Estonia and Scandinavia show UK the way on digital IDs

The process of verifying someone's identity when they use online public or business services in the UK can be streamlined by learning lessons from the way things are done in Estonia and Scandinavia, one of Estonia's foremost technologists has said.

19 Nov 2018

Speaking to Out-Law.com at an event on 'e-government' in Glasgow, Linnar Viik said individuals should be able to access multiple online services, spanning both the public and private sectors, using a single digital ID unique to them.

Viik, dubbed Estonia's 'Mr Internet' for his role in establishing Estonia's technology infrastructure following its split from the Soviet Union, said there are already examples of this in Scandinavian countries and in his native Estonia, which is widely regarded as a global leader in technology, innovation and digital government.

In Estonia, a state-provided digital ID system has been operating for years. People can use their digital IDs to, for example, access local health services, register property and vote in elections, as well as set up a company online. The same digital ID used to access public services can also be used to access a raft of online services provided by businesses. For example, people can access their bank accounts online in Estonia using their digital ID, and they can now use their digital ID to sign documents electronically too.

Viik said Estonia's digital ID system had evolved over time, most recently switching from a system tied to mobile SIM cards to a software-based certificate system of authentication. He said the interoperability of Estonia's digital ID stemmed from the way the country went about establishing its own IT infrastructure after regaining its independence in 1991.

Viik said: "In the 1990s there were two parallel processes going on in Estonia – at the same time as the government was investing in IT and exploring digital IDs, banks were also looking into enabling digital access to their services. Banks, and the other businesses we engaged with, such as utilities and telecoms companies, concluded that in the long-term it would be easier to maintain high levels of security, cheaper and more efficient to use the government-provided digital ID than to set up and use their own ones."

Built on a number of principles, Estonia's IT infrastructure is designed to make digital services as seamless for users as possible. Data is not held in silos. Instead, the 'once only' principle ensures that people only need to provide the government with their data once – thereafter other agencies are expected to check the information gathered and provide citizens with services they need.

The 'integrity' principle governs data security and regulates access to the information – agencies are only permitted to access information for purposes "within their remit", Viik said. Access is logged, with the logs available for inspection by individuals and Estonia's data protection authority.

"If you want to play in Estonia and be part of the public services eco-system you need to comply with integrity standards," Viik said.

A state-provided digital ID is not the only model of digital ID that can be used. Viik pointed to the practice in some Scandinavian countries where digital IDs provided by banks can be used by individuals to access online government services. Similarly, he said the Estonian government had accepted people's bank IDs as proof of identity to allow them to declare tax online in the fledgling stages of the country's digital revolution.

Governments should recognise digital IDs provided by businesses for enabling access to online public services if those ID systems adhere to robust security standards, Viik said. He said the government has an important role to play in specifying the standards that should apply as part of their "responsibility to protect citizens' safety and security online".

"If I have an account with a bank then I have already been through an ID verification process," Viik said. "If banks trust documents provided by the government for verification purposes, such as passports, then governments should also trust banks who have engaged in KYC. The debate is really over the security standard that should apply to banks' digital ID."

Viik said, though, that governments must not expect instant results from digital projects, like digital ID solutions. He said it can take "two or three" technology iterations, a number of IT budget periods, and time to win public trust before take-up of new digital services becomes widespread.

"It takes time to build up the trust and digital nativity in each and every individual and to build up experience and to take constructive criticism and take one step further," Viik said. "Most projects have received at least minor criticism. When you are creating services it takes time before it gets to everyone and everyone understands how important it is."

For Estonia, the future goal is to achieve "zero bureaucracy" in government services, Viik said.

That vision would eliminate "annoying application processes" and see people automatically provided with access to services where they are entitled to them, he said. "Digital agents" could complete tasks and make decisions on behalf of citizens, although there remains a "big debate" over what parameters should be set.

"For example, is it OK for an AI agent to pay a parking ticket for me and, if so, when will it pay it?" Viik said. "Individuals will have different comfort zones."