Skip to content.
|Networking government in New Zealand.
Archive

Archived articles:

See archives for this section
 

3. Scope

[ Table of Contents ]

The purpose of this Data Formats for Identity Records Standard is to specify data formats for a set of self-reported, identity-related data elements that government agencies may use in their customer records.

Where agencies:

  • use one or more elements specified in the Data Formats for Identity Records Standard, they SHOULD use the syntax specified in this Standard
  • exchange one or more elements specified in the Data Formats for Identity Records Standard, they MUST use the syntax specified in this Standard.

3.1 Elements specified in this Standard

The following formats for a person’s self-reported identity-related data elements are specified in this Standard:

  • name
  • gender
  • mother’s name
  • date of birth
  • place of birth.

These identity-related data elements are generally useful in most identity management systems and, in the Department of Internal Affairs’ experience in evidence-based processes, nearly always provide uniqueness. Each data element consists of more atomic elements, such as the component parts of a person’s name. Each of the data elements is defined in section 6.

This Standard also specifies the content, format and structure of a validated exchange file that contains these identity-related data elements. Outline implementation guidance is given in section 7, although comprehensive implementation remains out of scope for this document. Additional implementation guidance will be provided once sufficient experience from initial implementations is gained.

Inclusion of all these identity-related data elements in the exchange file is not mandatory. For example, place of birth may not be available and so would be left blank in the exchange file. See section 7 for more guidance on implementing this Standard.

3.2 Guidance on elements not specified

Agencies may need to use and exchange other authorisation-related data elements (such as role management, user entitlements, and access privileges), either in addition to or in place of the identity-related data elements listed in 3.1. Where this occurs, the exchange file SHOULD conform to the OASIS CIQ Specifications v3.0.

3.3 Legislative obligations remain

Where agencies are undertaking data matching, they are required to fulfil their obligations under the Privacy Act 1993. In particular, agencies may need to have their proposed match authorised by Parliament through legislation. Once a match has received Parliamentary authorisation, the agencies must have an information matching agreement in place before the match can operate. In the interests of efficiency, as well as protection of personal privacy, agencies should ensure that the number of identity-related data elements included in their customer records is kept to the minimum required to fulfil service requirements.

All information collected and stored by a NZ government agency is deemed to be Official Information, and must be protected by strict adherence to promulgated policy statements such as Security in the Government Sector (SIGS) and the Protective Security Manual (PSM). This Data Formats for Identity Records Standard is to be used for services that deliver information classified as UNCLASSIFIED, IN CONFIDENCE, or SENSITIVE only, as specified in the Government's Guidelines for Protection of Official Information.

Agencies MUST undertake a risk assessment for those risks associated with the delivery of their services through an interactive online channel. Agencies SHOULD follow the Australian and New Zealand Standard AS/NZS 4360:2004 on risk management for their authentication systems. Further advice on the application of AS/NZS 4360:2004 is set out in SAA/SNZ HB 436:2004 and SAA/SNZ HB 231:2004. Agencies also need to ensure there is adequate business continuity planning for their online services.

Many authentication risks may be addressed by ensuring that the authentication system is properly protected. The NZ e-GIF authentication standards do not give general advice for securing authentication systems. Agencies should comply with SIGS, NZSIT 400, ISO/IEC 17799:2005 and ISO/IEC 27001:2005.

3.4 Out of scope

The following are outside the scope of this Standard:

  • prescription of the minimum set of data elements to identify individuals uniquely
  • specification of business rules for interpretation, manipulation or use of the elements
  • additional elements and schema for customer information that individual agencies may wish to collect in order to enable or enhance their own specific internal processes and services
  • Internet security and transport standards, policies and protocols associated with the storage and transport of identity records
  • verification of the elements
  • information sharing, data matching and electronic data exchange policies and processes
  • data modelling, database design, and data mapping tools such as XSL Transformations (XSLT)
  • comprehensive implementation guidance.

This Data Formats for Identity Records Standard is not a data storage standard. It does not define agency database fields, nor enforce database designs, although it may influence them. Rather, it defines data elements for the purposes of collecting and transferring data. Each agency decides whether it stores its data in the data formats specified in this Standard or whether it transforms its data when importing to and exporting from its databases. Where agencies store data elements as simple strings rather than as atomic or granular components, transformation will require splitting and mapping these simple strings into their correct atomic parts.


[ Previous | Contents | Next ]