Understand the Status Quo

An analysis of the current identity landscape is a valuable exercise for countries planning new identification systems and those hoping to optimize existing systems. To maximize the utility of identification in the medium- and long-term, it is important to first take a holistic view of existing ID systems and stakeholders within the identity ecosystem and assess their strengths and weaknesses, particularly regarding system coverage, quality, and the enabling legal framework.

ID4D has developed multiple tools to assist in this type of exercise, including an ID4D Diagnostic for an ecosystem-wide overview, and the ID Enabling Environment Assessment (IDEEA) for a comprehensive analysis of the policies, laws, and regulations that enable the ID system and provide key safeguards. These tools are flexible and designed to be adapted based on the country context.

In addition to desk reviews and consultations with government stakeholders, diagnostics of the status quo should also include the perspectives of end-users as well as various government and private-sector institutions who rely on these systems. In particular, it is recommended that countries consult with individuals to understand their particular experiences and challenges with the existing ID system (see forthcoming toolkit for end-user research).

1. Take stock of the identity ecosystem and stakeholders

The current landscape of ID systems—aka, the identity ecosystem—has important implications for the design of future systems or reforms. To begin, countries should make a full accounting of existing registries and credentials, as well as the agencies that provide them and their core users. As shown in Table 3, this should include:

Foundational registries and credentials
Functional registries and credentials used in various sectors (e.g., social protection, voter registration, tax administration, passports, driver’s licenses, etc.)
Non-governmental ID systems provided by other actors
Current ID providers and their roles in each of these systems
Supporting and enabling agencies

Table 3. Identity ecosystem stock-taking

System	Providers	Users	Supporters/Enablers
Foundational National ID Civil register Population register, etc.	Ministry of Interior Ministry of Justice Ministry of Health Local governments, etc.	Other agencies Private sector Donors Individuals	Regulator/ oversight body Ministry of finance Ministry in charge of Digital Government Ministry in charge of digital infrastructure, including broadband connectivity Agency in charge of Cybersecurity technology Civil society Donors and other development partners
Functional Voter registry Social assistance registries Taxpayer registry Passport Driver’s license Land registry Property registry, etc.	e.g., Electoral commission Ministry of Social Affairs Revenue Department Immigration Department Transportation Department Ministry of Interior Etc.
Non-Governmental Financial sector IDs SIM card registry Credit registry Donor program registries, etc.	e.g., Banks Mobile operators Credit agencies Donors and Int’l Organizations

System

Providers

Users

Supporters/Enablers

Foundational

National ID
Civil register
Population register, etc.

Ministry of Interior
Ministry of Justice
Ministry of Health
Local governments, etc.

Other agencies
Private sector
Donors
Individuals

Regulator/ oversight body
Ministry of finance
Ministry in charge of Digital Government
Ministry in charge of digital infrastructure, including broadband connectivity
Agency in charge of Cybersecurity technology
Civil society
Donors and other development partners

Functional

Voter registry
Social assistance registries
Taxpayer registry
Passport
Driver’s license
Land registry
Property registry, etc.

e.g.,

Electoral commission
Ministry of Social Affairs
Revenue Department
Immigration Department
Transportation Department
Ministry of Interior
Etc.

Non-Governmental

Financial sector IDs
SIM card registry
Credit registry
Donor program registries, etc.

e.g.,

Banks
Mobile operators
Credit agencies
Donors and Int’l Organizations

Source: ID4D Diagnostic Guidelines

In addition to identifying the various stakeholders who should be involved in the planning process, the characteristics of the existing identity ecosystem will be important inputs into key decisions. This includes the number of ID systems, as well as the capacity of various stakeholders. To effectively manage an ID system, identity providers must have sufficient human, technical, and fiscal resources, as well as substantial political support within the government and from other relevant stakeholders.

