1. Legal Framework in Identity Systems T Koshy
17th July 2017

2. Setting the Context CRVS Identity Management
Registration & Certification of Vital Events
Measuring Characteristics and Trends
Identity Management
Establishing Identity
Authentication for Service Delivery

3. Identity Management Clear Focus Use of Biometrics
Channel for Collection, Verification & Transmission Personal Data
Central Electronic ID repository
Authentication for Service Delivery
Value Added Services through ID platform
E Sign
E Stamping
Digital Locker

4. Identity Management Ecosytem
Build e-ID
Building on e-ID
Building around e-ID
Build e-ID
Building on e-ID
Building around e-ID
Establishing infrastructure to provide every resident a unique identity
Interfacing ID systems to service delivery (government and private sector enterprise) to improve efficiencies and reduce leakages
Deploying an innovation ecosystem around the ID and bring about transformation of governance and industry
e-ID aids in overcoming challenges faced by the governments in providing effective and efficient service delivery

5. Principles of Identification for Sustainable Development1
Inclusion
Universal Coverage and Accessibility 2
Design
Robust, Secure, Responsive, Interoperable identity platform, Technology neutrality and Operational sustainability 3
Governance
Safeguarding data privacy, security, and user rights; Institutional accountability and Independent oversight and grievance management
Source: Principles of Identification for Sustainable Development: Towards the Digital Age

6. Key Design Principles for a Legal Framework1 2 3
Accountability
OECD Principles: Collection Limitation Principle, Data Quality Principle, Purpose Specification Principle, Use Limitation Principle, Security Safeguards Principle, Openness Principle, Individual Participation Principle, Accountability Principle
Data Ownership
Data Governance
A strong legal framework provides the basis for a robust legal environment that promotes trust in the design, implementation and use of unique ID in a country

7. Accountability Communication Framework and Transparency
Citizens/Legal Residents
Ensuring accountability through
Clearly defined rules for data collection, compilation and storage
Enforce Compliance to stated rules and procedure for collection, compilation and storage of data
A robust communication framework; governed by rules on data sharing amongst parties (data owner, holder and consumer);
Data Owner
Institutions & Agencies that collect/store enrolment data
Data Holder
Data protection entails protecting of data during the following stages: Collection (Registration), storage, usage, sharing and disposal
Information being collected should always be treated as potentially valuable for others.
Designers of program should consider who would monitor the compliance of data protection within the program, whether there is a monitoring body for each social program linked to the identity program or individuals need to submit their complaints to the national identity body.
Private/Public organizations which uses the data for service fulfilment
Data Consumer
Specify Responsibility and Ensure Accountability of stakeholders

8. Accountability Legislative Provisions
Adequate safeguards and penalties for identity impersonation at the time of enrolment
Adequate safeguards and penalties against unauthorized data access and usage
Penalties for non-compliance with authorized disclosure requirements
Clear expectations & penalties for mandated service commitments
Adequate protocols for data breach notifications and actions by stakeholders
A specific oversight mechanism within the program should address the data protection issues.
Such mechanism should not only comply with the minimum requirements related to due process guarantees but should also have the mandate to order deletion or rectification of data as well as other form of repartitions.
Clearly articulated penal provisions ensure adequate safeguards against non- compliance to on data privacy and disclosure

9. Data Ownership Consent Architecture
The access to any identity–linked data is the prerogative of the individual
There should be no blanket consent for public use, around the information provided as a part of the enrolment procedure
“Function creep” should be prevented by ensuring that data collected for one purpose is not used for another without prior consent
Access to one’s own personal data-without constraint and without any delays or expenses
Information on categories being processed
Purpose of processing
Who is receiving it
Logic involved in processing
Example of Right to Information Act- oversight on government-private contracts…
An effective legal framework for managing national identities should be based on the principles of purpose and prior informed consent

10. Data Governance Protection of Personally Identified Information (PII)
Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’) – Article (2a), convention (108)
Protection of personal data- United Nations Guidelines for the Regulation of Computerized Personal Data Files, OECD guidelines on the protection of privacy and trans border flow of personal data, Council of Europe’s convention for the protection of individuals with regard to Automatic Processing of Personal Data (Convention 108)
Legal framework will encompass the following:
Constitution of a country: does the constitution guarantee right to privacy/and or data protection? Right to a remedy in the constitution? Independent oversight body established by the constitution
Internationally legally binding treaties
Other laws/regulations/policies/guidelines specific to a country,
Individual privacy rights to protect individuals, permit them to access their personal information and wherever necessary , to challenge/correct inaccuracies

11. Elements of Legal Framework for National Identity
Incorporation of the right legislative principles and information protection protocols should culminate in the articulation of a clear and effective National Act for Identity, with adequate constitutional validity to enforce the stated provisions.

12. Linkages between CRVS and National ID law Circular and dynamic linkages for universal coverage
Legislative provisions for data transmission and storage
Legal requirement of CR certificate/s as breeder document/s
As both civil register and national identity system deal with citizen data which comprises of PII…common design principles for legal frameworks come into play
Civil registration provides critical entry into the identity management system. ID management system adds layers of additional and relevant information, as per the law; including photograph, fingerprints, and other biometrics.
Civil Registration Law essentially comprises of : (Source: Outline Legal CRVS document)
General provisions, civil registration infrastructure, sphere of competence, roles and responsibilities of registrars, regn. Of birth, death, marriage, divorce, amendment of records, data privacy and confidentiality including collection and transmission of records, procedures and protocols for collecting and transmitting statistical information (vital stats), procedures and protocols for submitting records to the population register and identity management agency, citizen’s compliance and remedies, inspection and penalties and Funding of the civil registration system and operations
A legal framework conducive to a centralized organization can facilitate communication between information systems and enables nationwide harmonization of registration and data standards

13. Thank You