By Pramodya De Alwis, Head of Digital Identity, CentraPass
As humans, we have been communicating who we are for generations, and we have been quite creative at doing it. We created names and through that we created forms of identification for us and things that belong to us. We have learnt about the issues of identification as a consequence of certain identifying features being used to target specific groups of people. However, have we now learnt to ignore this problem because it doesn’t affect us day to day, or so we think? There have been major issues around the world where personally identifiable data was leaked or used maliciously to generate unethical yet legal profits.
The European Union’s GDPR (General Data Protection Regulation) was aimed at helping individuals who had simply lost the ownership of their identity. From the GDPR EU website: the right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” These were powerful regulations and the definite first steps in an uphill battle against organisations profiting from personally identifiable data collection for marketing purposes.
If you have ever used an online marketing tool to target specific user groups, then chances are you have used the data these online platforms have mined from the internet. It would be a pipe dream to believe we can just wipe this industry out overnight; in fact it is hard to imagine it being wiped out at all. However, there are ways to decrease the risks posed by malicious actors. The GDPR is a great example of one way: a legal framework designed to reduce the exposure of individuals by using fines and jail sentences. Another way is using modern technology and its real-time capabilities to generate cryptographically secure information.
NZ Privacy Act
New Zealand’s Privacy Act 2020 is our own version of the GDPR, a much-needed refresh of the Privacy Act 1993. But how can businesses keep up with these changes? Some have already made provisions to keep up with GDPR, so they are well prepared for the Privacy Act 2020, but is this enough?
Do businesses know what data they really need to keep?
A prime example is the Waikato DHB. They stored data like passport and driver's licence images even after they had been used to verify individuals. This is obviously a red flag when you consider hundreds of companies all around New Zealand are probably doing the same thing. New Zealand and the rest of the world do not have the infrastructure in place to reduce the blast radius of cyberattacks. We need to somehow build tools and networks for safe exchange of personally identifiable information. Enter the New Zealand Digital Trust Framework (DTF), designed to remove the requirement to store personally identifiable data in organisations' data stores and to enable consented sharing of data between people and organisations. This will give power back to individuals to determine who should be allowed to see their data.
Digital workflows can make a difference
So far it sounds like this is all about the individual, and while it is a massive win for people, with the right tools and innovation, companies can improve their opportunities while eliminating risk. For example, the traditional barriers to gaining customers can be reduced by introducing digital workflows. Companies can still gather useful yet privacy-preserving customer metrics without putting themselves in breach of the Privacy Act 2020 (or GDPR for international customers).
While the DTF is ambitious, it is not the first of its kind; countries all around the world are looking to do something similar. The current most notable ones reside in Canada and England. This could also be a chance at interoperability between countries, but it heavily depends on how we build our communication network. We need to work globally to solve this issue and there is research and development being carried out by the open-source development and open standards community.
Methods to protect data
Through the advent of the W3C Decentralised Identifiers (DID) specification and subsequently Verifiable Credentials (VC), there are well-researched methods available for adoption. The IATA travel pass, which is being used to track COVID certificates across borders, is an example of this technology already in action. These specifications describe methods for individuals to allow consented communication of private data with guarantees around safe usage by organisations. VCs also enable individuals to make claims, such as claiming you are allowed to drive, without revealing any personally identifiable information; this is known as a zero-knowledge proof and it has the power to change how we share information forever.
How can we get everyone on to the DTF?
First of all, the rules have to be published. This is an ongoing process involving the DIA, industry professionals (including CentraPass) and companies across New Zealand who will be affected by the new rules. The DTF is also completely opt-in, but there is no reason why organisations across New Zealand would choose not to partake; those who do not will have to find their own way for themselves and their customers. CentraPass is working on building the tools and services required to help businesses build a safer digital world for their customers. We work closely with companies looking to improve their KYC and AML workflows to enable secure customer journeys on their platform. Our team is working to ensure the DTF follows global standards and gives Kiwi businesses a chance to innovate, improve onboarding workflows and protect their customers.