Table 4. Design implications of existing ID ecosystem and stakeholders

Ecosystem characteristic	Implications for Key Decisions
Existence of core foundational systems (e.g., civil registers and national IDs)	Administration: In a “greenfield” project where there is no national ID system and/or the system is very weak, countries can either assign the new ID system to an existing agency, or create a new agency to implement the new ID system. Where countries already have foundational systems, it may be less desirable, or more politically infeasible to create new agencies for this purpose. Countries may wish to add the responsibility for an ID system to the agency responsible for civil registration. Registration: Where foundational ID systems exist but countries wish to improve or extend these systems to new populations, they must choose whether to leverage existing hardware, software, and/or data (e.g., initializing the new ID system by cleaning and updating old data, or using the old system as a source of evidence identity proofing in the new system), or whether to invest in new systems and collect data from scratch. These choices should be heavily informed by the coverage and quality of these systems, described below. Credentials and Authentication: Where there are strong foundational ID systems with non-digital credentials (e.g., a legacy paper national ID card), countries can consider providing digital ID credentials centrally (i.e., by the foundational ID providers) or through a partnership or federated arrangement with other public and private sector entities.
Number of functional ID databases and credentials	Interoperability: Where there are already many operational ID systems for different sectors—e.g., tax, social protection, voting, etc.—countries can consider different options for integration and/or interoperability depending on the level of quality and trust in these systems.
Resource deficits for existing ID authority, in terms of staff or financing, or unclear or overlapping mandates with other entities that limit capacity	Legal Framework: Determine if updates are needed to the legal framework in order to better empower the ID authority and/or to clarify responsibilities. Administration: Consider creating new, autonomous agency to manage the ID system, new business models, and/or partnerships with other government agencies or with the private sector to fulfill some roles and responsibilities, such as for registration.

Ecosystem characteristic

Implications for Key Decisions

Existence of core foundational systems

(e.g., civil registers and national IDs)

Administration: In a “greenfield” project where there is no national ID system and/or the system is very weak, countries can either assign the new ID system to an existing agency, or create a new agency to implement the new ID system. Where countries already have foundational systems, it may be less desirable, or more politically infeasible to create new agencies for this purpose. Countries may wish to add the responsibility for an ID system to the agency responsible for civil registration.

Registration: Where foundational ID systems exist but countries wish to improve or extend these systems to new populations, they must choose whether to leverage existing hardware, software, and/or data (e.g., initializing the new ID system by cleaning and updating old data, or using the old system as a source of evidence identity proofing in the new system), or whether to invest in new systems and collect data from scratch. These choices should be heavily informed by the coverage and quality of these systems, described below.

Credentials and Authentication: Where there are strong foundational ID systems with non-digital credentials (e.g., a legacy paper national ID card), countries can consider providing digital ID credentials centrally (i.e., by the foundational ID providers) or through a partnership or federated arrangement with other public and private sector entities.

Number of functional ID databases and credentials

Interoperability: Where there are already many operational ID systems for different sectors—e.g., tax, social protection, voting, etc.—countries can consider different options for integration and/or interoperability depending on the level of quality and trust in these systems.

Resource deficits for existing ID authority, in terms of staff or financing, or unclear or overlapping mandates with other entities that limit capacity

Legal Framework: Determine if updates are needed to the legal framework in order to better empower the ID authority and/or to clarify responsibilities.

Administration: Consider creating new, autonomous agency to manage the ID system, new business models, and/or partnerships with other government agencies or with the private sector to fulfill some roles and responsibilities, such as for registration.

2. Determine coverage and gaps in the existing systems

In addition to looking at the overall composition of the identity ecosystem, an assessment of the status quo should include an evaluation of the rate and gaps in coverage of foundational systems and key functional systems. This involves an examination not only of the number of people covered, but also an analysis of specific groups that may be disproportionately excluded from existing ID systems. In many countries, for example, we often see differential rates in coverage for the following groups (and their intersections):

Women and girls
Orphans and vulnerable children
Poor people
Rural dwellers
Ethnolinguistic minorities
Migrants and refugees
Stateless populations or populations at risk of statelessness
The elderly
Persons with disabilities
Non-nationals

As shown in Table 5, these characteristics have important implications for the design of new ID systems and the improvement of existing system.

