World Bank, African DPAs outline formula for trusted digital identity, DPI

Trust has moved steadily to the center of the conversation around digital public infrastructure and identity at ID4Africa, and the 2026 AGM addressed the topic directly with a Friday presentation led by the World Bank.

The data lifecycle is not a familiar concept, let alone a well understood one, for most people around the world. But any weakness within it can break the trust of an individual or the general public.

99 problems but user fraud ain’t one

World Bank Digital Development Specialist Prakhar Bhardwaj noted that Kenya, India and Uganda all have successful digital ID systems, but suffered legal or operational break-downs due to weak safeguards in the data collection process.

He also explained a hypothetical example of how trust is tested at each point in the data lifecycle. The rural farmer in the example suffers from a range of problems including unmatched biometrics and false allegations of fraud. She is isolated from the authorities which are supposed to help, and not only loses trust in the hypothetical digital identity system herself, but also serves as a negative example for her neighbors.

His colleague Dr. Zhijun William Zhang identified six separate risks with storing identity data, from inconsistent vendor maturity through single points of failure, function creep, cryptographic gaps and weak insider threat controls to absent incident reporting and redress mechanisms. Cryptographic effectiveness also erodes over time.

Government databases in Bangladesh, the Philippines and Brazil have all suffered data breaches contributing to public mistrust, despite the latter being considered a digitally mature nation.

Practical risks in data processing have already led to problems in the Netherlands, in the form of a biased fraud risk assessment algorithm, and in India in the form of function creep.

The growth of DPI also creates an ever-larger attack surface. Defenses must therefore be constantly enhanced to cover the new territory, Zhang says.

Oversight must therefore be in place at the organizational level, as well by an independent party, which should handle redress. And stakeholders must collaborate, even and especially under stress.

DPAs and trust in DPI

Taylor Reynolds from the World Bank then moderated a panel featuring Lorpu Page, ED of Liberia’s Independent Information Commission, Amouda Abou Seydou, advisor and rapporteur to Benin’s APDP and Drudeisha Madhub, data protection commissioner for Mauritius.

Liberia’s data protection bill to empower the data protection commission is currently going through the country’s legislature.

Reynolds emphasized that while DPI is inherently data-intensive, data protection authorities are frequently under-resourced.

Weak trust is behind many data localization laws on the continent, Madhub noted, yet weak enforcement regular non-compliance results in the remedy worsening the harm. Digital forensics, cybersecurity, data protection and data governance must all go together, she says.

Benin set up the APDP to operate as one piece of the broader ecosystem in part to ensure its data protection principles are operational, Seydou says. Effective data protection implementation requires reliable supporting partners, Page added.

Businesses have been known to plead ignorance about data protection, which is why Mauritius mandated chief data officers. While the country is relatively advanced in its data protection regime, it is introducing amendments to its existing law to bring in administrative fines, which take less time than prosecution.

For data protection measures to increase trust, the public must also be aware of them, Seydou pointed out. Yet resource-constrained DPAs are not well positioned to run population-scale sensitization campaigns.

And people must trust the DPA in order to bring forward problems that can reduce trust in DPI and digital identity systems, said Page.

The proliferation of AI introduces another wrinkle, and an opportunity for organizations to use data in a way that was not even possible when it was collected. Benin has a specific policy for AI, according to Seydou, but also strict purpose limitations around data processing.

When compliance is breached, it does not need to result in a lengthy and expensive court battle. Madhub revealed that her office has issued 3,000 enforcement actions a year, but 99 percent of them are resolved through an amicable dispute resolution process, so do not need to proceed to prosecution.

In Benin, a government liaison provides a bridge between the DPA and the rest of the government. Seydou provided an example of how civil cooperation should work in his office’s interaction with the country’s electoral agency to have extraneous information stripped out of the electoral roll to make it compliant prior to its publication.

The benefit of cooperation also extends to DPAs themselves. Mateo Garcia Silva, digital transformation consultant with the World Bank and Rose Mosero, data protection and cybersecurity advisor to the East Africa Community (EAC) followed the panel with a discussion how data protection authorities work together under regional and continental frameworks.

The EAC has created a body to allow the DPAs of its eight member states to share knowledge to build capacity, align their practices, and if necessary, collaborate on investigations.

Careful system architecture, cybersecurity and data protection that is both enforced and at least somewhat understood by the public are therefore all part of the formula for digital identity systems that deserve the trust of citizens and businesses alike.

Article Topics

Benin  |  biometrics  |  data protection  |  digital identity  |  digital public infrastructure  |  digital trust  |  ID4Africa  |  ID4Africa 2026  |  Liberia  |  World Bank