Share your views on the draft OECD Recommendation on the Governance of Digital Identity

The public consultation will run until 31st March 2023

The OECD is launching a public consultation on the draft OECD Recommendation on the Governance of Digital Identity. In this blog post, we’ll explore what digital identity is, why it matters, and what some OECD Member countries are doing to support its governance. We’ll also summarise the three pillars of the draft Recommendation.

You can find all the details about how to contribute at the end of this post and we would welcome your comments on the draft text by 31 March 2023.

What is digital identity?

There are various contexts in which proving who you say you are, or sharing information about yourself, matters. Accessing services in either the public or private sectors often requires a foundation of trust that you are who you claim to be, and that the information you share is verifiable.

Depending on what type of service you are accessing, this may require different processes or levels of assurance. For example, banks have legal obligations to know who you are for anti-money laundering purposes, but also has obligations towards you personally because the potential harm from someone fraudulently accessing your bank account is high. The same goes for claiming government benefits or declaring taxes or benefitting from health services. Indeed, identity theft and fraud affect many people, including one in five Europeans in the last two years, and generate large losses, such as $56 billion in 2020 in the United States.

Traditional identity verification in most countries still involves providing physical documents and proofs such as birth certificates, driver’s licenses, ID cards, or passports. Digital transformation offers opportunities to leverage technology for improving identity verification and authentication to access services both online and offline. Digital channels can offer solutions such as through digital credentials and wallets, eID cards, and mobile ID applications.

The draft OECD Recommendation on the Governance of Digital Identity includes the following definitions¹:

• Digital identity: a set of one or more electronically recorded attributes and/or credentials that can be used to prove a quality, characteristic, or assertion about a user, and, when needed support the unique identification of that user.
• Attribute: a verified quality or characteristic of a person or organisation, for example, name and date of birth, or company registration number.
• Credentials: a collection of attributes that show you are entitled to do something or have a qualification, for example, a passport, driver’s licence, business license, or student diploma.

When combined, attributes and credentials can support improving identity verification and authentication processes, and if shared separately, can make it easier for individuals and organisations to prove something about themselves. It can also make it easier for individuals to have greater agency over what attributes or credentials they share and with whom. A practical example might be proving you have the legal right to buy alcohol by presenting a verified claim of your legal age through an app on a smartphone, without having to show your name and date of birth.

Why should it matter to me or my organisation?

There is increasingly a consensus view of digital identity as digital public infrastructure, which is “a solution or system that enables the effective provision of essential society-wide functions and services in the public and private sectors”². While ensuring the trust and security of digital identity solutions and systems is fundamental, it is also crucial that they are adaptable to the changing digital landscape and responsive to user needs. Establishing successful digital identity systems and widely adopted solutions can simplify interactions and enable personalisation while reducing the risk of error and fraud. It can lead to greater trust and resilience in the digital environment, benefitting both economies and people.

The success of digital identity systems and solutions rely on their trustworthiness, usability and accessibility as perceived by the intended audience, including those who are not tech-savvy or familiar with digital solutions, to ensure that access to essential services is not restricted. Increasingly and importantly, the ability for users to travel with and use a digital identity solution across jurisdictions is becoming important, calling for increased international collaboration and co-operation in the area.

Examples of what OECD Members are doing to support the governance of digital identity

Work is already being done across many OECD Members to improve the governance of digital identity. Depending on national contexts, priorities and what works best for countries might look different. Examples include:

• The Australian Government’s Trusted Digital Identity Framework (TDIF)
• The European Commission’s Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity
• The Korean Government mobile driver’s license pilots
• The New Zealand Government’s Digital identity Programme and Digital Identity Services Trust Framework
• The United Kingdom’s digital identity and attributes trust framework

The draft OECD Recommendation on the Governance of Digital Identity

An OECD Recommendation is a legal instrument adopted by the OECD Council. Recommendations are not legally binding but represent a political commitment to the principles they contain and an expectation that Adherents will do their best to implement them. There are currently around 180 OECD Recommendations in force.

For more information, please consult the online Compendium of OECD Legal Instruments.

The three pillars of the draft Recommendation

The OECD’s Public Governance Committee and its Working Party of Senior Digital Government Officials (E-Leaders) has developed a draft Recommendation on the Governance of Digital Identity that encourages its Adherents to develop and govern digital identity systems as digital public infrastructure.

This involves creating or aligning policies and rules to support interoperability, promoting cross-sector coordination and international collaboration, and fostering innovation and a sound market for digital identity solutions.

Digital identity should be rooted in the needs of users and service providers and the respect of democratic values and human rights, including ensuring the inclusion of vulnerable groups and minorities and the protection of privacy.

The draft Recommendation on the Governance of Digital Identity aims to support Adherents’ efforts to ensure reliable and trusted access to digital identity for natural and legal persons that is portable across platforms, sectors, and borders.

The draft Recommendation presents a set of principles organised around three pillars:

• Developing user-centred and inclusive digital identity systems
• Strengthening the governance of digital identity
• Enabling cross-border use of digital identity

If adopted by the OECD Council, the Recommendation will form the basis for the OECD to serve as a forum for exchanging information, guidance, and monitoring activities and emerging trends around the governance of digital identity.

Purpose of the public consultation

The aim of the public consultation is to ensure that the final text reflects the experience, needs and aspirations of the international community concerning the governance of digital identity.

Inputs collected during the public consultation will help inform the finalisation of the draft Recommendation. They will be analysed by the OECD Secretariat and discussed by the relevant OECD bodies. Ultimately, the Recommendation will require the approval of the Public Governance Committee after which it would be presented to the OECD Council for adoption.

Guidance on providing feedback

Parties interested in commenting the draft Recommendation can comment directly on the draft text using the OECD’s Engagement Platform or send written comments in English or French to eleaders@oecd.org.

Comments submitted on behalf of another person or group of persons should identify all enterprises or individuals who are members of the collective group, or the person(s) on whose behalf the commentator(s) is/are acting.

The deadline is 23:59 (GMT+1) on 31 March 2023.

[1] Current definition in the draft Recommendation may be subject to modification.

[2] Definition by the Digital Public Goods Alliance, GovStack community of practice