Typical DPI-related roles and responsibilities of 'Government' include:

• overall governance: from policymaking to public service delivery

• creating policies to set development goals

• guiding inclusive digitalization

• providing budgetary support for development purposes and DPI development

• providing proof of progress to constituents

• listening to feedback and improving legislative, executive and judicial administration

Click Next to explore the process recommendations in the Conception and Scoping stage of the DPI life cycle.

Typical DPI-related roles and responsibilities of 'Regulators' include:

• setting appropriate and effective guardrails

• supervising and enforcing laws and regulations

Click Next to explore the process recommendations in the Conception and Scoping stage of the DPI Lifecycle.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

The Universal DPI Safeguards Framework is designed as an open public asset to extend foundational and actionable recommendations that are adaptable to diverse contexts. It is not a static body of knowledge but will continue to evolve across all its elements with the active contribution of stakeholders such as governments, responsible authorities, seasoned practitioners, civil society organizations (CSOs), and international communities.

The Framework is made up of five components:

1. Risks to be mitigated:

Risk refers to the possibility of harm and involves uncertainty about the effects of an activity on people’s health, well-being, wealth, property or the environment. V1.0. of the Framework describes 13 interrelated risk areas.

2. Principles:

Principles, currently 18, are core propositions to mitigate risk which have been derived from the possible risks observed in the DPI ecosystem. These include new risks and existing structural vulnerabilities.

3. Responsible authorities:

A functional group of stakeholders with assigned or assumed roles, responsibilities and accountability for effective implementation and evolution of DPI safeguards.

4. Life cycle stages:

DPI has five life cycle stages, namely: Conception and Scoping, Strategy and Design, Development, Deployment, and Operations and Maintenance.

5. Recommendations:

These include ~ 300 processes and practices; built from existing experiences in countries.

• A process is a series of activities required to produce a result which may occur once, or be recurrent or periodic. In the Framework, principles are translated into processes relevant to responsible authorities at appropriate life cycle stages.

• Practices are related to processes and indicate what may or may not have been done in the past under normal circumstances. Practices are evolving and may not always indicate the best of practices in the context of the Framework.

Thus, the Framework offers multiple permutations of risks, principles, responsible authorities, life cycle stages and recommendations. It is designed as an open knowledge asset that allows any user to query it to identify actions they need to take.

A functional group of stakeholders with assigned or assumed roles, responsibilities, and accountability for effective implementation and evolution of DPI safeguards.

Click on a Responsible Authority below to learn more about actionable processes and practices.

The Universal DPI Safeguards Framework can be accessed through an interactive knowledge library or this DPI Safeguards Resource Hub.

Guidance to the..

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click

Click on any process listed below to learn about illustrative practices that can be implemented.

Typical DPI-related roles and responsibilities of 'Technology Providers' include:

• providing a focal point for technical work, risk identification and mitigation strategies

• having influence over and advising on actual implementation through to maintenance and support of DPI

Click Next to explore the process recommendations in the Conception and Scoping stage of the DPI Lifecycle.

Typical DPI-related roles and responsibilities of 'Donors' include:

• providing funding and financial support

• seeking proof of progress to meet development outcomes

Click Next to explore the process recommendations in the Conception and Scoping stage of the DPI Lifecycle.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI lifecycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click here

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click .

Click on any process listed below to learn about illustrative practices that can be implemented.

Typical DPI-related roles and responsibilities of 'Advocates' include:

• driving advocacy for DPI safeguards

• working to uphold human rights

• representing the interests of the marginalized and diverse sections of the society

• providing innovative ideas to make DPI more inclusive

• highlighting incongruence with existing laws and regulations

Click Next to explore Safeguards Processes in the stage of the DPI Lifecycle.

To know more about this phase of the DPI life cycle, click .

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle - Click

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle - Click

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click .

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle, click .

Click on any process listed below to learn about illustrative practices that can be implemented.

To know more about this phase of the DPI life cycle - Click

Click on any process listed below to learn about illustrative practices that can be implemented.

The building blocks for safe and inclusive DPI:

• F1. Do no harm

• F2. Do not discriminate

• F3. Do not exclude

• F4. Reinforce transparency and accountability

• F5. Uphold the rule of law

• F6. Promote autonomy and agency

• F7. Foster community engagement

• F8. Ensure effective remedy and redress

• F9. Focus on future sustainability

All individuals, regardless of intersecting identities, should have unbiased access and equal opportunity. Risks due to the circumstances of all vulnerable communities, historically marginalized groups and those who opt-out should be mitigated.

