- TRUST FRAMEWORK FOR DIGITAL IDENTITY
- Trust Framework Authority
- Share your information in a digital format
- Benefits of using digital identity services
- Trust Framework Authority accreditation mark
- Trust Framework legislation
- Administering bodies
- Trust Framework Register
- Accreditation & maintenance
- Forms and guidance
- Independent evaluators
- Resources
- Make a complaint
Maintaining accreditation
Obligations providers must meet
There are obligations on providers to enable them to keep their accreditation. Providers must ensure that the service(s) they deliver continue to meet the requirements of the:
- Digital Identity Services Trust Framework Act 2023 — New Zealand Legislation website
- Privacy Act 2020
- Digital Identity Services Trust Framework Regulations 2024 — New Zealand Legislation website
- Digital Identity Services Trust Framework Rules in place at the time of their accreditation
- Identification standards - Digital Government website
- Terms of use of the accreditation mark.
Maintaining records and reporting
Providers must collect and keep the information required by the Regulations about their activities and provide it to the Trust Framework Authority periodically as required or at all reasonable times on request. Providers must report to the Trust Framework Authority according to the requirements set out in regulation 19 (Six monthly reports and annual reports). Contact the Trust Framework Authority at TFA@dia.govt.nz for copies of the reporting templates.
Notify the Trust Framework Authority of any incidents
Providers must notify the Trust Framework Authority as soon as reasonably practicable of any incidents relating to the Trust Framework Provider, or to an accredited service, in accordance with Regulation 20. Ideally this would be within 72 hours of becoming aware of the incident. This includes actual or suspected events, including a cybersecurity event or fraud, that do, or would do, any of the following:
- adversely affect privacy or confidentiality
- adversely affect he integrity or availability of an accredited service
- cause or risk causing serious harm to a Trust Framework participant.
This obligation is in addition to any a provider’s obligation to notify the Privacy Commissioner of a notifiable privacy breach under section 114 of the Privacy Act 2020.
Trust Framework Authority must be told of changes to information
Providers and applicants are required to inform the Trust Framework Authority of changes to key information or specified information. This include changes to information that has been provided in an application for:
- accreditation
- reconsideration
- renewal
- provisional accreditation.
Note that under section 100 of the Act it is an offence to fail to the tell the Trust Framework Authority of a change to key information or specified information.
To inform the Trust Framework Authority of these changes, contact TFA@dia.govt.nz.
Other changes
Providers may also want to make other changes to their accreditation, for example:
- adding an attribute to a credential
- removing an attribute from a credential
- changing the way a derived value is measured
- changing the level of assurance of an attribute
- exiting a service.
For any of the above changes, contact the Trust Framework Authority at TFA@dia.govt.nz.
What changes may mean for your accreditation
If you make any changes, it may affect your accreditation. The Trust Framework will assess the impact of the change(s) and inform you if there is any impact on your accreditation.
Investigations
The Trust Framework Authority may conduct investigations of Trust Framework providers. This may be in response to a complaint where the Trust Framework Authority identifies that a breach appears to have occurred, or on its own initiative into a matter that could have been the subject of a complaint.
