ITBusiness.ca

Privacy rights must be respected in digital ID systems, say Canadian regulators

As Canada’s public and private sectors launch new digital identity programs, federal, provincial, and territorial regulators say rights to privacy and transparency must be fully respected throughout their design and operation.

“The development and implementation of a digital ID ecosystem is a tremendous opportunity to demonstrate how innovation and privacy protection can co-exist,” federal Privacy Commissioner Philippe Dufresne said Monday as the group’s resolution was released.

“By identifying, understanding and mitigating privacy concerns at the outset, governments and stakeholders will engender trust among Canadians and show their commitment to privacy as a fundamental right.”

Systems must be designed and implemented in a manner that upholds privacy, security, transparency, and accountability to be trusted enough to be widely adopted, the group says.

Their resolution was passed at a meeting in late September but only released this week.

Digital ID systems securely verify who people are online. It’s an essential part of the ability of governments to deliver services to residents, and, in certain cases, for businesses to sell products where identification is needed beyond a credit card number — for example, opening a bank account online, getting a loan, or buying insurance. Often digital ID systems will need to connect to government systems, raising a number of privacy issues.

By coincidence the resolution was released a week after the Digital ID and Authentication Council of Canada (DIACC) launched its Voilà Verified Trustmark Program, a certification program that assures a digital identity service complies with the Pan-Canadian Trust Framework (PCTF). The Voilà Verified program allows solution vendors to earn a public-facing trustmark. The program meets the standards of the International Organization of Standardization (ISO).

The PCTF framework defines client, customer, and individual duty of care in a digital identity system. DIACC is a group of 115 Canadian governments and businesses that has been working for several years to create digital identity standards.

In an email, DIACC president Joni Brennan said it applauds the privacy commissioners for recognizing privacy and transparency as foundational requirements for a digital identity ecosystem that maximizes benefits to people.
Over the last decade, DIACC members have made a significant and sustained investment in developing research, education, and public and private sector collaboration to deliver the Pan-Canadian Trust Framework, she noted. The PCTF defines a duty of care that people and entities should expect from digital identity service providers.

“Auditable privacy requirements are all-encompassing and represented in every PCTF component,” she said. “The PCTF was authored to meet or exceed existing federal, provincial, and territorial privacy legislation and regulations. The PCTF will continue to evolve along with Canadian and international privacy and transparency-focused governance design principles.

In their resolution the privacy regulators said a digital identity ecosystem should at least meet the following conditions:

In addition, the regulators said, clear and informed consent of the individual should be the basis for exchanging personal information between services. Individuals should be in control of their personal information, and redress to an independent body with adequate resources and powers should be provided for individuals in the event of rights violations.

For their part, governments should be open and transparent about the defined purposes of their digital identity systems.

Exit mobile version