Privacy by Design (PbD) - New Study by NTNU and SIA for successful integration of PbD principles in government-issued digital ID services.

A new study identifies the key factors that contribute to the successful integration of privacy-by-design principles in government-issued digital ID services.

By Kristel Teyras, Chair of the Digital ID Working Group at the Secure Identity Alliance (SIA)

Watch Interview of lead researcher at NTNU Mohamed Abomhara  HERE.

 

Around the globe, the number of government-issued digital ID schemes that provide citizens with a legal identity that enables them to access a range of services – employment, education, banking, healthcare, social safety net programs – is growing.

 

The Multidisciplinary Research group on Privacy and data protEcTion (MR PET) at the Norwegian University of Science and Technology (NTNU) recently undertook a major global research study to understand how factors, such as stakeholder attitudes, knowledge, and practices influence how Privacy-by-Design (PbD) is incorporated into these national digital ID systems.

 

The findings of the research, which was conducted in partnership with SIA, provide insights and key learnings that will enhance the responsible and robust application and implementation of PbD principles into future national ID schemes.

 

The study distinguishes the 8 following cases based on the combination of survey participants’ Knowledge, Attitude and Practices.

 

Getting to grips with PbD – real-world research reveals real-world challenges

 

Operationalizing PbD is pivotal to any digital identity initiative and researchers at MR PET group from NTNU wanted to get to grips with what can inhibit the practical and consistent achievement of PbD goals.

 

The research was conducted with agencies that manage or issue digital credentials, as well as suppliers of ID systems components and infrastructure. Undertaken in partnership with SIA, a recognized global leader in PbD principles and practices, the study featured an initial online survey supplemented by a series of in-depth focus group discussions.

 

The goal of the researchers was a simple one. By exploring the views, experiences, and perceptions of research participants the team would uncover the potential barriers and enablers that impact the successful adoption of PbB.

 

Dedicated to helping governments and government agencies around the world address this important issue and deliver secure, inclusive, and trusted ID for all, SIA believes these study findings will help enhance the future development of privacy preserving national ID systems.

 

Finding #1: Addressing the balance – conflicting organizational priorities

 

The study identified several potential reasons why stakeholders can struggle to prioritize or comprehensively address PbD practices. These include economic limitations and time-to-market constraints that can hinder a commitment to, or the implementation of, good practices.

 

For example, in developing countries, the provision of digital ID to citizens that facilitates their access to rights and services may be the primary objective. In these scenarios, while addressing both inclusion and PbD concurrently may well be the aspirational goal, practical considerations mean that the immediate need for access and inclusion often takes priority. As a result, strict adherence to PbD principles and practices at the design and implementation stage may be sacrificed.

 

Finding #2: Resource limitations

 

The implementation of PbD requires time, budget, skills, and tools. In the absence of these resources, stakeholders will struggle to implement good or effective practices despite having the required knowledge and commitment to do so.

 

This is particularly the case when senior organizational leaders are unwilling or unable to allocate appropriate resources or funding for this important privacy-oriented aspect of their national ID projects. For some, competing priorities may mean that PbD implementation is viewed as too complex, too expensive, or too difficult to undertake.

 

The research also highlights an economic context to how PbD is viewed and implemented. In Western and highly developed economies, existing systems and resources make it easier to comply with new regulations like GDPR. In developing countries, however, the introduction of new regulations may prove challenging due to resource constraints that inhibit the acquisition of necessary tools or technologies.

 

Finding #3: Executive buy-in is critical

 

Lack of awareness about the value and benefits of PbD in relation to the enhanced privacy and trustworthiness of national digital ID systems, especially among leaders and peers, can make it difficult for practitioners to implement PbD in a proactive and beneficial manner from the get-go.

 

This complacency means that PbD in national ID systems may be limited to the achievement of minimal regulatory compliance. However, if regulations related to PbD are inconsistently enforced, this undermines any wider organizational motivation to consistently implement good practices.

 

Similarly, executive decision makers can set out unrealistic budgetary and time constraints in their tenders that will make it difficult to embed relevant PbD principles at the initial design stage. In particular, they may significantly underestimate the ongoing costs relating to privacy and security measures that are essential for combating fraud. This lack of buy-in can inhibit the comprehensive and early integration of PbD in national ID systems.

