Description
Being able to prove you are who you say you are underpins access to a variety of essential services across the public and private sector. This can include reviewing your medical records, traveling abroad, running a business, or opening a bank account. Traditional identity verification involves physical proof of one's identity, such as a birth certificate, driver's licence, ID card, or passport, which are typically provided by trusted government sources and recognise important details like one's name, birthdate, and place of birth.
As essential services have moved online, digital channels have emerged to handle identity verification processes and proofs, and the authentication of verified identity claims. Digital credentials and wallets, eID cards, and mobile ID applications provided by either public or private entities have all contributed to the evolution of the digital identity landscape. Despite these advancements, many countries still often see a lack of cross-sector collaboration and interoperability, and a poor-quality user experience. As more and more essential services are accessed online and across borders, improving the governance and implementation of digital identity systems in line with user needs becomes important.
The OECD’s Public Governance Committee and its Working Party of Senior Digital Government Officials (E-Leaders) have developed a draft Recommendation on the Governance of Digital Identity that encourages its Adherents to develop and govern digital identity systems as digital public infrastructure. This involves creating and aligning sound and future-proof policies and regulations for solution providers, as well as promoting cross-sector coordination, international collaboration, and a healthy market for identity solutions. The development of digital identity systems should be rooted in the needs of users and service providers, respecting democratic values and human rights, including by ensuring the inclusion of vulnerable groups and minorities, and the protection of privacy.
The draft Recommendation on the Governance of Digital Identity aims to support Adherents’ efforts to ensure reliable and trusted access to digital identity for natural and legal persons that is portable across locations, technologies and sectors.
The draft Recommendation presents a set of principles organised around three pillars:
The consultation is open to government officials, civil society organisations, international organisations and interested citizens and stakeholders.
If approved by the OECD Council, the Recommendation will form the basis for the OECD to serve as a forum for exchanging information, guidance, and monitoring activities and emerging trends around the governance of digital identity.
An OECD Recommendation is a legal instrument adopted by the OECD Council. Recommendations are not legally binding but represent a political commitment to the principles they contain and an expectation that Adherents will do their best to implement them. There are currently around 180 OECD Recommendations in force. For more information, please consult the online Compendium of OECD Legal Instruments.
The aim of the public consultation is to ensure that the final text reflects the experience, needs and aspirations of the international community concerning the governance of digital identity.
Inputs collected during the public consultation will help inform the finalisation of the draft Recommendation. They will be analysed by the OECD Secretariat and a revised version will be discussed by the relevant OECD bodies. Ultimately, the Recommendation will require the approval of the Public Governance Committee after which it would be presented to the OECD Council for adoption.
Parties interested in commenting on the draft Recommendation can send written comments in English or French to eleaders@oecd.org or comment directly through the Engagement Platform no later than 31st March 2023.
Comments submitted on behalf of another person or group of persons should identify all enterprises or individuals who are members of the collective group, or the person(s) on whose behalf the commentator(s) is/are acting.
Inputs received by email will be analysed and the OECD may publish them, but only in an aggregated and anonymous manner. All comments posted via the Engagement Platform will be subject to moderation but should be expected to be made public.
Any personal data provided as part of this consultation is protected consistent with the OECD Data Protection Rules. If you have further queries or complaints related to the processing of your personal data, please contact the OECD Data Protection Officer. If you need further assistance in resolving claims related to personal data protection you can contact the OECD Data Protection Commissioner.
For further information please contact eleaders@oecd.org
Recognizing digital identity solutions, associated attributes, and credentials from other countries and integrating them into the domestic identity framework.
The roadmap should identify the key milestones, timelines, resource requirements, and potential risks associated with each of these initiatives. Additionally, it should be regularly reviewed and updated to ensure alignment with the overall strategic objectives of the organization.
Q: Is the roadmap supposed to be designed by each country? I believe that implies more difficulties in evaluating compliance to the standards, and longer implementation times.
