Description
Being able to prove you are who you say you are underpins access to a variety of essential services across the public and private sector. This can include reviewing your medical records, traveling abroad, running a business, or opening a bank account. Traditional identity verification involves physical proof of one's identity, such as a birth certificate, driver's licence, ID card, or passport, which are typically provided by trusted government sources and recognise important details like one's name, birthdate, and place of birth.
As essential services have moved online, digital channels have emerged to handle identity verification processes and proofs, and the authentication of verified identity claims. Digital credentials and wallets, eID cards, and mobile ID applications provided by either public or private entities have all contributed to the evolution of the digital identity landscape. Despite these advancements, in many countries there often remains a lack of cross-sector collaboration and interoperability, as well as a poor-quality user experience. As more and more essential services are accessed online and across borders, improving the governance and implementation of digital identity systems in line with user needs becomes important.
The OECD’s Public Governance Committee and its Working Party of Senior Digital Government Officials (E-Leaders) have developed a draft Recommendation on the Governance of Digital Identity that encourages its Adherents to develop and govern digital identity systems as digital public infrastructure. This involves creating and aligning sound and future-proof policies and regulations for solution providers, as well as promoting cross-sector coordination, international collaboration, and a healthy market for identity solutions. The development of digital identity systems should be rooted in the needs of users and service providers, respecting democratic values and human rights, including by ensuring the inclusion of vulnerable groups and minorities, and the protection of privacy.
The draft Recommendation on the Governance of Digital Identity aims to support Adherents’ efforts to ensure reliable and trusted access to digital identity for natural and legal persons that is portable across locations, technologies and sectors.
The draft Recommendation presents a set of principles organised around three pillars:
The consultation is open to government officials, civil society organisations, international organisations and interested citizens and stakeholders.
If approved by the OECD Council, the Recommendation will form the basis for the OECD to serve as a forum for exchanging information, guidance, and monitoring activities and emerging trends around the governance of digital identity.
An OECD Recommendation is a legal instrument adopted by the OECD Council. Recommendations are not legally binding but represent a political commitment to the principles they contain and an expectation that Adherents will do their best to implement them. There are currently around 180 OECD Recommendations in force. For more information, please consult the online Compendium of OECD Legal Instruments.
The aim of the public consultation is to ensure that the final text reflects the experience, needs and aspirations of the international community concerning the governance of digital identity.
Inputs collected during the public consultation will help inform the finalisation of the draft Recommendation. They will be analysed by the OECD Secretariat and a revised version will be discussed by the relevant OECD bodies. Ultimately, the Recommendation will require the approval of the Public Governance Committee, after which it would be presented to the OECD Council for adoption.
Parties interested in commenting on the draft Recommendation can send written comments in English or French to eleaders@oecd.org or comment directly through the Engagement Platform no later than 31st March 2023.
Comments submitted on behalf of another person or group of persons should identify all enterprises or individuals who are members of the collective group, or the person(s) on whose behalf the commentator(s) is/are acting.
Inputs received by email will be analysed and the OECD may publish them, but only in an aggregated and anonymous manner. All comments posted via the Engagement Platform will be subject to moderation but should be expected to be made public.
Any personal data provided as part of this consultation is protected consistent with the OECD Data Protection Rules. If you have further queries or complaints related to the processing of your personal data, please contact the OECD Data Protection Officer. If you need further assistance in resolving claims related to personal data protection you can contact the OECD Data Protection Commissioner.
For further information please contact eleaders@oecd.org.
6. Each sensitive attribute database (SAD) shall be accessible only to the designated database administrator (DDA).
7. Each access to each SAD or to each primary attribute database (PAD) shall be authenticated by a physical authentication key (PAK) complying with FIDO2 or later.
8. The PAK shall not be a smart phone, smart watch, electronic tablet, console, laptop, PC, Mac, workstation, server, or other electronic device that permits the uploading or downloading of data other than the SAD or PAD authentication code generated by the PAK and other necessary data transmitted between the PAK and the SAD or PAD.
9. The PAK shall be secured at all times around the DDA's neck on a cloth lanyard of at least 1,000 N tensile strength that identifies the site owner of the lanyard with an email address, telephone number and prepaid return postage post box address.
10. The PAK on its lanyard shall be secured in an industry-standard secure safe or vault when the DDA is not at work.
1. Date of birth (DOB), place of birth (POB) and biometric data (BD) shall be designated as unchangeable sensitive attributes (USA).
2. Health data shall be designated as changeable sensitive attributes (CSA).
3. USA and CSA shall only be kept in a sensitive attribute database (SAD) if no other reasonable means exists to authenticate their owner's identity.
4. Each SAD shall be cross-linked to, but separate from and not a part of, the primary attribute database (PAD) of non-sensitive attributes containing each person's other identifying attributes, eg last name, first name, residential address, email address, landline, mobile number.
5. Each SAD and each PAD shall be at least 256-bit encrypted and protected by an alphanumeric User ID at least twelve characters in length that is not an email address, a randomly generated alphanumeric password at least 20 characters in length, and a physical authentication key (PAK) complying with FIDO2 or later.
1. Attributes are time or location based, changeable by the user, eg names, or fixed eg date of birth (DOB); place of birth (POB); biometrical data (BD) (eg blood type; fingerprints & iris scans; face recognition; height; gait; genome; chromosomes; biological sex at birth; ethnicity; skin colour/tone).
2. Health and biometrical data may be transient but sensitive (eg HIV/AIDS; current chosen gender).
3. Attributes created by governments are changeable, eg passport #, driver licence #, social security #, if such data has been stolen to be used to hijack the identity of a natural or legal person and their title to realty or non-realty.
4. Fixed attributes, eg DOB, POB, BD, being unchangeable, if stolen present timeless risk to a natural or legal person whose identity may be stolen and hijacked by third parties.
5. Fixed attributes but not changeable attributes must be protected therefore as sensitive personal data.
Shall read:
Attribute refers to a verified quality or characteristic ascribed to a user, which may be changeable by the user eg name, uniqueness identifier (eg driver licence #, passport #, personal ID #, social security #, company registration #) and address; or fixed eg date of birth, place of birth, biometrical data (eg blood type, fingerprints & iris scans, face recognition, height, gait, genome, chromosomes, biological sex at birth; ethnicity; skin colour/tone) in electronic form;
The theft of a user's attributes and/or the user's credential shall constitute a serious crime within the meaning of the criminal law, punishable by a fine of more than $10 thousand but less than $10 million and a period of incarceration not to exceed 20 years and not less than five years.
1. A changeable attribute may be changed by the user, eg name, address, or at the user's behest changed by a credential provider, eg by a government.
2. A credential provider shall cancel and change a user's changeable attributes and reissue the user's credential with the changed attributes when a user reasonably requests such change, eg if a third party has stolen the user's changeable attributes and/or the user's credential.
3. The credential provider shall not charge a fee for this change greater than the fee charged for renewing the existing credential.
4. The credential provider shall take all reasonable steps to ensure the stolen credential and the stolen attributes cannot be used by a third party to hijack the user's identity.
5. If the credential provider fails to take all reasonable steps to protect the user's identity following theft of the credential and/or attributes, then the provider shall compensate the user.