Letter to the Standing Committee on Access to Information, Privacy and Ethics on International Privacy Best Practices For Digital Identity

June 20, 2022

BY EMAIL

Mr. Pat Kelly, M.P.
Chair
Standing Committee on Access to Information, Privacy and Ethics
House of Commons
Sixth Floor, 131 Queen Street
Ottawa, Ontario, K1A 0A6

Dear Mr Chair:

Subject: International Privacy Best Practices For Digital Identity

At Commissioner Therrien’s appearance before the Standing Committee on Access to Information, Privacy and Ethics on June 2, 2022, he was asked to provide the Committee with examples of international best practices regarding the use of digital identity. I am pleased to provide the following information in response to this request.

As you are aware, digital identities have emerged as one way to facilitate more efficient online access to goods and services while adapting to evolving security risks. At the same time, they can also evoke concerns of tracking and surveillance, the use of data for marketing or profiling purposes, the loss of anonymity in routine activities, and the potential for data breaches.

It should be noted, however, that many of these concerns can be addressed with an appropriately designed digital identity system. The following represents a non-exhaustive list of privacy best practices that should be fundamental features of the design of digital identity initiatives:

• Use of these systems should be transparent and controlled by the individual.
• Information should only be shared between services with clear consent of the individual.
• Systems should be designed to prevent personal information from being collected, used or disclosed for other purposes beyond identity verification, such as marketing or profiling;
• Systems must be protected by strict security protocols, including the use of encryption;
• Frameworks enabling digital identity systems must include clear accountabilities; and, Systems must be capable of being evaluated, audited, subject to independent oversight and enforcement.

Globally, several jurisdictions have operational digital identity systems, with many others at varying stages of the development process. To help inform the design of these systems, institutions such as the Organization for Economic Co-operation and Development^{Footnote 1} (OECD) and Digital Government Exchange^{Footnote 2} (DGX) have also published reports and recommendations on this subject. You will find below examples of jurisdictions which have incorporated privacy best practices into their digital identity initiatives.

To support transparency and user-centricity of digital identity systems, they should be consent-based and individuals should be given control over the personal information that may be disclosed to other parties for identification purposes. This is the case in Portugal, where the Autenticação.Gov platform gives individuals control over the data attributes that are passed on to the service provider.^{Footnote 3} In other jurisdictions, such as Austria, Spain, Denmark, and Estonia, there are data traceability functions and citizens are able to access an audit trail or activity log detailing how their digital identity data have been accessed and used.^{Footnote 4}

A decentralized digital identity model generally affords individuals greater control over their personal data, reducing risks related to compromised cybersecurity and unintended sharing as compared to a centralized model. The United Kingdom recently consulted on their digital identity trust framework, which proposed a decentralized approach.^{Footnote 5} Self-sovereign identity (SSI) is one type of decentralized model that facilitates on-device storage and removes the need for centralized administration.^{Footnote 6} This model, which is being adopted by several countries including South Korea and Finland, limits the possibility for tracking within its design.^{Footnote 7}

The principles of necessity, proportionality, purpose specification, and limiting collection and use are internationally recognized and key aspects of Canadian privacy law. Digital identities should not involve the collection, use, or disclosure of personal information beyond the purpose of verifying identity, such as for marketing or profiling. The UK digital identity framework explicitly prohibits profiling, and the creation of aggregate data sets to reveal sensitive information about users^{Footnote 8}.

Given the potential harm that could be caused by a breach of one’s digital identity, high security safeguards are needed to prevent identity theft or fraud. In France and Australia, digital identities are based on cryptographic processes to increase security.^{Footnote 9} The OECD recommends the use of two-factor authentication to ensure access is being granted by the legitimate party.^{Footnote 10} In Italy and Singapore, two-factor authentication is required in most cases.^{Footnote 11}

Finally, we note the importance of strong oversight of these systems, allowing for consumers to seek redress from independent review bodies. The UK’s digital identity consultation document highlighted the need for a complaints process and redress options outside of the courts to resolve any harms.^{Footnote 12} The World Bank also recognized the need for independent oversight and a means for the adjudication of grievances in their set of principles for digital identity.^{Footnote 13} Redress options are particularly important if digital identities are used for automated decision-making, which may be subject to bias or other inaccuracies.

We hope this information is of assistance to you, and welcome the opportunity to expand in more detail, should you wish.

Sincerely,