Attribute | Order | # | Indicator | Description |
---|---|---|---|---|
Interoperable and extensible | Must have | 1.1 | Individuals can authenticate themselves or their documents digitally | This indicator examines if the ID system can be queried to respond with a simple "yes" or "no," effectively confirming the individual's identity. ID authentication involves using an ID number or a tokenized version of the ID, together with an authentication factor, to confirm a citizen's identity. When queried, the ID system will respond with a clear "Yes" or "No" to the question, "Are you who you claim to be?" |
Must have | 1.2 | Policy preference for a government-wide digital and interoperable ID system exists | Beyond specifying a preference for interoperability with vendors, this could include a government wide interoperability policy that provides an incentive for other relying parties to leverage the ID system for KYC, credentials and authentication capabilities. This relates to interoprability with domestic systems, from among the three types of interoperability highligted by ID4D: "Communication with other systems may be provided through various interoperability layers, web services and APIs, or direct connections". | |
Good to have | 1.3 | Vision and strategy of the interoperabiity of the ID system as DPI conveyed transparently | This indicator evaluates whether the vision and strategy for the interoperability of the ID system as DPUI are transparently conveyed. An inclusive and trusted ID system can drive administrative reforms and innovative service delivery for both public and private sectors. Implemented with various purposes, including crosscutting goals and sector-specific uses, a shared vision and thorough evaluation of potential users ensure the system is adaptable to long-term needs. Transparent communication of this vision and strategy builds trust for government and society adoption. | |
Good to have | 1.4 | Documentation for services to use ID system architecture is publicly disclosed | This indicator evaluates whether the documentation for leveraging the ID system architecture is publicly disclosed. Publicly disclosing this documentation allows service providers to effectively use the system for various purposes, such as e-authentication, eKYC, and eSign/SSO, including the necessary hardware and software standards. By making these standards available, third parties can obtain licenses to operationalize services around electronic authentication and identity verification. Additionally, the ID system enables service providers to access and store a KYC packet of an individual's profile (with the individual's consent) for service provision, facilitating common use cases like opening bank accounts, enrolling in government schemes, and purchasing mobile SIM cards. Transparent documentation ensures seamless integration of these functions, enhancing service delivery and ensuring compliance with regulatory standards. | |
Good to have | 1.5 | Procurement guidelines for technical vendors specify interoperability through data, standards, APIs | Given that the ID system will onboard technical vendors for activities including enrolment and authentication, this prevents these vendors being locked-in to the system through proprietary standards adoption. While there may be loopholes in adopted service agreements, this indicator looks for a control on the government's policy level. | |
Good to have | 1.6 | Technical standards and specifications of the ID system are compliant with international standards | This indicator evaluates whether the technical standards and specifications of the ID system comply with international standards. Technology standards encompass hardware, software, and platforms for creating and proofing identities, issuing credentials, authenticating identities, and ensuring interoperability with other databases. Key areas include biometrics, cards, digital signatures, and federation protocols. Compliance with these international standards ensures the technical quality and interoperability of the ID system. | |
Transparency, accountability and oversight | Must have | 2.1 | The ID serves as a legal proof of an individual’s identity | This indicator evaluates whether the ID system serves as a legal proof of an individual’s identity. Recognizing the ID as legal proof confers significant status on what might otherwise be viewed as a purely technological artifact, incentivizing its adoption. This legal recognition ensures that the process of ID creation and its management are legally accountable. In cases where no legal framework exists, other functional IDs may be widely accepted as an alternative. Establishing the ID as legal proof of identity not only promotes its use but also enhances trust and reliability in the ID system, ensuring it is integral to both governmental and societal operations. |
Must have | 2.2 | Institutional governance structure and its accountability are established | This indicator identifies which institute(s) owns the system and operates it. | |
Must have | 2.3 | ID authority is subject to general oversight of the courts | The term ID authority henceforth refers to the dedicated authority or agency which serves as the executor of the ID system. If not a dedicated public authority, the ID system executor can also be a private or public-private entity | |