Q: Who is the owner of the Data, The Government or the Person? I ask because I see some GDPR related problems in a lot of current projects of the eID ecosystem. Example:
SWIFT wants to serve as a global registry for KYC, so that all banks could connect to them and verify KYC against a huge, complete and global DB. The problem with this is that the USER DATA, including biometric maps and other metadata, are:
A) Traveling across borders, and in the US, META and Google were having trouble with their users' data being transferred outside of the US, if I remember right. That will be a problem with that approach.
B) Based on the 2nd question. If the Data is owned by the person, neither the gov nor a private company should be accessing the data without the user's consent. This is being done currently and planned 1/2
Thank you for your response and for raising some important questions regarding the ownership of data and the challenges involved in designing a roadmap for integrating digital identity solutions from other countries. To answer your first question, the roadmap for integrating digital identity solutions can be designed at different levels - it could be done at the country level or at the international level, depending on the specific context and objectives of the organization. Regardless of the level at which it is designed, it is important to ensure that the roadmap is aligned with overall strategic objectives and takes into account key milestones, timelines, resource requirements, and potential risks associated with each initiative. Regarding your second question, the ownership of data is a complex issue that may vary depending on the legal and regulatory framework of each country.
However, it is generally recognized that individuals should have control over their own personal data, and any collection, processing, and sharing of personal data should be done in accordance with applicable privacy and data protection laws. In the case of the example you provided, it is important to ensure that the user's consent is obtained before their data is shared with SWIFT or any other entity.
In conclusion, integrating digital identity solutions from other countries can be challenging, but it is essential to ensure interoperability and facilitate cross-border transactions. It is important to address issues such as data ownership and privacy, and to design a roadmap that takes into account key milestones, timelines, resource requirements, and potential risks associated with each initiative. Ultimately, the goal should be to develop a digital identity framework that is secure, trustworthy, and respects the rights and privacy of individuals.
The SWIFT approach is ideal in terms of topology, but not ideal from the Data Privacy and Ownership perspective.
There are a lot of KYC service providers sharing user data without user consent, in order to run AML/ATF and anti-fraud related tasks for onboarding and KYC regulatory compliance.
Are there any recommendations in that aspect? Data Ownership. Or is that something that each adherent defines based on local jurisdictions?
Then, an example of Self Sovereign Data and ID (SSI) could be seen in VC-DIDs implementations like:
TBD (web5) https://www.tbd.website/
Dock.io (DID+Blockchain) https://www.dock.io/
Civic (web3) https://www.civic.com/
2/3 ( I need to add one more )
Thank you for raising the concern regarding data privacy and ownership in digital identity solutions. It is a crucial aspect that needs to be considered when designing and implementing any digital identity framework. The Self-Sovereign Identity (SSI) model that you have mentioned seems to be a promising solution that can give individuals control over their personal data. In terms of data ownership, it is true that the legal frameworks and regulations surrounding data privacy can vary across jurisdictions. However, the principles of giving users control over their personal data and ensuring that any sharing of data is done only with explicit user consent are generally accepted as best practices. Therefore, it is important to ensure that any digital identity solution adheres to these principles and is in compliance with relevant laws and regulations.
"from other countries to be recognised domestically." -- This implies that the Data Schemas are non-standard and need to be "translated" in order to interoperate. ( which is the case in Costa Rica )
Again, if I was given the task to implement the recommendations, having a recommended schema to use would make things way easier and faster to implement.
We should recommend the Schema.org standards for all entities, along with the W3C standards for VCs and DIDs. https://schema.org/docs/schemas.html
I would use a lot of information and examples from the SWIFT and GLEIF websites. Especially the GLEIF website has a lot of the things that this recommendation is asking for.
https://www.gleif.org/en/about/this-is-gleif
Thank you for your response and for highlighting the importance of having standardized data schemas when integrating digital identity solutions from other countries. Indeed, the interoperability of digital identity solutions can be challenging due to the differences in data schemas used by different countries. I appreciate your recommendation of using the Schema.org standards for all entities, along with the W3C standards for VCs and DIDs. These standards are widely recognized and can help ensure interoperability between different digital identity solutions. Additionally, using standardized data schemas can help facilitate the implementation process and make it faster and more efficient. I also agree that the SWIFT and GLEIF websites can provide useful information and examples that can be used when implementing digital identity solutions.