The legal and regulatory framework is a critical element in the governance of digital legal identity systems.
This framework provides the foundation to ensure that identification systems are rights-based, that the management of the system is accountable, and that institutions are mandated to meet the purpose for which the system is designed. The legal and regulatory framework includes sub-elements that articulate the legal authority for the digital legal ID system(s); the relationship of the digital legal ID with other foundational and functional identification systems; and the legal status of and requirements to use the digital legal ID credential. The framework also articulates the form and scope of impact assessments to ensure the legal and regulatory elements are contributing to their goals.
Legal authority for the digital legal ID system(s)
Sub-element Detail
Anchor Questions
Rights Implications
Example Scenarios
International Standards and Good Practices
The existence of legal authority for the digital legal ID system under consideration
Is there a valid enacted law backing the digital legal ID system? Does this law clearly establish:
a) the elements of legal identity recorded by the identification system (for example: name; sex; date and place of birth; identity of parents; nationality or legal residence in the country);
b) (where relevant) the different statuses that the ID may record and the requirements to be enrolled with any particular status;
c) authority for the digitalisation of the identity system.
If not, what elements are missing?
Those eligible or required to enrol in the digital legal ID are able to know and understand their obligations and rights when all the elements of the identity system are established in law.
A single law (primary legislation adopted by the legislature) or a combination of multiple laws establishes legal authority both (a) for all the elements of legal identity recorded by the identification system under consideration and the different statuses that may be recorded (if relevant), and (b) for the identification system to be digitised (including recording of biometric elements, where that is in place).
Venice Commission of the Council of Europe 'Rule of Law Checklist', chapter on Legal Certainty: https://www.venice.coe.int/images/SITE%20IMAGES/Publications/Rule_of_Law_Check_List.pdf
UN Department of Economic and Social Affairs statistics in 'Guidelines on the Legislative Framework for Civil Registration, Vital Statistics and Identity Management Systems' (2023): https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/CRVS_GOLF_Final-E.pdf
"The United Nations defines the rule of law as a principle of governance in which all persons, institutions and entities, public and private, including the State itself, are accountable to laws that are publicly promulgated, equally enforced and independently adjudicated, and which are consistent with international human rights norms and standards," UN Secretary-General. ‘Delivering Justice: Programme of Action to Strengthen the Rule of Law at the National and International Levels’. A/66/749. New York: United Nations, 16 March 2012: https://undocs.org/Home/Mobile?FinalSymbol=A%2F66%2F749
See also IOM 'Institutional Strategy on Legal Identity', esp. section 4: Key Principles, and section 5: Implementation Safeguards. https://publications.iom.int/books/iom-institutional-strategy-legal-identity
The existence of legally established procedures for the implementation of the digital legal ID system
Does secondary legislation (for example a regulation/decree) clearly establish procedures for the implementation of the primary legislation, such as requirements for enrolment, forms to be completed, processing of data or the format for the issuing of credentials?
If not, what elements are missing or not public?
The existence of public and legally binding procedures for implementation of digital legal ID enables those enrolling to understand their rights and obligations and minimises risks of arbitrary decision-making.
Secondary legislation clearly establishes procedural rules for implementation of the primary law. Guidance that is not public (internal departmental circulars etc.) should be restricted to purely administrative questions that are not relevant to those enrolling in the system.
Venice Commission of the Council of Europe Rule of Law Checklist, chapter on Legal Certainty: https://www.venice.coe.int/images/SITE%20IMAGES/Publications/Rule_of_Law_Check_List.pdf
UN Department of Economic and Social Affairs statistics in 'Guidelines on the Legislative Framework for Civil Registration, Vital Statistics and Identity Management Systems' (2023): https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/CRVS_GOLF_Final-E.pdf
Relationship of the digital legal ID with other foundational and functional identification systems
Sub-element Detail
Anchor Questions
Rights Implications
Example Scenarios
International standards
The relationship of the digital legal ID under consideration to prior or co-existing (non-digital) registration systems.
Does the law clearly establish how the digital legal ID system under consideration relates to the other elements of the ecosystem for legal identity (digital or not), and establish the forms of existing ID that are required to enrol in the digital legal ID system?
(These could include, according to context, birth notifications, baptismal certificates, civil registration certificates, national identity cards, refugee ID documents, voter registration cards, ration books, health care identity documents, certificates issued by local or customary authorities, or any other official document).
Clarity in the relationship between different elements of the legal identity ecosystem makes the requirements for identification easier for those enrolling to understand, and reduces the possibility of arbitrary decision-making. In particular, the discretion to require additional proof of identity from some applicants may enable discrimination in application of the law.
The relationship of the digital legal ID system to other elements of the legal identity system is clearly established in law, including the ‘feeder documents’ that are required to enrol in the digital legal identity register. The same requirements should apply to any applicant, without discrimination.
