Universal DPI Safeguards
  • 🇺🇳About the Universal DPI Safeguards Initiative
    • 📈The Journey
    • 📂Key Outputs
      • The Universal DPI Safeguards Framework
      • A Guide to Building Safe and Inclusive DPI for Societies
      • Interim Report: Leveraging DPI for Safe and Inclusive Societies
    • Looking Ahead
  • 🗃️How to use the Hub
  • 🛡️Universal DPI Safeguards Framework
    • Navigating the Framework
    • Responsible Authorities
      • R1 - Government
        • L1 - Conception and Scoping
        • L2 - Strategy and Design
        • L3 - Development
        • L4 - Deployment
        • L5 - Operations and Maintenance
        • All stages
      • R2 - Regulator
        • L1 - Conception and Scoping
        • L2 - Strategy and Design
        • L5 - Operations and Maintenance
        • All stages
      • R3 - Donor
        • L1 Conception and Scoping
        • L2 Strategy and Design
        • L4 Deployment
        • L5 Operations and Maintenance
      • R4 - Technology Provider
        • L1 - Conception and Scoping
        • L2 - Strategy and Design
        • L3 - Development
        • L5 - Operations and Maintenance
      • R5 - Advocates
        • All stages
        • L1 - Conception and Scoping Phase
        • L2 - Strategy and Design
        • L3 - Development
        • L4 - Deployment
        • L5 - Operations and Maintenance
    • Life Cycle Stages
    • Principles
      • Foundational Principles
        • F1 Do no harm
        • F2 Do not discriminate
        • F3 Do not exclude
        • F4 Reinforce transparency, accountability
        • F5 Uphold the rule of law
        • F6 Promote autonomy and agency
        • F7 Foster community engagement
        • F8 Ensure effective remedy and redress
        • F9 Focus on future sustainability
      • Operational Principles
        • O1 Leverage market dynamics
        • O2 Evolve with evidence
        • O3 Ensure data privacy by design
        • O4 Assure data security by design
        • O5 Ensure data protection during use
        • O6 Respond to gender, ability or age
        • O7 Practice inclusive governance
        • O8 Sustain financial viability
        • O9 Build and share open assets
    • Processes
      • F4.4 Facilitate comprehensive access to system architecture information
      • O6.5 Acknowledge and support the development of digital foundational capacities
      • O8.4 Ensure that DPI is affordable to people and businesses
      • F7.2 Sustain the participation of affected communities
      • F4.3 Facilitate comprehensive access to system architecture information
      • O8.3 Design a sustainable financing model for the DPI
      • F9.3 Prioritize investments in reusable software components to create standardized workflows
      • F4.2 Facilitate comprehensive access to system architecture information
      • F5.2 Underpin identification systems (and other DPI systems) with enforceable frameworks
      • F5.1 Establish transparency and full documentation for data-sharing arrangements
      • F3.2 Implement affirmative design measures
      • F1.1 Facilitate accessible remedial mechanisms
      • F4.1 Ensure access to relevant information about every architectural component of the system
      • F5.3 Highlight instances of discrimination and failure
      • O3.27 Increase public awareness about risks in DPI
      • O3.1 Verify the existence and enforcement of regulations, policies and procedures
      • O6.8 Use a participatory approach to foster inclusive, responsive and empowering DPI
      • O7.2 Invite all stakeholders for regular discussions
      • O8.3 Design a sustainable financing model for the DPI
      • F4.1 Ensure access to information about each relevant architecture component
      • F6.1 Evaluate the level of granular control available to users over their data preferences
      • F7.8 Implement a capacity-building strategy using a whole-of-government approach
      • F3.1 Provide accessible in-person options for identity proofing and authentication
      • O1.1 Equip CSOs and civic tech organizations with tools and partnerships
      • O6.1 Raise awareness if the DPI guidance is not linguistically appropriate for the whole population
      • F8.1 Facilitate user access to redress mechanisms
      • F8.7 Ensure availability of independent, accessible and effective remedies and mechanisms
      • F9.1 Establish a collaborative governance framework with public and private stakeholders
      • F8.1 Conduct environmental impact assessments and demand measures that advance carbon neutrality
      • F.1.2 Integrate human rights assessments
      • F1.2 Incorporate legal safeguards against coercive measures of enforcement
      • F5.4 Establish appropriate legal framework to govern DPI initiatives
      • F5.5 Implement independent oversight and impartial grievance adjudication
      • O2.6 Assess DPI against alternative policy options
      • F6.2 Design mechanisms that provide individuals and communities with control over personal data
      • F7.1 Forward relevant stakeholder inputs to DPI implementors
      • F9.2 Ensure adequate resourcing for continuous development
      • O1.2 Establish policies that promote fair competition and require multiple participants
      • O1.3 Mitigate the risk of market distortion and monopolies
      • O2.1 Assess DPI against alternative policy options
