copy the linklink copied!2. DI in selected countries

This chapter presents a comparative analysis of the DI experience in 13 countries through each dimension of the analytical framework explained in Chapter 1 based on a survey completed by the countries.

The assessment compares the foundations for identity in terms of existing national identity infrastructure, policies supporting DI and a country’s governance mechanisms.

DI solutions are then analysed with a discussion of the technical approaches for browser, smartcard, mobile, and biometric based systems.

The policy levers and adoption of DI are assessed in light of the legal and regulatory framework, funding and enforcement measures, the services made available, and the enablers and constraints identified by the countries.

The ways in which citizens are being put in control of their data, the openness with which countries are sharing the results, and their approaches to impact assessment are described in the last dimension.

Finally, trends identified in the study are presented.

copy the linklink copied!Dimension 1: Foundations for DI

The foundations for DI are the tools, policies and governance structures, which support the development and implementation of DI in a country. This section begins by considering the different approaches to identity infrastructure within a country that underpin DI registration and access. Following this the approach to policy in the areas of security, interoperability, user experience and privacy is discussed. In conclusion the different approaches to governance are described, with a particular focus on the interactions between private sector and government.

Dimension 1.1: National identity infrastructure

National population registers are used as the source of information for the initial registration of digital identities in several countries. However, due to social and cultural reasons other countries do not have such national identifiers or, if they do, prefer not to attach DI to them. The following approaches for the role of national ID in DI have been observed:

DI is supported by a public, centralised register of the population. Linking DI to a national population register was found in Austria, Estonia, India, Korea, Portugal, Spain, and Uruguay, and tends to increase usability and utility.
DI is supported by a public, decentralised register of the population. In some countries there is no single national population registry but several population registers which are linked to a citizen’s DI. Since 2014, Italy has a centralized National Resident Population Register (ANPR); municipalities are still migrating into ANPR; yet, forecasts indicate that by the end of 2019, the number of citizens in ANPR will be more than 45 million over a population of 60.55 million
DI is verified or provided by several private and public organisations. This approach is being taken by those countries which do not have a national population registration system providing a unique number for all the population as in Canada, New Zealand and the United Kingdom; or where DI efforts have historically been led by the private sector as in Denmark and Norway.

Figure 2.1 shows how countries which rely on national population registers, require mandatory registration for the whole population. This is either from the first days of life (for example in Portugal and Uruguay), or before adulthood (in India and Spain). In Portugal the “Born Citizen Project” (Nascer Cidadão) enrols citizens on the population register and provides a national ID card (Citizen Card) in the medical facility when a child is born.

Figure 2.1. Digital ID enrolment and National Population Registers

There is a strong correlation between a country not mandating registration in a population register or not having one, and private sector responsibility for DI enrolment. This is seen in Canada, New Zealand and the United Kingdom where the absence of mandatory public population registers means greater involvement for private entities in managing DI. Where both registration in the population register and national ID cards are mandatory, private sector involvement is lower (Estonia, India, Korea, Portugal, Spain and Uruguay) with the exception of Italy where, at least within the SPID identification scheme, the private sector plays a part. Finally, for those countries with national population registers but optional national ID cards there are differing levels of involvement for the private sector, with more in Denmark and Norway, and less in Austria.

Characteristics of National ID cards

Six of the countries in this study (Estonia, India, Korea, Portugal, Spain, and Uruguay) have both a national population register and a mandatory national ID Card. Austria, Denmark, and Norway also have national population registers but an optional or sectorial ID card. . Finally, the three countries without a national population register, Canada, New Zealand and the United Kingdom, do not have national ID cards; in this case, government services are usually accessed through verification by private entities (namely banks, and postal services). In Italy, the issuance of the ID card is mandatory; and since 2019 is is mandatory to issue the Electronic ID (CIE) and as a result municipalities no longer issue ID cards in paper format.

The countries which issue ID cards do so using polycarbonate and according to the standard format ISO/IEC 7810:2003 ID-1 and feature the following elements:

Identification of the country
Citizen photo
Biographic information including the name, birthdate, nationality, and biological sex of the holder
Validity information such as the date of issue, or of expiry and the document number
A reproduction of the card holder’s signature
A representation of the data contained on the card encoded in a machine readable format, known as the Machine Readable Zone or MRZ
Physical card security features including holograms and holographic symbols, embossing, variable colour printing, fluorescent elements, and elements visible only under ultraviolet light.

Whilst the materials of the cards are alike, there are differences in how chips have been incporated as shown in Figure 2.2. Five countries feature electronic chips whilst Austria, India and Korea do not. Estonia and Portugal have chips that require contact to be read, Italy has a contactless chip and Spain and Uruguay have a dual interface allowing for both contact, and contactless, reading of the card.

It is noteworthy that ID card systems which have recently been developed or upgraded, as in Italy, Spain and Uruguay, favour contactless. The adoption of this technology reflects the increasing use of ID cards for access control purposes (for example in transportation and at border controls) and the prevalence of mobile devices with near-field communication (NFC) capabilities for public servants to access data on cards ‘in the field’ (for example in relation to enforcement activity).

Figure 2.2. Chip technology incorporated into national ID cards

Face to face interactions are increasingly expensive for both users to access and the government to provide. Therefore, moving enrolment for national ID cards away from such processes is attractive. However, due to the nature of identity this presents security challenges. Remote processes that incorrectly identify a person, or which are subject to fraudulent subversion, undermine the authenticity of an identity and therefore any subsequent DI approach which reuses these flawed, or corrupted, data.

All countries with national ID cards handle the application process online at least in part. Figure 2.3 shows that only in Portugal is the enrolment process fully digital with the remaining countries using paper based forms or the submission of physical photographs or certificates. Alongside this all countries provide an in person enrolment process with Estonia additionally allowing the request of an ID card by post.

Figure 2.3. Approach to enrolling for an ID card

In Portugal, the national ID card (Citizen Card) can be renewed online in certain conditions. To do this it reuses previously provided biometric data (from existing photographs and fingerprints) and requires in-person collection from a Citizen Shop. When claiming the card the recipient must perform a fingerprint match to verify their identity. This two factors approach allows for a reduction in the costs of application whilst maintaining the integrity of assurance for the ID card.

Whilst the costs may reduce for the government, the addition of extra technology to the cards themselves does increase the cost for citizens. There is a wide variance in terms of how much it costs a citizen to obtain their national ID card with Uruguay citizens needing to pay EUR 7.40 compared to Austria’s EUR 61.50.

Dimension 1.2: DI policy

The policy approaches required by countries to implement DI share several common features. In most countries, the following priorities are clearly visible:

1. Improve user experience

2. Provide digital access to government services

3. Increase security

4. Transform the digital economy (including private sector services)

5. Reduce the cost of doing business in the country

DI is a clear enabler for transforming the user experience of services. Many of the countries considered by this study are focusing on how they might apply the concept of digital by design to the experiences of citizens, reducing the requirement for paper processes and offline interactions in meeting a need by being confident in the identity of the person accessing the digital service. Thus, the approach taken to DI is often influenced by how a country has recognised these challenges in their National Digital Strategies, assurance processes, capability building and design guidelines.

