Domestic law and policy
New Zealand’s digital ID is regulated by the Digital Identity Services Trust Framework (DISTF). [18] Under the DISTF, a digital identity service is defined as a “service or product that […] enables a user to share personal or organizational information in digital form”. [19] Examples of these services include verifying the accuracy of personal or organizational data, confirming its connection to an individual or entity, and securely facilitating information-sharing between trust framework participants. [20] This framework is designed to ensure privacy, security, and user control over personal data while fostering a trusted digital identity environment. [21]
The Digital Identity Services Trust Framework Regulations (2024) establish assessment criteria for providers, define digital identity services, and outline a complaints process. [22] The legislation mandates that accredited providers maintain an accessible, fair and timely complaints process and consider tikanga Māori principles where applicable. [23] Additionally, the Trust Framework Authority oversees compliance and ensures that accredited providers adhere to the established rules and regulations. [24] The government initially drafted the Digital Identity Services Trust Framework Bill as a stepping stone to the DISTF; the Bill was referred to the Economic Development, Science, and Innovation Committee for further review and to incorporate Māori consultation and participation into the legislation. [25]
Data Protection
New Zealand’s primary data protection legislation is the Privacy Act (2020). [26] The Act governs the collection, use, storage, retention, and transfer of personal information to ensure individuals’ privacy rights are safeguarded. [27] The Act outlines 13 Information Privacy Principles (IPPs) that guide the processing of personal data, including information collected through digital identity systems. [28]
Several provisions of the Privacy Act offer safeguards for personal information within the digital ID framework. [29] IPP 1 mandates that personal information may only be collected if necessary for a legitimate agency function, [30] and IPP 2 requires that such information be collected directly from the individual concerned. [31] While the Act does not explicitly require encryption of digital ID data, Principle 5 states that personal information must be protected with reasonable safeguards to prevent loss, unauthorized disclosure, or misuse. [32] Additionally, IPP 10 prohibits the use of personal information for purposes other than those for which it was originally collected, except with the individual’s consent. [33]
Regarding government access to digital ID data, IPPs 10 and 11 impose restrictions on data usage and disclosure. [34] However, these principles also include exceptions that allow government agencies some discretion to share personal data for purposes such as public health, public safety, or to protect public revenue. [35] Similarly, IPP 9 requires that agencies do not retain personal information longer than necessary for its intended use, but it does not set a specific time limit for data storage. [36]
The Digital Identity Services Trust Framework Rules (2024) outline operational requirements for accredited service providers, covering areas such as identification management, privacy and confidentiality, security, information and data management, and data-sharing protocols. [37] To become accredited, digital identity service providers must comply with these rules based on the services they offer. [38]
New Zealand is also in the process of establishing the Biometric Processing Privacy Code, expected to be completed by mid-2025, which will introduce stronger privacy safeguards, notification and transparency obligations and limits on some uses of biometric information. [39] This Code has also undergone public consultation. [40] Some concerns have been raised about the draft Code not including provisions for proper oversight and excluding the consent safeguard for users’ biometric data. [41] New Zealand’s Council for Civil Liberties also raised concerns about the potential for creeping surveillance due to the lack of a consent safeguard. [42]
International Commitments
New Zealand is part of the Digital Identity Working Group (DIWG), which includes eight member states working toward interoperable digital identity systems. [43] The DIWG has developed a set of interoperability principles to guide the development of digital identity infrastructure that is mutually recognized across borders. [44]
New Zealand is also a member of the Organisation for Economic Co-operation and Development (OECD), and aligns with the OECD Recommendation on the Governance of Digital Identity. [45] These recommendations emphasize the importance of user-centered and inclusive digital ID systems, strong governance mechanisms, and cross-border recognition of digital IDs. [46]
In relation to New Zealand’s human rights treaty obligations, legal frameworks and policies for New Zealand’s digital ID have not been found to contradict such obligations due to the optional nature of the digital ID and the relatively robust data protection frameworks mentioned in the above section. [47]
To comply with its human rights obligations, it is important for the country to continually ensure that the digital ID system does not become a barrier to essential services and access to legal identity, particularly for vulnerable populations.