Digital Identity Trust Framework Bill (Consistent) (Sections 14, 19 and 25(c)) [2021] NZBORARp 57 (23 August 2021)
Last Updated: 8 October 2021
23 August 2021
LEGAL ADVICE
LPA 01 01 24
Hon David Parker, Attorney-General
Consistency with the New Zealand Bill of Rights Act 1990: Digital Identity Services Trust Framework Bill
Purpose
- We have considered whether the Digital Identity Trust Framework Bill (‘the Bill’) is consistent with the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990 (‘the Bill of Rights Act’).
- We have not yet received a final version of the Bill. This advice has been prepared in relation to the latest version of the Bill (PCO 23338/2.40). We will provide you with further advice if the final version includes amendments that affect the conclusions in this advice.
- We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act. In reaching that conclusion, we have considered the consistency of the Bill with s 14 (freedom of expression), s 19 (freedom from discrimination) and s 25(c) (right to be presumed innocent until proved guilty) of the Bill of Rights Act. Our analysis is set out below.
The Bill
- Currently, New Zealand lacks consistency in the way personal and organisational information is shared, stored and used in a digital identity[1] environment. This has led to inconsistencies and inefficiencies in how this information is handled, undermining trust and confidence in the digital identity system for individuals, government agencies and the private sector.
- The Bill establishes a legal trust framework (consisting of primary legislation, and a set of rules and regulations) for the provision of secure and trusted digital identity services[2] for individuals and organisations (‘the Trust Framework’).
- The policy objectives of the Bill are to:
  - help drive consistency, trust, and efficiency in the provision of digital identity services;
  - support the development of interoperable digital identity services;
  - provide people with more control over their personal information and how it is used; and
  - enable the user-authorised sharing of personal and organisational information digitally to access public and private sector services.
- The Bill creates an opt-in accreditation scheme for accrediting digital identity service providers against the Trust Framework rules. This scheme establishes a minimum set of standards for handling personal and organisational information which accredited digital identity service providers must comply with.
- The Bill creates a Trust Framework board (‘the Board’) which will undertake education, publish guidance, and monitor the performance and effectiveness of the Trust Framework. To enforce the Trust Framework rules and to protect the security and privacy of Trust Framework users, the Bill allows for the establishment of a Trust Framework authority (‘the Authority’).
- To protect the integrity of the Trust Framework and to enforce compliance with the rules, the Bill also creates offences and a complaints process, allowing people to submit complaints to the Authority and giving the Authority the power to order remedies. The offences contained in the Bill carry pecuniary penalties for activities such as falsifying accreditation.

[1] Digital identity is the user-consented sharing of personal and organisational information online to access services and complete transactions. It is understood that the use of digital identity is believed to improve service delivery and reduce inefficiencies, security risks and privacy breaches.
[2] Digital identity services are services, or a product, provided by a digital identity service provider that enable the sharing of the information by a user in a transaction with the relying party.
Consistency of the Bill with the Bill of Rights Act
Section 14 – Freedom of expression
- Section 14 of the Bill of Rights Act affirms the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form. The right to freedom of expression has also been interpreted as including the right not to be compelled to say certain things or to provide certain information.[3]
- The Bill places various obligations on applicants, Trust Framework providers and other persons to provide information to the Authority in relation to the accreditation scheme. These provisions require applicants to disclose and keep updated certain information as part of their accreditation applications and allow the Authority to require persons to provide information to assist it in relation to complaints and compliance.
- Under s 14 of the Bill of Rights Act any provision that requires a person to provide or disclose information would be a prima facie limit on freedom of expression. A provision found to limit a particular right or freedom may nevertheless be consistent with the Bill of Rights Act if it can be considered a reasonable limit that is justifiable in terms of s 5 of that Act. The s 5 inquiry asks whether the objective of the provision is sufficiently important to justify some limitation on the right or freedom engaged and, if so, whether the limitation is rationally connected and proportionate to that objective and limits the right or freedom no more than reasonably necessary to achieve that objective.[4]
- To the extent that the provisions of the Bill engage the right in s 14 (as to whether such information is truly ‘expressive’ in nature), we consider that the requirements are rationally connected to the objectives of the Bill, which are to establish a legal framework for the provision of secure and trusted digital identity services, and establish governance and accreditation functions that are transparent and incorporate te ao Māori approaches to identity.
- We also consider that the limits on the freedom of expression are no more than reasonably necessary and are proportionate to the objectives of the Bill. The relevant provisions in the Bill relate to the operation of the accreditation scheme, which is an opt-in scheme, so applicants and Trust Framework providers who are required to provide information in relation to the scheme are doing so because they have elected to be part of the scheme. Where there are requirements on other individuals and organisations to provide information to assist the Authority with complaints and compliance with the scheme, the collection of this information can only be for specified purposes.
- For these reasons, we conclude that any limits on the right to freedom of expression provided by the Bill are justified under s 5 of the Bill of Rights Act.