UN Department of Economic and Social Affairs statistics in 'Guidelines on the Legislative Framework for Civil Registration, Vital Statistics and Identity Management Systems' (2023): https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/CRVS_GOLF_Final-E.pdf
For definitions of foundational and functional ID, see the World Bank 'ID4D Practitioner's Guide': https://id4d.worldbank.org/guide
The probative value of pre-existing identity documents
Does a credential issued by a previous legal identification system (digital or not) prove the elements of identity it records for the purposes of enrolment in the digital legal ID system?
If existing documents are downgraded in probative value for enrolment in the new system, risks of exclusion are increased. Comprehensive and clear rules on the status of existing documents help to prevent arbitrary decision making and ensure consistency of records between different registers.
A (non-digital) official document that was in the past accepted as proof of the elements of recorded legal identity should be considered prima facie proof of the same status when the system is digitised, especially during the transitional period. (That is, it can be overturned, but only after following due process of law, and after production of substantive evidence that, for example, it was fraudulently acquired.)
UN Department of Economic and Social Affairs statistics in 'Guidelines on the Legislative Framework for Civil Registration, Vital Statistics and Identity Management Systems' (2023): https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/CRVS_GOLF_Final-E.pdf
Link to civil registration system
In case the digital legal identity system being considered is not itself a digitalised civil registration system, is it linked to and designed to support civil registration?
For example, if a person lacks a birth certificate or other civil registration certificate is there a system to ensure that enrolment in the digital legal ID register is also an opportunity to ensure late registration of birth?
Civil registration, in particular birth registration, establishes the elements of a person’s identity that are necessary to establish rights based on family relationships, including care and custody of children, inheritance of property, nationality, and legal residence. Every child has the right to birth registration; and if this was not carried out at birth, late registration should be facilitated.
If enrolment in a digital legal identity system is mandatory, it should be possible to enrol for those without the requisite feeder documents. However, the procedures for enrolment should include the possibility of ensuring late birth registration for free (or fee-waiver for those who have financial challenges) or issue of other relevant documents.
International Covenant on Civil and Political Rights Article 24 and Convention on the Rights of the Child Articles 7 and 8, and other treaties provide for the right to birth registration.
SDG Target 16.9: Provide proof of legal identity, including birth registration.
UN Legal Identity Agenda: https://unstats.un.org/legal-identity-agenda
Legal identity is defined as the basic characteristics of an individual's identity: for example, the name, sex, place and date of birth conferred through registration and the issuance of a certificate by an authorised civil registration authority following birth of an individual. In the absence of birth registration, legal identity may be conferred by a legally-recognised identification authority. This system should be linked to the civil registration system to ensure a holistic approach to legal identity from birth to death. See also IOM Institutional Strategy on Legal Identity: https://publications.iom.int/books/iom-institutional-strategy-legal-identity
Legal status of and requirements to use the digital legal ID credential
Sub-element Detail
Anchor Questions
Rights Implications
Example Scenarios
International standards
The legal and in practice requirements and ability to prove identity through a digital legal ID system
Is enrolment in the digital legal ID mandatory in law or required in practice for all citizens and/or all residents to access the rights associated with that ID?
Even if there are multiple (digital) IDs, inclusion/exclusion from that ID has a direct impact on associated rights and obligations. The introduction of mandatory digital ID use for accessing public services should be assessed with high levels of scrutiny, considering, among other factors, ID population adoption, the risk to vulnerable communities, and necessity within the specific use case.
Where possible, introducing a digital ID should not narrow the identity options available to citizens. Citizens should retain the option to use existing identification credentials already in their possession.
UN Department of Economic and Social Affairs statistics in 'Guidelines on the Legislative Framework for Civil Registration, Vital Statistics and Identity Management Systems' (2023): https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/CRVS_GOLF_Final-E.pdf
Is the digital legal ID legally required to be accepted as authoritative proof of the elements of legal identity it records for transactions with both the public and private sector?
If the digital legal identity is sufficient proof of the elements of identity it records, access to rights and services by those enrolled is facilitated. If a digital legal identity is not formally proof of the elements of legal identity it records, then there is the risk of discrimination and exclusion in case of accessing rights and services or renewal of the credential.
If a person is enrolled in the digital legal ID system, credentials issued by the system should be established as legal proof of the elements of identity recorded, by both the public and private sector, in accordance with the law: additional forms of proof of identity should not be required (even if they are accepted as alternatives).
There are no international standards that specifically address this.
Impact assessments
Sub-element Detail
Anchor Questions
Rights Implications
Example Scenarios
International standards
Regulatory impact assessment
Is there a formal requirement for a 'Regulatory Impact Assessment' before new policies and regulations are adopted?
A regulatory impact assessment can help to ensure that legal and policy regulation of digital legal ID integrates an evidence-based approach to regulatory decisions that may have far-reaching implications for those required or entitled to enrol.
