Ensuring the Right to Privacy and Transparency in the Digital Identity Ecosystem in Canada
Resolution of the Federal, Provincial and Territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight
St. John’s, Newfoundland and Labrador, September 20-21, 2022
A digital identity ecosystem¹ is emerging in Canada, powered by significant advances in information and mobile communications technologies.
The development of this ecosystem is part of a global trend intended to enable individuals, businesses and devices to securely and efficiently connect with one another, confirm the identity of individuals using reliable information, and carry out transactions online and in person with a high degree of efficiency and confidence.
Digital identity is an essential element of the digital environment, notably to modernize public services. Digital identity initiatives are being implemented across the country to help expand, simplify and secure access by individuals to public services. As the digital identity ecosystem evolves, private sector parties stand to play a growing role as issuers and consumers of digital identity information.
The federal, provincial and territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight across Canada recognize the many potential benefits of a secure digital identity that respects privacy for use by Canadians. The experience of similar efforts in other jurisdictions shows that, to be trusted and widely adopted, digital identities and the ecosystem in which they are used must meet high standards of privacy, security, transparency and accountability. Without trust, the benefits of a digital identity ecosystem will not be realized.
The benefits of a digital identity ecosystem must not come at unacceptable consequences, such as: the collection of personal information beyond that which is necessary, proportional or justified; increased risk of discrimination; heightened incidence of identity theft, fraud and other harms; or diminished roles for individual users.
The federal, provincial and territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight are committed to working with one another, their respective governments and other relevant stakeholders to ensure that a digital identity ecosystem in Canada, including the ways in which its different components interact and share information, is designed and implemented responsibly so as to uphold the right to privacy and transparency.
Canada’s Privacy Commissioners and Ombuds with responsibility for privacy oversight are calling on their respective governments and relevant stakeholders to ensure that rights to privacy and transparency are fully respected throughout the design, operation and ongoing evolution of a digital identity ecosystem in Canada.
To this end, the design and operation of privacy-respecting digital identities and a trustworthy digital identity ecosystem should meet the following non-exhaustive list of conditions and properties which should also be integrated within a legislative framework applicable to the creation and management of digital identities:
- A privacy impact assessment should be conducted and provided to the oversight body in the early design, development and update stages of a digital identity system as the project and solution evolve;
- The privacy implications of identity ecosystem design, functions and information flows should be transparent to all users of the system;
- Digital identification should not be used for information or services that could be offered to individuals on an anonymous basis and systems should support anonymous and pseudonymous transactions wherever appropriate;
- Systems should not create central databases;
- The principle of minimizing personal information must be applied at all stages of the digital identity process: only necessary information should be collected, used, disclosed or retained.² The collection or use of particularly intimate, sensitive and permanent information such as biometric data should be considered only if it is demonstrated that other less intrusive means would not achieve the intended purpose;
- Personal information in an identity ecosystem should not be used for purposes other than assessing and verifying identity or other authorized purpose(s) necessary to provide the service. Ecosystems must not allow tracking or tracing of credential use for other purposes;
- The security of personal information should be proportional with its sensitivity, the context and the degree to which it could be desired by malicious actors;
- Digital identity information must be secure from tampering, unauthorized duplication and use;
- Systems should be capable of being assessed and audited, and of being subject to independent oversight;
- Digital identity systems should provide options and alternatives in order to ensure fair and equitable access to government services for all.
Individual Rights and Remedies
- Individual participation in a digital identity ecosystem should be voluntary and optional;
- Individuals should be able to choose alternative forms of identification and these forms should be reasonably convenient and accessible;
- Clear and informed consent of the individual should be the basis for exchanging personal information between services;
- Individuals should be in control of their personal information;
- Redress to an independent body with adequate resources and powers should be provided for individuals in the event of rights violations.
Governance and oversight
- Governments should be open and transparent about the defined purposes of the digital identity systems, what personal information will be used, how and by whom;
- Governments should provide for express lawful authority, prohibitions, penalties and redress;
- Where necessary, existing privacy laws should be strengthened to support digital governance and uphold the principle of do no harm;
- Governments should establish clear accountability mechanisms to meet transparency and privacy obligations, including providing authority and resources for regulators to exercise adequate oversight and impose appropriate penalties for non-compliance.
In addition to having a digital identity ecosystem aligned with internationally recognized standards and best practices, regulatory frameworks must be designed and implemented in a manner that uphold privacy rights and protect personal data in the public and private digital identity ecosystem. Such regulatory frameworks should be harmonized across Canada to facilitate interoperability, while respecting federal and provincial jurisdictions.
For their part, Federal, Provincial and Territorial Privacy Commissioners and Ombuds with responsibility for privacy oversight commit to continually monitor the development of digital identity initiatives, collaborate between their respective offices to strengthen their collective capacity and knowledge in this area, and stand ready to engage with their respective governments and other relevant stakeholders to provide their views and advice on evolving digital identity programs and initiatives in a timely, constructive manner that is conducive to enhancing privacy protections and public trust in the adoption of digital identities.