      • O3.2 Undertake data protection impact assessments and legislative reforms prior to DPI roll-out
      • O3.3 Analyse stakeholder interests and implement appropriate safeguards
      • O3.4 Provide features to protect users from tracking and profiling
      • O4.1 Establish a framework for safe data storage and processing
      • O4.2 Establish a cybersecurity framework for DPI
      • O5.1 Implement privacy and data protection impact assessments prior roll-out
      • O3.7 Undertake data protection impact assessments and legislative reforms prior to DPI roll-out
      • O3.21 Establish mechanisms to ensure a right to opt-out whenever appropriate
      • O5.7 Implement privacy and data protection impact assessments prior to roll-out
      • O5.9 Assess existence of comprehensive data protection laws to protect personal data
      • O5.2 Require parties to register their DPI use cases in a public registry
      • O6.2 Understand the needs of affected communities and test the impact of DPI on these groups
      • O6.3 Ensure equitable access to DPI
      • O6.4 Include networks of human agents to help users utilize and engage with DPI systems
      • O8.1 Estimate the costs of deployment, operational costs, and estimate payback period
      • O8.2 Design a sustainable financing model for the DPI
      • F2.5 Recognise access to DPI-based public services as a human right
      • F4.13 Establish requirements for auditable data trails to support dispute redressal
      • F7.5 Implement a whistleblower channel, allowing the public to address potential complaints
      • F8.8 Set redress mechanisms and other consumer protection tools for failed/fraudulent transactions
      • O1.6 Enable transparency in the development of standards by standard-setting bodies
      • O3.28 Undertake a Data Protection Impact assessments and legislative reforms prior to DPI roll-out
      • O3.21 Establish mechanisms to ensure a right to opt-out whenever appropriate
      • O5.7 Oversee the implementation of privacy and data protection impact assessments prior roll-out
      • O8.7 Ensure that the price of using DPI is affordable to people and businesses
      • F4.14 Oversee the publication of reports on user complaints and inclusion metrics
      • F9.10 Set a normative framework for public–private partnership to implement DPI frameworks
      • O3.29 Audit data processed against the specified purpose being served
      • O3.21 Establish mechanisms to ensure a right to opt-out whenever appropriate
      • O3.15 Implement strict controls to enforce purpose limitation and restrict secondary data use
      • F2.4 Design and implement backup processes for users who lack assumed documentation
      • F4.10 Implement comprehensive reporting and accessibility protocols
      • F6.5 Implement optional features for user control over personal data
      • O2.5 Implement rigorous testing protocols
      • O3.5 Enable third-party audits
      • O4.9 Mandate security audits by third parties
      • O3.14 Integrate strict data minimization protocols into design
      • F3.3 Identify and address end user/citizen needs
      • F1.3 Establish monitoring and mitigation teams
      • F2.1 Implement alternative enrollment measures
      • F3.3 Assess the interoperability system
      • F3.4 Develop alternative processes to access services without requiring subscription to a DPI
      • F3.5 Implement affirmative design measures
      • F4.5 Establish comprehensive auditing mechanisms
      • F4.6 Create stakeholder participation systems
      • F4.7 Ensure an auditable data trail for dispute redressal
      • F4.8 Provide clear definitions for key human rights terms
      • F6.3 Incorporate user choice mechanisms to participate
      • F6.4 Design user interfaces that empower subjects with clear and continuous control over their data
      • F7.3 Forward relevant stakeholder inputs to DPI implementors
      • F7.4 Sustain the participation of affected communities by funding community engagement
      • F8.3 Ensure that the DPI interface indicates the responsible public authority and their contact info
      • F9.4 Adopt common standards, conduct regular system integration tests, and remove redundancies
      • F9.5 Conduct stringent security checks and vendor assessments
      • F9.6 Encourage modular system design and support for multiple technologies
      • F9.7 Adopt comprehensive procurement processes that prevent vendor lock-in
      • O1.4 Provide tools and support to enable integration and scalability
      • O1.5 Develop an open access system with APIs, accountability, and fraud protections
      • O2.2 Implement regular public consultations and review mechanisms
      • O2.3 Design mechanisms to generate relevant data
      • O2.4 Design feedback loops to address data inaccuracies and enable community reporting
      • O3.5 Integrate strict data minimization protocols into design
      • O3.6 Establish multi-layered security controls to protect data throughout its lifecycle
      • O3.7 Undertake data protection impact assessments and legislative reforms prior to DPI roll-out
      • O3.8 Enable third party audits
      • O3.9 Establish robust data delinking mechanisms
      • O3.10 Enable different levels of privacy between payer and payee
      • O3.11 Implement symmetrical identification
      • O3.12 Implement and protect the right to pseudonymity within DPI when applicable