A regulatory impact assessment is conducted according to the international standards / best practices. OECD (2008) proposes the following as the key elements in a regulatory impact assessment process:
1. Defining a regulatory problem
2. Identifying different regulatory options
3. Collecting data
4. Assessing alternative options
5. Identifying preferred regulatory option/s
6. Communicating results of the conducted RIA.
OECD 'Introductory Handbook for Undertaking Regulatory Impact Analysis' (2008) available with other resources at: https://www.oecd.org/regreform/regulatory-policy/ria.htm
ITU 'Global Digital Regulatory Outlook 2023—Policy and regulation to spur digital transformation': https://www.itu.int/pub/D-PREF-BB.REG_OUT01
World Bank Group 'Global Indicators of Regulatory Governance: Worldwide Practices of Regulatory Impact Assessments': https://documents1.worldbank.org/curated/en/905611520284525814/Global-Indicators-of-Regulatory-Governance-Worldwide-Practices-of-Regulatory-Impact-Assessments.pdf
Human rights impact assessment
Has a human rights impact assessment been conducted (and if so, at what stage of the system development)?
If a human rights impact assessment is conducted it can help identify and mitigate risk and harm.
A human rights impact assessment is conducted at an early stage of system conception, in line with international best practice, with findings feeding into system development. Human rights impact assessments are repeated at regular intervals on the implementation of the system in practice. A user study is to be conducted every year to understand edge cases and scenarios in which the required set of documents is not feasible for all. Alternate processes are to be created, and current documents are not to be made mandatory for all.
OECD 'Guidance on Human Rights Impact Assessment of Digital Activities' (2023): https://oecd.ai/en/catalogue/tools/guidance-on-human-rights-impact-assessment-of-digital-activities
Danish Institute for Human Rights 'Human rights impact assessment of digital activities' (2023): https://www.humanrights.dk/publications/human-rights-impact-assessment-digital-activities
The World Bank Group and Nordic Trust Fund ‘Human Rights Impact Assessments: A Review of the Literature, Differences with Other Forms of Assessments and Relevance for Development’ (2013): http://documents.worldbank.org/curated/en/834611524474505865/Human-rights-impact-assessments-a-review-of-the-literature-differences-with-other-forms-of-assessments-and-relevance-for-development
'New and emerging technologies need urgent oversight and robust transparency: UN experts', RightsCon 2023—Costa Rica, 02 June 2023: https://www.ohchr.org/en/press-releases/2023/06/new-and-emerging-technologies-need-urgent-oversight-and-robust-transparency
What reports are there of discrimination and exclusion of individuals or groups from existing identification systems? (e.g., digital and non-digital, including birth registration, national ID cards, voter registration, and any other document required to access rights and services).
If existing patterns of technology- and identification-related discrimination are identified, this can provide information to help mitigate the potential of the identification system to amplify existing patterns of discrimination.
A human rights impact assessment specifically examines the question of existing patterns of discrimination, and these are addressed in the design and management of the digital legal ID.
Data protection impact assessment
Has a data protection impact assessment been conducted (and if so, at what stage of the system development)?
A data protection impact assessment is a process designed to describe the processing of data, assess its necessity and proportionality, and help manage risks.
The data protection impact assessment describes the proposed processing operation and the purpose of processing. It reflects an assessment of the necessity and proportionality of the processing operation against its stated purpose, and an assessment of the possible risks to rights and freedoms of data subjects, and proposed security measures to address these risks.
European Commission 'Guidelines on Data Protection Impact Assessment (DPIA)' (2017): https://ec.europa.eu/newsroom/article29/items/611236
UNDP Guide 'Drafting Data Protection Legislation: A Study of Regional Frameworks', Chapter 7.2 (2023): https://www.undp.org/publications/drafting-data-protection-legislation-study-regional-frameworks
Cyber security impact assessment
Has a risk assessment been conducted by experts? What are the recourse mechanisms in the case of a potential cyber attack?
There is an imminent risk of cyber threats by malicious actors. A breach or leak of sensitive personal data can lead to adverse scenarios, especially when there is a dependency on digital IDs to access public services.
The cyber security impact assessment is conducted prior to the launch of the digital ID system. If a risk is identified, budget is allocated to take appropriate measures, and such measures are implemented based on international standards and best practices.
ISO/IEC 27001—Information Security Management: https://www.iso.org/standard/27001
NIST Cyber Security Framework: https://www.nist.gov/cyberframework
ISO/IEC 31000—Risk management: https://www.iso.org/iso-31000-risk-management.html
Center for Internet Society Critical Security Controls: https://www.cisecurity.org/controls
ENISA Risk Management/Risk Assessment (RM/RA) Framework: https://www.enisa.europa.eu/topics/risk-management/current-risk/business-process-integration/the-enisa-rm-ra-framework