printer icon
April 4, 2023 Digital Identity New Zealand

Your personal data – what’s at risk and what’s being done to protect it?

Opinion piece by the Digital Identity New Zealand (DINZ) Executive Council Policy & Regulation Sub-Committee

Summary

Current regulation requires some businesses to use and hold on to personal information when you use their services. These large datasets of sensitive personal information are highly attractive for cyber criminals and contribute to ongoing cybercrimes and identity theft that can have a devastating impact on those affected. Optus  and Latitude Financial are recent examples but they are not alone and not likely to be the last. Even businesses like these with good reputations can put the personal information you give them at risk.  

New technology exists that allows you to sign-up for a new service without needing to hand over physical documents or share more than what’s needed. Along with other countries, New Zealand is behind in adopting this new game changing technology but changes are afoot. Until then you need to be aware of who you are sharing data with, how it will be used and how that party will protect it.

Digital Identity NZ (DINZ) is Aotearoa’s only industry association specifically focussed on digital identity and is leading the way to a future where every New Zealander can easily use their digital identity to access services. 

Current regulation requires some businesses to use and hold on to personal information when you use their services  

When you think about the recent high-profile data breaches of personal information due to hackers finding ways to break into computer networks, you might wonder if the awful consequences for people affected could have been significantly reduced or prevented if firms had not stored electronic copies of documents.

The thing is, many businesses like big appliance retailers selling you credit so you can buy the TV of your dreams, or mobile network companies selling you a phone or SIM card, must interpret and follow rules overseen by a regulator in order to do business. This typically leads retailers to electronically copy and store personal information.

While it was the cybersecurity exposures that caused the breaches of personal information in the recent instances, and not the requirements to collect personal information set down by any particular Anti-Money Laundering and Counter Financing of Terrorism (AML/CFT) regime, it did magnify the impact of a breach.  

Optus, the Australian telco giant, obtained identity information not only to satisfy AML/CFT obligations but to satisfy law enforcement agencies’ needs regarding criminals’ use of mobile phones, while Latitude Financial obtained identity information to undertake credit checks as well as to fulfil AML/CFT obligations. 

These regulatory regimes should not be inadvertently putting the mass population’s sensitive personal identity documentation in jeopardy, just because legislation does not reflect current technical capability to make electronic copying of physical documents redundant, be that the traditional centralised approach or the emerging modern decentralised approach. 

Large datasets of sensitive personal information are highly attractive for cyber-attackers 

Stuff wrote an easily readable piece on the most recent high profile breach, Latitude, while focussing on the impact for New Zealanders caught up in it. 

When you buy something, even gift vouchers, at a store on credit, many shoppers will have experienced having had a sense of unease of having no choice or leverage to decline when the retailer asked for identification documents and proceeded to electronically scan or copy them. Sometimes even when credit wasn’t required, but the retailer urged you to open a credit account. And once the interaction has ended and the AML/CFT provisions fulfilled, the unease remains – did they delete my personal information? 

The reasons why they are doing this might range from needing to comply with regulation to instore incentives for retailers to gather personal information, for the marketing department for example, when typically the company’s cybersecurity teams don’t want the data held due to the potential risks it creates.  

Who wins that ‘tug of war’ usually comes down to an organisation’s culture, information security and risk posture and where in the organisation these decisions are made. 

New technology exists that allows you to sign-up for a new service without needing to hand over physical documents or share more than what is needed

In the review of New Zealand’s AML/CFT regulation currently underway, we call for urgent prioritisation of the Amended Identity Verification Code of Practice 2013 (AIVCOP), which has outdated requirements relating to face-to-face verification and the use of copies of documents certified by the trusted referees. 

As inferred in our report published in 2020, we support a complete overhaul of AIVCOP so that it better supports not only the Privacy Act 2020, but also the use of robust and reliable digital identification services to achieve AML/CFT compliance. 

It also must be complementary to and aligned with the upcoming opt-in Digital Identity Services Trust Framework (DISTF) Act that accredits rules-compliant digital identity service providers should they opt-in to do so. The Bill had its third and final reading this week and is set for implementation in July 2024.

Capability has existed for over a decade to electronically verify claims about personal information from its applicable centralised authoritative source compliant with the Privacy Act 2020 and its 1993 predecessor. The problem is to do with scale and interoperability. Scaling New Zealand retail point of sale counters to send identification-related claims to the government agency authoritative registers to have them confirmed, or not as the case may be, and the scale needed by the authoritative source to process so many claims. The high level of interoperability needed to have multiple systems performing like payment networks is a significant and ongoing investment.   

Decentralised digital identity,the subject of DINZ’s summer series of perspectives just completed today, is a topic that offers the strongest hope for a brighter future. Because implicit in this privacy centric approach, is the notion that the individual holds their data inside a secure container such as a digital wallet on a digital device like a smartphone. This way the plethora of computer networks storing people’s personal information as is current practice. 

Significant investment and the collective will to do so notwithstanding, a robust decentralised digital identification approach could allow individuals to access financial services at point of sale without the need for them to hand over physical documents for electronic copying. It could also accelerate financial inclusion if, as a nation, we can overcome obvious barriers such as ground level digital literacy and access to a smartphone/device of some kind which is a prerequisite.  

A recent report published by Digital Identity New Zealand highlighted that “Digital identity underpins the majority of our digital transactions and is the foundation for digital transformation”. The report’s recommendations called out the yearning need to increase awareness and education in many sectors of our society so that everyone in Aotearoa can enjoy the benefits of the digital economy if they choose to. 

Most countries, New Zealand included, are behind the game. To minimise the risks we see from data breaches, right now we need trusted and universally accepted identification methods envisaged by the DISTF Act, that are compliant with privacy and AML/CFT regulations. These also need to allow people to identify, verify and authenticate themselves and to decide if they will share data or proofs and with whom without the need to hand over physical documents containing personal information for electronic copying by retailers with all the associated risks of it being stolen and used for criminal gain.

The AML/CFT Act is under review and parts of the legislation selected for amendment first are currently out for comment. But those parts are not the AIVCOP. Prioritising the AIVCOP can help not only bring compliance with the Privacy Act 2020 closer, but also reduce the unintended consequences of the current AIVCOP provisions that create personal information honeypots for hackers.  

On the face of it, privacy legislation is trumped by AML/CFT legislation when they should be complementary.  Regulatory regimes must support the use of technological advancements in digital identification where there is a demonstrable benefit to New Zealanders. Firms are not going to make the leap to digital identity services if they consider it will put them in breach of their regulatory requirements. But in hesitating, many New Zealanders’ personal information is at risk.

For more information, see here: https://www.digital.govt.nz/digital-government/programmes-and-projects/digital-identity-programme/trust-framework/

Digital Identity New Zealand A purpose driven, inclusive, membership funded organisation, whose members have a shared passion for the opportunities that digital identity can offer. Digital Identity NZ supports a sustainable, inclusive and trustworthy digital future for all New Zealanders.