More than half of the countries in this study were explicit that their commitment to DI was a policy decision designed to establish a common authentication approach across government services. The concept of a single sign on for government is attractive in simplifying interactions between citizens and their services but relies on the interoperability of data between different parts of the government. One response to this, demonstrated particularly well by Estonia and Portugal, is found in accessing professional attributes from third parties with responsibility for managing the data. In order to make such attribute exchange possible, DI policy needs to ensure the interoperability and reuse of data between public and private sources.

The starting point for DI policy is ensuring that there is confidence that the person using a DI is the person it belongs to. This requires confidence in the way in which an identity is generated in the first place but also that the model of DI is capable of responding to criminal threats and user error. Given the sensitivity of the information countries were unable to share extensive details for publication about how they respond to the security threats identified by their DI models. Nevertheless, provision is made within national digital security strategies to ensure that approaches to DI are secure for government, and for users. In the United Kingdom the nature of how GOV.UK Verify is built and maintained means considerations of security at scale are part of the solution’s design and the product team that exists to support it.

Whilst it is important for government to have confidence in the security and usability of its DI model, it is arguably most important that it has the trust of its users. In this respect, DI policy reflects wider governmental trends concerning data protection, the transparency of access to personally identifiable information, and the mechanisms by which citizens might grant consent for its access or reuse. Several DI approaches include opportunities for user to actively grant consent for their data to be used with the experience of Austria discussed in more detail in Box 2.1.

copy the linklink copied!

Box 2.1. Austria SourcePIN and ssPIN

In Austria a SourcePIN is required for the unique identification of a citizen. This number is generated from the SourcePIN Register when required and deleted afterwards. Citizens are able to access an audit trail detailing how their data have been accessed and used.

In general, this will not have happened without the user knowing as public authorities are not allowed to save the SourcePIN of a citizen. Instead, they use a sector-specific personal identifier (ssPIN), which can only be used for a particular purpose during a particular timeframe. The ssPIN is derived from an individual’s SourcePIN through a non-traceable and irreversible cryptographic process.

To generate an ssPIN, a public body must have the explicit agreement of the person concerned with this consent only providing validity to the ssPIN for use according to the activity under which the initiated procedure falls. It cannot be used to access services in another sector.

Only the SourcePIN Register Authority may generate an ssPIN without the citizen card of the person concerned, and it may do so only in special circumstances with the help of adequate identification attributes.

Figure 2.4. Austria SourcePIN and sector-specific personal identifier

Dimension 1.3: Governance

Governance covers the leadership and development of politics, policies and processes surrounding the implementation of DI and in particular brokering relationships between public and private actors involved with DI.

The models for DI governance are often aligned with how countries are promoting their Information Technology and digital government agendas. There is a strong correlation between those organisations which are responsible for digitally transforming the experience of public services, and those which hold political or operational responsibility for DI governance. This decision reflects the importance of DI in enabling the ambitious redesign of services and the transformation of government.

Figure 2.5 shows the four categories of political leadership identified across the 13 countries in this study. In four of them (Italy, Portugal, United Kingdom and Uruguay), responsibility is closely associated with the head of the government (Prime Minister office, or with the President of a Council of Ministers). The same number of countries (Estonia, Korea, New Zealand and Spain) locate this responsibility within the Internal Affairs or Interior Ministry. Canada and Denmark look to the Finance Ministry whilst the other three countries (Austria, India and Norway) house the responsibility in specific ministries focused on digitalisation.

copy the linklink copied!

Box 2.2. Portuguese DI governance

The Portuguese Governance Model aims to ensure both the implementation and monitoring of the DI programme, and the strategic and operational coordination of the National DI ecosystem.

The governance model is organised across three levels, supported by a Programme Management layer.

The strategic coordination level establishes a common vision for DI in Portugal. The political leadership of the National DI involves the ministry responsible and the president of the council of ministers, along with other relevant ministries for DI (e.g., Internal Affairs, Finance, Justice, Social Security, and Health). Permanent bodies reporting to this leadership have direct responsibility for policy making, monitoring and assessing DI initiatives.

The operational coordination level pursues the policies and vision set by the national leadership. This aggregates those responsible for the functional blocks of Portugal’s DI ecosystem.

The delivery and maintenance level implements projects and runs the ecosystem of DI components. Operating through the direct authority of those in the operational coordination level this is done through responsible the public or private entities.

Given the organisational, functional and technological diversity of the Portuguese DI ecosystem, a programme management office (PMO) is in place. The PMO participates throughout the DI program, establishing measures, planning and monitoring the execution of the guidelines outlined, and ensuring visibility of DI across the country.

Source: Provided by Portugal in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished)

DI systems, which use digital certification for authentication and also support digital signatures on documents, are often built on top of a Public Key Infrastructure (PKI). Governance of this approach is managed through the same ministry responsible for DI, with the example of Korea discussed in Box 2.3. Such DI solutions are discussed in more detail in Dimension 2.3: Smartcards and Dimension 2.4: Mobile.

copy the linklink copied!

Box 2.3. Public Key Infrastructure governance in Korea

The Korean Government implemented both a National Public Key Infrastructure (NPKI) and a Government Public Key Infrastructure (GPKI). The use of GPKI was facilitated as the Government promoted the use of e-document among government agencies. In 2002 the use of NPKI became mandatory for online banking with the requirement for NPKI subsequently applying to all electronic transactions.

The Ministry of the Interior and Safety (MOIS) serves as the Root Certificate Authority (CA) for GPKI and the Korea Internet Security Agency (KISA) does so for NPKI. Both PKI solutions are interoperable.

Figure 2.7. Relationship between Government and National Public Key Infrastructures

National approaches to DI may be developed by the public sector (often from scratch) or based on the reuse of existing solutions already provided by a country’s private sector. The relationship between private and public sources and application of identity is important in shaping the effective use of any DI. Figure 2.8 explores 7 theoretical models for exploring the relationship between public and private sector solutions and their reuse in accessing services.

Figure 2.8. Models for issuing, managing and using DI

In Model 1 (“Sector specific DI”) private and public entities remain separate with private DI used in private sector services and public DI used for government services. This model is seen in Uruguay.

Model 2 (“Sector specific DI with reusable public DI”) has clear separation between private and public DI but enables the reuse of public DI to access certain private sector services. This model is seen in New Zealand, Portugal and Spain. The inverse approach to this, captured in Model 3 (“Sector specific DI with reusable private DI”), is not evidenced in the countries selected for comparison.

In Model 4 (“Private DI”) users can access both private sector and government services using a single, reusable DI, provided and managed by the private sector. This model is found in Norway.

India and Italy demonstrate Model 5 (“Public DI”) where a single, reusable DI provided and managed by the public sector is available to access both private sector and government services.

