Protecting your privacy as a person using RealMe® is very important to the Department of Internal Affairs (DIA) (we, our, us). Our privacy statement in relation to RealMe is set out below.
RealMe and its approach to privacy
The RealMe service enables you to log in to many government services and, if you choose to, retrieve personal information from trusted information providers for the purpose of verifying your identity, address or other attributes to other service providers.
To enable this to occur, RealMe interacts with other systems operated by DIA and NZ Post: DIA's identity verification service and the NZ Post address verification service. These are separate systems with separate stores of personal information.
When you choose to use the identity verification service or a third party attribute provider's attribute verification service, RealMe will send a unique number to the relevant service. The service uses that number to check if your verified identity or attribute information exists.
RealMe then retrieves your verified identity or third party verified attribute and asks you whether you consent to your information being sent to the participating service provider. If you do agree, RealMe will then redirect you to the participating service provider and your identity or attribute information will have been sent to that participating service provider.
RealMe does not store your personal information. Instead, when you login, your information is retrieved from information providers to display it for as long as you are logged in.
This deliberate privacy-centric design ensures that your personal information is protected to the greatest extent possible. There is no combining of different items of personal information in a central database and linking of information between services is minimised and only occurs with your consent. The RealMe service does not provide its operators with a detailed picture of what you're doing online with particular service providers using the RealMe service.
The different systems and the entities that operate them can be summarised as follows:
This privacy statement covers the components of RealMe that provide login and information brokering to service providers integrated with RealMe. Separate privacy statements apply to DIA's treatment of your personal information with the identity verification service or any other third party attribute provider's treatment of your personal information with their attribute verification service. You will be shown and asked to consent to those privacy statements when applying for a verified identity and verified address. All privacy statements that apply to RealMe and its supporting services are accessible from the RealMe Home page. You can review them at any time.
Information we collect for the purpose of you logging in with RealMe
Email address and phone numbers
You need to provide certain personal details in order to use RealMe.
When you apply for a login and create your username and password, you will be asked to enter your email address to enable the RealMe Help Desk to provide you with support in your use of RealMe, and to enable us to communicate with you about the RealMe service.
If you are already a RealMe user (or were previously an igovt logon service user) and have not provided your mobile phone number, DIA may ask you periodically if you would like to receive support via TXT messages to your mobile phone. If you would like to receive support in this manner, you will need to provide your mobile phone number to DIA when requested.
Additional contact details where RealMe codes are used as part of your login
Each participating service provider will decide whether their online service needs an extra level of security that will involve you also entering a RealMe code when logging in to use that service. If so, the RealMe login service will indicate whether you should use your mobile phone to receive the RealMe code by TXT or through an app or the RealMe token that has been issued to you to generate the RealMe code. Where you have both, you will generally be able to choose the device that you prefer to use.
Where the participating service provider needs you to be able to receive RealMe codes by TXT on your mobile phone, or through an app on your mobile phone or mobile device, you will be asked to provide your mobile phone number to the RealMe login service when creating a new login or registering your phone with a login you created previously.
Alternatively, where the participating service provider prefers RealMe codes to be generated by a RealMe token, it will ask you for a delivery name and address and ask the RealMe Help Desk to send you a RealMe token. The participating service provider will provide that information to the RealMe Help Desk only for the purpose of enabling the delivery of your RealMe token.
Site visit data
When you use the RealMe login service or access your RealMe verified information, a server will automatically record your visit, including transaction information such as the IP address of your machine and the domain name from which you are accessing the Internet. This information is recorded for security reasons.
Additional information in relation to a user's computer and the network through which the user is accessing RealMe may be collected if we consider that the user is attempting to compromise RealMe or any associated service.
Purpose of collection
The information referred to above is collected for the following purposes:
- for you to create and to enable you to manage a login for the purposes of accessing participating service providers’ online services;
- to enable the RealMe login service to log you in to a participating service provider's website or service; and
- to enable the RealMe verified service to provide your verified details to a participating service provider's online service;
- to enable us to communicate with you about the RealMe service;
- for statistical purposes in relation to the usage of the RealMe login service and RealMe verified service.
The information collected by the RealMe login service will be held on DIA's electronic database. DIA may use a third party to provide and manage the infrastructure on which the database resides.
Information we collect for the RealMe verified service
Mobile phone number
DIA will also ask you whether you wish to receive a TXT confirmation message on your mobile phone each time you use RealMe to verify your personal information attributes. The RealMe verified service will retrieve your mobile phone number from the RealMe login service to send these TXT messages.
Consequences of not providing the required information
If you do not provide the required information referred to above for the RealMe service, you will not be able to use the RealMe service. You do, however, remain free to transact with and receive services from participating service providers in the offline environment. Your use of the RealMe service is optional.
