General

Protecting your privacy as a person using RealMe® is very important to the Department of Internal Affairs (DIA) and New Zealand Post Limited (NZ Post) (together, we, our, us). Our privacy statement in relation to RealMe is set out below.

RealMe and its approach to privacy

The RealMe service consists of, in essence, the RealMe login service and the RealMe verified account service. Once you have a RealMe verified identity, you will be able to use your RealMe verified account to retrieve relevant personal information from trusted information providers for the purpose of verifying your identity and, where relevant, address, to other service providers.

To enable this to occur, RealMe interacts with other systems operated by DIA and NZ Post: the igovt identity verification service and the NZ Post address verification service. These are separate systems with separate stores of personal information.

When you choose to use the igovt identity verification service or the NZ Post address verification service, RealMe will send a unique number to the relevant service. The service uses that number to check if your igovt verified identity or NZ Post verified address exists.

The RealMe service then retrieves your igovt verified identity or NZ Post verified address and asks you whether you consent to your information being sent to the participating service provider. If you do agree, the RealMe service will then redirect you to the participating service provider and your identity or address information will have been sent to that participating service provider.

The RealMe verified account does not store your personal information. Instead, when you access your account, the account retrieves the information from verified information providers to display it for as long as you are viewing your account.

This deliberate privacy-centric design ensures that your personal information is protected to the greatest extent possible. There is no combining of different items of personal information in a central database and linking of information between services is minimised and only occurs with your consent. The RealMe service does not provide its operators with a detailed picture of what you're doing online with particular service providers using the RealMe service.

The different systems and the entities that operate them can be summarised as follows:

real me privacy statement image

This privacy statement covers the components of RealMe that provide login and verification services to service providers integrated with RealMe. Separate privacy statements apply to DIA's treatment of your personal information with the igovt identity verification service and NZ Post’s treatment of your personal information with its address verification service. You will be shown and asked to consent to those privacy statements when applying for an igovt verified identity and verified address. All privacy statements that apply to RealMe and its supporting services can be found in a single location. You can review them at any time.

Information we collect for the RealMe login service

Email address and phone numbers

You need to provide certain personal details in order to use RealMe.

When you apply for a login and create your username and password, you will be asked to enter your email address to enable the RealMe Help Desk to provide you with support in your use of RealMe, and to enable us to communicate with you about the RealMe service.

If you are already a RealMe user (or were previously an igovt logon service user) and have not provided your mobile phone number, DIA may ask you periodically if you would like to receive support via TXT messages to your mobile phone. If you would like to receive support in this manner, you will need to provide your mobile phone number to DIA when requested.

We remind you of our recommendation in the Terms of use not to use an email address that is shared with other people. If you do use a shared email address, your username, temporary password or other information will be sent to it when you request support for your login, for example when you forget your username or password.

Additional contact details where RealMe codes are used as part of your login

Each participating service provider will decide whether their online service needs an extra level of security that will involve you also entering a RealMe code when logging in to use that service. If so, the RealMe login service will indicate whether you should use your mobile phone to receive the RealMe code by TXT or through an app or the RealMe token that has been issued to you to generate the RealMe code. Where you have both, you will generally be able to choose the device that you prefer to use.

Where the participating service provider needs you to be able to receive RealMe codes by TXT on your mobile phone, or through an app on your mobile phone or mobile device, you will be asked to provide your mobile phone number to the RealMe login service when creating a new login or registering your phone with a login you created previously.

Alternatively, where the participating service provider prefers RealMe codes to be generated by a RealMe token, it will ask you for a delivery name and address and ask the RealMe Help Desk to send you a RealMe token. The participating service provider will provide that information to the RealMe Help Desk only for the purpose of enabling the delivery of your RealMe token.

Site visit data

When you use the RealMe login service or access your RealMe verified account, a server will automatically record your visit, including transaction information such as the IP address of your machine and the domain name from which you are accessing the Internet. This information is recorded for security reasons.

Additional information in relation to a user's computer and the network through which the user is accessing RealMe may be collected if we consider that the user is attempting to compromise RealMe or any associated service.

Purpose of collection

The information referred to above is collected for the following purposes:

  • for you to create and to enable you to manage a login for the purposes of accessing participating service providers’ online services;
  • to enable the RealMe login service to log you in to a participating service provider's website or service; and
  • to enable the RealMe verified account service to provide your verified details to a participating service provider's online service;
  • to enable us to communicate with you about the RealMe service;
  • for statistical purposes in relation to the usage of the RealMe login service and RealMe verified account service.

The information collected by the RealMe login service will be held on DIA's electronic database. DIA may use a third party to provide and manage the infrastructure on which the database resides.

Information we collect for the RealMe verified account service

Mobile phone number

DIA will also ask you whether you wish to receive a TXT confirmation message on your mobile phone each time you use RealMe to verify your personal information attributes. The RealMe verified account service will retrieve your mobile phone number from the RealMe login service to send these TXT messages.

Consequences of not providing the required information

If you do not provide the required information referred to above for the RealMe service, you will not be able to use the RealMe service. You do, however, remain free to transact with and receive services from participating service providers in the offline environment. Your use of the RealMe service is optional.