Table 5. Design implications of status quo ID coverage

Coverage characteristic	Implications for Key Decisions
Low coverage for CR, ID, or similar foundational systems either overall or for specific groups	Legal Framework: Identify any legal or procedural barriers to civil registration and ID and amend laws and procedures accordingly Interoperability: Investments should be made to improve CR systems system in order to ensure identification from birth for the “flow” of newborns. Registration: Extend eligible population to previously uncovered groups (e.g., children, non-nationals) Implement registration strategies that make enrollment easy and convenient and mitigate direct and indirect costs to registration, such as fees, travel time, transportation costs, lost wages, middlemen, etc. Implement targeted registration campaigns for excluded, under-covered, and other marginalized groups Identity proofing for the ID should not rely solely on possession of birth certificates or should include appropriate alternative methods (e.g., introducers) to ensure universal registration Public Engagement: Incorporate people-centric design approaches into the decision-making process for designing and implementing the ID system Continuous consultation with end-users and civil society to understand existing difficulties and desired improvements Implement strong information and awareness campaigns Adopt user-friendly grievance redress systems

Coverage characteristic

Implications for Key Decisions

Low coverage for CR, ID, or similar foundational systems either overall or for specific groups

Legal Framework: Identify any legal or procedural barriers to civil registration and ID and amend laws and procedures accordingly

Interoperability: Investments should be made to improve CR systems system in order to ensure identification from birth for the “flow” of newborns.

Registration:

Extend eligible population to previously uncovered groups (e.g., children, non-nationals)
Implement registration strategies that make enrollment easy and convenient and mitigate direct and indirect costs to registration, such as fees, travel time, transportation costs, lost wages, middlemen, etc.
Implement targeted registration campaigns for excluded, under-covered, and other marginalized groups
Identity proofing for the ID should not rely solely on possession of birth certificates or should include appropriate alternative methods (e.g., introducers) to ensure universal registration

Public Engagement:

Incorporate people-centric design approaches into the decision-making process for designing and implementing the ID system
Continuous consultation with end-users and civil society to understand existing difficulties and desired improvements
Implement strong information and awareness campaigns
Adopt user-friendly grievance redress systems

3. Assess the trustworthiness of the system

As with coverage, the trustworthiness of existing ID systems—i.e., whether or not they provide reliable sources of identity information and authentication, adequately protect personal data, and are trusted and used by people—has implications for how these systems could be improved and/or leveraged by new ID projects. In this context, a number of characteristics are particularly important and should be evaluated by people familiar with the system:

Uniqueness—the rate at which databases are free of duplicate identity records—i.e., the same person enrolled multiple times, under the same or different names—and credentials are unique to the individual (i.e., one person cannot have multiple of the same credentials, and/or multiple people cannot have the same credential). Uniqueness is important for some—but not all use cases.
Accuracy—the rate of data entry errors, missing fields, or out-of-date attributes contained in identity records and/or credentials. Inaccurate data not only decreases the reliability and trustworthiness of the system for relying parties, it also has the potential to negatively affect people who are treated unjustly due to incorrect or out-of-date information.
Security—the physical and cybersecurity of systems and data, and the resilience of databases, data transmissions, credentials, authentication mechanisms, and other systems to attempts at theft, hacking, fraud, spoofing, and cyber and other attacks, unauthorized access or disclosure, and misuse, as well as natural disasters, flooding, etc. Where security of the ID system is weak, this creates significant risks to privacy and data protection.
Confidence of the population—whether or not people have confidence in the system and trust it with the collection and use of their data. The ability of people to have oversight and control over their data and how it is used, and their level of trust in the system overall are fundamental for the success of the system—if people do not trust or value identity systems, they are unlikely to use them.