Must have | 2.4 | Accountability of the ID executors to the ID authority is established | This indicator evaluates if, regardless of whether the ID authority is the country's registration agency or another entity, the ID Act clearly states that the accountability and responsibility for managing the identity system fall under their mandate. Digital ID systems often involve both public and private vendors, each with varying levels of access to sensitive aspects of the system. To protect individual and public interests, it is crucial to clearly establish their accountability and liability. | |
Must have | 2.5 | Legally-binding redressal framework for ID-related malpractice is established | This indicator evaluates whether a legally-binding framework for addressing ID-related malpractice is established. ID systems need grievance redress mechanisms and infrastructure, such as a customer care department, where individuals can file complaints about any aspect of the identity lifecycle. Unresolved complaints should be escalated to an independent supervisory authority, with judicial review as the final recourse. This ensures accountability and provides individuals with a clear path for seeking redress. Verification involves reviewing the legal and regulatory framework outlining these processes. | |
Must have | 2.6 | Procedural rules for collection, storage and sharing of personal data related to ID system are established | This indicator considers that the ID act or secondary policy offers a proactive measure towards transparency around collection, storage and sharing of ID data, or relevant personal data from other government agencies. | |
Must have | 2.7 | Government exemptions/exceptions for using ID system and its data for national security, public order or other government interests are codified in law | If the government needs to use the ID data for surveillance, this is only allowed through the route that an enforced or draft privacy law determines. | |
Good to have | 2.8 | Credentials issued by the DID are treated as legal proof of the elements recorded by the ID | This indicator evaluates whether the credentials issued by the Digital Identity (DID) system are treated as legal proof of the elements recorded by the ID. Providing legal status to credential documents, such as proof of education, business registration, work experience, and vaccination, in addition to the DID itself, enhances their validity and trustworthiness. This recognition ensures that these digital credentials are accepted as official and legally binding proofs of the recorded elements. | |
Good to have | 2.9 | Accountability of institutions recording personal data and their responsibility for digitalisation are established | This indicator evaluates whether the accountability and responsibility of institutions recording personal data and their role in digitalization are established. Institutions collecting personal data must be accountable, typically under the oversight of a Data Protection Authority (DPA) or another designated body. Ensuring that all entities involved in data collection are under the purview of this authority is crucial for maintaining transparency and protecting individual privacy. | |
Good to have | 2.10 | ID system and its operations are under the purview of relevant Freedom of Information Laws, towards addressing corruption | This indicator evaluates whether the ID system and its operations are subject to relevant Freedom of Information (FOI) laws to address corruption. For both citizens and the media, it is essential that ID systems are supported by policies, laws, and regulations that promote trust, ensure data privacy and security, and mitigate abuses like unauthorized surveillance. | |
Good to have | 2.11 | ID system is informed by a multi-stakeholder group of representatives (especially from civil society, domain experts) | This indicator assesses if ID system is informed by a multi-stakeholder group, particularly encompassing members from the civil society. Civil society groups help generate demand for ID and assist individuals in obtaining necessary identification. ID authorities can establish committees with civil society representatives to provide feedback on the ID system's design and implementation. These representatives use social accountability mechanisms to monitor and report on the identity lifecycle. Civil society also helps identify issues from marginalized communities. | |
Good to have | 2.12 | ID authority performance and ID system governance is regularly reviewed and reported | This indicator evaluates whether the performance of the ID authority is regularly assessed and reported. The ID authority oversees the collection, verification, storage, and sharing of identity data, as well as credential issuance and public engagement. To ensure success, it must be legally empowered and demonstrate effective implementation and stakeholder collaboration. Regular performance reviews and reports are essential for building public trust and ensuring accountability. These evaluations involve multiple stakeholders, ensuring the ID authority remains transparent and effective. | |
Privacy, security and protection | Must have | 3.1 | Personal data linked to the ID is under the purview of the DPA and protected by law | This indicator evaluates whether personal data linked to the ID is under the purview of the Data Protection Authority (DPA) and protected by law, with effective enforcement mechanisms. Personal data associated with the ID must be protected by relevant laws, such as data protection or privacy legislation. Additionally, there must be enforcement mechanisms in place to ensure compliance and safeguard personal information. |
Must have | 3.2 | Procedural rules for the ID (enrolment, data processing, issuing credentials, etc.) are established | Operational rules are necessary alongside legal safeguards to ensure the safety, security, and privacy of individuals. This indicator examines if there are rules which specify the processes for managing ID enrolment, data handling, and data sharing. | |
