UNDP data protection report shares advice on digital identity policy

The United Nations Development Programme (UNDP) partnered with the Centre for Communication Governance at National Law University Delhi to produce “Drafting Data Protection Legislation: A Study of Regional Frameworks,” a report on the importance of data protection for legal identity as more countries develop digital public infrastructure (DPI) and digital ID schemes.
The right to a legal identity is considered a universal human right. Target 16.9 of the Sustainable Development Goals sets out to affirm this right by providing “legal identity for all, including birth registration, by 2030.”
The process of granting legal identity involves collecting extensive personal data. Countries with growing DPI like India, Mexico, and Estonia are also overseeing a growing volume of data on all citizens, including biometric data, increasing the risk of data breaches, excessive surveillance, and other privacy risks. Digital ID systems may also introduce “inherent error rates,” UNDP warns, or involve commercial partners, potentially increasing data privacy risks.
Nations can mitigate privacy risks by developing comprehensive data privacy laws. The report is intended to help member states develop data protection legislation and regulatory frameworks for the protection of data privacy.
The report covers data protection principles, individuals’ rights over their own data, and special considerations for the data of children. It also covers data sharing across borders.
Data protection principles explored in the report include concepts around consent, notice and transparency. The report also covers the life cycle of data from before it is collected to how it is managed.
The principles of confidentiality, integrity and availability, or the “CIA triad,” provide the basis for keeping data secure. They ensure data remains unchanged and that it is available to the intended parties while remaining unavailable to all others.
The report also covers preserving the rights of data subjects. Beyond notice and consent, a framework should give individuals the right to rectify inaccurate data, especially when that data is used in an automated decision-making process that could exclude them from public welfare services they are actually entitled to.
Children may be particularly vulnerable to personal data use risks, especially as education systems are increasingly digitized. Regulations must manage age of consent and age verification methods with regard to children, particularly if they are included in digital ID systems, as in Aadhaar.
Businesses may need to share data across national borders. In these cases, the territory receiving the data should have adequate data protection.