business processes are still effective and appropriate.
Event – Occurrence of a particular set of circumstances.
NOTE –
(1) The event can be certain or uncertain.
(2) The event can be a single occurrence or a series of occurrences.
Evidence of identity (EOI) – The types of evidence that, when combined, provide confidence that an individual is who they say they are.
Evidence of identity process – Process by which an agency establishes confidence in an individual’s identity.
Evidence of identity process risks – Any risk created through an EOI process.
Exceptions/exception case – Individuals (or a group of individuals) who, for genuine reasons, are unable to meet the EOI requirements set out in this Standard.
False identities – Situations where a person uses an identity that is not their own (in some cases, this can be for legitimate reasons).
Frequency – A measure of the number of occurrences per unit of time.
Identification – Process of associating identity data with a particular person.
Identity – A set of attributes and/or data linked to an individual person.
Identity data/information – Data/information pertaining to an individual’s identity.
Identity-related risks – Any risk, for a particular service, that results from an individual’s identity being incorrectly attributed.
Identity fraud – The gaining of money, goods, services, other benefits or the avoidance of obligations through the use of a false identity.
Identity manipulation – Alteration of one or more elements of identity (e.g. name, date of birth) to dishonestly obtain an advantage.
Identity theft – Theft or assumption of a pre-existing identity (or significant part thereof), with or without consent, and whether, in the case of an individual, the person is alive or dead.
Internal controls – Any policies, procedures, techniques and mechanisms put in place to minimise process failure and help ensure that actions are taken to address risks.
Likelihood – Used as a general description of probability or frequency.
NOTE – Can be expressed qualitatively or quantitatively.
Monitor/monitoring – To check, supervise, observe critically or measure the progress of an activity, action or system on a regular basis in order to identify change from the performance level required or expected.
Primary data source – The original (i.e. issuing) source of identity data/information.
Primary documents – Those that can be used as part of a process for establishing an individual’s identity (e.g. Birth Certificate, Community Services Card, New Zealand Citizenship Certificate. Other types are set out in Appendix A).
Pseudonymous service – A service that does not require a person to be uniquely identified but requires that the service agency be able to respond to the user – for example, to ‘recognise’ the person when he/she accesses the service on return visits.
Risk – The chance of something happening that will have an impact on objectives.
NOTE –
(1) A risk is often specified in terms of an event or circumstances and consequences that may flow from it.
(2) Risk is measured in terms of a combination of the consequences of the event and their likelihood.
Risk profiling – The process of gathering data on characteristics (e.g. customer behaviours) in order to identify categories of risk.
Risk treatment – Process of selection and implementation of measures to modify risk.
NOTE –
(1) The term ‘risk treatment’ is sometimes used for the measures themselves.
(2) Risk treatment measures can include avoiding, modifying, sharing or retaining risk.
Service – An activity conducted between a customer and a government agency, in accordance with the functions for which that agency is accountable.
Supporting documents – Those that can be used to assist in establishing an individual’s identity, where an individual is unable to provide ‘primary’ documents (e.g. bank statement, student ID card, utility account. Other types are set out in Appendix B).
Trusted referee – A person who is asked to confirm the accuracy of identity information supplied by an individual and who confirms that to their knowledge the information corresponds to that individual.
The two key elements that should exist for a person to be a trusted referee are that:
• they have personal knowledge of the individual being identified
• they are trusted by the agency, according to the agency’s own criteria of sufficient trust.

(1) The terms ‘event’, ‘frequency’, ‘likelihood’, ‘monitor’, ‘risk’, and ‘risk treatment’ are taken from AS/NZS 4360.

Part 2 Minimum Standard Requirements

2.1 EOI process overview

Figure 1 provides a high-level overview of the process steps that an agency shall carry out when implementing any EOI processes for services that require an individual’s identity to be established.

Figure 1 – Overview of evidence of identity model

2.2 Minimum EOI process phases

The main phases of the EOI process, as shown in Figure 1, are described in Table 2.

Table 2 – Phases of EOI process
Risk assessment – This phase involves determining the level of identity-related risk within the services that an agency delivers. The results of the identity-related risk assessment will help determine what, if any, EOI process is required for a particular service.
Design and operation – This phase involves designing EOI processes that are appropriate to the level of identity-related risk (identified during the risk assessment phase) in the particular service. Guidance is provided to ensure operationally appropriate EOI processes are implemented.
Service delivery – This phase is not in scope of this Standard, with the exception of any EOI process that is required before the service can be delivered to an individual.
Monitoring and evaluation – This phase involves the ongoing monitoring of EOI processes and periodic evaluation to ensure that each agency’s EOI business processes and associated outcomes remain consistent with the EOI process objectives that were established as a result of the risk assessment phase.

2.3 Minimum process step requirements

To achieve the minimum requirements of this Standard, agencies shall ensure that they implement the following process steps. These process steps each form part of one of the process phases listed in Table 2.

2.3.1 Risk Assessment Phase
The agency shall undertake an identity-related risk assessment of each of its services. This risk assessment shall involve the following steps:

Step 1 – Establish the context and objectives for the agency’s services
When defining the context within which a particular service sits, the agency shall consider, at a minimum, the following factors:
• The business, social, regulatory, cultural, competitive, financial and political environment in which the service exists
• The agency’s key business drivers
• Resources available to the agency (people, systems, processes)
• The impact of stakeholders (both internal and external to the agency).

Step 2 – Carry out an initial risk assessment
The agency shall determine whether the service results in any of the following:

Financial benefit – Will the individual customer receive a financial payment as a result of the service (e.g. payment of a benefit or grant)?
Non-financial benefit – Will the individual customer receive specific other non-financial benefits as a result of the service (e.g. training)?
Personal information – Will subsequent information about the individual customer be collected and stored by the agency?
Subsequent use for EOI – Will the service result in the issue of a document or data source that can be used subsequently, by the customer, as a form of EOI?

If a positive answer results, the agency shall carry out a formal risk assessment (Step 3).

If the initial risk assessment results in a determination that the service does not contain identity-related risk, no further application of this Standard is required.

Step 3 – Carry out a formal risk assessment

Step 3.1 – Determine consequences of incorrect attribution of identity
The agency shall identify the consequences that could result from the service being delivered to a person whose identity is incorrectly attributed by the agency. Potential consequences shall be considered from agency, individual, non-government organisation and general public perspectives.

At a minimum, the agency shall consider the following risk consequence areas in relation to the particular service:
• Inconvenience, distress, or damage to standing or reputation
• Financial loss or liability
• Harm to agency programmes or the public interest
• Unauthorised release of sensitive information
• Personal safety
• Downstream effects external to the agency.

Having determined whether any of these consequence categories apply for the particular service, an evaluation shall be made of the impact level for each consequence.

Step 3.2 – Analyse and evaluate overall identity-related risk level
The agency shall determine the overall level of identity-related risk in the service, based on the evaluation of the above risk consequence categories and analysis of the likelihood of these consequences occurring. Following this, the agency shall align the service’s overall risk rating with one of the following risk categories:

Service Risk Categories – Description
Nil or negligible – Nil identity-related risk in the service, or a negligible level of identity-related risk in the service.
Low – Low level of identity-related risk consequence in the service.
Moderate – Moderate level of identity-related risk consequence in the service.
High – High level of identity-related risk consequence in the service.

Where the service fits within the Nil or negligible Risk Category, no further application of this Standard is required.

Where the service fits within the Low to High Risk Categories, the agency shall progress to the Design and Operation Phase of the EOI process.

2.3.2 Design and Operation Phase

Step 1 – Determine required EOI Confidence Level
The agency shall determine the level of confidence required in the identity of the individual, in relation to the level of identity-related risk contained in the particular service.

The risk level assessed for a given service corresponds to the level of confidence required by the agency in establishing the individual’s identity. The different EOI Confidence Levels for services where identity-related risk exists are:

Low Identity Risk Service – Low EOI Confidence Level required
Moderate Identity Risk Service – Moderate EOI Confidence Level required
High Identity Risk Service – High EOI Confidence Level required
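As an added worked example (not part of the Standard), the following Python model walks constructed sample services through Steps 2, 3.1 and 3.2 of 2.3.1 and Step 1 of 2.3.2. The screening questions, consequence areas, risk categories and the one-to-one mapping to EOI Confidence Levels are the Standard's; the impact/likelihood combination matrix and the sample services are assumptions, since the Standard leaves the combination rule to the agency.

```python
"""Decision model of the EOI risk assessment phase (added example, not from the Standard)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal ratings shared by impact, likelihood and overall risk."""
    NIL = 0        # 'Nil or negligible' risk category in the Standard
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Step 2 screening questions: any positive answer triggers the formal assessment (Step 3).
SCREENING_QUESTIONS = (
    "financial_benefit",
    "non_financial_benefit",
    "personal_information",
    "subsequent_use_for_eoi",
)

# Step 3.1 consequence areas that shall be considered at a minimum.
CONSEQUENCE_AREAS = (
    "inconvenience_or_reputation",
    "financial_loss_or_liability",
    "harm_to_programmes_or_public_interest",
    "unauthorised_release_of_sensitive_information",
    "personal_safety",
    "downstream_external_effects",
)

# ASSUMPTION: the Standard requires consequence and likelihood to be combined but
# gives no matrix; this one is illustrative only. Rows: worst impact level;
# columns: likelihood LOW, MODERATE, HIGH.
RISK_MATRIX = {
    Level.LOW:      (Level.LOW, Level.LOW, Level.MODERATE),
    Level.MODERATE: (Level.LOW, Level.MODERATE, Level.HIGH),
    Level.HIGH:     (Level.MODERATE, Level.HIGH, Level.HIGH),
}


@dataclass
class Service:
    name: str
    screening: dict    # Step 2: question -> bool
    impacts: dict      # Step 3.1: consequence area -> Level
    likelihood: Level  # Step 3.2: LOW, MODERATE or HIGH


def initial_screen(screening: dict) -> bool:
    """Step 2: True when any screening question is answered positively."""
    missing = [q for q in SCREENING_QUESTIONS if q not in screening]
    if missing:
        raise ValueError(f"unanswered screening questions: {missing}")
    return any(bool(screening[q]) for q in SCREENING_QUESTIONS)


def overall_risk(impacts: dict, likelihood: Level) -> Level:
    """Step 3.2: combine the worst impact with likelihood via the assumed matrix."""
    missing = [a for a in CONSEQUENCE_AREAS if a not in impacts]
    if missing:
        raise ValueError(f"consequence areas not evaluated: {missing}")
    if likelihood == Level.NIL:
        raise ValueError("likelihood must be LOW, MODERATE or HIGH")
    worst = max(Level(impacts[a]) for a in CONSEQUENCE_AREAS)
    if worst == Level.NIL:
        return Level.NIL  # Nil or negligible, whatever the likelihood
    return RISK_MATRIX[worst][likelihood - 1]


def required_confidence(risk: Level):
    """2.3.2 Step 1: risk category maps one-to-one onto the EOI Confidence Level;
    a Nil or negligible service needs no EOI process (returns None)."""
    return None if risk == Level.NIL else risk


def assess(service: Service) -> dict:
    """Run Steps 2, 3.1 and 3.2 and report where the agency goes next."""
    result = {"service": service.name, "risk": Level.NIL, "confidence": None}
    if not initial_screen(service.screening):
        result["next"] = "stop after Step 2: no identity-related risk indicated"
        return result
    risk = overall_risk(service.impacts, service.likelihood)
    result["risk"] = risk
    result["confidence"] = required_confidence(risk)
    if risk == Level.NIL:
        result["next"] = "stop after Step 3.2: Nil or negligible risk category"
    else:
        result["next"] = "proceed to Design and Operation Phase"
    return result


def nil_impacts() -> dict:
    return {a: Level.NIL for a in CONSEQUENCE_AREAS}


# Constructed sample services (illustrative only, not from the Standard).
NO_ANSWERS = dict.fromkeys(SCREENING_QUESTIONS, False)
BROCHURE = Service("brochure download", dict(NO_ANSWERS), nil_impacts(), Level.LOW)
ADDRESS_CHANGE = Service("change of address",
                         {**NO_ANSWERS, "personal_information": True},
                         {**nil_impacts(), "inconvenience_or_reputation": Level.LOW},
                         Level.MODERATE)
BENEFIT = Service("benefit payment",
                  {**NO_ANSWERS, "financial_benefit": True},
                  {**nil_impacts(), "financial_loss_or_liability": Level.HIGH,
                   "harm_to_programmes_or_public_interest": Level.MODERATE},
                  Level.MODERATE)

if __name__ == "__main__":
    for svc in (BROCHURE, ADDRESS_CHANGE, BENEFIT):
        print(assess(svc))
```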

Step 2 – Design and implement EOI process
The agency shall design an EOI process that meets the minimum evidential requirements for the required Confidence Level identified in Step 1. Descriptions of evidential requirements are outlined in 3.4.7 and Table 11 of this Standard. Guidance on good practice processes to support these evidential requirements is contained in 3.4.9.

Where an agency currently has an EOI process in place for the particular service, the design step shall be used to identify and close any gaps between the current process and the minimum requirements of this Standard.

Step 3 – Ongoing operation of EOI process
At a minimum, when implementing an EOI process, the agency shall consider the following operational aspects to ensure that the agency’s ongoing EOI processes meet good practice in each of these areas:
• Privacy considerations
• Internal controls
• Legal considerations
• Transition of business processes (if existing processes need to be modified)
• Complaints handling
• Communication protocols between agencies.

2.3.3 Monitoring and Evaluation Phase

Step 1 – Develop monitoring and evaluation plan
Prior to the EOI process being implemented, the agency shall ensure that monitoring and evaluation processes are in place to enable ongoing effectiveness of operational EOI processes.

Step 1.1 – Design monitoring plan
The agency shall select appropriate performance indicators for monitoring of the EOI process, which will form the basis for later evaluation. The agency’s choice of performance indicators shall take the following, at a minimum, into account:
• Cost to the agency
• Ability to collect the required data/information, and
• Reliability of the performance indicator.

For each performance indicator, the agency shall determine the method of collection and analysis of data/information and the frequency with which collection and analysis will take place.

Step 1.2 – Design evaluation plan
In carrying out evaluation processes, the agency shall, at a minimum, document the:
• rationale for all EOI business processes
• key EOI process objectives to be achieved and the context within which the evaluation is being conducted
• performance indicators used as a basis for the evaluation, and
• results (against those performance indicators) that the agency considers represent outcomes – successful or otherwise.

Agencies shall determine the frequency with which evaluation activities will take place. This decision shall be made prior to any EOI processes becoming operational.

Step 2 – Implement monitoring and evaluation plan
Once the monitoring and evaluation plan and the EOI processes are operational, the monitoring and evaluation processes outlined in the plan (see Step 1) shall commence.

Step 3 – Modify EOI processes (if required)
Where evaluation suggests EOI processes are not adequately meeting objectives, the agency shall consider modifying EOI processes. For any modified EOI processes the following, at a minimum, shall be undertaken:
• Testing of modified EOI processes (before they become operational)
• Updating of the Monitoring and Evaluation Plan to reflect the modified EOI processes.
Last updated: 30/03/2006