Users in Austria, Denmark and the United Kingdom (more detail on GOV.UK Verify can be found in Box 2.4) can access both private sector and government services via Model 6 (“Shared DI”), with a single, reusable DI where responsibility for its issuance and management is shared between government and the private sector.

Model 7 (“Interoperable DI”) allows for the creation of identity by both private sector and public sector entities but with an interoperability that allows for its reuse to access services of any type. This model is found in Canada, Estonia and Korea where the NPKI is the only digital certification for authentication for the citizens and it can be used for both government services and private sector services such as banking. The NPKI is managed by KISA, an affiliate agency of the Ministry of the Interior and Safety and issued by pre-authorized financial entities. Therefore, it is regarded as public DI.

Figure 2.9. DI models found in selected countries

copy the linklink copied!

Box 2.4. GOV.UK Verify

GOV.UK Verify is a federated identity system managed by the UK government. Direct responsibility for the programme is held by the Government Digital Service, a unit of the Cabinet Office which fulfils a central coordinating function close to the Prime Minister and their senior ministers.

This federated approach means the identity infrastructure behind the UK’s DI is not run by the government. Instead of receiving an identity from the government, a user registers with a certified company of their choosing who verifies their identity. When a user uses a service requiring a verified identity the user is passed to their chosen certified company, having authenticated with them the certified company communicates that verification to the service being accessed and the user returns to complete their transaction.

Nevertheless, the government maintains an important role in providing the user journey from GOV.UK, the UK’s single government website to the different identity providers. Moreover, the Government Digital Service team provides an important role in setting standards for the onward user experience, and working with the industry to agree protocols and standards covering identity proofing, verification and authentication.

Certification for identity providers is based on those protocols and standards. The UK government publishes guidance that explains the standards a certified company has to meet, and how they can meet them, rather than specifying technologies or processes. Once certified, these companies have to demonstrate an ongoing commitment to appropriate information security arrangements and are assessed by tScheme for the quality of their service. They also have to pass a number of rigorous contractual ‘gates’ at which they demonstrate to government that their solutions meet any contractual requirements.

UK hub and supplier services are developed based on openly published standards and Good Practice Guides (GPG’s) developed with government departments and industry partners. The government sets standards for services requiring minimal, or in-depth, evidence for citizens to prove their identity. Each UK government department decides how much evidence is required in order for citizens to access each of its digital services.

Figure 2.10. GOV.UK Verify conceptual architecture

Governance models with a focus on the public sector are easier to manage and implement due to avoiding the need for operability with external private systems. However, as the private sector may already have DI solutions, those models which do not promote cooperation between the sectors see lower levels of DI reuse. Solutions that reuse existing (private) DI, develop a shared model, or consider public and private sector applications tend to ensure higher adoption of DI by services in both the public and private domains.

copy the linklink copied!Dimension 2: DI Solutions

This section explores DI solutions in the selected countries. The platforms are described in terms of their overall approaches before exploring how their authentication mechanisms involve browser based activity, smartcards, mobile devices and biometrics.

Dimension 2.1: DI Platform

As discussed in Dimension 1.1: National identity infrastructure, there are several models for the way in which a country will approach identity. When it comes to implementing DI many countries follow the same model of creating a national platform. In 77% of the countries there is a central entity responsible for providing authentication but also in developing, supporting, securing and sharing components and code that ensure interoperability between DI providers and public services.

Figure 2.11. Features of national DI platforms

Using DI to provide additional attributes expands the scope beyond authentication or a signature. This allows a citizen to obtain specific data, play a legal role, or prove a professional skill or responsibility. In addition to the authentication process, 23% of the selected countries use DI to provide access to attributes including tax information, address, birthdate, and professional information.

15% of the selected countries enable individuals to digitally sign documents on the basis of a role they hold. For example, in Portugal it is possible to use existing authentication mechanisms (Mobile ID and ID card) to access additional attributes and to take on the legal responsibility of another individual. The Portuguese Professional Attribute Certification System Case Study is considered in more detail in Box 2.5.

copy the linklink copied!

Box 2.5. Portuguese Professional Attribute Certification System

Portugal’s Professional Attribute Certification System (SCAP) uses existing, non-digital, authentication mechanisms to enable citizens to be authenticated according to the functions and entitlements they hold as a qualified professional.

SCAP ensures interoperability between existing identity mechanisms and attribute providers in order to support the authentication and the digital signing of documents according to the different roles citizens have.

Figure 2.12. SCAP functional architecture

Through the association of business attributes with their identity SCAP allows a citizen to use their Citizen Card or Mobile ID to authenticate and provide signatures as a legally recognised actor, such as Managers, Administrators, and Directors.

SCAP is also used internally by public servants to authenticate and electronically sign documents, according to the role of “public servant”.

Figure 2.13. Main steps in the SCAP user journey for electronic signatures

Certain DI approaches enable countries to provide cross-border services and their citizens to identify themselves when accessing the services of another country. Nearly 70% of countries provide similar DI mechanisms for both national, and foreign, citizens. Additionally, over half of the countries have bilateral agreements which allow citizens to use their national identification solutions to access public services outside their country of origin. Finally, the implementation of European Regulation 910/2014, commonly known as eIDAS, amongst the EU member states means that Austria, Denmark, Estonia, Italy, Norway, Portugal, and Spain are covered by an expectation to deliver international cross border DI using a common interoperability solution.

Some countries are making DI available not just to those who live in their country, but to anyone who wishes to have a government backed identity regardless of their residency. A particularly interesting example is that found in Estonia; their e-Residency project, discussed in Dimension 4: Transparency and monitoring, allows a DI to be requested by any citizen in the world.

Figure 2.15. Means of authentication within DI solutions explores some of the decisions countries have taken in implementing DI. Smartcards, or another physical second factor, form part of the solution in 7 of the countries; mobile devices are used in a further 7 and are commonly associated with an increased likelihood of adoption (OECD 2018). Browser based authentication features in 6 countries with biometric authentication being employed by a single country.

Dimension 2.2: Browser based

Browser based approaches to DI are found in 6 of the countries featured in this study (Canada, India, Italy, New Zealand, United Kingdom, and Uruguay). This mechanism provides authentication only and is based on a user identifier and a password. These are often user defined but may reference an existing ID number, such as that found on an ID card, or involve a pre-set password. They may be paired with a second factor authentication step. The example of Italy is discussed in Box 2.6.

Figure 2.16. Features of browser based DI

copy the linklink copied!

Box 2.6. The Italian Public Digital Identity System (SPID) and Electronic Identity Card (CIE)

The Italian Public Digital Identity System (SPID) enables Italian citizens to access online government services through a single DI (username and password).

SPID allows public administrations to replace their locally-managed authentication services with substantial savings in processing time and administrative costs. Moreover, compared to these legacy approaches, SPID increases the level of assurance as to whether the other party is who they claim to be..

