Assess Risks
1. Evaluate risks to privacy and data protection
Any activity that collects, stores, processes, generates, and/or utilizes personal data must contend with the risk that this data might be stolen, misused, or mismanaged, with negative consequences for the individual. Evaluating and mitigating risks to digital privacy and data protection (see Box 5 for definitions) is therefore essential for the success of an ID system.
Box 5. Defining privacy and data protection in the ID system context

The concept of digital privacy can be understood as the appropriate and permissioned use and governance of data. This differs from the fundamental right to privacy, commonly understood as the “right to be let alone.” In ID systems, data privacy does not necessarily mean that all data is kept secret at all times. Rather, it means that data should only be accessed, processed, or shared by and with authorized users for pre-specified purposes that have been agreed in advance. Data protection, which includes the legal, operational, and technical methods and controls for securing information and enforcing rules over access and use, is therefore fundamental to ensuring data privacy.

Personal data, also referred to more narrowly as personally identifiable information (PII), is “any information relating to an identified or identifiable natural person”—also known as a data subject—which is a person “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (GDPR, Article 4). A subset of personal data is known as sensitive personal data: personal data that, by its nature, merits specific protection because the context of its processing could create significant risks to a person’s fundamental rights and freedoms. It includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life or sexual orientation, as well as biometric and genetic data (see, e.g., GDPR Recital 51).

The responsibilities of those using personal data are complemented by the rights of data subjects (e.g., people who have registered in an ID system), such as the right to control one’s own personal data, including the right to have it corrected or modified.
Any activity that collects, stores, or processes personal data raises certain risks, including, but not limited to:

- Security breaches: Physical or cyberattacks on databases, or on data in transit.
- Exposure of sensitive personal information: Disclosing sensitive personal information (e.g., biometrics, religion, ethnicity, gender, medical histories, etc.) for unauthorized purposes.
- Unauthorized disclosure: Inappropriate transfer of data between government agencies, foreign governments, private companies, or other third parties.
- Function creep: Using and disclosing personal data that was collected for one purpose for other purposes without the person’s consent.
- Surveillance: Public- or private-sector tracking of people as they go about their daily activities (e.g., using artificial intelligence and advanced data analytics).
- Discrimination or persecution: Data collected and/or stored on credentials is used to profile individuals and discriminate against or persecute them based on their identity.
- Unjust treatment: If the data collected are incomplete or inaccurate, this can lead to mistaken identity or unjust treatment.
- Identity theft and fraud: With access to people’s personal data (and particularly in combination with unique identifiers), criminals may steal or synthesize people’s identity information and then impersonate them for financial or other gain (e.g., opening bank accounts or applying for credit in their name, falsely claiming government benefits, using the stolen identity to commit crimes or evade background checks).
Although these risks are present in any ID system, digital ID systems can amplify them and increase the scale of their consequences. For example, digital ID systems present considerable cybersecurity risks in the form of penetration by hackers, hacktivists, cyber-criminals or cyber-terrorists to access or steal identity data or to compromise the integrity or functionality of the system. Their purposes can range from making financial profit to making political demands. These threats need not emanate only from cyberspace—human and physical vulnerabilities can play a key role in allowing attackers access to sensitive systems.
Table 16. Threats to privacy and data protection throughout the identity lifecycle

| Data Processing Activity | Potential Threats and Vulnerabilities |
|---|---|
| Collecting data | |
| Storing, transmitting and using data | |
| Retention of data (long-term storage) | |
| Data disposal and data sharing | |

Source: Adapted from a presentation of the Philippines Data Protection Agency and Shepherdson, Kevin et al. 2016. 88 Privacy Breaches to Be Aware Of: Practical Data Protection Tips from Real-Life Experiences. Singapore: Marshall Cavendish International (Asia).
Digital ID systems also amplify certain risks because digital data can be transferred, copied, or destroyed with great ease and speed, and because large amounts of data can be collected, correlated, and subjected to advanced analytics. Particular design choices further augment risks to digital privacy, including collecting large amounts of data, storing data in centralized databases, using a single unique identifier across multiple systems (which allows records held by different agencies to be linked), sharing data across agencies or systems, and collecting certain types of data (e.g., sensitive biographic information and biometrics). Conversely, digital technologies also have advantages for privacy and the security of data when compared to analogue/paper methods of collecting and managing data (e.g., it is easier to correct data, access control is stronger, and auditability is enhanced, including through immutable record-keeping).
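The correlation risk of reusing one unique identifier across systems, shown as an added example (this code is not part of the guide; the two agency record sets, the sector names, and the master key are constructed for the demonstration, and the HMAC-based sector-specific identifier is an illustrative mitigation, not a scheme the guide prescribes):

```python
"""
Added illustration: a single national ID number reused as the key in two agency
databases lets anyone holding both datasets join them; deriving a different,
unlinkable identifier per sector from a secret held by the ID authority removes
that trivial join. Records, sector names and the key below are constructed.
"""
import hmac
import hashlib

# Constructed sample records, each keyed by the same national ID number.
HEALTH_DB = {
    "NID-0001": {"diagnosis": "diabetes"},
    "NID-0002": {"diagnosis": "hypertension"},
}
BENEFITS_DB = {
    "NID-0001": {"cash_transfer": True},
    "NID-0003": {"cash_transfer": False},
}


def correlate_shared_id(db_a: dict, db_b: dict) -> dict:
    """Join two record sets on their key. With a shared identifier this yields
    the union of attributes for every person present in both databases."""
    return {k: {**db_a[k], **db_b[k]} for k in db_a.keys() & db_b.keys()}


def sector_identifier(national_id: str, sector: str, master_key: bytes) -> str:
    """Derive a sector-specific identifier (hypothetical scheme).

    A per-sector key is first derived from the authority's master key, so that
    a leaked sector key does not expose other sectors; the national ID is then
    keyed-hashed under it. Identifiers for different sectors are unlinkable
    without the master key, and cannot be reversed to the national ID.
    """
    sector_key = hmac.new(master_key, sector.encode(), hashlib.sha256).digest()
    digest = hmac.new(sector_key, national_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]  # 64-bit identifier is ample for a demo


def rekey(db: dict, sector: str, master_key: bytes) -> dict:
    """Re-key a record set with the sector-specific identifier."""
    return {sector_identifier(nid, sector, master_key): rec for nid, rec in db.items()}


def correlate_sector_ids(master_key: bytes) -> dict:
    """Attempt the same join after each agency has been issued its own
    sector identifiers; the join finds no common keys."""
    health = rekey(HEALTH_DB, "health", master_key)
    benefits = rekey(BENEFITS_DB, "benefits", master_key)
    return correlate_shared_id(health, benefits)


if __name__ == "__main__":
    demo_key = b"demo-master-key"  # constructed; never hard-code a real key
    print("shared identifier join:", correlate_shared_id(HEALTH_DB, BENEFITS_DB))
    print("sector identifier join:", correlate_sector_ids(demo_key))
```

Two caveats a practitioner would add: the derived identifiers only stop the trivial key join, so records that still carry name, date of birth, or address remain linkable through those quasi-identifiers; and whoever holds the master key (the ID authority) can still link everything, so custody of that key, the ability to recompute identifiers, and logging of every such request are part of the control, not an afterthought.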
In order to mitigate the above risks, practitioners should implement multiple, adequate solutions to ensure that these systems merit people’s trust and protect personal data to the highest standards, including:

- Adopting a comprehensive legal and regulatory framework for the processing of personal data: This includes strong data protection and privacy laws, institutional oversight, and clear lines of authority and accountability that meet existing and emerging standards in national, regional, and international law. There should also be clear and accessible mechanisms for reporting misuse and/or fraud and for obtaining redress should a person’s identity be compromised.
- Implementing other operational and technical controls that follow a “security-and-privacy-by-design” approach: Privacy and security controls that meet global standards should be built into ID system technology and processes in order to comply with the legal framework and protect against security breaches, unauthorized disclosure, function creep, and surveillance, while giving people more control over their data.
- Ensuring that ID systems do not serve as a tool for discrimination or persecution: Certain groups, such as ethnic, racial, or religious minorities, may face particular privacy concerns regarding the collection and use of data that indicates their group identity and could be used to profile or discriminate against them. Practitioners should carefully consider the risks to these groups from collecting sensitive information, including biometrics, and adopt sufficient legal and procedural protections against discrimination.
- Pro-active consultation and communication: In some cases, mistrust in the system is the result of a lack of information. To pre-empt and/or mitigate these concerns, practitioners should implement outreach and education campaigns early on to consult the public on privacy and data protection issues and ensure effective and transparent communication about the purpose and use of these systems and the protections they offer.
- Identifying risks to be mitigated through a data protection impact assessment (DPIA): Conducting a DPIA is recommended to evaluate the impact of the ID system on personal privacy and data and to articulate how the various controls will mitigate these risks.
- Undertaking threat modeling exercises: Before procurement, practitioners should undertake a threat modeling exercise to assess potential internal and external threats throughout the identity lifecycle (see Table 16 for examples of potential vulnerabilities at different stages of data processing). This is crucial not only for the security of the system but also for uptake: people are less likely to participate in an ID system if they fear that their data will be misused or mismanaged.
In addition, practitioners should conduct regular audits of the legal, technical, and procedural security measures to ensure that personal data is well protected. Importantly, however, it is not possible to guarantee the complete safety of a system from attack. Attackers who are intent on penetrating the system and equipped with sufficient financing, talent, and time will eventually succeed, as they did in the 2015 breach of the U.S. Office of Personnel Management, which exposed the records of 21.5 million people, and the 2017 Equifax breach, which affected approximately 148 million people. The system should therefore be designed so that a single compromise exposes as little as possible (e.g., least-privilege access, segmentation of databases, encryption of data at rest and in transit), and threats must be detected early and responded to quickly. Only by taking data protection seriously will digital ID systems live up to their transformative potential.
2. Evaluate exclusion risks
Well implemented ID systems have the potential to facilitate inclusive development by providing people with a trusted way to prove who they are and thus removing a potential barrier to the access of rights and services. In addition, they can allow service providers to utilize digital technology to expand or innovate how those services are offered. At the same time, there is the risk that these systems may also lead to the exclusion of certain individuals or groups through:
- Statutory exclusion from the ID system: Some ID systems are designed to cover only a portion of the population, such as national IDs that are issued to citizens over the age of 16 or 18. In such cases, groups that do not meet the inclusion criteria (e.g., due to age or nationality) are excluded from the ID system by design. If these individuals do not have access to other government-recognized ID systems (e.g., if birth registration for children is low or if refugees cannot access identification recognized by the host State), they may be unable to prove their legal identity, which is the subject of SDG target 16.9, or to access services.
- Unintentional exclusion from the ID system: Frequently, there are groups, such as the poor, rural populations, the elderly, marginalized women and girls, persons with disabilities, stateless persons, and refugees, that face significant economic and social barriers to enrolling in or using the ID system. Unless the ID system and its implementation are designed to help people overcome these barriers, it is likely that large and already vulnerable segments of the population will have lower rates of coverage.
- Exclusion from associated rights and services: The above groups of people who were unable to register, or who are unable to easily use the ID system, will then face barriers to accessing the rights and services for which this ID is required. This is a particular concern when ID is formalized and mandated in a context where a large portion of the population previously lacked government-recognized identification but was able to access services through informal or alternative methods of identification. In such cases, people who could previously get by without formal identification may now find themselves unable to complete basic transactions that require the new ID. For example, a potentially stateless population (e.g., ex-refugees) may have lived in and been accepted by a community for years or even generations and received some kind of social benefits (e.g., cash transfers), but their access to these entitlements may become more difficult if they are unable to register for a new ID for lack of conclusive evidence of their nationality, and this ID becomes mandatory for access to services.
In order to mitigate these risks, practitioners should undertake a thorough assessment of groups that may be vulnerable to exclusion and the barriers they may face when attempting to enroll in or use the ID system and access related rights and services. Important groups that may experience difficulties with identification typically include:
- Minors, including orphans and other vulnerable children
- Women and girls
- Minority groups (e.g., ethnic, linguistic, religious, political, etc.)
- Migratory groups (e.g., pastoralists and nomadic peoples, etc.)
- Non-nationals, including migrants, refugees, and asylum seekers
- Stateless persons
- Nationals who lack proof of nationality
- Internally-displaced persons
- Gender and sexual identity minorities
- Poor people
- Rural dwellers and other geographically isolated communities
- The elderly
- Persons with disabilities
- Illiterate people
As shown in Table 17, these groups may face a variety of barriers to enrolling in or using ID systems, including:
- Legal or statutory: Laws, regulations, and policy frameworks, including those that define who is covered by the ID system and those relating to citizenship, statelessness, and birth registration, may prohibit certain individuals from participating in an ID system or may create disincentives for registration. For example, laws that require marriage certificates for birth registration may prevent unmarried women, or those in customary marriages, from registering their children, and penalties for late birth registration may discourage parents from registering their children at all. Similarly, national ID laws that restrict these systems to nationals exclude non-nationals and those who cannot prove their nationality. In addition, a strict requirement for a birth certificate at enrollment is likely to create a barrier for many adults whose births were never registered decades earlier but who still hold other reliable forms of identification (e.g., a passport or driving license).
- Procedural: The policies and processes that govern how individuals enroll in and use ID systems may also create barriers to participation, including complex logistical requirements (e.g., supplementary documentation that necessitates multiple visits to government offices) and the location, hours, and staffing of registration centers. For people who speak minority languages or persons with disabilities, enrollment may also be hampered when registration procedures and staff do not adequately take their needs into account.
- Economic: Charging fees for registration or for obtaining a credential may be cost-prohibitive for poor people. In addition, complex procedural barriers create indirect costs, such as travel expenses, lost wages, and fees paid to agents or intermediaries. If fees are charged for identity authentication and verification, and service providers pass these fees on to people, this also raises the cost of accessing services and creates a further barrier for poor people.
- Social, cultural, and religious: Multiple groups may face social barriers to participating in ID systems. In some contexts, for example, women and girls have less mobility and may not be able to reliably visit registration centers. Enrollment requirements that force people to remove specific garments (e.g., headscarves for women) or to break religious practices may create additional barriers. In addition, certain groups, including ethnic and religious minorities, may be reluctant to participate in ID systems if they fear persecution or misuse of their data.
- Technological: Certain types of digital ID systems, including online authentication and mobile ID applications that rely on smartphones, may not be accessible to poor people, to those in low-connectivity areas, or to people who are digitally illiterate. In addition, certain biometric modalities may present difficulties for certain populations (e.g., children, the elderly, persons with disabilities, and manual laborers with worn fingerprints).
Identifying vulnerable groups and the barriers they face should involve multi-stakeholder consultation, including input and information gathering sessions with the public and civil society organizations that advocate for vulnerable groups. The IDEEA also provides additional tools for evaluating statutory and procedural barriers to registration.
Table 17. Common vulnerable groups and barriers to registration and use of ID

| Group | Statutory | Procedural | Economic & Social | Technological |
|---|---|---|---|---|
| Children | May not be included in the ID system; some regulations for birth registration (e.g., requiring marriage certificates or national IDs of parents) may deter registration | The absence of a parent or legal guardian can pose challenges for registration because of the requirement for their consent prior to data collection | | Difficulty capturing biometrics in young children; risk that biometrics captured from a young age will become out of date if not regularly updated |
| Women and girls | Some countries have different requirements for men and women to enroll for ID | Women may face harassment when they attempt to enroll in or use the ID system; some centers may have insufficient female staff or no female-only facilities in contexts where this is socially required (see economic and social barriers) | Women and girls may have less mobility (e.g., difficulty leaving the house without a male relative); some procedures may run counter to religious practice (e.g., removing face coverings or physical contact with men who are not relatives) | |
| Ethnic, racial, or religious minorities | Some laws and regulations (e.g., around nationality) may discriminate based on ethnicity, race, or religion | Individuals may face discrimination when they attempt to enroll in or use the ID system | Groups with a historical mistrust of government that fear profiling or persecution may be reluctant to participate in an ID system or to engage with any government service | |
| Linguistic minorities | | Enrolling in and using the ID may be difficult if staff do not speak local languages and/or application forms have not been translated | | Credentials may be difficult to use if they are not in local languages; translated or transliterated names and other information may be inaccurate |
| Migrants | May not be included in the ID system | May face challenges accessing proof of immigration or visa status, if this is a requirement for registration in an ID system | Even if included in the ID system, persons with an irregular migration status may be reluctant to apply for fear of immigration enforcement or other negative consequences | |
| Nationals without proof of nationality | | May be unable to enroll where identity proofing requirements for nationality are extensive and inflexible (e.g., a birth certificate) or where administrative processes for obtaining proof of nationality are unclear or weak | May be reluctant to apply for the ID for fear of being falsely identified as a non-national | |
| Refugees and asylum seekers | May not be included in the ID system | May have difficulty providing documentation or other evidence for identity proofing | May be reluctant to apply for fear of immigration enforcement or other negative consequences | |
| Stateless persons | May not be included in the ID system | May have difficulty providing documentation or other evidence for identity proofing | May be reluctant to apply for fear of immigration enforcement or other negative consequences | |
| Gender and sexual identity minorities | Laws and policies may prohibit (or make extremely difficult) changes to the gender/sex attribute in the ID system | People may experience discrimination or persecution when attempting to register or update their gender in the ID system | People may fear persecution and discrimination when gender markers on their IDs do not match their physical presentation (e.g., in systems where gender is verified against a breeder document rather than self-reported) | Data standards may not allow for non-binary gender attributes |
| Poor people and rural dwellers | Penalties for late registration (e.g., of births) may be cost-prohibitive | Complex registration requirements create logistical and travel challenges | The direct and indirect costs (e.g., fees, travel, lost wages) to apply for or use the ID may be prohibitive | May lack smartphones or other resources to access online or digital services or to use digital credentials (e.g., mobile ID) |
| Elderly people | | Lack of mobility and/or accessible centers may hinder registration; the elderly may also be more likely to lack certain identity documents (e.g., birth certificates) where these systems have historically been weak | The direct and indirect costs (e.g., fees, travel, lost wages) to apply for or use the ID may be prohibitive for many elderly people | May have difficulty providing biometrics (e.g., fingerprints, iris scans); limited access to, or literacy for, digital services |
| Persons with disabilities | | Lack of mobility and/or accessible centers may hinder registration, as may a lack of trained staff and accommodating enrollment procedures | Stigma against persons with disabilities may prevent them from leaving home to enroll for IDs | May have difficulty providing biometrics (e.g., fingerprints, iris scans, facial recognition) |
| Illiterate people | | May have difficulty completing applications and/or confirming the accuracy of personal information in written form | | May have difficulty remembering and using credentials such as ID numbers and PINs, and/or using advanced digital authentication technology |
Once barriers have been identified, practitioners can adopt a variety of strategies to address these issues in system design and rollout. Mitigation efforts may involve adjustment to:
- The legal and regulatory framework
- Who is eligible to enroll in the ID system
- Whether and what types of biometrics are collected
- Whether and what types of sensitive information are collected
- Registration procedures and timelines
- Identity proofing requirements
- The types of credentials and authentication mechanisms adopted
- Communication campaigns
- Grievance redress mechanisms