All individuals should have a choice of channels (digital/non-digital) to access and benefit from services enabled by DPI based on their individual capacity and resources. Access should not be limiting, conditional or mandatory — explicitly or in practice.

Principles are core propositions that form the foundation of a flexible, universal framework that guides the effective functioning of a DPI. The purpose of DPI is to maximize participation, agency and trust for all individuals. This implies that the risks described in the previous sections need to be mitigated, and residual risks need to be managed in the context of each country’s sociopolitical environment. To achieve this, all responsible authorities should be guided by a set of principles to ensure trust and coordinated responses throughout the DPI life cycle. These principles form a common language that helps to build mutual understanding and support ongoing cooperation.

The principles listed in the Framework are shaped by various research methods, including consultations with diverse stakeholders, a review of secondary resources, case study analysis and discussions with country-based implementers. As the DPI landscape evolves, these principles should be periodically reviewed and updated.

The principles are divided into two categories: (1) foundational and (2) operational. The former refers to principles that should serve as the basis for any DPI, while the latter refers to principles that come into play at an operational level and may vary across contexts.

Harms to individuals may not be immediately obvious. A human rights-based framework should be integrated throughout the DPI life cycle to anticipate, assess, and effectively mitigate any potential human rights harms and power differentials.

DPI should be introduced with a clear legal basis, with required legal and regulatory aspects embedded into its design, supported with capacity for sector specific tailoring (such as health), implementation, oversight and regulation by law.

Ensure that everyone (especially indigenous communities with sui generis rights), on their own or with assistance, can take control of their data, promote their agency, exercise choice, and contribute to their society’s well-being.

DPI should be developed with democratic participation, have public oversight, promote fair market competition and avoid vendor lock-in. All partnerships should be transparent, accountable and publicly governed.

• DPI should foster an increasingly inclusive environment for public and private innovation such that market players compete and introduce diverse solutions that cater to the emerging needs of all participants in society.

• DPI should embed technical rules that enforce core privacy principles (e.g. data minimization, provisions to delink, and the ability to limit observability by purpose and time) and governments should enact legal safeguards around them.

All stages of the DPI life cycle should centre on the needs and interests of individuals and communities at risk. They should participate at critical junctures and provide feedback actively in an environment of transparency and trust.

Complaint response and redress mechanisms, avenues for appeal without reprisal, supported by robust administrative and judicial review, should be accessible to all in a transparent and equitable manner during service delivery.

Inculcating foresight is key to anticipating and limiting long term and inter-generational harms. For example, mitigating the environmental impact with a net-zero strategy or minimizing resource needs with reuse of software.

Conception & Scoping (L1)

The scoping stage of the DPI life cycle is crucial as it establishes the purpose, goals, constraints, and boundaries of a DPI. This then guides subsequent decision-making and ensures alignment with strategic and operational objectives as well as people’s needs.

Strategy and Design (L2)

At this stage, a comprehensive plan is formulated and the DPI design is conceptualized in order to translate objectives into actionable steps that meet functional and performance objectives. The most appropriate standards, designs, safeguards and implementable steps are thought of at this stage.

Development (L3)

In the development stage, a prototype DPI is built according to defined specifications, ensuring functionality, reliability, and scalability.

Deployment and Transformation (L4)

At this stage, the DPI is implemented in its operational environment, and any necessary organizational changes are made to maximize its impact and adoption.

Operations and Maintenance (L5)

Once DPI is commissioned, it is expected that individuals regularly interact with its services, and that government agencies rely on its systems for their operations.

To know more about this phase of the DPI life cycle - Click

Click on any process listed below to learn about illustrative practices that can be implemented.

Driving continuous trust and adaptation:

• Have strong and transparent security standards in place, ensure they are well communicated in procurements, and receive confirmation that they are addressed by service providers.

• DPI should embed technical rules that enforce core privacy principles (e.g. data minimization, provisions to delink, and the ability to limit observability by purpose and time) and governments should enact legal safeguards around them.

Long-term effectiveness of DPI is contingent upon a robust legal, regulatory and institutional framework that promotes transparent and participatory governance focused on safety and inclusion.

Practices

• Require the creation of detailed documentation for every architecture component.

• Allocate resources to develop user-friendly tools and platforms for generating and disseminating reports on system performance.

• Invest in the integration of continuous feedback loops and audit mechanisms within the system design.

