OECD seeks comment on its recommendation for digital ID governance
The OECD’s Public Governance Committee and its Working Party of Senior Digital Government Officials have developed a series of recommendations on implementing and governing digital ID at the national and international levels as digital public infrastructure.
The document does not mention biometrics.
It states the Recommendations are based on three pillars: “Developing user-centred and inclusive digital identity systems; Strengthening the governance of digital identity; Enabling cross-border use of digital identity.”
OECD Recommendations are legal instruments adopted by the OECD Council, and while not legally binding, adherents are expected to implement them. The officials are soliciting comment on the draft until 31 March from government officials, civil society organizations, international organizations and interested citizens.
Context and definitions
The draft document sets out the group’s recognition of what digital identities can do, such as potentially simplifying access to government services.
“Establishing a successful digital identity system and widely adopted solutions can simplify interactions, enable personalisation, and reduce the risk of error and fraud,” states the preamble.
“The success of digital identity systems relies on their usability and accessibility by the intended audience, including those who may not have access to technology or digital solutions, to ensure that essential services are available for all.”
It goes on to define all the components of digital identity. Even definitions can be influential. The OECD definition of AI is the basis of that of the EU for the EU AI Act currently under development. This document has been drafted with reference to a large number of other standards documentation from the ISO, W3C, European Telecommunications Standards Institute (ETSI), U.S. National Institute of Standards and Technology (NIST), European Commission, World Bank and UN bodies.
Here comes the real meat of the document, as seven lists of recommendations: on how to implement digital identity systems, minimizing barriers to access and use of digital ID, cross-border use, strengthening governance, privacy protection, building international trust in the systems and aligning legal frameworks to encourage interoperability.
The OECD recommends taking into account the context in which a system will be developed, such as digital maturity, and assessing the needs of both users and service providers, public and private. Products should be accessible to all people and businesses, with minority and vulnerable groups considered. Digital identity must be portable across technologies, sectors and locations.
“The draft highlights the ethics of digital identity, the impact on inclusion and access, on vulnerable groups, but I feel it also recognizes the impact on less-vulnerable groups,” Henk Marsman, principal consultant for IAM at SonicBee, tells Biometric Update. “So basically, the possibility of human harm is recognized.”
Users must be able to control which of their information is shared and with whom, and even whether they use digital identity at all, notes Marsman: “Realizing digital identity is an add-on and not replacement means that during design and operation the context needs to be taken into account, and not every resident/citizen will make use of it.”
OECD adherents are asked to consider the contexts of individuals, communities and service providers as well as the contexts of countries within international identity processes.
“That every digital identity solution is highly contextual and part of a larger eco-system (that addresses the copy-paste tendencies of large vendors and success stories as well as the ‘single system will fail’ syndrome),” comments Marsman. “Recognizing it should fit into a society that is moving to digital and that it relies on other administrations and practices is key to success.”
For governance, it calls for long-term strategy and expectations, involving clearly defined roles for government agencies and authorities within a country. These must foster inclusion. Cooperation between public and private sectors should be encouraged to drive innovation.
Marsman approves of the document mentioning that “the government has a role like somewhat of a ‘market master,’ making sure that private companies’ drive for profit is restrained when it comes to public and basic services, to ensure everyone is included.”
There should be a means of redress built in and even consideration for the environmental impact of technologies used.
“Treat privacy and data protection as fundamental tenets of digital identity systems,” states the OECD document, “and encourage the adoption of privacy-by-design and privacy-by-default approaches that include informed consent, selective disclosure and collection, as well as purpose and use limitations regarding personal data.”
The final two sets of Recommendations cover interoperability and international usage. The leaders hope that countries will establish points of contact to discuss these issues, and that they will open up issuance and recognition of digital identity solutions and attributes to reduce exclusion, such as for foreign workers.
Comments will be collected, moderated and anonymously published. If approved, the overall Recommendation will form the basis for the OECD to “serve as a forum for exchanging information, guidance, and monitoring activities and emerging trends around the governance of digital identity.”
Marsman notes that the document “really honors the title of ‘governance of …’, and that is exactly what is important to redirect digital identity systems that have gone off-path, and the governance of oversight it requires to stay on-path in the first place.”