Must have | 3.3 | There exists a process to notify individuals and general public about personal data related to ID system leaks or threats | This indicator assesses whether there is a process in place to notify individuals and the general public about leaks or threats related to personal data within the ID system. While this outcome is related to the country's data and information management systems rather than the technical DPI architecture, it is crucial given the extensive biometric data collected and exchanged through the ID program. Specific guidelines may be required to address these concerns. | |
Good to have | 3.4 | ID-related personal data collection, processing and sharing is based on individual consent | This indicator evaluates whether the collection, processing, and sharing of personal data related to the ID system are based on individual consent. Personal data collected through the ID system should be handled in accordance with purpose specification terms and should be subject to legal accountability measures. Ensuring that data handling practices are consent-based protects individual privacy and aligns with data protection laws. | |
Good to have | 3.5 | Data protection authority regulates ID data collected and shared by the ID Authority and executors | This indicator assesses whether the data protection authority regulates the collection and sharing of ID-related data by the ID Authority and its executors. Effective regulation ensures that ID data collection and sharing are conducted under strict oversight to protect individual privacy. Ensuring such regulatory oversight helps maintain the integrity and security of personal data within the ID system. | |
Good to have | 3.6 | Data and system security standards are publicly disclosed | This indicator assesses whether the security standards for data and systems in the ID infrastructure are publicly disclosed. Operational controls that ensure the security and integrity of ID system facilities, data centers, and equipment are crucial for protecting personal data. Security measures should prevent, detect, mitigate, and respond to threats from internal and external sources. Publicly disclosing these security standards helps ensure transparency and trust in the ID system. | |
Good to have | 3.7 | ID system data and cyber resilience are regularly reviewed and strengthened | This indicator evaluates whether the ID system's data and cyber resilience are regularly reviewed and strengthened. To ensure trustworthiness, the ID system must provide reliable identity information, protect personal data, and gain public trust. Regular assessments and enhancements of the system's resilience against threats such as hacking, fraud, spoofing, unauthorized access, and natural disasters are crucial. Continuous improvement of these measures helps mitigate risks to privacy and data protection. | |
Non-discrimination and inclusion | Must have | 4.1 | Processes to access, review, edit and delete one's ID data are transparent | This indicator assesses the transparency of the processes that allow individuals to access, review, edit, and delete their ID data. A digital identity system can exclude individuals if there are no mechanisms to address and correct human or machine-based errors in data input. Ensuring inclusivity and accuracy requires clearly articulated data management processes that are transparently communicated to the public. |
Must have | 4.2 | Enrolment in DID is possible without discrimination | This indicator evaluates whether the enrolment process for the digital identity (DID) system is free from discrimination. The digital identity system can potentially exclude certain population groups from accessing essential services based on enrolment criteria. Safeguards are essential to ensure that the enrolment process is accessible to individuals who may face discrimination due to factors such as race, color, sexual orientation or gender identity, language, religion, political beliefs, national or social origin, birth status, or any other. | |
Must have | 4.3 | DID is not the only legal document to serve as a credential for accessing basic human rights | This indicator assesses whether digital identity enables access to basic human rights, including access to primary education, access to emergency healthcare, family membership. | |
Must have | 4.4 | Cost of enrolling for the DID is affordable | This indicator assesses whether the cost of enrolling in the digital identity (DID) system is affordable or free. High enrolment costs can further exclude individuals, especially if the digital identity system is the sole method for accessing essential services. To mitigate this, access to these services should, at least initially, be designed to accept multiple proofs of eligibility. This approach ensures that individuals are not barred from services due to the cost of enrolling in the digital identity system. | |
Good to have | 4.5 | DID is designed with inclusive access features | This indicator evaluates whether the digital identity (DID) system is designed with features that ensure inclusive access for all individuals. Certain digital ID systems, such as those requiring online authentication or mobile applications, may be inaccessible to individuals in low-connectivity areas, those who are economically disadvantaged, or people who are digitally illiterate. Additionally, some biometric recognition methods may pose challenges for specific groups, including children, the elderly, persons with disabilities, and manual laborers. To ensure inclusivity, the DID system should incorporate various access methods, such as QR codes and multi-modal access options. | |