• DPI should share and reuse open protocols, specifications, Digital Public Goods (DPGs) and other building blocks. This enhances flexibility and assures that proprietary systems do not limit the ability to improve safety and inclusion.

• As DPI systems form the basis of a society’s infrastructure, they should be accompanied by a sustainable financing model. Governments can take lead in the build phase, and local digital ecosystems or the private sector can participate in operations and maintenance.

Not all individuals experience DPI in the same way, and some continue to face barriers and challenges related to their access or use. DPI should not exacerbate existing challenges or introduce new barriers and inequalities.

Practices

• Advocate for pricing models that ensure DPI accessibility, drawing inspiration from the West African Economic and Monetary Union (WAEMU) to reduce transaction costs across 60 different payment types.

• Encourage governments to enforce subsidies, similar to India's model where citizens with digital identities and accounts receive government support, allowing the poorest individuals to access DPI services at no cost.

• Support technical assistance to implement affordability models effectively.

Practices

• Require the creation of detailed documentation for key architecture components, balancing the need for transparency with protecting proprietary elements created by private sector participants.

• Allocate resources to develop user-friendly tools and platforms for generating and disseminating reports on system performance.

• Invest in the integration of continuous feedback loops and audit mechanisms within the system design.

Practices

• Encourage the establishment of a pooled fund, where donors, governments, and ecosystem participants contribute financial resources specifically earmarked for supporting community engagement.

• Provide direct funding to grassroots and community-based organizations that represent affected groups, empowering them to lead engagement efforts.

A process is a series of activities required to produce a result which may occur once or be recurrent or periodic. In the Framework, principles are translated into processes relevant to responsible authorities at appropriate life cycle stages.

Practices

• Encourage a mixed-financing approach for DPI, leveraging both public funds and contributions from private sector partners, as seen with Belgium’s Itsme platform. Promote the adoption of a not-for-loss revenue model, like India’s Unified Payments Interface (UPI), where sustainability is achieved through low transaction fees or data services.

Practices

• Require the creation of detailed documentation for key architecture components, balancing the need for transparency with protecting proprietary elements created by private sector participants.

• Allocate resources to develop user-friendly tools and platforms for generating and disseminating reports on system performance.

• Invest in the integration of continuous feedback loops and audit mechanisms within the system design.

• Independent, transparent and continuous assessments (such as human rights due diligence and data protection) should engage with people, review evidence and rapidly cease or initiate activities that contain heightened risks or harms.

F4.1.1 Plan for and produce detailed documentation and ensure it is available for every architecture component, covering design, implementation, and decision-making processes.

F4.1.2 Create accessible platforms where this information can be easily retrieved by stakeholders, ensuring transparency.

F4.1.3 Implement a process for regularly updating and reviewing architectural documentation to reflect system changes and maintain accountability.

Practices

• Start by funding pilot projects that demonstrate cross-sector applicability, such as India's DigiLocker, which began as a digital storage solution for government-issued documents and has since expanded to health, education, and financial services.

• Encourage collaboration among developers and stakeholders to refine and adapt these components, ensuring they meet the specific needs of diverse sectors while maintaining interoperability and reducing development costs.

Practices

F5.1.1 Require informed consent before using personal data for secondary, unrelated purposes, unless legally mandated or authorized (e.g. when necessary and proportionate).

F5.1.2 Implement an administrative error correction process to increase speed and reduce costs, avoiding judicial procedures where possible.

Resources

Practices

• Conduct public campaigns for all population to educate on the available legal remedies.

• Monitor remedial mechanisms to ensure they are inclusive and effective.

Resources

Practices

• Utilize strategic litigation to address cases where the DPI fails vulnerable and marginalized communities, bringing these issues to public and legal attention.

• Provide counseling and support for affected and marginalized communities to document their experiences and challenges with the DPI.

• Set the agenda based on the work of civil society organizations by using documented cases and findings to advocate for changes in the DPI and influence policy discussions.

Practices

• Provide grants and funding to local organizations that offer digital literacy training, particularly in underserved communities.

• Fund the creation of educational materials (e.g., online courses, video tutorials, and printed guides) that cater to different literacy levels and are available in multiple languages.

Practices

• Develop and implement design protocols that recognize and respect the diverse identities of ethnic, religious, gender and other minority groups, ensuring these identities are accurately represented in DPI systems.

• Incorporate specific design measures that ensure accessibility for persons living with disabilities, including features like screen readers, voice commands, and easy-to-navigate interfaces.