Use of the information we collect

General

We use the information collected:

  • to provide the RealMe login service;
  • to provide the RealMe verified account service;
  • to communicate with you about the RealMe service;
  • for statistical purposes;
  • to detect and prevent fraudulent or other unlawful uses of the RealMe service.

RealMe login service

Every login generates a unique number on creation (i.e., when you successfully set up a username and password for the first time). Where the login is used to enable you to login to a participating service provider's website, another unique number specific to that service provider is created and provided to it.

In special circumstances, DIA may also provide transaction information to that participating service provider, if required to establish proof of a transaction undertaken with the service provider. Such information may include your email address, the date and time of the login, the IP address of your machine and the domain name from which you are accessing or did access the Internet.

Provision of information to the igovt identity verification service

If you have or apply for an igovt verified identity through DIA's igovt identity verification service:

  • the RealMe login service will also provide your email address and mobile phone number to the igovt identity verification service to enable this system to communicate with you; and
  • RealMe Help Desk personnel may also provide your contact details to the igovt identity verification service to enable relevant igovt services personnel to communicate with you.

Security

We have procedures in place to prevent loss, unlawful access, use, modification, disclosure or other misuse of your information, consistent with good practice and as required by relevant law and policy. Particular care has been taken to ensure that only certain people with specific roles and authorised access levels are able to view your information and only for specific RealMe-related purposes.

Site visit data

Collection of statistical information

When you visit this website we may collect statistical information about your visit to help us improve the website. This information is aggregated and non-personally identifying. It includes:

  • your IP address;
  • the search terms you used;
  • the pages you accessed on our website and the links you clicked on;
  • the date and time you visited the site;
  • the referring site or message (if any) through which you clicked through to this website;
  • your operating system (e.g., Windows XP, Mac OS X);
  • the type of web browser you use (e.g. Internet Explorer, Mozilla Firefox); and
  • other incidental matters such as screen resolution and the language setting of your browser.

Use of statistical information

The statistical information referred to above will be viewable by website administrators and certain members of our staff via analytical tools like Google Analytics. It may also be shared with other government agencies.

Use of Cookies

Non-Persistent cookies

Going to the RealMe login service generates session (non-persistent) cookies that you can find on your PC under the following names:

  • PRD_JSESSIONID
  • GLS
  • BROWSER_ID
  • PRD_CLIENT_KEY

When you use RealMe to verify your identity (with DIA's igovt identity verification service) or your address (with NZ Post's Address Verification Service), RealMe will also generate session (non-persistent) cookies that you can find on your PC under these names:

  • REALME_ACCOUNT
  • PRD_JSESSIONID

All these cookies expire when you close your browser and none of them store any personally identifiable information.

Persistent cookies

A successful login to a participating service provider that requires an extra level of security using a RealMe code by token will generate a browser-specific persistent cookie on your PC with the name: TokenPreferred.

This cookie does not store any personally identifiable information. The presence of this cookie on your PC indicates a preference to login with a RealMe token where allowed for a participating service provider. You will be presented with a screen that facilitates logging in with your RealMe token.

This cookie expires upon:

  • a successful login with a RealMe code other than through a RealMe token to a participating service provider that requires an extra level of security on the same PC;
  • manual deletion of the cookie; or
  • reaching the cookie default expiry period (10 years from cookie creation date).

Accessing and correcting your personal information

RealMe login service

If any of the information that you have provided for your login (or which is provided by a participating service provider during migration) changes or becomes incorrect you must update it at the RealMe website (www.realme.govt.nz) using the option to Manage my Login.

You are also free to go to the RealMe website at any time to:

  • change your username, password, contact details or security questions and answers;
  • combine your logins (where you have more than one RealMe username and password);
  • suspend your login; or
  • delete your login.

RealMe verified account service

You are also free to go to the RealMe website at any time and access your RealMe verified account to:

  • change your notification preferences;
  • remove data providers from your account (verified identity, verified address); or
  • delete your RealMe verified account.

Rights of access and correction

Under the Privacy Act 1993, you have the right to access and to request correction of any of your personal information provided to us. If you wish to see the personal information we have stored in connection with your use of the RealMe service, or if you wish to request correction of such personal information (and you are unable to do so from the RealMe website), please contact theRealMe Help Desk. The RealMe Help Desk may require proof of your identity before it is able to provide you with this information.

If you have any concerns regarding your privacy please feel free to contact us at any time through:

The Privacy Office
Department of Internal Affairs
P O Box 805
Wellington 6140
Phone: (04) 495 7200
Email: Privacy@dia.govt.nz

If you are not satisfied with our response to your concern, you can contact the Privacy Commissioner:

Office of the Privacy Commissioner
PO Box 10-094
Wellington, New Zealand
Phone: +64-4-474 7590
Enquiries Line (from Auckland): 302 8680
Enquiries Line (from outside Auckland): 0800 803 909
Fax: +64-4-474 7595
Email: enquiries@privacy.org.nz