ID authority and governance structure

For new ID systems, choosing the institutional home and governance structure of the ID authority is a first-order decision. ID authorities are specialized entities responsible for implementing and/or overseeing the collection, verification, storage, and sharing of personal identity data, credential issuance, and the verification and authentication of identity data. They are also typically responsible for public engagement and grievance redress.

In order for an ID system to succeed, this entity must be empowered by law and political will and should demonstrate the capacity to serve as a champion of identity, a convener of multiple stakeholders, and an effective implementor and/or overseer. Because of the sensitive nature of its responsibilities, the ID authority should spend considerable time and resources to build the confidence of the public in its capabilities. The responsibility of the ID authority should be clearly defined and should be balanced and managed with the assistance of other government agencies, the private sector, and broader identity stakeholders. Strong provisions for the effective governance of the ID authority must be put in place.

As shown in Table 24 and Table 25, there are multiple potential institutional arrangements for an ID authority:

  • It can be an autonomous entity governed by a board representing stakeholders, or with direct cabinet- or executive-level reporting

  • Alternatively, it may be an agency or directorate within an existing ministry or department, also potentially governed by a board

  • It may be responsible for ID only, or for ID and civil registration

The adoption of one model over another is typically a function of the historical development of these systems, as well as institutional capacity and political considerations. In many countries, legacy identification and civil registration systems have traditionally been located in Ministries of Interior, Home Affairs, Justice, or Local Government, and local government has typically been involved in frontline service delivery. In contrast, autonomous ID providers (e.g., India, Peru, Nigeria) are a relatively new phenomenon, and have been adopted over the past few decades to implement new ID systems in countries where legacy systems were weak or non-existent. The emergence of autonomous ID authorities also reflects a fundamental paradigm shift from ID systems being used to control or monitor the population to systems that enable services and inclusion for the entire government or economy.

Table 24. Institutional arrangements for ID authority

Same as central CR or NPR

  • Agency or Directorate within Ministry: Botswana, Chile, Ecuador, Indonesia, Jordan, Namibia, Rwanda, Thailand (most have separate units for ID/CR within agency, and local governments)

  • Semi- or Fully-Autonomous Agency: Peru, Philippines (planned PhilSys system)

Different than CR or NPR

  • Agency or Directorate within Ministry: Kenya, Morocco, Spain

  • Semi- or Fully-Autonomous Agency: India, Ghana, Nigeria

Although unifying the administration of ID and CR is not a requirement for implementing an ID system, it can create a number of efficiencies. Ensuring legal identity from birth, for example, requires strong linkages between ID and CR, which may be operationally easier if both are the responsibility of one agency. At the same time, however, linking ID and CR systems can also be accomplished by separate departments or agencies that operate under a strong framework of cooperation and coordination, with appropriate mandates under relevant laws and regulations and with technical interoperability.

As the more “modern” institutional arrangement for managing ID systems, autonomous authorities have a number of advantages:

  • Establishing a new ID agency can be a “clean break” with the past and help interrupt cycles of inefficiency or legacies from unsuccessful previous projects.

  • Autonomous agencies can potentially be seen by other ministries as “neutral” and a service provider, and thus in a position to avoid legacy or institutional mandate conflicts between existing ministries.

  • In certain contexts, autonomous, independent agencies may be more trusted by the population to manage personal data than ministries or departments linked to national security and law enforcement.

  • Autonomous authorities that manage their own staffing and resources may be better able to implement meritocratic hiring practices that attract top talent and ensure sufficient technical capacity.

  • Fiscal autonomy gives authorities the ability to raise their own revenue (e.g., through fees for services), potentially making them self-sustaining.

  • Particularly where they have some amount of fiscal independence, autonomous authorities may be better able to maintain independence during political transitions (i.e., elections).

At the same time, however, creating a new authority with sufficient power and capacity may be difficult in certain contexts.

In a data-centric world, the role of any authority that deals with identity will grow in importance over time, as more data accumulates and dependency on the system increases. To maintain checks and balances over such organizations, a robust multi-layer institutional governance structure is needed.

As summarized in Table 25, ID authorities that are agencies or directorates within an existing ministry will report to that ministry, while there are several different potential governance models for autonomous agencies, including reporting directly to the executive branch (e.g., a presidential office or cabinet) or to a board of directors.

Table 25. Governance models for ID providers

Organizational Type (with examples)
Autonomous, with direct Cabinet- or Executive-level reporting
  • India: Initially, the Unique Identification Authority of India (UIDAI) was set up as an organization attached to the Planning Commission of India, reporting to a Chairman who had the status of a cabinet minister. Following the passage of the Aadhaar Act in 2016, UIDAI became a statutory authority responsible for implementation of the Act, under the Ministry of Electronics and Information Technology.

  • Ghana: The National Identification Authority of Ghana was set up as an organization within the Office of the President.

Autonomous, governed by a board representing stakeholders
  • Nigeria: The National Identity Management Commission (NIMC) is governed by a board of 18 individuals representing different government agencies and stakeholders.

  • Philippines: The Philippine Statistics Authority (PSA) is governed by a board of representatives of 28 Government departments and commissions and one representative of the private sector, chaired by the Secretary of Socio-Economic Planning. The Philippine Identification System (PhilSys) Policy and Coordination Council, comprising a subset of these departments but also chaired by the Secretary of Socio-Economic Planning, will oversee the implementation of the PhilSys.