SPID meets the requirements for assurance level “Low”, “Substantial” and “High” in line with the requirements of Article 7, Articles 8(1)-(2) and 12(1) of the eIDAS Regulation and Commission Implementing Regulation (EU) 2015/1502. As for the Low level see https://www.agid.gov.it/sites/default/files/repository_files/documentazione/spid-avviso-n4-livelli-servizio-minimo-funz-omogenee.pdf.

Art. 64 of the Codice Amministrazione Digitale - Digital Administration Code (CAD) provides that SPID is mandatory and that all government services should replace any previous authentication models with the exception of Electronic Identity Card (CIE). In order to speed up the process, simple instructions are provided at https://developers.italia.it/en/spid.

SPID has been recognized eIDAS compliant on Sept. 10, 2018 (https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Italy+-+SPID).

CIE is both a personal identification document that certifies the identity of the holder and a means of authentication for online e-Government services. It aims to streamline and speed up communication between the state and citizens. The use of CIE is based on the cryptographic services installed on the card itself, and the interaction with the user device based on NFC. https://www.cartaidentita.interno.gov.it/identificazione-digitale/entra-con-cie/

CIE is a credit card that replaces the old paper-based ID document and former eID card. It is available to all Italian citizens. Through CIE, a citizen can obtain SPID online or in person. CIE has been recognized eIDAS compliant on Jun. 06 2019 (https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Italy+-+eID).

Source: Provided by Italy in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

Figure 2.17. Usage and enrolment channels for browser based DI

The countries adopting browser based approaches are focused on its use online and within mobile apps to provide authentication only.

Users can enrol across a range of channels with more than 80% of countries offering a face to face process whilst contact centres using video calls and the provision of mobile apps are additional channels designed to support an increased ease of enrolment.

Assuming that the mechanism for proving an identity has been solved, browser based DI is easy and cost-effective to implement with a positive user experience that can be readily replicated across multiple services. Efforts in Italy and the United Kingdom have focused on providing support to developers in service teams to simplify the work required to implement their approaches and reduce the adoption costs. For the user, there are no costs to bear in acquiring a DI and no costs when they use it.

However, browser based mechanisms that only use a single factor of authentication are at risk of digital security threats such as phishing and do not provide some additional features such as digital signatures or encryption. To increase security when using a username and password, a second factor of authentication is recommended to ensure access is being granted to a legitimate party.

In Italy, in most cases, in order to increase the level of security, the browser based authentication requires SPID level “Substantial” which calls for second authentication factor. To protect high-value data or services, the level “High”, which requires mandatory asymmetric cryptographic keys besides second authentication factor.

Dimension 2.3: Smartcards

Smartcards can form one element of the DI solution as seen in Austria, Denmark, Estonia, Italy, Korea, Portugal, Spain, and Uruguay. In all but one of these countries this second factor for authentication is provided through contact or contactless Smartcard technology. In Denmark the two factor solution is a code card (NemID).

The card based approaches of these countries provide a second factor authentication mechanism for online services and secure digital signatures. In addition, Estonia (see Box 2.11), Spain, and Uruguay, use Smartcards equipped with contactless technologies like Near-field Communication (NFC) or Radio-frequency identification (RFID) to manage permissions around access in the physical (real) world (including access to public buildings, public transportation, and airports). A further three countries have deployed Match on Card (MoC) Smartcard based solutions that reference fingerprint data in order to verify that the user enrolling for the card is who they claim to be. Finally, Smartcard implementations support encryption in some countries.

Smartcards are mostly used online or through face to face channels. Only those Smartcards which feature contactless technology are used to support mobile authentication. Users are always able to enrol for the use of Smartcards through face to face channels. Denmark supports online applications, Portugal supports online renewals, and Estonia allows people to register for their Smartcard by post.

Figure 2.19. Usage and enrolment channels for Smartcard based DI

The Smartcard approach to DI is popular amongst frequent users in Austria, Estonia, Portugal and Spain. In these countries Smartcards underpin the identity infrastructure for professionals who perform several digital signatures or secure authentications per day (for example health care professionals, lawyers, and public servants) and are therefore a feature of daily life. For those users that do not need to engage in those activities as frequently, mobile approaches are favoured. Smartcards represent a DI solution that is effective when targeted at niche users but present challenges for governments intending to use it to provide digital services to infrequent users.

Smartcard technology brings with it greater costs than some of the other factors being considered. As well as the overhead of obtaining physical infrastructure to support their use, the item cost of a card is usually borne by a citizen. Austria, Estonia, Portugal, Italy, Uruguay, and Spain all charge for these cards at an average of EUR 24 for an adult, and often with subsidies for particular segments of the population.

Another important consideration for the design of Smartcards is how to approach the topic of validity. If a card contains biometric information relating to how someone looks then the card will need to be renewed after a period of time. However, the need to secure your Smartcard and the certificates that support it may require a shortening of the previously expected length of validity, or conversely enable countries to keep cards in circulation for longer than they might otherwise. In Estonia, the validity of the card and the validity of the certificate is 5 years meaning that renewal periods are synchronised. In Italy the validity of CIE is 10 years for individuals of age eighteen or above.

copy the linklink copied!

Box 2.7. Spanish DNI electrónico

In Spain citizens have for many years been familiar with having an identity card, the DNI, to provide proof of identity in face to face settings. This card was replaced with the DNI electrónico (DNIe) featuring a chip which contained not only identification and biometric data but also two electronic certificates: one for authentication, and one for signatures.

The DNIe allowed citizens to authenticate and access any electronic public service. However, the need for card readers, compatibility challenges with some platforms and limited private sector services supporting it limited initial adoption. In response, the Spanish government developed an updated version of the card featuring a dual interface chip allowing services to be accessed through card readers and devices supporting Near Field Communication (NFC).

Figure 2.20. DNIe 3.0 dual interface (back of the card)

DNIe represents an evolution of familiar identity infrastructure for Spanish users; with functionality including the ability to digitally sign documents, secure authentication and straightforward access to services in both the public and private sectors it enjoys wide social acceptance. Over 44 million Spanish citizens hold a DNIe.

Source: Provided by Spain in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

Dimension 2.4: Mobile

Mobile devices are part of the DI approach in 7 of the studied countries (Austria, Estonia, Italy, Norway, Portugal, Spain, and the United Kingdom).

In some countries a mobile device forms part of a two factor approach to authentication with a One Time Pass (OTP) being generated in response to an attempt to authenticate with a user name and password online. In Estonia the OTP is generated by a security certificate installed onto the user’s mobile phone whilst in the other countries, the OTP is sent by SMS or through an authentication app.

Mobile devices are not just used for increasing the security of a user’s authentication with a service. Several of the countries surveyed are using mobile devices to transform the experience of government services, a trend that has only strengthened since the OECD’s 2011 report on M-Government (OECD/ITU, 2011[4]). 29% of countries use mobile to provide encryption whilst 86% use it to enable digital signatures. Box 2.8 discusses the case of Austria, where the addition of a mobile user experience has increased adoption compared to the smartcard based process that had previously struggled to gain traction.

