Information Commissioner's Office
Data protection is an enabler for trust and confidence in the implementation of digital identity systems
Blog posted by: Steve Wood, Deputy Commissioner (Executive Director, Regulatory Strategy), 22 April 2021.
Digital identity systems have started to come of age, driven by the opportunities and challenges of the digital economy and public services.
The public need safe and secure ways to establish their identity in light of the reality of how digital services work in their daily lives. Such systems need to recognise the risks of fraud and security that exist at present, such as through the continued reliance on paper records.
Inspiring trust and confidence in the public about how their personal data is used in a digital identity system is paramount, which is why we welcome the opportunity to provide our regulatory advice on how the UK Government’s digital identity and attributes trust framework should address data protection.
We recognise that the framework is currently an alpha ‘working’ version that will continue to be updated as proposals develop, as well as to reflect feedback received by the Department for Digital, Culture, Media and Sport (DCMS).
The ICO acknowledges that a digital identity system with strong governance and effective data protection safeguards can help improve public access to digital services and reduce security risks. We are therefore broadly supportive of the establishment of the framework. We have, however, highlighted that accountability for the way that personal data is processed must be present from the outset.
We also welcome the decentralised approach that the framework proposes, which provides a strong foundation for a ‘data protection by design’ approach that must be embedded across the system.
In a communication also aimed at data protection officers, digital service design teams, monitoring bodies and risk managers, we are supporting Government efforts to get the privacy considerations right, and are recommending that:
- Robust governance and clear accountability are established
- Any system be user-centric and boundaries around who controls personal data and how it is used and gathered be clearly established
- Effective measures are in place to address the data protection risks that relate to data minimisation and purpose limitation
- Organisations operating in the trust framework must have appropriate technical and organisational security measures in place to protect the personal data held in the system
The paper does not focus on COVID-19 status certificates – the Information Commissioner recently issued a separate blog on this issue.
Steve Wood is Deputy Commissioner (Executive Director, Regulatory Strategy) and is Chair of the OECD Working Party on Data Protection & Privacy.