Agency or directorate within an existing Ministry
  • Thailand: The Bureau of Registration Administration (BORA) under the Department of Provincial Administration (DOPA) of the Ministry of Interior.

  • Argentina: The Registro Nacional de las Personas (RENAPER) is a directorate under the Ministry of Interior and Transportation.

Source: Adapted from the Digital Identity Toolkit

In addition to direct oversight by a ministry, the Executive, or a board of directors, a variety of other structures are needed to strengthen the governance of ID systems. One such structure could consist of multiple specialized committees such as the following:

  • Executive/Board: This is the highest-level governance body, with representation at the executive level from across government, and often also civil society and the private sector. It would typically be responsible for setting strategies, policies and objectives and providing strategic oversight.

  • Technical Steering Committee: This body, reflecting the Board but at the technical level, translates the strategies, policies and objectives set by the Board into operational plans. It oversees the work of various subcommittees in specific domains, such as:

    • Technology Sub-Committee: This body provides direction regarding the adoption and use of technologies, including technical standards, policies (e.g. open source software or cloud data storage) and design choices.

    • Use Cases and Authentication Sub-Committee: This body provides direction regarding the services provided to relying parties, including authentication and verification services. It may also be responsible for reviewing applications for access to the ID system.

    • Legal Sub-Committee: This body provides direction regarding the development and review of relevant laws and regulations.

    • Public Engagement Sub-Committee: This body provides direction regarding consultations and public information and awareness campaigns.

    • Financial Management Sub-Committee: Oversees and manages planned capital and operational funding usage. Monitors the financial performance metrics for the ID authority.

    • Risk and Compliance Sub-Committee: Ensures that risks (e.g., to privacy, security, and exclusion) are identified, assessed, and mitigated in a reasonable and coherent manner for the whole ID system.

  • Independent Auditor and Oversight Body: An independent supervisory or regulatory authority is a critical component of the ID authority’s institutional governance. It is typically put in place to ensure the compliance of the ID authority with its mission and laws related to data protection and privacy. It is the body that enhances trust in the organization, and its independence has to be a high priority for the government.

In addition to long-term governance arrangements, some countries consider temporary institutional arrangements for the start-up phase of their ID systems. This can help ensure a rapid launch and efficient project management in the short term while allowing enough time to set up more robust organizational structures in the long term (see Box 24).

Box 24. Temporary institutional arrangements for the startup phase of an ID system

India (2009) – attached office

The Unique Identification Authority of India (UIDAI), responsible for Aadhaar, was established by notification in January 2009 as an attached office to the then Planning Commission of India. Following the appointment of UIDAI’s Chairman in July (at the rank of Minister, sitting in Cabinet meetings when Aadhaar was discussed), the Prime Minister’s Council on UIDAI was set up to oversee the development of UIDAI’s overall strategy and to ensure coordination across Government.

In addition, the government set up a Cabinet Committee on UIDAI related issues in October 2009, chaired by the Prime Minister with 12 Ministers as additional members. The Committee oversaw UIDAI’s organization as well as its plans, policies and implementation progress for the rollout of the Aadhaar program, including overseeing two technical committees on biographic and biometric standards.

Following the passage of the Aadhaar Act in 2016, UIDAI became a statutory authority responsible for implementation of the Act, under the Ministry of Electronics and Information Technology. By 2016, over a billion people had been registered and issued an Aadhaar number.

Uganda (2013) – temporary project

Uganda’s national ID system was launched in November 2013 as the National Security Information System (NSIS) project. The project approach was adopted to expedite the mass registration of citizens in time for the February 2016 elections, including by leveraging expertise of a range of agencies. Provisions for the registration of citizens in the Uganda Citizenship and Immigration Control Act provided a legal basis for the project. While the project was led by the Ministry of Internal Affairs, which has responsibility for implementing the Act, it was formally implemented jointly by the following agencies:

  • Directorate of Citizenship and Immigration Control – validated citizenship of registrants

  • National Information Technology Authority – provided technology compliance assurance, quality assurance leadership and technical support

  • Uganda Bureau of Statistics – provided expertise from managing census operations

  • Electoral Commission – ensured compliance with electoral laws

  • Uganda Registration Services Bureau (URSB) – as the agency responsible for civil registration

  • Uganda People’s Defense Force and Uganda Police Force – providing human resources for the mass registration

The mass registration was completed by August 2014. Following passage of the Registration of Persons Act in March 2015, the National Identification and Registration Authority (NIRA) was established as a semi-autonomous agency to be responsible for the national ID system and civil registration, assuming the latter responsibility from the URSB.

Figure 15. Key considerations for the institutional home and governance of the ID authority

  • Inclusion: Whether the same as the CR agency or not, coordination with the CR is crucial for ensuring inclusive and streamlined identity services from birth to death.

  • Reliability: The ID authority must have sufficient technical expertise to implement and/or oversee a trusted ID system and to deliver services at the local level.

  • Data Protection: As custodians of personal data, the capacity of the ID authority and its oversight bodies to protect this data is paramount to the overall success of the system.

  • Sustainability: The ID authority must have sufficient resources with which to implement their mandate, whether from state budget or own revenue.