Figure 2.22. Mobile DI usage channels and enrolment process

The countries using mobile devices are mainly focused on use online and within mobile apps. Users are usually able to enrol the use of their mobile devices through a face to face process or online, although this may require the use of their national ID as a confirmation of their authenticity. Contact centres using video calls and the provision of mobile apps are additional channels designed to support the increased ease of enrolment. In Estonia, users must liaise with their mobile phone operator in order to upgrade their SIM card.

The use of mobile devices in support of DI approaches is increasingly common. For several countries, including Austria, Estonia, Portugal, and Spain, challenges with the user experience of Smartcards or security concerns around single factor authentication has motivated their use of mobile solutions. DI approaches that take advantage of mobile can offer an improved user experience, and enhanced security for accessing both government and private sector services.

Mobile DI approaches also provide the opportunity to simplify the application of more advanced functionality like digital signatures. In those countries where it is available, a mobile signature is the legal equivalent of a handwritten signature and can be used in any context without the requirement for additional hardware (unlike the use of a Smartcard). This is attractive both to infrequent users of the identity, and the providers of services themselves.

Using devices which citizens already have is an effective way of avoiding some of the implementation costs that might otherwise be required in providing Smartcards and encouraging adoption. Two factor authentication mechanisms using OTP sent by SMS or generated by existing authentication apps require little upfront investment by governments and add marginal costs to the provision of DI solutions. However, before considering the development of standalone mobile applications to support DI efforts countries should have confidence that the benefits it will produce will offset the ongoing overheads or challenges around introducing an additional step in adoption for users.

copy the linklink copied!

Box 2.8 Mobile signatures in Austria

In Austria the development of a mobile device based signature solution has enabled the use of qualified electronic signatures in any location where a phone can be used. This simplifies the necessary software and hardware infrastructure compared to the former card-based approach.

The user experience is similar to that provided by banks for online banking. After successfully logging in with an access code and password, a code (referred to as TAN in Figure 2.23) is sent via text message to the associated mobile phone number. When this code is entered into the service, a qualified electronic signature is created.

Should users wish they can install an app on their phone to generate the required code instead of relying on text messages. An additional feature of the app is the ability to sign by simply scanning a QR code, removing the need to enter a code at all. It is anticipated that these app based interactions will replace text messages in most cases, particularly as the cryptographic relationship between the app and the device increases the level of security associated with the signature created in this way.

Due to the user friendliness and continuous development of this approach Austria sees more than 10 000 mobile phone activations per month and at the end of 2017 had more than 870 000 total users (approximately 10% of Austria’s population).

Figure 2.23. Austrian mobile signature solution

Dimension 2.5: Biometric and emerging DI

As seen in the case of Spain (Box 2.7) the increasing functionality of technology offers opportunities to revisit decisions about identity mechanisms. One of the most interesting emerging themes in identity relates to biometric data. Such data can provide a strong link between an ID card, an ID system, the data recorded in that system, the DI, and the citizen. Biometric data are often used by police and security forces to verify the citizen’s identity but India is also using it to provide public services, their experience is discussed in Box 2.9.

Where biometric data are collected it most commonly incorporates a photograph; several countries also collect fingerprints. In Portugal, Spain, and Uruguay these data are held on the card and accessed using Match on Card technology. In India, biometric data are recorded in a central database and includes not only photograph and fingerprints but a scan of a user’s eyes too which form part of the authentication process when a user attempts to access an Aadhaar enabled service.

Wider application of biometrics, for example in voice recognition or a heartbeat remain at the experimental, science fiction, end of the spectrum and were not present in any of the countries surveyed. Nevertheless, with smart home devices featuring voice matching and biometric data being used in schools to access pre-loaded credit for buying meals there is an increasing acceptance of these interactions as part of twenty first century life. Therefore, although only India has a DI approach where the biometric data forms part of each authentication, ongoing developments in smartphone technology will continue to improve the quality of cameras and immediacy of access to fingerprint scanners making it increasingly likely to feature in future approaches to DI.

Another trend that is indicated by the experience of several countries in this study is that of ‘Bring Your Own Identity’. Users are increasingly familiar with the simplicity of reusing their credentials for email or social media to access other online communities or services. However, whilst simple to use, these methods are neither sufficiently trusted by users to protect their privacy or acceptable to businesses or government for providing the necessary assurance to transact as securely as possible. Consequently, governments and businesses, most notably Canada, Denmark, New Zealand, Norway and the United Kingdom are exploring how to establish trust based, but federated models of identity, that can reduce their overheads in managing and providing identity whilst enabling their users to increasingly access transformed digital services that can replace the need for face to face interactions.

copy the linklink copied!

Box 2.9. Aadhaar: the world's largest biometric ID system

With over 1.2 billion users, Aadhaar is the world's largest biometric ID system. Aadhaar relies on a 12-digit unique number issued to all Indian residents which is based on demographic and biometric data including photograph, ten fingerprints and scans of both eyes which are stored in a centralised database.

The Aadhaar card is printed on paper and is therefore not in itself a secure document, Security is instead provided by the use of biometrics which prevent the same person from enrolling a second time, with a different ID number. When a user wishes to access government services they do so with their Aadhaar identifier and either a fingerprint or eye scan.

One example of a service enabled by Aadhaar is the Jeevan Pramaan (Digital Life Certificate). After retirement, pensioners must provide Life Certificates to the relevant authorities but in order to get a Life Certificate, a citizen must personally present themselves before the relevant organisation. Through the Jeevan Pramaan, the Indian government are attempting to digitise the entire process, thereby making it possible to receive the certificate without having to attend in person. This will reduce unnecessary logistical hurdles and simplify the process for both citizens and the government.

Figure 2.24. Digital Life Certificate for Pensioners process

copy the linklink copied!Dimension 3: Policy levers and adoption

DI is fundamental to the digital transformation ambitions of countries wishing to embrace the breadth of opportunity offered by a digital government approach. This section on policy levers will discuss the legal and regulatory frameworks used by countries as well as the funding incentives, and enforcement deterrents supporting the implementation of DI. This is followed by an analysis of how the DI ecosystem has supported the development of services provided by both government and private sectors. Finally the major enablers and constraints to DI adopted are discussed.

Dimension 3.1: Legal and regulatory framework

All countries have national laws or regulations relating to DI with 85% of them also mentioning DI in their strategies for implementing digital government and reducing administrative burden in order to be more responsive the needs of their users. Denmark, Estonia, Korea, Portugal, and the United Kingdom enforce the use of the national DI framework for central or federal government services. In Denmark, Estonia, Korea, and Portugal DI is legally mandatory for citizens.

