Research and engagement — Digital Identity Programme
Four main issues related to trust, privacy and security, ease of use and data handling practices were highlighted through extensive engagement with a range of stakeholders.
Engagement with individuals, businesses, Te Tiriti o Waitangi partners, government and the private sector to understand their experiences of digital identity revealed 4 main issues.
These have informed the development of the Trust Framework Principles.
The current digital identity system has gaps in how it’s regulated and operated that block the development and adoption of digital identity services.
Feedback from organisations and individuals revealed issues that can be categorised under 4 main themes:
- trust and confidence
- privacy and security
- ease of use
- data control and minimisation.
Trust and confidence
The research revealed a lack of trust in the motivations or security of the organisations individuals interact with as well as how public and private systems connect behind the scenes.
The lack of governance and structure in the digital identity system has caused the inconsistent application of standards across both the public and private sectors.
This means that:
- organisations are given limited trust and ability to share information
- it is difficult to connect services in a trusted way
- users are hesitant to give consent to information sharing.
The research also shows that trust depends on the context of the interaction, such as:
- the type of organisation that requests the information
- what information is requested
- and the brand reputation for that company.
In the findings, commercial enterprises were seen as focussed on their own interests and more likely to break rules. People were therefore reluctant to give them access to personal information held by government without appropriate reassurance and controls in place.
Focus group research showed that Māori had lower levels of trust than other groups in Government holding and sharing information about them.
This was due to:
- incorrect assumptions about Māori
- a narrative not informed by Māori
- distrust associated with previous misuse and abuse of Māori data.
Privacy and security
Individuals raised concerns about general data security in both the digital and physical world. This was heightened when personal details were involved.
Surveillance, targeted advertisements, and data security were key talking points for participants under the privacy / matatapu topic.
In one survey, almost a quarter of those who had used government services had had some kind of personal information leaked, hacked or used without their permission. The inconsistent application of data, privacy, identification and security standards was a contributing factor to these breaches.
These types of concerns about privacy and security also pose risks to both customers and businesses by undermining trust and confidence in the digital identity ecosystem and slow adoption of their services.
Ease of use
Accessing government services is mostly done online – with almost 7 in 10 of surveyed individuals interacting digitally in a 12-month period.
Many digital identity services have not kept up with technology advancements and do not meet citizen expectations.
- Social and mobile device-based logins are now commonplace
- Biometric and brokered solutions offer more user convenience and control.
Having to provide information repeatedly is a common issue for individuals and there are limited choices for how to prove who you are online. One of the issues, particularly among young people, is the need to manage multiple online passwords and usernames.
Acting on behalf of someone or an organisation to access a service is also an area of difficulty. Issues include:
- difficulty in establishing or proving permission to act on behalf of someone
- lengthy forms and paperwork.
Data control and minimisation
The research showed that New Zealanders want more control and ownership of their digital identity, known as as data control. The methods that organisations currently use are inconsistent, which is confusing for individuals and businesses using digital services.
Key concerns included security, misuse of information, being spammed, having to use multiple passwords and possible surveillance that might breach their privacy.
Many research participants expressed a sense that they had lost control of their personal information from sharing it as a necessity of participating fully in modern life.
Key themes throughout discussions around the compromise / whakamōrea topic included the issues of informed consent and assumed consent.
These concerns are all related to a practice known as ‘data minimisation’ in which only personal data relevant to a specific purpose should be saved and processed.
Mana (ownership) was also identified as a theme in the Māori focus groups, with participants saying that they did not feel that their data is safe in the hands of government. “Our whānau and hāpu are our original iwi. They should control our data.”
This contrasted with other respondents who thought that data belongs to the person or people who provide it.
The practice of data sovereignty was of extreme importance to both rangatahi (youth) and professionals.
The Digital Identity Programme Team work with sector stakeholders and research bodies to gather a robust body of evidence to inform, develop and test proposals. This includes regular engagement with:
- government agencies
- iwi and Māori groups
- private enterprises in banking, finance, utilities and other services
- NGOs, community and platform providers
- health and education providers
- vendors and identity service providers
- academic institutions.
Evidence gathering also included research and surveys with more than 1000 individuals. These include quantitative surveys and 12 focus groups undertaken both by the Department of Internal Affairs and by Digital Identity New Zealand in 2019 and 2020.
This research included analysis and review of trust frameworks in Australia, Canada and the United Kingdom.
Contact the Digital Identity Programme team — email email@example.com.