Trusted Digital Identity: A Pan-Canadian Approach
In the spirit of being open, I am sharing what we developed collaboratively with other jurisdictions. We are using this as input to develop our policy instruments.
If you have any comments, questions or concerns, I’d love to hear.
Trusted Digital Identity Principles
1. Within Canada, identity management is identified by the public and private sector as a strategic priority to provide better services to Canadians and to enable the evolution toward a digital economy.
2. As digital service delivery models mature, governments, businesses and individuals need to know electronically that clients are who they say they are. As well, everyone needs to trust the use and protection of identity information as it travels across jurisdictional and organizational boundaries. Together, these needs can be addressed by means of a Trusted Digital Identity and the Pan-Canadian Trust Framework (“Framework”).
3. A Trusted Digital Identity is an electronic representation of a person, used exclusively by that same person to receive valued services and to carry out important transactions with trust and confidence. For governments and businesses, a Trusted Digital Identity can be:
a. relied on as an equivalent alternative for provided services that require an in-person interaction with a service delivery agent or government official;
b. used to enable federation of identity[1], by means of agreed on levels of assurance:
i. Level 1 Trusted Digital Identity: little or no confidence
ii. Level 2 Trusted Digital Identity: some confidence
iii. Level 3 Trusted Digital Identity: high confidence
iv. Level 4 Trusted Digital Identity: very high confidence.
4. The Pan-Canadian Trust Framework can provide a Trusted Digital Identity through a set of agreed on definitions, principles, conformance criteria, assessment approach, standards, and specifications. Additionally, the Framework provides business value for a diverse array of participants that is commensurate with risk and takes into account the different perspectives of public sector and private sector stakeholders:
· For individuals or organizations (as end users of services): The Framework increases their confidence in the protection, disclosure, and use of their identity and personal information, thereby enabling a “tell us once” approach for convenient access to services in a trusted, secure, and privacy-enhanced manner.
· For governments and organizations (including private sector organizations): The Framework provides an opportunity for participants acting in the role of an authoritative party to offer standardized, high-value, high-integrity services between jurisdictions and the private sector. The Framework also provides an opportunity for participants acting in the role of a relying party (i.e., as a service provider) to rely on many trusted processes and services which, in turn, can be used to improve the integrity, efficiency and streamlining of high-value and complex digital services.
5. The Framework enables:
· Achievement of the Pan-Canadian Service Delivery Vision: “Citizens and businesses enjoy simple, convenient, and secure access to services in a manner they choose and manage.”
· Mutual confidence, or trust, in each other’s identity management processes.
· Reduction in identity risk by increasing the integrity and consistency of supporting programs, processes, and services.
· Adoption of innovative, competitive solutions that can be relied on beyond the traditional organizational boundaries of departments, agencies, and jurisdictions.
· Choice for Canadians in how they use a trusted digital identity. The Framework respects privacy, ensures security, and gives jurisdictions the flexibility to implement solutions that best meet the needs of their respective clients.
· Interoperability of solutions resulting in streamlined services and improved client experience.
· Implementation under existing legislation or, if required, used as input into development of new legislation.
· Transparency and accountability for all participants using the Framework.
[1] A trusted digital identity and defined assurance levels may also be considered as an eligible eID scheme for notification under EU Regulation 910/2014 found at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0910
