Inclusive, Private, and Secure: The Blueprint for Responsible Digital Identities

Last updated: 03 February 2025

Establishing a secure and efficient system for verifying identities is crucial – especially as more of our experiences move online. That’s where digital identities enter the picture, offering an alternative to traditional forms of identity. However, to roll out such solutions and encourage widespread adoption, they must offer convenience for all users, alongside robust protection of personal data. But to deliver on the latter, digital identities must be classed as ‘responsible’.

So, what does a responsible digital identity look like, and how can it be achieved? 

Responsible digital identity

At Thales, responsible digital identity is based on three main pillars: personal data protection, sovereignty and accessibility.

Personal data protection

In an era of widespread digital mistrust among consumers, establishing end users’ trust in digital identities is key. This pillar is broken down into two levels:

  • Transparency and citizen consent: The sharing of personal data must be accompanied by a clear request for consent, explaining with whom the data is shared and for what purpose. This puts users in the driving seat to decide when they share data, and what exact attributes they share – whether it be their age, address, employment status, or income, for example. 
  • Decentralised identity approach: In a decentralised digital identity system, there is no single centralised database containing all citizens’ identity credentials. These identity credentials are instead in the hands of citizens, securely stored on their smartphones. Not only does this decentralised storage approach provide greater security, but digital identities are also biometrically-enabled, meaning only the user can launch them via their own face ID or fingerprint.

Sovereignty

This second pillar is crucial, particularly in the current geopolitical context. This ensures that digital identity solutions are based on technologies controlled by trusted actors, and that their deployment mode makes them immune to extraterritorial laws. This sovereignty requirement implies compliance with local security regulations, requiring local data hosting, operation of the solution by authorised personnel, and implementation of proprietary cybersecurity solutions. In other words, sovereignty allows the government to protect personal information and control critical infrastructures, thereby strengthening user trust.

Accessibility

A responsible digital identity must also be inclusive to provide equitable access to all citizens. While digital identities will exist as a complementary form of identity, creating solutions with intuitive interfaces and appropriate features, including offline usage, ensures that every citizen, regardless of their digital proficiency or location, can access public services.

Queensland digital license project

So, what’s a best practice example of these three pillars in play? Thales launched a digital license project in Australia with the State of Queensland. This project, designed “by and for Queenslanders,” is a perfect example of responsible digital identity, combining iterative development modes with incredibly high security requirements. 

This project adopted an agile deployment mode to iteratively incorporate user feedback into the solution’s design, helping to deliver on the accessibility front. Thus, the deployment occurred in several phases: 

  • Test groups: Carefully constituted user groups, ensuring a representative sample of the local population. Associations representing people with disabilities also contributed. 
  • Prototypes and pilots: Implementation began with prototypes and pilots with small user groups to gather their feedback. 
  • Promotion by ambassadors: Ambassadors from civil society or law enforcement were trained to promote and explain the benefits of this solution. 

As a vast territory spanning over 1.8 million km² (with 85% having only limited 3G network coverage), Australia also opted for a mobile identity solution that works in connected and/or offline mode to be as inclusive as possible for citizens living in rural areas. 

In terms of sovereignty, the solution is considered critical infrastructure in Australia and is subject to special security obligations (SOCI Act). As a government-provided solution, it also has to comply with specific security evaluations (IRAP). It also aligns with international standards for mobile driver licenses, delivering interoperability across borders and setting the standard for digital identities on a global scale. 

And as a solution prioritising the safety and security of private information, the app undergoes rigorous privacy and information security testing and applies measures such as multi-factor authentication to protect users’ identity.

The app’s consent-based design also gives the individual control over their identity data so they only disclose the relevant information for the transaction, such as ‘proof of age’ or eligibility to drive. The digital verification process also helps businesses reduce the need to store sensitive identity data. Instead, the process allows for point-in-time, remote verification in a wide range of use cases. 

The takeaways 

In conclusion, combining agile innovation and security requirements is a delicate balance, but projects like the Digital License in Australia demonstrate that it is not only possible, but incredibly successful. In fact, one year after its launch, nearly a quarter of the target population adopted this solution.

These principles thereby ensure a responsible digital identity by placing the user at the heart of concerns, guaranteeing control over the technologies employed.
