Privacy of information is critical to digital identity management systems, but in recent times, data owners have become sceptical about whom to trust with their identity data. This is because of data breaches and unethical practices involving identity service organisations. Governments across the world are responding to this trend by enacting data protection laws to achieve data privacy and protection of the rights of citizens. These laws seek to put data owners in charge of their data and to make identity management organisations ethical in dealing with personal data, but like every law, they can be broken. Therefore, data protection laws are an insufficient solution to user privacy in the world of digital identity. Privacy has to be designed into the identity management system.
Presently, the world has moved from a siloed identity management system to a federated identity management system. This system relies on ‘trusted’ third parties for the identification of persons and entities. In this system, the data owner stores his identity data with a central identity organisation such as Facebook or Google and uses their identity service for online transactions requiring authentication. In this system, the user trades privacy for convenience. The user does not have to maintain different identity accounts with various organisations, which makes the system convenient. In contrast, the user lacks absolute control over his data, which puts his privacy at risk. Hence, wrapping data protection laws around federated digital identity systems does not guarantee the confidentiality of user data.
With this in mind, the best way to guarantee privacy in a fast-evolving digital world is by design. Hence, developed countries are taking bold steps to adopt self-sovereign identity (SSI) systems in their digital identity management initiatives. SSI aims to disrupt the federated digital identity model by giving data owners complete control over their identity data. SSI systems are decentralised systems built on trust and transparency platforms such as blockchain. These systems ensure privacy by design and eliminate third-party identity organisations from the identity triangle. Also, SSI systems give the data owner convenience in sharing identity data with organisations and flexibility in revoking data access.
The SSI system rides on an efficient distributed ledger technology (DLT) system; therefore, as advances are made in blockchain and other DLT technologies, the SSI system will disrupt the federated identity management system and ensure privacy by design. Despite the relative freshness of SSI systems, countries such as Estonia have started leveraging them in their e-residency identity management systems.
In Nigeria, where digital identity is a priority and a prerequisite for the digital economy, the SSI system should be considered in developing a national identity framework. Apart from being the technological direction in identity management, it presents a simple way to ensure compliance with the Nigeria Data Protection Regulation (NDPR), as well as a competitive advantage for Nigerian companies. Furthermore, the SSI system gives data owners sole ownership of their identity data, allowing complete control over the sharing and use of personal data and flexibility in revealing only the information necessary for a particular transaction.