Identification for Accountability vs Privacy
Nick Pope, Geoffrey Goodell

TL;DR
This paper explores the balance between privacy and accountability in identity management, proposing different identity forms aligned with GDPR principles and emphasizing user awareness in identity scheme adoption.
Contribution
It introduces two identity types, 'publicly-recognised' and 'domain-specific', tailored to privacy and accountability needs, guided by GDPR considerations.
Findings
Different identity forms can be tailored to privacy or accountability needs.
Designing identity schemes requires considering privacy-accountability balance.
Users should be aware of identity implications when interacting with systems.
Abstract
This document considers the counteracting requirements of privacy and accountability applied to identity management. Based on the requirements of GDPR applied to identity attributes, two forms of identity, with differing balances between privacy and accountability, are suggested, termed "publicly-recognised identity" and "domain-specific identity". These forms of identity can be further refined using "pseudonymisation" and as described in GDPR. This leads to the different forms of identity on the spectrum of accountability vs privacy. It is recommended that the privacy and accountability requirements, and hence the appropriate form of identity, are considered in designing an identification scheme and in the adoption of a scheme by data processing systems. Also, users should be aware of the implications of the form of identity requested by a system, so that they can decide whether this…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Privacy, Security, and Data Protection
