Privacy rights must be respected in digital ID systems, say Canadian regulators


As Canada’s public and private sectors launch new digital identity programs, federal, provincial, and territorial regulators say rights to privacy and transparency must be fully respected throughout their design and operation.

“The development and implementation of a digital ID ecosystem is a tremendous opportunity to demonstrate how innovation and privacy protection can co-exist,” federal Privacy Commissioner Philippe Dufresne said Monday as the group’s resolution was released.

“By identifying, understanding and mitigating privacy concerns at the outset, governments and stakeholders will engender trust among Canadians and show their commitment to privacy as a fundamental right.”

Systems must be designed and implemented in a manner that upholds privacy, security, transparency, and accountability to be trusted enough to be widely adopted, the group says.

Their resolution was passed at a meeting in late September but only released this week.

Digital ID systems securely verify who people are online. It’s an essential part of the ability of governments to deliver services to residents, and, in certain cases, for businesses to sell products where identification is needed beyond a credit card number — for example, opening a bank account online, getting a loan, or buying insurance. Often digital ID systems will need to connect to government systems, raising a number of privacy issues.

By coincidence the resolution was released a week after the Digital ID and Authentication Council of Canada (DIACC) launched its Voilà Verified Trustmark Program, a certification program that assures a digital identity service complies with the Pan-Canadian Trust Framework (PCTF). The Voilà Verified program allows solution vendors to earn a public-facing trustmark. The program meets the standards of the International Organization for Standardization (ISO).

The PCTF defines client, customer, and individual duty of care in a digital identity system. DIACC is a group of 115 Canadian governments and businesses that has been working for several years to create digital identity standards.

In an email, DIACC president Joni Brennan said it applauds the privacy commissioners for recognizing privacy and transparency as foundational requirements for a digital identity ecosystem that maximizes benefits to people.

Over the last decade, DIACC members have made a significant and sustained investment in developing research, education, and public and private sector collaboration to deliver the Pan-Canadian Trust Framework, she noted. The PCTF defines a duty of care that people and entities should expect from digital identity service providers.

“Auditable privacy requirements are all-encompassing and represented in every PCTF component,” she said. “The PCTF was authored to meet or exceed existing federal, provincial, and territorial privacy legislation and regulations. The PCTF will continue to evolve along with Canadian and international privacy and transparency-focused governance design principles.”

In their resolution the privacy regulators said a digital identity ecosystem should at least meet the following conditions:

  • a privacy impact assessment should be conducted and provided to the oversight body in the early design, development, and update stages of a digital identity system as the project and solution evolve;
  • the privacy implications of identity ecosystem design, functions, and information flows should be transparent to all users of the system;
  • digital identification should not be used for information or services that could be offered to individuals on an anonymous basis, and systems should support anonymous and pseudonymous transactions wherever appropriate;
  • systems should not create central databases;
  • the principle of minimizing personal information must be applied at all stages of the digital identity process: only necessary information should be collected, used, disclosed, or retained. The collection or use of particularly intimate, sensitive and permanent information such as biometric data should be considered only if it is demonstrated that other less intrusive means would not achieve the intended purpose;
  • personal information in an identity ecosystem should not be used for purposes other than assessing and verifying identity or other authorized purpose(s) necessary to provide the service. Ecosystems must not allow tracking or tracing of credential use for other purposes;
  • the security of personal information should be proportional to its sensitivity, the context, and the degree to which it could be desired by malicious actors;
  • digital identity information must be secure from tampering, unauthorized duplication and use;
  • systems should be capable of being assessed and audited, and of being subject to independent oversight;
  • digital identity systems should provide options and alternatives in order to ensure fair and equitable access to government services for all.

In addition, the regulators said, clear and informed consent of the individual should be the basis for exchanging personal information between services. Individuals should be in control of their personal information, and redress to an independent body with adequate resources and powers should be provided for individuals in the event of rights violations.

For their part, governments should be open and transparent about the defined purposes of their digital identity systems.
