Skip to content.
|Networking government in New Zealand.
You are here: Home » About e-govt » Programme » E-government Agency Checklist » Consultation Process for Directions

Consultation Process for Directions

Cabinet Direction and Whole of Government Direction

Consultation Process

An agency, subject to either the Cabinet direction or the whole of government direction, that is considering investing in or building alternative online credential management or identity verification capability is required to consult the State Services Commission (SSC) through the Government CIO.

Agencies are reminded that the directions require consultation with SSC “before developing a proposal to invest in or build [alternative] online credential management or identity verification capability”. The earlier the consultation the better from the point of view of ensuring that all parties are fully aware as early as possible of the proposal.  Delays on the part of an agency in consulting SSC will not justify the grant of consent for an agency to invest in or build alternative capability.

In the first instance, an agency’s consultation with the Government CIO should be in the form of a written communication, by post or email, which:

(a)  explains the alternative online credential management or identity verification capability that the agency is considering;

(b)   explains whether that alternative capability is an integral part of a proposed service, website or application or whether it is separate to such service, website or application;

(c)   sets out in reasonable detail the nature of the proposed service, website or application;

(d)   if consent is sought, at this early stage,to the agency investing in or building alternative capability1 explains:

(i)   any generic class consent on which the agency relies in seeking consent and why the agency considers that that generic class consent applies; or

(ii)  if no relevant generic class consent exists, the reasons why the agency seeks consent to investing in or building an alternative to the relevant all-of-government authentication shared services, including information pertinent to the decision criteria set out below to the extent that:

  • those decision criteria are considered relevant to the agency’s request for consent; and
  • the agency is able to provide such information;

(e)   indicates whether the agency would like to meet with the Government CIO and/or SSC officials to discuss the matter.

The Government CIO’s contact details are as follows:

Peter Brown, Deputy Commissioner

State Services Commission, 100 Molesworth Street

PO Box 329, Wellington

Email: Peter.Brown@ssc.govt.nz

Following receipt of the agency’s written communication and any meetings which the agency or the Government CIO may request, the Government CIO will usually:

(a)   seek input from the Business Development Unit Account Manager, relevant State Services Performance Specialists, the Business Manager of Identity Management Services, and representatives of other interested agencies (if any), to the extent the Government CIO considers necessary;

(b)   assess the proposed service and alternative investment or build by reference to the decision criteria set out below; and, having done so

(c)   either:

(i)   request from the agency any further information considered relevant to the grant or denial of consent, following receipt and consideration of which the Government CIO will inform the agency as to whether SSC consents to the agency investing in or building an alternative to the relevant all-of-government authentication shared services; or

(ii)  inform the agency as to whether SSC consents to the agency investing in or building an alternative to the relevant all-of-government authentication shared services.

Decision criteria

 In deciding whether to consent to an agency investing in or building an alternative to the relevant all-of-government authentication shared services, the Government CIO will take into account the following decision criteria, as applicable:

(a)   whether the service risk category into which the proposed service falls, under the Evidence of Identity Standard, is “nil or negligible risk” or a higher risk category;

(b)   whether the non-identity related security risk impacts of the  service to the agency’s business or functions is nil or negligible;

(c)   whether SSC has issued a generic class consent covering the service or capability or kind of service or capability;

(d)   the time to develop the service from conception to launch and the estimated date of launch;

(e)   the anticipated number of users of the relevant service at launch and expected growth in the relevant user community over time;

(f)    whether there is or is likely to be a significant overlap between the service’s relevant user community and the user communities of other government services (including other agencies’ services) utilising the shared authentication services;

(g)   the expected lifespan of the service and whether the agency plans to enhance or expand it in the future;

(h)   the cost of the alternative online credential management and/or identity verification capability (including procurement, build and implementation) as against the likely cost of integration with the relevant shared authentication services;

(i)    the extent to which the agency’s investment in or building of an alternative to the relevant all-of-government authentication shared services does or could be seen to detract from the rationales for those shared services, including without limitation:

(i)    an all-of-government approach to authentication;

(ii)   improved user experience; and

(iii)  the avoidance of duplicate investment;

(j)    the state of development of the relevant shared authentication services at the time of the agency’s consultation with SSC as against the agency’s requirements; and

(k)   any other matter the GCIO considers relevant to the application.

Where SSC consents to an agency investing in or building an alternative to the relevant all-of-government authentication shared services, its consent may be qualified or be subject to conditions. For example, it may be appropriate for the grant of consent in respect of a particular service or capability to be time-bound and subject to review.

Agencies should note that, given the evolving nature of the technology and services, the granting of consent at one point in time does not mean that such consent will necessarily be granted on subsequent occasions in respect of the same or similar service, application or capability, as a change of surrounding circumstances may warrant and justify an alternative approach.


[1]           If consent is sought not at the commencement of consultation with SSC but during the course of that consultation, SSC can be expected to ask the agency to provide the information referred to in this paragraph at that later stage.