Legal Framework in Identity Systems T Koshy

Presentation transcript:

Legal Framework in Identity Systems T Koshy 17th July 2017

Setting the Context

- CRVS: Registration & Certification of Vital Events; Measuring Characteristics and Trends
- Identity Management: Establishing Identity; Authentication for Service Delivery

Identity Management: Clear Focus

- Use of Biometrics
- Channel for Collection, Verification & Transmission
- Personal Data
- Central Electronic ID repository
- Authentication for Service Delivery
- Value Added Services through ID platform: E Sign, E Stamping, Digital Locker

Identity Management Ecosystem

- Build e-ID: Establishing infrastructure to provide every resident a unique identity
- Building on e-ID: Interfacing ID systems to service delivery (government and private sector enterprise) to improve efficiencies and reduce leakages
- Building around e-ID: Deploying an innovation ecosystem around the ID and bringing about transformation of governance and industry

e-ID aids in overcoming challenges faced by governments in providing effective and efficient service delivery.

Principles of Identification for Sustainable Development

1. Inclusion: Universal Coverage and Accessibility
2. Design: Robust, Secure, Responsive, Interoperable identity platform, Technology neutrality and Operational sustainability
3. Governance: Safeguarding data privacy, security, and user rights; Institutional accountability and Independent oversight and grievance management

Source: Principles of Identification for Sustainable Development: Towards the Digital Age

Key Design Principles for a Legal Framework

1. Accountability
2. Data Ownership
3. Data Governance

OECD Principles: Collection Limitation Principle, Data Quality Principle, Purpose Specification Principle, Use Limitation Principle, Security Safeguards Principle, Openness Principle, Individual Participation Principle, Accountability Principle

A strong legal framework provides the basis for a robust legal environment that promotes trust in the design, implementation and use of unique ID in a country.

Accountability: Communication Framework and Transparency

Ensuring accountability through:
- Clearly defined rules for data collection, compilation and storage
- Enforced compliance with stated rules and procedures for collection, compilation and storage of data
- A robust communication framework, governed by rules on data sharing amongst parties (data owner, holder and consumer)

- Data Owner: Citizens/Legal Residents
- Data Holder: Institutions & Agencies that collect/store enrolment data
- Data Consumer: Private/Public organizations which use the data for service fulfilment

Data protection entails protecting data during the following stages: collection (registration), storage, usage, sharing and disposal. Information being collected should always be treated as potentially valuable for others. Designers of a program should consider who would monitor compliance with data protection within the program: whether there is a monitoring body for each social program linked to the identity program, or whether individuals need to submit their complaints to the national identity body.

Specify Responsibility and Ensure Accountability of stakeholders

Accountability: Legislative Provisions

- Adequate safeguards and penalties for identity impersonation at the time of enrolment
- Adequate safeguards and penalties against unauthorized data access and usage
- Penalties for non-compliance with authorized disclosure requirements
- Clear expectations & penalties for mandated service commitments
- Adequate protocols for data breach notifications and actions by stakeholders

A specific oversight mechanism within the program should address data protection issues. Such a mechanism should not only comply with the minimum requirements related to due process guarantees but should also have the mandate to order deletion or rectification of data as well as other forms of reparation.

Clearly articulated penal provisions ensure adequate safeguards against non-compliance on data privacy and disclosure.

Data Ownership: Consent Architecture

- Access to any identity-linked data is the prerogative of the individual
- There should be no blanket consent for public use of the information provided as part of the enrolment procedure
- “Function creep” should be prevented by ensuring that data collected for one purpose is not used for another without prior consent
- Access to one’s own personal data, without constraint and without any delays or expenses:
  - Information on categories being processed
  - Purpose of processing
  - Who is receiving it
  - Logic involved in processing
- Example of Right to Information Act- oversight on government-private contracts…

An effective legal framework for managing national identities should be based on the principles of purpose and prior informed consent.

Data Governance: Protection of Personally Identified Information (PII)

Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’) – Article (2a), Convention (108)

Protection of personal data:
- United Nations Guidelines for the Regulation of Computerized Personal Data Files
- OECD guidelines on the protection of privacy and transborder flow of personal data
- Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108)

The legal framework will encompass the following:
- Constitution of a country: does the constitution guarantee the right to privacy and/or data protection? Is there a right to a remedy in the constitution?
- Independent oversight body established by the constitution
- Internationally legally binding treaties
- Other laws/regulations/policies/guidelines specific to a country
- Individual privacy rights to protect individuals, permit them to access their personal information and, wherever necessary, to challenge/correct inaccuracies

Elements of Legal Framework for National Identity

Incorporation of the right legislative principles and information protection protocols should culminate in the articulation of a clear and effective National Act for Identity, with adequate constitutional validity to enforce the stated provisions.

Linkages between CRVS and National ID law

- Circular and dynamic linkages for universal coverage
- Legislative provisions for data transmission and storage
- Legal requirement of CR certificate/s as breeder document/s

As both the civil register and the national identity system deal with citizen data which comprises PII, common design principles for legal frameworks come into play. Civil registration provides critical entry into the identity management system. The ID management system adds layers of additional and relevant information, as per the law, including photograph, fingerprints, and other biometrics.

Civil Registration Law essentially comprises (Source: Outline Legal CRVS document):
- General provisions
- Civil registration infrastructure
- Sphere of competence
- Roles and responsibilities of registrars
- Registration of birth, death, marriage, divorce
- Amendment of records
- Data privacy and confidentiality, including collection and transmission of records
- Procedures and protocols for collecting and transmitting statistical information (vital stats)
- Procedures and protocols for submitting records to the population register and identity management agency
- Citizen’s compliance and remedies
- Inspection and penalties
- Funding of the civil registration system and operations

A legal framework conducive to a centralized organization can facilitate communication between information systems and enables nationwide harmonization of registration and data standards.

Thank You