Global events continue to highlight the need for the rapid and reliable identification of individuals to support national security. Governments promise to keep their citizens safe and secure and are simultaneously looking to improve public service delivery. Effective service delivery also requires the identification of individuals to ease access to applicable services. Whilst security and service delivery drivers are very different, they both need to be underpinned by a trusted, flexible and available nationwide identity management scheme.

Radically different objectives drive identity management programmes.

This article highlights key research regarding the challenges and opportunities in creating more comprehensive national identity management schemes and key lessons that we have learnt from implementing these schemes. Such schemes are best viewed as a series of interconnected processes relating to the handling of personal data. Each process area raises different challenges. The two process areas considered in this report are identity authentication, confirming that an individual is who they say they are, and identity management, where personal data is used for transactions, or maintained and shared with others (Dennis Carlton 2008). The important processes related to identifying an individual when they are not present (such as those used for crime scene analysis) are not considered. Identity authentication and management processes raise different challenges.

Impediments to progress – piecemeal pervades

IBM research indicates that very few countries have a cohesive identity management strategy (Bryan Barton 2007). Those that do are struggling to implement it completely. Working without an overall plan, nations have devised piecemeal, often narrowly focused identity management approaches in response to specific national security, immigration control and other societal concerns.

Our recent experience gained whilst advising an East African country is typical:

  • There is no single widely deployed system that can reliably authenticate the identity of all individuals within the country using attributes (such as fingerprints or other biometrics) that are hard to falsify.
  • There is no single trusted reference number that can identify an individual from birth to death.
  • Processes to issue the various documents that may be treated as identification (National ID Card, Passport, Driver License etc.) are not joined up; for example, there is no linkage between the National ID card records held by the National Registration Bureau and Passport Issuance.

Towards improved identity management

Positioning pan-government identity schemes as having benefits for people (e.g. easier access to government services) as well as benefits for government (e.g. increased security) makes it easier to defend the investment and change required to implement them. Having secured the mandate to implement such a scheme, our experience highlights that it must be trusted, available, flexible and deliverable. Successful identity management is trusted, available, flexible and deliverable.

Trusted

The scheme should be universal so that users trust it to identify any individual within the country. A front line government official needs to be certain that they can reliably identify an individual whether they are a citizen, migrant, visitor, asylum seeker, refugee or illegal. It must support the accurate authentication of an individual’s identity. This requires the routine use of biometrics as part of the authentication process. Biometrics are hard or impossible to duplicate or share so are particularly useful where there is a significant incentive for people to falsify their identity. Routine use of biometrics in the authentication process requires accurate automated biometric matching. Other non-biometric authentication techniques should be considered where there is a lower incentive for impersonation and where the individual is not physically present. After authenticating the individual, these alternative techniques should provide access to the same underlying personal data.

High data quality is also critical to building trust. Schemes need to establish a clear policy and confidence threshold for the identities that will be migrated into the scheme, taking into account factors such as the likelihood that the identity is fraudulent. Consideration should be given to establishing a process to automatically determine the confidence level for key items of personal data based on available metadata (data about the data, e.g. the source organisation). Where necessary, individuals who cannot be migrated into the new scheme should be re-registered. Furthermore, a process for resolving quality issues as they are discovered should be defined to support continuous improvement. Application of data stewardship principles and other master data management techniques that have been developed in other industries such as banking will also help to drive data quality improvements.

Available

The technology that underpins the identity scheme should be open and support interoperability to ensure that its data is available for access. By their very nature these schemes cut across many government and private sector organisations and processes. Their value increases exponentially with the number of processes that make use of the scheme. Using technology that is open and interoperable reduces the barriers to automatically integrating the data managed by the scheme with other public and private sector processes.

The scheme should support mobile access out “in the field”. A key benefit is the ability for front line staff (e.g. the police) to identify an individual who cannot, or refuses to, provide any identity documents. For this to be practical, front line staff must be able to routinely access the scheme’s identity information, which requires the use of wireless mobile biometric identification devices.

Flexible

The organisation, processes and IT should be flexible, enabling new technologies to be introduced as they evolve. Biometric technology has advanced substantially in the last decade and will continue to do so. Identity schemes need to be able to take advantage of this new technology to deliver increased benefit; for example, introducing new modalities such as iris or facial recognition or implementing multi-modal biometric authentication. Individual elements of the IT system, such as the biometric matching engine, should be able to be swapped in and out of the solution. This is key to creating a flexible IT system and places the government in a strong negotiating position with the IT vendors. Adopting a component-based, service-orientated IT architecture using best of breed software from multiple vendors rather than a monolithic solution from a single vendor provides this flexibility.

Deliverable

Delivering a successful identity scheme requires a multifaceted programme of change including complex IT systems integration; modern programme management techniques should be adopted to ensure success. Key to this is to establish and communicate a compelling vision for national identity management, then deliver this vision incrementally, using the learnings from each increment to inform, and where necessary correct, the direction of future work. Well planned change management is critical to ensure that value is delivered by the new organisations, processes and systems by making sure that people are motivated, trained and incentivised to adopt the new ways of working.