Description
Being able to prove you are who you say you are underpins access to a variety of essential services across the public and private sector. This can include reviewing your medical records, traveling abroad, running a business, or opening a bank account. Traditional identity verification involves physical proof of one's identity, such as a birth certificate, driver's licence, ID card, or passport, which are typically provided by trusted government sources and recognise important details like one's name, birthdate, and place of birth.
As essential services have moved online, digital channels have emerged to handle identity verification processes and proofs, and the authentication of verified identity claims. Digital credentials and wallets, eID cards, and mobile ID applications provided by either public or private entities have all contributed to the evolution of the digital identity landscape. Despite these advancements, in many countries there often remains a lack of cross-sector collaboration and interoperability, as well as a poor-quality user experience. As more and more essential services are accessed online and across borders, improving the governance and implementation of digital identity systems in line with user needs becomes important.
The OECD’s Public Governance Committee and its Working Party of Senior Digital Government Officials (E-Leaders) have developed a draft Recommendation on the Governance of Digital Identity that encourages its Adherents to develop and govern digital identity systems as digital public infrastructure. This involves creating and aligning sound and future-proof policies and regulations for solution providers, as well as promoting cross-sector coordination, international collaboration, and a healthy market for identity solutions. The development of digital identity systems should be rooted in the needs of users and service providers, respecting democratic values and human rights, including by ensuring the inclusion of vulnerable groups and minorities, and the protection of privacy.
The draft Recommendation on the Governance of Digital Identity aims to support Adherents’ efforts to ensure reliable and trusted access to digital identity for natural and legal persons that is portable across locations, technologies and sectors.
The draft Recommendation presents a set of principles organised around three pillars:
The consultation is open to government officials, civil society organisations, international organisations and interested citizens and stakeholders.
If approved by the OECD Council, the Recommendation will form the basis for the OECD to serve as a forum for exchanging information, guidance, and monitoring activities and emerging trends around the governance of digital identity.
An OECD Recommendation is a legal instrument adopted by the OECD Council. Recommendations are not legally binding but represent a political commitment to the principles they contain and an expectation that Adherents will do their best to implement them. There are currently around 180 OECD Recommendations in force. For more information, please consult the online Compendium of OECD Legal Instruments.
The aim of the public consultation is to ensure that the final text reflects the experience, needs and aspirations of the international community concerning the governance of digital identity.
Inputs collected during the public consultation will help inform the finalisation of the draft Recommendation. They will be analysed by the OECD Secretariat and a revised version will be discussed by the relevant OECD bodies. Ultimately, the Recommendation will require the approval of the Public Governance Committee after which it would be presented to the OECD Council for adoption.
Parties interested in commenting on the draft Recommendation can send written comments in English or French to eleaders@oecd.org or comment directly through the Engagement Platform no later than 31st March 2023.
Comments submitted on behalf of another person or group of persons should identify all enterprises or individuals who are members of the collective group, or the person(s) on whose behalf the commentator(s) is/are acting.
Inputs received by email will be analysed and the OECD may publish them, but only in an aggregated and anonymous manner. All comments posted via the Engagement Platform will be subject to moderation but should be expected to be made public.
Any personal data provided as part of this consultation is protected consistent with the OECD Data Protection Rules. If you have further queries or complaints related to the processing of your personal data, please contact the OECD Data Protection Officer. If you need further assistance in resolving claims related to personal data protection you can contact the OECD Data Protection Commissioner.
For further information, please contact eleaders@oecd.org.
We may expect to see extraordinary efforts made by hostile state actors, acting in cahoots with organised crime groups, terrorists and others, to infiltrate, penetrate, capture, steal, download, sell, transmit, and disseminate stolen digital identities, in order to hijack user identities, to cause loss of assets and income, other financial losses, distress, chaos, widespread alarm, fear, and panic amongst users and governments. Technology races ahead. Processor speeds double every 18 months. Crime does not rest. There is no room for complacency. Quis custodiet ipsos custodes?
Shall read:
XIII. 4. Report to Council on the implementation, dissemination and continued relevance of this Recommendation no later than two years following its adoption and at least every five years thereafter.
XIII. 4. Regularly report to Council on the implementation, dissemination, and continued relevance of this Recommendation to ensure its effectiveness and appropriateness in light of the evolving digital landscape. The first report should be submitted no later than two years following its adoption, with subsequent reports submitted at least every five years thereafter;
I see a problem with Countries having to report compliance and advance on their own. Instead, not only for this set of recommendations, the OECD should implement a tool that performs automatic tests on the countries' systems. This is because:
A) When administration changes, a lot of projects are left unattended with no real Ownership. Years could go by and no one would be in ownership of these projects until 5 years have passed and somehow we are notified, then we run to report, and in my experience, sometimes we are evaluated high for these recommendations and the solutions are not implemented, and not effective.
B) I personally believe there might be cases where someone reports a vague document or answers, even URLs to websites and the tools, but the tools don't work, or there are no resources or people in charge of the tools and requests.
Is there a checklist at least of what a country should report in order to comply AND, a description on HOW the team in charge .. 1/2
I can understand your concerns regarding the potential lack of compliance and effectiveness of digital identity solutions and the need for a more comprehensive approach to monitoring their implementation. In response to your suggestion for the OECD to implement a tool that performs automatic tests on countries' systems, I agree that this could be a useful measure for ensuring ongoing compliance and effectiveness. However, it is important to note that such a tool would likely require significant resources and development to create and maintain. Regarding your question about whether there is a checklist for countries to report in order to comply, I believe that the OECD could develop such a checklist to provide clear guidance on what should be included in each country's report. Additionally, it would be helpful for the OECD to provide a description of how the team in charge of monitoring compliance and effectiveness would evaluate these reports and take action if necessary.
Overall, I agree that regular monitoring and reporting on the implementation and effectiveness of digital identity solutions is essential for ensuring their ongoing relevance and alignment with the evolving digital landscape.
of the implementations can make sure all the systems and recommendations are in compliance and FUNCTIONAL?
e.g. Something like a list of TESTS to be run for both the implementers as well as by the OECD to make sure the recommendations are functional across the years? Like Quality Assurance Automation Guidelines (similar to how a website is tested by agencies and QA teams)
Your suggestion regarding implementing a list of tests to ensure the functionality and compliance of the systems and recommendations is an excellent idea. Quality assurance automation guidelines can help in ensuring that the systems and recommendations are tested by implementers as well as the OECD to ensure that they remain functional and compliant over time. Regular reporting to the Council on the implementation, dissemination, and continued relevance of the recommendation is also crucial to ensure its effectiveness and appropriateness in the evolving digital landscape. The use of quality assurance automation guidelines can assist in monitoring and assessing the implementation of the recommendation.