Capacity and coordination | Good to have | 5.1 | Processes to leverage the ID system across all levels of government are established | This indicator evaluates whether processes are in place to utilize the ID system across all levels of government. For digital identity to serve as a foundational infrastructure, it must be integral to service delivery across multiple agencies and public outcomes. Effective coordination is required to ensure that the digital identity system can be used for authentication and verification across both public and private services. This involves building state or city-level capacities and establishing agreements. |
Good to have | 5.2 | Budget for management of identification is dedicated, reliable and sufficient. | This indicator assesses whether the budget for managing the identification system is dedicated, reliable, and sufficient. For the sustainability of the ID system, the ID authority must have adequate resources to fulfill its mandate, sourced either from the state budget or its own revenue. Ensuring a reliable and sufficient budget is essential for the effective implementation and maintenance of the ID system. Recognizing the ID system as a critical national information infrastructure (CNII) allows for the allocation of necessary high-end security arrangements and corresponding budgets. | |
Good to have | 5.3 | Strategy for skills training and retention is established | This indicator evaluates whether a strategy for skills training and retention is in place for the ID management system. Improving the ID management system's accuracy, transparency, and efficiency requires continuous capacity building and skills development. The ID authority and its partners need the skills to implement cybersecurity standards effectively. Key activities include technical training, regular skills gap analyses, capacity building plans, and tailored awareness programs. One significant challenge is tailoring capacity building for each implementation step, such as registration, which involves hiring, training, and retaining a large number of temporary staff. | |
Good to have | 5.4 | DID use across government is facilitated through a coordination body | This indicator evaluates whether a coordination body facilitates the use of digital identity (DID) across government. For DID to serve as foundational infrastructure, it must support service delivery across multiple agencies and public outcomes. Effective coordination ensures DID accessibility across public and private services as an authenticator and verifier. This requires political commitment, a "whole of government" approach, and coordination among various stakeholders, including ministries, private companies, and civil society. A coordination body ensures a shared vision, clear mandates, and sufficient resources for sustainable ID system management. | |
Scale of adoption | Good to have | 6.1 | Public entities (that are not the same as the architect of the ID layer) use the ID infrastructure | This indicator evaluates whether public entities, distinct from the architect of the ID layer, utilize the ID infrastructure. For the ID system to achieve widespread adoption and effectiveness, it must be employed by various public entities to authenticate identities and conduct follow-up services at scale. This usage indicates robust integration and reliance on the ID system across different government sectors. |
Good to have | 6.2 | ID infrastructure is used across more than 1 sector | This indicator evaluates whether the ID infrastructure is utilized across multiple sectors. Treating digital identity as a sector-agnostic resource maximizes its infrastructure potential. This approach ensures that while the digital identity may include sector-specific features, it remains interoperable with other sectoral ID systems. This interoperability allows the digital identity to be effectively used across various sectors, enhancing its utility and integration within different domains. | |
Good to have | 6.3 | Private entities use the ID infrastructure | This indicator assesses whether private entities utilize the ID infrastructure for their operations. Private sector development and service delivery benefit significantly from reliable identification and authentication systems. For instance, banks need to verify clients' identities for services such as account opening and loan approval, ensuring interactions are with the legitimate person, not an identity thief. Trustworthy ID credentials help private firms reduce operating costs related to identity verification for regulatory compliance, expand their customer base and create new market opportunities. | |
Good to have | 6.4 | Civil society actors use the ID infrastructure | This indicator evaluates whether civil society actors, including NGOs, community-based organizations, and other local groups, actively utilize the ID infrastructure in their operations. Civil society organizations leverage the ID infrastructure to support their missions, such as providing services to individuals and communities. They use the ID system to verify identities, ensure access to benefits and services, and engage in activities that promote social inclusion and participation. By utilizing the ID infrastructure, these organizations enhance their capacity to serve marginalized groups, streamline service delivery, and improve the overall effectiveness of their programs. |