A comprehensive legal framework begins with policies, legislation, and regulations to define and govern the ID system, including its mandate, design, institutions, characteristics, relationships, accountabilities, oversight, and more. Given the specificity of enabling legislation to the country and legal context, it is not possible to enumerate all possible aspects or features to be addressed by such policies, laws and regulations here. However, many of the policy choices enumerated in Section II. Key Decisions will need to be supported by—or reflected in—the legal framework. These could include, but are not limited to:

  • The scope and purpose of the ID system (e.g., that the purpose of the ID is to provide a foundational, universal digital identity)

  • Eligibility requirements for registration in the ID system (e.g., that it is open to all ages and not linked to nationality)

  • System specifications (e.g., that it will involve the establishment of a population register with a unique, random identifier, which data will be collected, etc.)

  • The creation, mandate, independence, and budget of the entity that oversees the ID system

  • The operation and staffing of this authority, including the selection criteria for and terms and conditions of appointments, as well as dismissal of key employees

  • The form, role, and process of appointments of any governance mechanisms (e.g., a board)

  • The interoperability of the ID system with other systems (e.g., the civil register, other government systems, and private sector actors)

  • Data sharing and transfer policies

  • Grievance redress mechanisms

  • The mutual recognition of the ID within the country and across borders

  • Whether the ID system will be bound by open standards and technology neutrality

In particular, creating a coherent and trusted ID system with wide coverage requires an overarching legal and policy framework that provides transparent and comprehensive institutional mandates and accountability. The role of each actor in the identity ecosystem should be clear and publicly available, as should responsibilities within each institution. Identity providers should establish memoranda of understanding (MOUs) or equivalent with other agencies for the exchange and use of data and for authentication and verification services.