[3] RJR MacDonald v Attorney-General of Canada (1995) 127 DLR (4th) 1.
[4] Hansen v R [2007] NZSC 7, [2007] 3 NZLR 1.
Section 19 – Freedom from discrimination
- Section 19(1) of the Bill of Rights Act affirms that everyone has the right to freedom from discrimination on the grounds of discrimination in the Human Rights Act 1993 (‘the Human Rights Act’).
- The key questions in assessing whether there is a limit on the right to freedom from discrimination are:[5]
  - does the legislation draw a distinction on one of the prohibited grounds of discrimination under s 21 of the Human Rights Act; and, if so
  - does the distinction involve disadvantage to one or more classes of individuals?
- Clause 46(2)(a) provides that when selecting board members for the Board, the chief executive of the Board must ensure members of the Board include persons with knowledge or expertise in te ao Māori approaches to identity. Additionally, pursuant to clauses 50 – 54, the Bill creates a Māori advisory group (‘Māori Advisory Group’). The relevant Minister must only appoint members to the Māori Advisory Group who, in the Minister’s opinion, have the appropriate knowledge, skills and experience to assist the group to perform its role, which is to advise the Board on Māori interests and knowledge.
- We note that there is no obligation to appoint members to the Board who have knowledge or expertise in other cultural approaches, and there is also no obligation to appoint an advisory group to advise the Board on non-Māori interests and knowledge. It could appear that these provisions could constitute discrimination on the basis of race or ethnic origins. However, we do not consider that this is the case, for the following reasons.
- The appointment of members who have knowledge of te ao Māori approaches to identity and the establishment of a Māori Advisory Group do not result in a disadvantage to any class of people. Rather, they are ensuring that the regime provides protection for te ao Māori approaches to identity and Māori interests and knowledge, thereby upholding the Crown’s obligations under the Treaty of Waitangi. Additionally, Māori have a broader right to active participation within the Māori Crown partnership; a right that arises from the Treaty of Waitangi. The Treaty creates a basis for civil government, based on protections and acknowledgement of Māori rights and interests within New Zealand’s shared citizenry.[6]
- For these reasons, we do not consider that clause 46(1) of the Bill engages the right to freedom from discrimination under s 19 of the Bill of Rights Act.

[5] See, for example, Atkinson v Minister of Health and others [2010] NZHRRT 1; McAlister v Air New Zealand [2009] NZSC 78; and Child Poverty Action Group v Attorney-General [2008] NZHRRT 31.
[6] Cabinet Office Circular CO (19) 5.
Section 25 – Minimum standards of criminal procedure
- Section 25(c) of the Bill of Rights affirms the right to be presumed innocent until proved guilty according to law. The right to be presumed innocent requires that an individual must be proven guilty beyond reasonable doubt, and that the State must bear the burden of proof.[7]
- The Bill creates several strict liability offences:
  - Clause 97(1): An applicant fails without reasonable excuse to give the Authority key information or specified information in their application for accreditation.[8]
  - Clause 98(1): An applicant has made an application for accreditation and fails without reasonable excuse to tell the Authority of any change to key information or specified information within the relevant time period before the application is decided.
  - Clause 98(2): A Trust Framework provider fails without reasonable excuse to tell the Authority of any change to key information or specified information for the period during which they are accredited.
  - Clause 99: A person obstructs, without reasonable excuse, the Authority when it is carrying out its functions or exercising its powers.
- Strict liability offences prima facie limit s 25(c) of the Bill of Rights Act because the accused is required to prove a defence, or disprove a presumption, in order to avoid liability.
- We consider that the limits to the right under s 25(c) of the Bill of Rights Act appear to be justified, for the following reasons. In reaching this conclusion we have taken into account the nature and context of the activity being regulated, the ability of the defendants to exonerate themselves, and the penalty levels:
  - Strict liability offences are more easily justified where they are in the category of ‘public welfare regulatory offences’ created in order to protect the public. They recognise the importance of protecting the personal and organisational information of users and the trust that is placed in the accredited Trust Framework providers in handling and protecting that information. The strict liability offences in the Bill arise in the context of preventing fraudulent accreditation and obstructing a regulatory authority from carrying out its function. Fraudulent applicants or Trust Framework providers could undermine the integrity of the Trust Framework and therefore the purpose of the Bill. Preventing fraudulent and obstructive activity is necessary in the public interest as it will assist in creating a sound legal framework for the provision of secure and trustworthy digital identity services.
  - The Bill contains the general defence of ‘reasonable excuse’. This defence relies on information that is more likely to be in the defendant’s knowledge, and provides them with a suitably broad range of defences.
  - The penalty levels are fines not exceeding $10,000 in the case of an individual, and fines not exceeding $20,000 in the case of a body corporate for all four offences. We consider that these penalties are proportionate to the importance of the Bill’s objective.
- For the above reasons, we consider the strict liability offences to be justified in terms of s 25(c) of the Bill of Rights Act.

[7] See R v Wholesale Travel Group (1992) 84 DLR (4th) 161, 188 citing R v Oakes [1986] 1 SCR 103.
[8] What constitutes key information will be prescribed by regulations. Specified information on the other hand is defined in cl 24(1) as whether the applicant: (a) has been convicted of a criminal offence, whether in New Zealand or overseas; (b) is subject or has been the subject of a formal investigation or proceeding by the Privacy Commissioner; and (c) information relating to accreditation.
Conclusion
- We have concluded that the Bill appears to be consistent with the rights and freedoms affirmed in the Bill of Rights Act.
Jeff Orr
Chief Legal Counsel
Office of Legal Counsel
URL: http://www.nzlii.org/nz/other/NZBORARp/2021/57.html