GovPass will make it easier for people to prove who they are when using government services online. People have told us that to use GovPass, they need to trust that their personal information is protected and that they have control over where it is going. So we have sought to ‘build’ privacy into the design of GovPass.
What is privacy by design?
Privacy by design is a method to embed privacy into the design and architecture of products or projects.
New digital products and services are not inherently privacy enhancing, they need to be designed specifically to meet that purpose. It is best practice to consider privacy before, at the start of, and throughout development.
GovPass has been designed as a federation of identity providers and an exchange using ‘double-blind’ architecture. Having the exchange means the service doesn’t see your identity documents, and, the identity provider doesn’t know what service you are accessing. Having the exchange means your identity attributes are not stored centrally. The exchange merely passes those attributes on to the service. It does not retain the attributes, only some logs to record what occurred.
GovPass approach to privacy
GovPass has adopted privacy enhancing principles in the design and architecture of the platforms. The principles focus on:
- limiting the collection, use and disclosure of personal information to a narrow purpose
- minimising collection and retention of information and keeping data stores separate
- giving users choice of how they verify their identity
- giving users control through consent and transparency
We have sought to tightly limit the purpose of the program and consequently limit collection, disclosures and retention of personal information. Services will only be able to use personal information to verify a user’s identity.
Minimum data retention
GovPass will collect and retain a minimum amount of information needed for the purpose of verifying identities. Once an identity is verified, only the essential information will be retained, the rest will be discarded. This minimises security threats and limits ‘function creep’ (widening of the use of a system beyond the purpose for which it was originally intended).
Our approach is to separate information and not create a central store, which is the purpose of a federated architecture.
Opt in, not opt out
GovPass is designed to complement existing identity verification options, such as in-person verification. Users will have the choice to use the system and will be able to revoke their account at any time.
Users have told us that they want to know what is happening to their information. GovPass will include clear information on how personal data will be used, prior to gaining consent
How GovPass ensures privacy
Two practical ways we are ensuring privacy in the design of GovPass is:
- by commissioning a series of independent Privacy Impact Assessments (PIA) to identify and mitigate privacy risks. Access the first PIA.
- employing and seeking advice from people with a detailed knowledge and commitment to protecting privacy.
Find out more information about Privacy Awareness Week.