Privacy is a key consideration in digital identification or credential programs, which are rapidly expanding in Canada and internationally. A recent pilot project launched in select U.S. airports demonstrates some of the key considerations that Canada’s privacy commissioners are calling for in digital ID or credential programs.
Earlier this year, the Transportation Security Administration (TSA) began accepting mobile driver’s licences at a number of U.S. airport checkpoints. To pass through security, passengers can either tap their mobile device against a CAT-2 digital reader or scan a QR code. Notably, this is an optional program – passengers can still use their physical ID if they prefer.
How the Data Is Collected
When a passenger uses their mobile device to clear security, they receive an alert with a summary of the data they’re sharing with the TSA. Once they have consented to providing that information, the passenger’s identity is authenticated and matched against a live photo taken at the checkpoint.
The live photos and data captured by the TSA are converted into an anonymized format and encrypted before being transferred to the Department of Homeland Security (DHS) and the Science & Technology Directorate. The DHS deletes the data within 24 months. Once a passenger has passed through the checkpoint, their data is overwritten when the next passenger is scanned.
High Standards of Security
The TSA’s pilot project incorporates many of the best practices highlighted by Canada’s privacy commissioners and ombuds in a joint resolution released in September.
The privacy commissioners stressed that digital identity ecosystems “must meet high standards of privacy, security, transparency and accountability” in order to be trusted and widely adopted. Among other measures, the commissioners noted that organizations should:
- Conduct a privacy impact assessment before accepting digital IDs
- Obtain consent before collecting data from individuals
- Minimize the personal data they collect at all times
- Not store personal information in a central database
- Ensure that the data is protected from tampering and unauthorized duplication
- Not accept digital IDs for services that could be offered on an anonymous basis
- Ensure that digital IDs are optional, rather than a requirement
These recommendations have been implemented in the TSA’s pilot program, which requires travellers to consent to data collection, does not store their data in a central database and protects the data from unauthorized access, among other security measures described above.
Legal and Privacy Considerations
While mobile driver’s licences have yet to take off in Canada, other forms of digital ID are available. For example, several provinces in Canada have implemented digital proof of auto insurance. Importantly, digital proof of insurance is optional – drivers can still use physical pink slips. You can find out more about digital ID in Saskatchewan and elsewhere in a recent podcast by the Saskatchewan Information and Privacy Commissioner.
If you’re planning to accept digital ID from your clients, there are a number of legal and privacy considerations to be aware of. The lawyers in our Privacy, Data & Cybersecurity group would be pleased to walk you through planning and implementing a digital ID program. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.