 

Finding #4: Lack of awareness, understanding and know-how

 

The research found that technical and managerial practitioners often lack sufficient training or education on PbD principles in relation to robust privacy protection and cybersecurity. As a result, they will struggle to understand the importance of adhering to certain standards and procedures.

 

Typically, those in technical roles with limited hands-on practical PbD experience are less incentivized to bridge the knowledge-attitude-practice gap and can find it hard to integrate privacy principles into systems.

 

For example, while understanding these principles in general, these individuals may be unaware of how to practically implement these in a specific real-world context. This lack of knowledge and/or technical skills prevents them from evolving into highly engaged, informed, and fully empowered stakeholders to successfully enable PbD integration at the ID system development phase. Something that will ultimately hinder the practical implementation of PbD measures.

 

By understanding the bigger picture and being exposed to formal education and training on PbD, these practitioners will be able to acquire the skills and know-how needed to change established routines and processes – without fear of making errors.

 

Key recommendations

 

The findings of the NTNU research reveal how the relationship between knowledge, attitudes, and practices towards PbD are complex – and are influenced by a variety of factors including experience and job role.

 

To support and enhance PbD implementation and bridge the gap between privacy frameworks and their practical application in national ID systems, the study offers a number of recommendations for enhancing the rigorous application of PbD to safeguard citizen data and comply with regulatory factors.

 

The recommendations for governments include:

 

• Undertake pre-tender research – conducting detailed RFIs enables governments to make more informed decisions on the latest technical advances in PbD and industry best practices. By collaboratively consulting with suppliers, governments will be able to set out appropriate PbD requirements in their tenders and leverage industry expertise to achieve better project outcomes. This includes ensuring that functional PbD requirements are appropriately aligned with the operational challenges and practical goals of projects in order to assure compliance with legal requirements and minimize the risk of privacy breaches.

 

• Engage with international entities – participation in dialogues, workshops and advisory sessions organized by alliances such as the SIA – as well international organizations like the UN or the World Bank – provide access to a wealth of global expertise, guidance on technical standards, and best practices for implementing national ID schemes that are compliant with international privacy and human rights standards.

 

• Targeted training for all stakeholders – alongside nurturing an organization-wide foundational understanding of the legal and ethical aspects of PbD, government bodies should plan to deliver role-based workshops for specific stakeholder groups that will grow specific domain related knowledge and skills. This program should be backed by a comprehensive communications strategy that supports effective organizational dialogue and alignment which will enhance the effective implementation of PbD.

 

• Appoint designated PbD champions – who can act as in-house experts, facilitate knowledge sharing and coordinate PbD initiatives across stakeholder groups to boost PbD efficacy and implement PbD principles efficiently.

 

• Targeted public outreach programs – that educate the general population and build public trust in the social legitimacy of PbD in national ID systems.This is seen as vital for assuring universal uptake and capturing feedback that can be used for policy refinement.

 

If you’d like to explore the study’s findings and recommendations more fully, contact the lead researcher at NTNU Mohamed Abomhara and request for the full version of the “Enhancing Privacy Protections in National Identification Systems: A Study on Stakeholders’ Knowledge, Attitudes, and Practices of Privacy by Design” paper. Please note, the study is currently under review at the International Journal of Information Security.

 

***

*Secure Identity Alliance (SIA) is a global non-profit association representing actors and organizations and adjacent industries active across the digital identity ecosystem. The association supports the development of the activities of its members across four broad pillars: Identity for Good, Outreach, Open Standards Development and Industry Services and Solutions. We bring together public, private and non-government organisations to foster international collaboration, help shape policy, provide technical guidance and share best practice in the implementation of identity programmes. Underpinning our work is the belief that unlocking the full power of identity is critical to enable people, economy and society to thrive.

NTNU is a university with a main profile in science and technology and has an international focus on a variety of programmes of professional study, and great academic breadth. The Department of Information Security and Communication Technology (IIK) at NTNU conducts international competitive research in several areas of cyber security, information security, communication networks and networked services and hosts the Centre for Cyber and Information Security (NTNU CCIS) as a national centre for research, education, testing, training and competence development within the area of cyber and information security.