Pillar 3: Governance
The final group of principles addresses how ID systems should be governed to protect user privacy and rights, ensure system security, and provide clear accountability and oversight.
Principle 8. Safeguarding data privacy, security, and user rights through a comprehensive legal and regulatory framework.
Principle 8 sets out the requirements for a comprehensive legal framework: ID systems must be underpinned by policies, laws and regulations that promote trust in the system, ensure data privacy and security, mitigate abuse such as unauthorized surveillance in violation of due process, and ensure provider accountability.
This typically includes an enabling law and regulations for the ID system itself as well as laws and regulations on data protection, digital or e-government, electronic transactions and commerce, AML, civil registration, cybersecurity and cybercrime, functional ID systems, and freedom of information, among others. The enabling law and regulations for an ID system should clearly describe the purpose of the ID system, the ID system’s components, roles and responsibilities of different stakeholders, how and what data is to be collected, liability and recourse for ID holders and relying parties, the circumstances in which data can be shared, correction of inaccurate data attributes, and how inclusion and non-discrimination will be maintained. Laws and regulations on data protection and privacy should include oversight from an independent body (e.g. a national privacy commission) with appropriate powers and should protect ID holders against inappropriate access and use of their data by third parties for commercial surveillance or profiling without informed consent or lawful purpose. At the same time, these frameworks should not stifle competition, innovation, or investment and can include regulatory and self-regulatory features.
In addition, the ID-related laws, regulations, and policies should give people genuine choice and control over the use of their data, including the ability to selectively disclose the attributes that they want. Users should be given simple means to have inaccurate data corrected free of charge and to know what data is being held about them. Personal information should not be used for secondary, unconnected purposes without the user’s informed consent, unless otherwise required under the law. ID providers should be transparent about identity management, develop appropriate resources to raise users’ awareness of how their data will be used, and provide them with tools to manage their privacy. ID providers should ensure that the initial process to correct errors is administrative rather than judicial in order to increase speed of resolution and reduce costs. Data sharing arrangements should also be transparent, fully documented, and serve the best or vital interests of the individual(s) concerned.
Principle 9. Establishing clear institutional mandates and accountability.
Principle 9 highlights the need for institutional mandates and accountability in the governance of ID systems. Ecosystem-wide trust frameworks must establish and regulate governance arrangements for ID systems. This should include specifying the terms and conditions governing the institutional relations among participating parties, so that the rights and responsibilities of each are clear to all. There should be clear accountability and transparency around the roles and responsibilities of identification system providers.
Principle 10. Enforcing legal and trust frameworks through independent oversight and adjudication of grievances.
Finally, Principle 10 emphasizes that the ID system should include clear arrangements for the oversight of these legal and regulatory requirements. The use of ID systems should be independently monitored (for efficiency, transparency, exclusion, misuse, etc.) to ensure that all stakeholders appropriately use identification systems to fulfill their intended purposes, monitor and respond to potential data breaches, and receive individual complaints or concerns regarding the processing of personal data. Furthermore, disputes regarding identification and the use of personal data that are not satisfactorily resolved by the providers—for example, refusal to register a person or to correct data, or an unfavorable determination of a person’s legal status—should be subject to rapid and low-cost review by independent administrative and judicial authorities with authority to provide suitable redress.