The ODI’s support for digital ID is conditional on the scheme being designed around individual control, data minimisation, open standards, and genuine inclusion.
A well-designed digital ID can improve people's lives in concrete, measurable ways, and several countries have built systems that work like this. However, to work this way, schemes must be built with this intention from the outset. We believe that the architecture is a democratic safeguard, not a “technical detail.”
As set out in our consultation response, there are several recommendations the ODI believes the government should adopt:
Key components of our response
- The specific standards used in the scheme must enable unlinkability and data minimisation through techniques such as selective disclosure and zero-knowledge proofs.
- One (not three) binding standard should be mandated by the Office for Digital Identity and Attributes (OfDIA).
- The universal unique identifier (UUID) approach should permit individuals to bring existing identifiers with them, rather than requiring a new government-issued identifier in all cases. It is important to consider that unique identifiers are only useful when associated with an authoritative issuer, as uniqueness of generated identifiers doesn’t prevent reuse.
- There should be serious consideration of technologies that allow people and not government departments (or other entities) to hold data about them. This not only protects the individual but engenders trust, and mitigates some of the risks of cyber attacks by bad actors. Solid, which is stewarded by the ODI, is one such protocol.
- There must be statutory protection for non-digital alternatives, including protected funding to maintain the systems that allow for them, and a requirement for independent review prior to any withdrawal or reduction.
- An audit log of all access to people’s digital ID must be accessible to them and provide a clear view of who accessed which part of their data under which conditions and for what purpose. This is a necessary transparency measure that must be built into the digital ID’s architecture.
- The government should legislate specifically for purpose limitation and the statutory protection of individual rights, covering private sector use of digital ID infrastructure. Policy commitments alone are not a substitute for primary legislation.
- The government should provide free services for checking the validity of common types of credentials, including Right to Work and DBS checks. All certified holder services (wallets) should be offered compatibility with the government service for verification.
- The government should engage a broad range of civil society organisations and technical experts, and use participatory design approaches, enabling affected communities to play a direct role in shaping system design.
There are others who support digital ID on outcome grounds alone, arguing that the benefits are clear and the design can be worked out later. The ODI's position differs: we believe that a system built on the wrong foundations will not simply underperform; it will create harms that are difficult or impossible to reverse. What matters is whether digital ID will be built in a way that serves the public, or in a way that creates new risks, exclusions and, potentially, concentrations of power.