Foodstuffs deploys digital identity ahead of new NZ privacy law

“Is that really you?” It’s the gateway question to ensuring customers’ privacy and it will be on the minds of many CIOs as the act of verifying a person’s digital identity becomes increasingly critical. This is particularly true in New Zealand with new privacy legislation coming into effect on 1 December 2020.

Foodstuffs North Island is one of New Zealand’s largest grocery providers, supplying more than 300 individually owned supermarkets; its brands include New World, Four Square, Pak’n’Save, and Gilmours. The Foodstuffs IT team is responsible for managing the authentication of a large user base of employees, store owners, partners, and suppliers.

Chief Digital Officer Simon Kennedy says the overarching authentication system ensures a single sign-on to more than 250 systems that his team of 260 IT professionals manage. The business opted for Auth0, a cloud-based identity platform for developers.

What digital identity does for Foodstuffs

Foodstuffs North island

Establishing the digital identity system across its entire network has been a milestone achievement in the company’s digital transformation. The devops team can now bring identity management into the start of each new programme of work, which in turn assists with automation around the build, test, and deploy process.

The digital identity system was fully deployed in February 2020, shortly before the lockdowns imposed as a result of the COVID-19 pandemic, and Kennedy says that it operated “flawlessly” throughout that experience. “The key thing is that it provides for delegated authority and this streamlines the administrative process. Not only does this result in significant cost saving for us, it also empowers our suppliers,” he says.

But the biggest win, according to Kennedy, is for their customers, as it enables more efficient interactions at the checkout. Customers increasingly expect the kind of “Uber frictionless experience” that only comes when back-end authentication systems are aligned with front-end applications, he says.

This new way of delivering digital identity also provides for a more secure customer experience. “Digital identity is a key element in managing customer data, in a way that is respectful of individual preference and fully compliant with all relevant legislation,” Kennedy says.

While integrating the new digital identity solution throughout its partner network has always been on the roadmap, Kennedy’s team have been aware that new privacy legislation comes into effect on 1 December 2020, and took this into account when planning the work.

Privacy legislation top of mind

The new privacy law will make it mandatory for organisations to report privacy data breaches, and failure to do so could result in a fine of up to $10,000. Privacy Commissioner John Edwards tells CIO New Zealand that CIOs need to be working with compliance officers, legal counsels, and audit and risk committees “to figure out a way of bringing those matters to the attention of the appropriate people in an organisation.”

The Privacy Commissioner this week launched an online tool, NotifyUs, that enables organisations to assess whether a privacy breach is notifiable. Information entered into the self-assessment tool isn’t sent to the commissioner’s office; instead, it is designed to assess whether a breach has occurred.

There is an emphasis in the tool on the types of harm that could occur as a result of the breach, including employment harm, identity theft, financial harm, and physical harm.

“We want the privacy breach pre-assessment and reporting process to be straightforward. NotifyUs has undergone extensive testing ahead of today’s launch to ensure the guidance is clear and easy to follow. I encourage people to use it in advance of the new legislation taking effect on 1 December,” Edwards says.