Figure 2.25. Legal and regulatory framework for DI in countries

Austria, Canada, New Zealand, and Portugal have specific laws or regulations forbidding the use of the same identifier for an individual across all government agencies. The example of Austria’s SourcePIN, discussed in Box 2.1, is one approach to disaggregating information about individuals so that only that which is necessary for a service to meet a need is ever stored. However, legislation is not always required for this approach to be taken. In countries with a federated model, such as the United Kingdom, the disassociation of an identity from the transaction means that only the identity information required by the service is transmitted, or in some cases confirmed without transferring anything.

For the European Union member states considered by this study the eIDAS regulation provides an important legal basis to the delivery of cross-border services and the easy movement of citizens from one jurisdiction to another within the single market. Established in EU Regulation 910/2014 of 23 July 2014 it has been providing the legal underpinnings to the conditions under which member states have developed and enhanced DI solutions that could be recognised by other countries and reused by their citizens to access services throughout the single market. From September 29 2018 any organisation delivering public services in an EU member state must recognise electronic identification from all EU member states. Regulation (EU) No 910/2014 of the European Parliament and of the Council (23 July 2014) on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC provides that one year from the date of the Member State’s notification of the electronic identification scheme, all Member States should mutually recognise the electronic identification means falling under the notified scheme to allow to ensure the cross-border interoperability of the public administration online services which are already available.

Dimension 3.2: Funding and Enforcement

Nearly half of the surveyed countries have explicitly identified the use of public money to support the adoption of DI. In the United Kingdom this includes the funding of a common platform for others to reuse and centralised procurement of identity providers. In Portugal, all computers and laptops procured by public agencies have integrated smartcard readers to facilitate the dissemination of DI.

Denmark, Portugal (see Box 2.10), and the United Kingdom specify the adoption of DI as part of their evaluation of ICT/digital investment proposals from central or federal government departments and agencies.

Analysing business cases and evaluating procurement in light of DI policies is an effective complement to funding that encourages adoption. This is perhaps most clearly seen in the approach taken by countries to avoid charging their citizens for obtaining their original DI or replacing it.

Using funds to incentivise the development of a particular approach gives greater autonomy to service teams and government entities to meet the needs of their users whilst the process of evaluating ICT and digital spending can be seen as a more obstructive means of enforcing DI policy.

Figure 2.26. Funding and enforcement to assist adoption of DI

copy the linklink copied!

Box 2.10. Funding and enforcement of DI policy in Portugal

Portugal has a mandatory and binding ICT project and investment assessment process for all investment over EUR 10 000. The process adopts a multi-criteria assessment of investment with funds only being awarded to those projects which are successful assessed.

The process is the responsibility of the Agency for Administrative Modernisation (Agência para a Modernização Administrativa, AMA), who are also responsible for defining guidelines for digital government and has been important to the success of embedding DI policies. The process looks at the proposed return on the investment by analysing the total cost of ownership when set against the expected benefits. Whilst the financial aspect is important, all projects are considered in light of whether they align with existing government strategy and policies including those related to DI. Projects approved (or rejected) are published on a public dashboard with a merit system that rewards those agencies with the best ability to deliver.

AMA is responsible for public funding programmes aimed at creating a simpler, more efficient and effective public administration focused on the needs of citizens and businesses. Agencies are able to request funding to improve their systems and services to reflect the national DI policy and platform.

These mechanisms of assessment and funding act as steering mechanisms to influence the focus, path and pace of delivery for DI and digital government in general.

Source: Provided by Portugal in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

Dimension 3.3: Government services

Figure 2.27. The role of DI in transforming government services

copy the linklink copied!

Box 2.11. DI for public transport in Estonia

Some of Estonia’s largest cities, Tallinn and Tartu, are using their identity infrastructure to provide ‘virtual’ tickets for travelling on public transport. Using their national ID cards citizens are able to buy tickets online, by SMS or at kiosks.

In order to use a virtual ticket customers must carry their ID card whilst travelling. During routine ticket checks users present this card, which is based on Smartcard technology, an inspector can read it and confirms the validity of the ticket.

The ticket details are not stored on the card but in a central database. The card is used by the ticket controller to lookup a record in the master database meaning the citizen need to only carry their ID card rather than any other form of ticket.

By being able to rely on a secure and effective DI, citizens are able to meet their needs without having to be physically present. The highest priorities for implementing DI were taxation, education and health. Whilst the primary focus of DI is initially central government services, more than half of the surveyed countries anticipate the adoption of DI within local governments and even in other channels. The example of Estonia’s implementation across multiple channels is explored further in Box 2.11.

DI can also be an enabler of transformation for those working within government. Often overlooked by efforts to deliver more usable public facing services, public servants are being considered by more than half of the countries surveyed including Denmark, Estonia, India, Korea, Norway, Portugal, Spain, and Uruguay. In those countries DI is being applied to accounting and finance, public procurement, workflow for case management, administrative and managerial activity, legal functions.

Dimension 3.4: Private sector services

It is not only government that views DI as an important mechanism for benefiting from the opportunities of digital transformation. In Austria, Denmark, Estonia, India, Italy, New Zealand, Norway, Spain, and the United Kingdom DI is recognised as an enabler for Business to Consumer (B2C) services provided by the private sector. The reuse of New Zealand’s RealMe DI by businesses is explored in Box 2.12. Three countries are using DI in providing Business to Business (B2B) services. Austria, Estonia and Portugal are working with businesses to implement DI in public procurement and electronic contracting.

The governance models for these countries is discussed in more detail in section 0 Dimension 1.3: Governance but whilst they reflect 4 of the 7 models between them, all of them involve the private sector in some way. In Austria and Denmark they have a shared DI model between the public and private sectors; Estonia has an model of interoperability with private or public sector DI usable for any service; India’s Aadhaar is a public DI designed for use by any service; Norway and the United Kingdom have DI models that use private sector identities; and Italy, New Zealand, Portugal and Spain, have public sector identities that can be reused by private sector services. This suggests that a private-public model of DI has broader benefits to a country’s digital economy as the reuse of DI across sectors is mutually beneficial for government and the private sector too. In Estonia, the government estimates that the benefit of DI from B2C and B2B transactions (not government services) has been a 2% contribution to the national Gross Domestic Product (GDP) (OECD, 2018). Moreover, the experience of Estonia where only 17% of transactions requiring the use of DI are provided by public sector organisations, demonstrates the importance of creating the conditions under which public sector DI infrastructure can partner with the private sector to encourage adoption amongst the population by embedding DI into the everyday lives of citizens.

Approaches to DI that encourage its use by both government and private sector services are increasing both visibility, and familiarity. This amplifies the relevance of a DI mechanism as citizens use it more regularly than if they were solely limited to its application for public sector services. The reusability and interoperability of a given DI for accessing both government and private sector services adds value to citizens who don’t need to manage multiple credentials or constantly create new accounts to prove who they are, and provides an additional incentive for uptake.

Figure 2.29. The role of DI in transforming private sector services

copy the linklink copied!

Box 2.12. RealMe in New Zealand

The RealMe scheme allows citizens to access multiple government services with the same username and password. Users wanting to access a service are handed to the RealMe platform as part of their journey and after authentication, handed back to the service. RealMe stores no information but simply validates that a user can access a service, the individual retains control over what information they share and when they share it.