Table 6. Design implications of the robustness of existing ID systems

Robustness characteristic	Implications for Key Decisions
*Low uniqueness and accuracy of existing foundational* ID registries**	Registration: If using existing data as a source for the new/improved system, it must be cleaned, deduplicated, and updated. This may require additional data collection and outreach efforts for data that the system does not already contain, or to replace low-quality data that is flagged or rejected during the migration. For example, biographic deduplication could help reduce the number of duplicates, depending on the quality of the data and other factors (e.g., the prevalence of dates of birth listed as “1 January”). Interoperability: Potential linkages between CR and ID to increase data accuracy
*Low uniqueness and accuracy of functional* ID registries**	Interoperability: Data exchange or queries against a unique, accurate foundational system can potentially help clean up functional ID databases (e.g., removing duplicates and ghosts).
Low security of existing identity databases, applications, and credentials	Privacy and Security: Bring old or new systems into alignment with best-practice standards for data protection and privacy and adopt privacy and security measures throughout the lifecycle as the default setting. Registration: Consider the implications of insecure existing credentials for the identity proofing process in the new or upgraded system (i.e., will they provide a high enough level of assurance?) Credentials and Authentication: Adopt credentials with appropriate security features that protect personal data.
Low confidence among the population	Public Engagement: Practitioner’s should work to build trust in the new system through proactive and meaningful public consultations and communication campaigns. Privacy and Security: A data protection impact assessment may be required to address new privacy needs and to re-consider how legacy and new systems can better protect people’s data and build the confidence of the population.

4. Evaluate the legal framework

A vital component of the existing ID landscape within a country are the laws and regulations that govern the ID system. In order to evaluate the legal framework, ID4D has created the ID Enabling Environment Assessment (IDEEA), which is a supplementary tool to the ID4D Diagnostic. The IDEEA is a due diligence questionnaire that facilitates a systematic assessment of a country’s laws, regulations, and institutions that enable and govern its ID systems, with the goal of identifying areas where administrative and legal frameworks might be strengthened to support the development of an ID system.

To begin, the assessment covers general laws, decrees, institutions and other frameworks that govern identity-related issues and data collection in general, including those dealing with:

Data protection and privacy—existing laws and oversight institutions
Cybersecurity and cybercrime—definitions of critical information infrastructure, oversight and regulatory institutions, criminalization of cybercrime, roles and mandates of central cybersecurity agency versus line agencies such as the ID authority.
International and extraterritorial issues—data sovereignty, cross-border data transfers, and international functionality and recognition, and international conventions
Inclusion—constitutional and legal provisions relating to minorities, discrimination, and citizenship
Other ID-related laws—including limitations on a universal identifier, ID requirements related to passports and travel, exchange of health-related data, KYC requirements, SIM card requirements, e-Signatures, and more.

Next, it assesses the laws, regulations, and policies that enable and govern specific ID systems, including frameworks related to their:

Purpose and capabilities—legal and regulatory definitions and capabilities
Institutional design—administration, independence, roles, powers, interagency conflict, private sector involvement, financial sustainability, vendors technology and procurement
Inclusivity—requirements regarding citizenship and legal status, age requirements, compulsory registration of births and deaths, the mandatory nature of IDs, fees, and barriers to inclusion
Lifecycle management—registration, identifiers and credentials, use, storage and protection of personal data, and individual rights and protections

The completion of an IDEEA will help countries identify key areas of the legal framework that should be updated as part of a project to improve an existing ID system or create a new one. These findings will also impact key design decisions, as shown in Table 7.

Table 7. Design implications of existing legal framework

Legal system characteristic	Implications for Key Decisions
Insufficient, weakly enforced, or discriminatory laws and regulations related to ID	Legal Framework: Adopt new—or amend existing—laws, decrees, institutions, and other frameworks to enable the ID system, empower ID providers and oversight agencies, remove barriers to inclusion, and protect privacy and personal data. Public Engagement: Conduct information campaigns and outreach to advertise changes in the law or procedure.

Legal system characteristic

Implications for Key Decisions

Insufficient, weakly enforced, or discriminatory laws and regulations related to ID

Legal Framework: Adopt new—or amend existing—laws, decrees, institutions, and other frameworks to enable the ID system, empower ID providers and oversight agencies, remove barriers to inclusion, and protect privacy and personal data.

Public Engagement: Conduct information campaigns and outreach to advertise changes in the law or procedure.

Practitioner's Guide

Search

Understand the Status Quo

1. Take stock of the identity ecosystem and stakeholders

2. Determine coverage and gaps in the existing systems

3. Assess the trustworthiness of the system

4. Evaluate the legal framework