Requirements of the Canadian Digital Identity Ecosystem
The DIACC proposes 10 requirements of the Canadian digital ecosystem. The DIACC recognizes that additional principles may be identified and considered with respect to specified service delivery and economic sector needs, such as the Principles for Electronic Authentication published by Innovation, Science, and Economic Development Canada (formerly Industry Canada) in 2004.
  1. Robust, secure, scalable;
    Canada’s digital identity ecosystem must be robust enough to ensure it is secure, available, and accessible at all times. Full-time service access also requires redundancy and disaster recovery tools.
    The ecosystem infrastructure must enable the digital services delivery and economic sectors to adopt the latest advances in security technologies and policies. Protecting personal information is a non-negotiable priority. Infrastructure design must secure personal information both in transit and at rest. Infrastructure must rely on a foundation of awareness and training for expertise, including access control, audit and accountability, risk assessment, penetration testing, and vulnerability management.
    A trust framework that governs digital identity ecosystem solutions and services must scale to securely enable innovation. Some entities are ready to accept digital identities while others are not. A digital identity ecosystem trust framework must be designed to enable the service delivery and economic sectors to integrate at scale.
  2. Implement, protect, and enhance Privacy by Design;
    Digital privacy-enhancing tools enable an individual to manage who may access their personal information for a specified purpose.
    DIACC members focus on the identification and development of tools and policy that respect Privacy by Design as a foundational element of digital identity interactions.
    Solutions need to be able to prove compliance with applicable Canadian data protection laws and regulations.
  3. Transparent in governance and operation;
    Canadians need to trust that services offered in the Canadian digital identity ecosystem will respect and meet their needs.
    Canadians need to have trust in the policies and practices that govern the Canadian digital identity ecosystem.
    It is critical that Canadians have transparency and opportunities to engage with experts who influence policy and technology regarding the governance of their digital identity ecosystem.
  4. Inclusive, open, and meets broad stakeholder needs;
    Digital identity ecosystem services and tools must be affordable, standardised, and beneficial to Canadians. Services must be secure and innovative while reducing economic costs of operation. A trust framework must be flexible enough to enable established and innovative technologies and services. The ecosystem must be beneficial to individuals as well as to commercial service and technology providers by mitigating risks while enabling opportunities to develop sources of revenue.
    Business and public sector entities share the need to deliver secure modernized digital services to their constituents while minimizing costs. Individuals must have equal and convenient access to services regardless of geographic location. All Canadians must be able to understand and use services offered in the Canadian digital identity ecosystem, regardless of their personal abilities.
  5. Provides Canadians choice, control, and convenience;
    Privacy-respecting and privacy-enhancing services rely on the principle that individuals are informed about the details and potential benefits and consequences associated with personal information management. Informed individuals are likely to make better decisions about how their personal information is provided, shared, and used. Informed consent requires that individuals have a clear understanding of the facts, implications, and potential consequences of an action. Informed consent is gained by providing an individual with the knowledge and tools to securely manage access to their personal information.
    Digital identity ecosystem services and tools must be easy to use. Remembering dozens of passwords or carrying 15 different cards is not a scalable or secure approach. If an individual forgets their password (or other identifier) or loses their identification (or device upon which it is stored) they must be able to securely and conveniently re-validate their digital identity with ecosystem services. Digital identity ecosystem services must be secure enough to prevent fraud and convenient enough to allow for rapid authentication and access control.
  6. Built on open standards-based protocol;
    Use of open standards and applicable best practices for Canada’s digital identity ecosystem will help protect against obsolescence, ensure interoperability, and foster a dynamic and competitive solutions market environment. Building Canada’s digital identity ecosystem on open standards-based protocols will ensure that Canadians are not locked into one technology or supplier. The risks of governments and companies being locked into closed ecosystems must be mitigated.
    Adoption of an open standards-based approach allows different services, based on standards-driven technologies, to seamlessly connect. This is essential to allow the digital service delivery and economic commercial sectors to leverage interoperable and verifiable solutions that best meet their needs.
  7. Interoperable with international standards;
    Interoperability and global technology and policy standardizations are foundational to today's connected world.
    Much like standardised railway gauges enable travel and the transfer of goods across countries, and the standardisation of cargo container sizes reduces shipping costs, technology and policy interoperability and standardisation allows digital services to communicate and lower costs while increasing innovation opportunities.
    For Canada to thrive in the global digital economy, we need to ensure that our digital identity ecosystem is able to interact with information systems around the world while respecting our own cultural, constitutional, legislative, and regulatory needs.
  8. Cost effective and open to competitive market forces;
    It is essential that the digital identity ecosystem respects the budgetary constraints of the present and the future.
    Ensuring the ecosystem is open to competition, representing multiple economic sectors, each playing different roles, will lead to decreased costs for individuals and increased innovation.
  9. Able to be independently assessed, audited, and subject to enforcement;
    For Canadians to trust a digital identity ecosystem, governing controls must be put in place.
    Ongoing, functionally independent, third-party assessments provide one way to ensure that ecosystem entities and services are adhering to the trust framework requirements.
    Services demonstrating compliance may leverage a trust mark, while services that are not in compliance will not be seen as trustworthy and will not leverage the benefits of the trusted digital identity ecosystem.
    Where possible, the PCTF will reference internationally adopted technology and policy standardisations.
    That said, PCTF participating entities and services are subject to applicable Canadian laws and codes for operations within Canadian jurisdictions.
  10. Minimizes data transfer between authoritative sources and will not create new identity databases
    Users of digital identity ecosystem services should be asked to provide only the minimum amount of personal information necessary to complete an interaction.
    Where possible, and appropriate, anonymous transactions should be supported.
    This is critical if Canada is to embrace an ecosystem in which people engage in activities such as e-voting.