The RealMe service was developed in partnership by the Department of Internal Affairs and the New Zealand Post. It responds to the needs of government whilst also proving used to the private sector. Users can use it for a range of services including opening a bank account, enrolling to vote, transferring foreign currency, applying for a loan or allowance, and renewing their passport online.

Source: Provided by New Zealand in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

Dimension 3.5: Enablers and constraints

The experience of implementing DI in the surveyed countries identified areas of activity that have enabled this activity and other issues which should be understood as constraints. The OECD framework has identified the following themes:

the business model
hardware infrastructure (for both citizens and service providers)
levels of digital literacy and awareness of the DI approach in society
the user experience of enrolling and using the DI

Figure 2.31. Enablers and constraints impacting DI adoption

As Figure 2.31 shows, almost all of these are seen both positively and negatively in the contribution they make towards adoption of DI. The exception to this is the business model underpinning the choice of DI implementation. For Korea and Portugal this is identified purely as a positive contributor to supporting adoption. One approach to the business model behind DI is to reduce, or even eliminate, the fees involved with accessing government services that might otherwise have taken place face to face. In Korea, citizens who use the digital channel instead of attending in person receive a financial incentive.

For Austria, Norway, Portugal and Spain, the role of hardware infrastructure was identified as being an important enabling factor. In particular it was recognised that if a DI solution can use the mobile devices which people already own then there are increased opportunities for adoption. However, on the service provision side, the requirement for hardware to be available in order to authenticate using a second factor, such as with Smartcard technology was cited as a constraint by Estonia, Korea, Portugal, Spain and Uruguay. Removing the need for hardware infrastructure, or reusing existing technology, removes both a cost barrier and a logistical challenge to adoption.

In 5 of the countries (Canada, Italy, Portugal, Spain and Uruguay) the lack of awareness amongst the public is cited as being one of the main constraints whilst Denmark, Estonia and Norway identify it as one of the areas that has been targeted to increase adoption. The role of an approach which is embraced by both public and private sectors is an opportunity to share responsibility for raising awareness. Austria, Denmark, Estonia, Norway and the United Kingdom recognise digital literacy has a role to play in complementing efforts to increase the awareness of a DI approach with India, Portugal and Uruguay finding that to be a constraint.

Assuming that people are aware of the DI approach and are given opportunities to use, one of the areas countries must consider is the usability of the DI service that has been designed. This process begins with the enrolment of users with Denmark, Estonia, Norway and the United Kingdom indicating that making sure that the DI registration process is online and costs the user nothing should be priorities whilst India, perhaps in recognition of the greater complexity of a biometric based DI approach, considers that enrolment is a constraint

This necessarily extends to the user experience of the DI approach when accessing a service with Austria, Italy, New Zealand and Norway considering that to be an enabler, and Canada, Korea, Portugal, Spain and Uruguay seeing it as a constraint. The discussion around different DI solutions (see Dimension 2: DI Solutions) identified that browser and mobile device based approaches provide the best user experience and, assuming the presence of two-factor authentication, provide suitable levels of security. Moreover, the private sector’s incorporation of DI into their services is a positive factor in ensuring that people are comfortable with the DI approach with user journeys that are focused on successful outcomes.

copy the linklink copied!

Box 2.13. Canadian identity management accelerators

The government of Canada has a roadmap for making DI real across all jurisdictions and service channels in the country. Underpinning that are five principles:

1. Communication: evolve the messaging from what has been developed to sharing why it’s important and what is realised if done well.
2. Develop the Pan-Canadian Trust Framework as a foundational piece to moving identity management forward.
3. Use Pilots to test out the trust framework and support the delivery of citizen-centred services.
4. Technology: stay up to date with rapidly advancing technologies and ensure adoption does not preclude standards.
5. Public Policy and Governance: articulate a shared public policy position on identity management to help determine what governance structure and approval authorities make sense.

Source: Provided by Canada in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

copy the linklink copied!Dimension 4: Transparency and monitoring

The OECD Recommendation on Digital Government Strategies (OECD, 2014[6]) calls on governments to recognise the importance of Openness and Engagement in the following ways:

1. Openness, transparency and inclusiveness
2. Engagement and participation in a multi-actor context in policy making and service delivery
3. Creation of a data-driven culture
4. Protecting privacy and ensuring security

Given the importance to government of having confidence that they are engaging with the person they believe to be using the DI credentials, and in the public having confidence that government is treating their personal data with respect, these themes are highly relevant.

This section explores how countries are approaching this topic with regard to the ways in which users are being given control of their data, the data governments publish about DI performance, and the impact assessment and cost-benefit evaluation mechanisms in place to judge the success of the scheme.

Different countries are exploring how to put citizens in greater control of who can access their data, visibility of how that data are used and the power to revoke, refuse or consent to requests for access. Publishing performance data, especially as open data, allow stakeholders to track the level of use of DI mechanisms, and achieve near real time monitoring of its impact. Finally, the availability of impact assessment and cost-benefit evaluation mechanisms are important in assessing the maturity and effectiveness of DI policies and solutions.

Figure 2.32. Provision of tools that help citizens control their data

Dimension 4.1: Citizen control of their data

The majority of the selected countries (62%) provide tools for citizens to see how their data are being used, and thereby increase their trust in DI systems.

One approach, which is being prioritised in the thinking around the future of DI in Chile, is to show users an audit of all activity on and around their account such as Carpeta Ciudadana in Spain (Box 2.14). This includes not just the logins performed by users but also the way in which organisations have used their data. In certain situations citizens are able to accept, or refuse, the re-use of their data.

In Denmark, anyone with a NemID can access a personal activity log which monitors all uses of the NemID. Citizens can opt out of having any log made, removing the record not just for themselves but for government too.

copy the linklink copied!

Box 2.14. Carpeta Ciudadana

Carpeta Ciudadana enables a citizen to know and control access to their data by public organisations. It provides a summary of the citizen’s information grouped by subject and displays the number of files currently open, or in the pipeline, at the time of their query, grouped by ministry or agency. It then links the user to further details about the files.

Carpeta Ciudadana shows information about the exchange of information between public organisations and the condition of consent placed upon it. The list of data that has been requested, and shared with, administrative bodies to complete a formality or query also displays whether the citizen has given explicit, or tacit, consent for its reuse.

Carpeta Ciudadana is not just focused on the DI experience of the citizen, additionally presenting logs of any face to face interactions between the citizen and the public administration.

Source: Provided by Spain in response to the OECD survey Benchmarking Digital Identity Solutions (Unpublished).

Another approach for increasing transparency favoured by several countries, and in the case of Portugal discussed in Box 2.15, is to request the explicit permission of the citizens to grant access to particular attributes within the authentication process.

copy the linklink copied!

