Strong data protection regulations key to digital ID success for the UK, says ICO
In a new report, the UK Information Commissioner’s Office (ICO), an independent authority which promotes data privacy, supports the new UK Digital Identity and Attributes Trust Framework and highlights the importance of accountability for the way that personal data will be processed.
As digital ID systems become increasingly common, driven by the COVID-19 pandemic, public trust in the systems is paramount to their success and efficacy. Though planned digital vaccine certificates are in development, the framework does not cover the potential use of COVID-19 certification in the UK.
The ICO supports the establishment of the Framework, published in February, which is grounded in governance and data protection safeguards, including a decentralised approach to mitigate privacy risks like unwarranted intrusion or lack of autonomy.
The body makes some recommendations for the framework to be effective. First, any digital ID system under the framework should be user-centric and clearly establish boundaries for data usage, because profiling data collected for digital identity purposes could be intrusive.
Secondly, formation of robust governance and clear accountability is necessary. Several good governance frameworks for digital ID have been published; for example, identity management company Exostar was accredited to Kantara’s trust framework certificate in January for compliance with security, governance and infrastructure regulations based on NIST standards.
Lastly, organizations operating in the trust framework should have appropriate security measures in place to protect the personal data held in the system. For instance, Jamaica’s national digital identity system came under criticism last month around the safety of public biometric data, which is planned to be held in a centralized system.
It is also important that the UK government watch and learn from other digital identity systems that are in development around the world, says the ICO, while noting that the interoperability of the framework and the regulations surrounding it could be affected by Brexit.
Accountability enables organizations to demonstrate how they respect the public’s data protection rights by complying with the law, therefore unlocking trust and confidence in a system, the ICO suggests. Nigeria’s biometric national digital ID is currently developing a security strategy which focuses on developing a culture of accountability to improve uptake in the program.
Therefore, whilst the introduction of the framework in the UK is a big step forwards, government must proceed in accordance with current data protection laws, and embed accountability from the outset.