Regulators set out list of conditions to include in design and operation of ID ecosystem
Privacy regulators across Canada have called on their respective governments and relevant stakeholders to ensure that rights to privacy and transparency are “fully respected” in the design, operation, and evolution of a digital identity ecosystem in the country.
In their resolution, federal, provincial, and territorial privacy commissioners noted that the digital identity ecosystem emerging in Canada and around the world would allow individuals, businesses, and governments to confirm identities and carry out transactions online with a high degree of efficiency and confidence. However, they stressed that while a secure digital identity offers many benefits, it must be designed and adopted to uphold privacy, security, transparency, and accountability.
“The development and implementation of a digital ID ecosystem is a tremendous opportunity to demonstrate how innovation and privacy protection can coexist,” Privacy Commissioner of Canada Philippe Dufresne said. “By identifying, understanding, and mitigating privacy concerns at the outset, governments and stakeholders will engender trust among Canadians and show their commitment to privacy as a fundamental right.”
Accordingly, the commissioners set out a non-exhaustive list of conditions to include in designing and operating a digital identity ecosystem. In particular, they require that a privacy impact assessment be conducted and provided to the oversight body in the early design, development, and update stages of a digital identity system as the project and solution evolve. They also presented the following conditions:
- Digital identification should not be used for information or services that could be offered to individuals on an anonymous basis, and systems should support anonymous and pseudonymous transactions wherever appropriate;
- Personal information in an identity ecosystem should not be used for purposes other than assessing and verifying the identity or other authorized purposes necessary to provide the service;
- Digital identity information must be secured from tampering and unauthorized duplication and use;
- Digital identity systems should provide options and alternatives to ensure fair and equitable access to government services.
The commissioners also require that individual participation in a digital identity ecosystem be voluntary and optional. Moreover, individuals should be able to choose alternative forms of identification, which must be reasonably convenient and accessible, and should be in control of their personal information.
In addition, the commissioners ask governments to be open and transparent about the purposes of the digital identity systems and what personal information will be collected, how it will be used, and by whom; to strengthen existing privacy laws to support digital governance and uphold the principle of “do no harm”; and to establish clear accountability mechanisms to meet their transparency and privacy obligations.
“In addition to having a digital identity ecosystem aligned with internationally recognized standards and best practices, regulatory frameworks must be designed and implemented in a manner that upholds privacy rights and protects personal data in the public and private digital identity ecosystem,” the commissioners wrote. “Such regulatory frameworks should be harmonized across Canada to facilitate interoperability, while respecting federal and provincial jurisdictions.”