Box 2.15. Autenticação.Gov

In Portugal, Autenticação.Gov provides a central DI platform for securely authenticating users for public and private sector services. The platform supports Smartcards, mobile devices and additional browser based forms of authentication. The service provider judges the appropriate level of authentication required for the service being accessed and this restricts the DI mechanisms shown to the user. As an example, access to the Public Taxes Portal requires Level 3 authentication which is only available through Smartcard or mobile authentication whilst the Citizen Portal operates at Level 2 and has a lower set of requirements for authentication.

In terms of transparency, when a user authenticates (regardless of the mechanism they use) they are given control of the data attributes to be provided to the service provider. These data are subsequently retrieved from across government, digitally signed by government, and transferred to the service provider as part of a successful authentication.

Figure 2.33. Citizen authorisation for sharing attributes when using Autenticação.Gov

Dimension 4.2: Performance data

Figure 2.34. Availability of DI performance data

All the countries surveyed for this study publish open data about their DI performance whilst Austria, Canada, Denmark, Estonia, Portugal, and the United Kingdom also provide real-time, or near real-time, dashboards. This information allows stakeholders to track the level of use of DI.

In Estonia, the country’s e-Residency scheme (Box 2.16) demonstrates not only an innovative approach to encouraging the adoption of DI by citizens of other countries around the world, but also in the level of transparency available in terms of its performance.

copy the linklink copied!

Box 2.16. e-Residency in Estonia

Estonia’s e-Residency scheme is a transnational DI for any non-Estonians and non-residents of Estonia in the world. It allows an individual to establish a location-independent online business in Estonia, with access to digital services similar to those accessible by Estonian citizens and Estonia-based businesses.

The vision is to provide secure and effective digital services for global citizens who are investors, entrepreneurs, students, freelancers, developers, and others. e-Residency is challenging the society to think about what it means to be global in the future and how to bring the world together – for individuals, businesses, and governments.

Importantly, e-Residency offers full transparency in the results and its progress through regularly updated, public dashboards.

Figure 2.35. e-Residency performance dashboard

Dimension 4.3: Impact assessment

Denmark, Portugal (Box 2.10, Spain and the United Kingdom have processes in place to conduct cost-benefit evaluations of spending on ICT and digital projects in the context of DI policies. The situation found in each country means that the cost-benefit analysis from one country is not the same as that found in another, preventing more in-depth comparison of how these countries identified the appropriate mechanism for them.

Canada and Portugal also conduct regular external impact assessments of DI. These assessments are performed by external parties, including universities, to measure the effective impact of DI on the citizen, the economy, and in society. Moreover, in Canada, the National Management Accountability Framework reflects DI indicators (Box 2.17).

Figure 2.36. How the impact of DI is assessed

copy the linklink copied!

Box 2.17. Assessing adoption of DI in Canada

Canada’s Management Accountability Framework (MAF) requires departments to report on their progress against certain indicators, including those related to DI. Within MAF, departments must report on their progress in adopting Cyber Authentication services and compliance with the identity policy instruments.

Figure 2.37. Canadian Management Accountability Framework

copy the linklink copied!Observed trends

On the basis of the experiences discussed above nine trends present themselves:

Design DI for reuse

The success of DI frameworks depends on the level of adoption and usage by citizens. Therefore, ensuring that services, which require strong confidence in the identity of a user, can use a single DI approach, regardless of whether they’re delivered by the public or private sectors.

Focus on the user experience

The user experience for DI is an important success factor. DI will not meet expectations for delivering results if the user experience fails to be well designed and is not immediately accessible to users by requiring the installation of specific software or the acquisition of additional hardware.

Digital literacy matters

There is a correlation between adoption of DI and digital literacy in a population. Therefore, as well as ensuring that the approach to DI recognises the needs of those with lower digital literacy, activities to raise awareness, and develop digital skills are advised.

Go mobile

The relentless growth of mobile internet access and smartphone ownership around the world makes it essential for the design and implementation of DI solutions to reflect the opportunities provided by mobile devices. Several of the countries discussed in this benchmarking exercise have had positive experiences with mobile DI solutions and are migrating from legacy approaches to a mobile first model.

Adopt open standards for interoperability

When DI platforms support open standards (for example, SAML2 and OAuth2) they are more successfully adopted by services provided by both the public and private sectors. Open standards ensure independence from proprietary software providers and allow for more straightforward implementation by services, and facilitate interoperability with multiple authentication providers, even those supporting citizens in other countries.

Continuously improve the DI offer

Approaches to DI can improve in response to developments in what’s possible. This is seen in the increased use of mobile devices, and in those countries, which have used DI to design out the need for signatures. Elsewhere, countries have made it easier for services to implement their DI into existing provision and have made it easy to enable the sharing of professional attributes or using the same DI to operate in a legal capacity alongside using it personally.

One size does not fit all

Countries are comfortable to offer different mechanisms to different sections of society. Whilst mobile devices increasingly form part of the landscape for the general population, the needs of professionals are often met by Smartcards. In countries where private sector DI is available then its reuse by the public sector offers increased benefits to government whilst reducing the friction of adoption.

The 3 “S” of digital ID policy: Security, Signature, and Single sign-on

National DI policies are focused on approaches that are secure, which allow for transforming the experience of signing documents and provide common, single, mechanisms for authentication.

The citizen is in control

Giving a citizen control of their identity and their data are seen across this study. This includes:

i) allowing the definition of which attributes can be made available to a service
ii) providing transparent tools that give citizens visibility over the use of their data, and
iii) publishing open data on how different approaches are performing.

References

Austrian Government Federal Chancellery (2017), Digital Austria, https://www.digital.austria.gv.at.

Canadian Government (2017), Canadian Management Accountability Framework, https://www.canada.ca/en/treasury-board-secretariat/services/management-accountability framework.html.

Estonian Government (2018), Estonian e-resident application dashboard, https://app.cyfe.com/dashboards/195223/5587fe4e52036102283711615553.

Jeevan Pramaan (2018), Jeevan Pramaan, https://jeevanpramaan.gov.in.

MIDESO (2017), Encuesta de Caracterización Socioeconómica Nacional, Ministerio de Desarrollo Social de Chile.

OECD (2014), Recommendation of the Council on Digital Government Strategies, OECD/LEGAL/0406.

OECD/ITU (2011), M-Government: Mobile Technologies for Responsive Governments and Connected Societies, OECD Publishing, Paris, https://dx.doi.org/10.1787/9789264118706-en.

Portuguese Government Agência para a Modernização Administrativa (2018), Portuguese Professional Attribute Certification System.

UK Government (2018), Guidance - GOV.UK Verify, https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify (accessed on 1 July 2108).

Metadata, Legal and Rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

https://doi.org/10.1787/9ecba35e-en

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at http://www.oecd.org/termsandconditions.

╳

OECD Digital Government Studies: Digital Government in Chile – Digital Identity:

Do you want to open the publication page on OECD-ILIBRARY for more details on:

available formats

purchase of a print copy

or to publication metadata?

Cancel

2. DI in selected countries