Use of the information we collect
We use the information collected:
- to provide the RealMe login service;
- to provide the RealMe verified service;
- to communicate with you about the RealMe service;
- for statistical purposes;
- to detect and prevent fraudulent or other unlawful uses of the RealMe service.
RealMe login service
Every login generates a unique number on creation (i.e., when you successfully set up a username and password for the first time). Where the login is used to enable you to login to a participating service provider's website, another unique number specific to that service provider is created and provided to it.
In special circumstances, DIA may also provide transaction information to that participating service provider, if required to establish proof of a transaction undertaken with the service provider. Such information may include your email address, the date and time of the login, the IP address of your machine and the domain name from which you are accessing or did access the Internet.
Provision of information to the identity verification service
If you have or apply for a verified identity through DIA's identity verification service:
- the RealMe login service will also provide your email address and mobile phone number to the identity verification service to enable this system to communicate with you; and
- RealMe Help Desk personnel may also provide your contact details to the identity verification service to enable relevant services personnel to communicate with you.
RealMe uses third party providers to store and process information. Personal information submitted to RealMe will be stored on Microsoft Azure cloud servers.
Personal information will be retained in compliance with the requirements of the Public Records Act 2005.
We have procedures in place to prevent loss, unlawful access, use, modification, disclosure or other misuse of your information, consistent with good practice and as required by relevant law and policy. Particular care has been taken to ensure that only certain people with specific roles and authorised access levels are able to view your information and only for specific RealMe-related purposes.
Site visit data
Collection of statistical information
When you visit this website we may collect statistical information about your visit to help us improve the website. This information is aggregated and non-personally identifying. It includes:
- your IP address;
- the search terms you used;
- the pages you accessed on our website and the links you clicked on;
- the date and time you visited the site;
- the referring site or message (if any) through which you clicked through to this website;
- your operating system (e.g., Windows XP, Mac OS X);
- the type of web browser you use (e.g. Internet Explorer, Mozilla Firefox); and
- other incidental matters such as screen resolution and the language setting of your browser.
Use of statistical information
The statistical information referred to above will be viewable by website administrators and certain members of our staff via analytical tools like Google Analytics. It may also be shared with other government agencies.
Going to the RealMe login service generates session (non-persistent) cookies that you can find on your PC under the following names:
- x-ms-cpim-cache (x2)
When you use RealMe to verify your identity (with DIA's igovt identity verification service) or your address (with NZ Post's Address Verification Service), RealMe will also generate session (non-persistent) cookies that you can find on your PC under these names:
All these cookies expire when you close your browser and none of them store any personally identifiable information.
A successful login to a participating service provider that requires an extra level of security using a RealMe code by token will generate a browser-specific persistent cookie on your PC with the name: TokenPreferred.
This cookie does not store any personally identifiable information. The presence of this cookie on your PC indicates a preference to login with a RealMe token where allowed for a participating service provider. You will be presented with a screen that facilitates logging in with your RealMe token.
This cookie expires upon:
- a successful login with a RealMe code other than through a RealMe token to a participating service provider that requires an extra level of security on the same PC;
- manual deletion of the cookie; or
- reaching the cookie default expiry period (10 years from cookie creation date).
Accessing and correcting your personal information
If any of the information that you have provided to RealMe (or which is provided by a participating service provider during migration) changes or becomes incorrect you must update it at the RealMe website (www.realme.govt.nz) using the option to Manage my Login.
You are also free to go to the RealMe website at any time to:
- change your username, password, contact details or security questions and answers;
- combine your logins (where you have more than one RealMe username and password);
- suspend your login; or
- delete your login
- change your notification preferences;
- remove data providers (verified identity, verified address); or
- delete your RealMe verified identity.
Rights of access and correction
Under the Privacy Act 1993, you have the right to access and to request correction of any of your personal information provided to us. If you wish to see the personal information we have stored in connection with your use of the RealMe service, or if you wish to request correction of such personal information (and you are unable to do so from the RealMe website), please contact theRealMe Help Desk. The RealMe Help Desk may require proof of your identity before it is able to provide you with this information.
Your information from 1 January 2018 is available in your RealMe dashboard. For information prior to this date, please contact the RealMe Help desk on 0800 664 774 (or +64 4 462 0674 if you are overseas).
If you have any concerns regarding your privacy please feel free to contact us at any time through:
The Privacy Office
Department of Internal Affairs
P O Box 805
Phone: (04) 495 7200
If you are not satisfied with our response to your concern, you can contact the Privacy Commissioner:
Office of the Privacy Commissioner
PO Box 10-094
Wellington, New Zealand
Phone: +64-4-474 7590
Enquiries Line (from Auckland): 302 8680
Enquiries Line (from outside Auckland): 0800 803 909
Fax: +64-4-474 7595