      • O3.13 Ensure that biometric authentication is not mandatory
      • F4.9 Insitutionalize oversight mechanisms
      • F4.10 Adhere to open standards and modular architecture
      • O8.5 Focus on cost reduction
      • F1.4 Establish monitoring and mitigation teams
      • F2.2 Provide accessible in-person options for identity proofing and authentication
      • F2.3 Establish mechanisms to promote ongoing user awareness and engagement
      • F9.8 Build institutional memory
      • F9.9 Document and maintain an archive on the outcomes of pilot studies, testing, and decision-making
      • O3.26 Implement strict controls to enforce purpose limitation and restrict secondary data use
      • O3.16 Embed strong privacy standards from the start and integrate these into design and processes
      • O3.17 Ensure compliance with privacy laws and evaluate risks around PII
      • O3.18 Emphasise transparency and user empowerment in managing data
      • O3.19 Develop privacy requirements and select mitigation strategies
      • F1.4 Establish monitoring and mitigation teams
      • F4.11 Publish reports on inclusion and user complaints
      • F8.4 Implement a multi-channel complaint resolution mechanism that tracks resolutions
      • O3.20 Ensure unobservability of daily user interactions by design
      • Establish mechanisms to ensure a right to opt-out whenever appropriate
      • O3.22 Ensure linkability, unobservability, and zero-knowledge proofs are the default
      • O3.23 Establish robust data delinking mechanisms
      • O3.24 Make alternative mechanisms besides biometrics available
      • O3.25 Ensure that biometric authentication is not mandatory
      • O4.3 Ensure secure and auditable data handling
      • O6.6 Embed vulnerability in product design
      • F8.5 Establish capability to successfully remedy user exclusion and harm
      • F8.6 Empower regulators with independent oversight
      • F9.12 Train civil servants, citizens and the private sector on new iterations of DPI implementation
      • F4.12 Ensure accountability through records controls
      • O4.4 Establish a trusted—unique, secure and accurate—identity system
      • O4.5 Implement data validation, completeness, and consistency checks
      • O4.6 Use an established cybersecurity framework
      • O5.3 Ensure digital presevation of records
      • O6.7 Ensure that DPI are linguistically appropriate for the whole population
      • O9.1 Ensure modularity and reusability across sectors, enabling evolution with society
      • O2.8 Leverage analytics for ongoing evaluation and informed decision-making
      • O2.7 Design systems to capture evolving user needs
      • O2.9 Establish mechanisms to assess the value users derive
      • F1.5 Assess system uptime to ensure reliability
      • F9.13 Implement public–private partnership frameworks for sustainable DPI implementation
      • O4.7 Implement a framework for safe data storage and processing
      • O5.4 Conduct regular security audits to check encryption protocols
      • O5.6 Implement regular performance metrics tracking with predefined response protocols
      • O4.7 Invite security audits by third parties
      • O5.4 Implement regular performance metrics tracking with predefined response protocols
      • O5.5 Ensure that access to personal information is based on the informed consent of the user
      • O5.8 Create redress mechanisms that deal with bad actors
      • O7.1 Establish governance frameworks for transparency, accountability and stakeholder participation
      • O8.6 Ensure budgetary allocation for DPI financial sustainability and adequate resourcing
      • O9.2 Develop a centralized platform for digital asset sharing and a community of practice
      • O9.3 Nurture engagement with technical community and private actors
      • O9.4 Create an online repository of open DPI components, reference architecture for maintenance
      • O4.8 Design specific security features to protect against unauthorized access and data breaches
    • Risks
      • Risks to Safety
      • Risks to Inclusion
      • Risks to Structural Vulnerabilities
  • 🌏Country Implementation
    • 🗺️Implementation Around the World
      • 🇧🇷Brazil
      • 🇩🇴Dominican Republic
      • 🇪🇹Ethiopia
      • 🇫🇮Finland
      • 🇮🇳India
      • 🇲🇼Malawi
      • 🇳🇬Nigeria
      • 🇷🇼Rwanda
      • 🇸🇴Somalia
      • 🇹🇹Trinidad and Tobago
      • 🇺🇾Uruguay
    • 🧰Toolkits & Resources
      • Maturity Model
    • ⛑️Country Adoption Support
  • 🤝Ecosystem Engagement
    • Share your story
    • 🗓️Events Calendar
    • 💼Convening Toolkit
      • Convening Resources
      • ❓Convening FAQs
  • ℹ️Additional Resources and Information
    • Curated Resources
    • 📜Licensing
    • 🗒️Release notes
    • ☎️Contact us
Powered by GitBook
On this page
Export as PDF
  1. Universal DPI Safeguards Framework
  2. Processes

O3.5 Enable third-party audits

Last updated 6 months ago

O3 Ensure data privacy by design

RS1 Privacy vulnerability

L5 Operations and Maintainance

Practices

  • Implement third-party audits using best practices from established privacy frameworks such as LINDDUN and NIST to identify and mitigate privacy risks effectively.

  • Ensure that third-party auditors assess systems against principles

🛡️

LINDDUN (N/d). A Framework for Privacy Threat Modelling.