• Develop legal guarantees that ensure the recognition of diverse identities in official identity documents.

Resources

Practices for Government

• Create and maintain active platforms, including digital tools and online spaces, where diverse stakeholders are engaged in DPI projects.

• Implement capacity building programs to enhance stakeholders' understanding and effective participation.

• Ensure participation from all groups (CSO, Government, Technology providers, Regulators, minorities, etc..)

Practices for Advocates

• Advocate for and facilitate platforms where all stakeholders are engaged on DPI projects.

• Ensure participation from all groups (CSO, Government, Technology Providers, Regulators, minorities, etc..).

Practices for Government

• Engage collectives and civil society organizations in the design process to ensure that solutions are co-created with the input of those who will benefit from them.

• Regularly test prototypes with gender-diverse users to gather feedback on functionality and accessibility.

• Continuously refine and improve prototypes based on the results of usability testing and feedback sessions.

Practices for Technology Providers

• Offer ongoing training for designers and developers on gender-inclusive design principles to enhance their understanding and implementation of these practices.

• Collaborate with women’s organizations and civil society groups to support continuous improvement in gender-inclusive design.

• Actively work to identify and resolve any negative effects uncovered during social audits and assessments.

Practices for Government

• Identify and engage key ministries and partners, such as the Ministry of Telecoms/ICT, CSOs, Ministry of Social Development, Ministry of Health, and Ministry of Women, based on the specific infrastructure being developed.

• Recognize and communicate from the outset that this is a collective effort, fostering cross-ministerial collaboration and shared ownership of the safeguards and their implementation.

Practices for Donors

• Identify and engage key ministries and partners, such as the Ministry of Telecoms/ICT, CSOs, Ministry of Social Development, Ministry of Health, and Ministry of Women based on the specific infrastructure being developed.

• Recognize and communicate from the outset that this is a collective effort, fostering cross-ministerial collaboration and shared ownership of the safeguards and their implementation.

Practices for Government

• Evaluate a mixed-financing approach, incorporating both government funding and external financial vendors, similar to Belgium's Itsme platform, which combines public and private sector resources.

• Consider adopting a not-for-loss revenue model like India’s Unified Payments Interface (UPI), where transaction fees or data services sustain operations without prioritizing profit.

Practices for Donors

• Encourage a mixed-financing approach for DPI, leveraging both public funds and contributions from private sector partners, as seen with Belgium’s Itsme platform. Promote the adoption of a not-for-loss revenue model, like India’s UPI, where sustainability is achieved through low transaction fees or data services.

Practices

• Launch public awareness campaigns to educate communities about the importance of data privacy and the potential risks associated with DPI. Use tools like social media, webinars, and public forums.

• Develop and distribute easy-to-understand guides and resources on data privacy best practices for the general public.

Practices

• Delineate liability and recourse mechanisms within the legal framework, ensuring that individuals have clear protections against inappropriate data access, undue surveillance, and unlawful profiling.

• Empower independent regulatory bodies with specific powers and consistent funding to oversee the enforcement of these legal frameworks, fostering public trust.

• Balance regulatory and self-regulatory models to promote innovation and investment without compromising legal protections or stifling competition.

• Establish legal and regulatory frameworks that ensure cross-border interoperability and mutual recognition of identification systems (and other DPI systems).

Resources

This page contains the practices for Process F4.1 for Principle F4 to mitigate risks R9

Practices

F4.1.1 Plan for and produce detailed documentation and ensure it is available for every architecture component, covering design, implementation, and decision-making processes.

F4.1.2 Create accessible platforms where this information can be easily retrieved by stakeholders, ensuring transparency.

F4.1.3 Implement a process for regularly updating and reviewing architectural documentation to reflect system changes and maintain accountability.

F4.1.4 DPI operators must provide frequent, comprehensive reports on system performance, usage statistics, incident responses, and any significant changes or updates. These reports should be easily accessible to the public and presented in a format understandable to non-technical audiences.

Practices

• Mandate that the specific purpose for data collection and exchange is clearly defined, documented and communicated to the data owners.

• Initiate special audits or surveys to understand the operators' feedback on the operation and the impact of purpose limitation clauses.

Resources

Practices for Regulators

• Create an independent oversight body with the authority to investigate complaints and ensure fair treatment.

• Implement accessible reporting channels and support services to assist individuals in filing grievances.

Practices for Advocates

• Develop toolkits and resources to help individuals understand and access these remedies, and create platforms for reporting and documenting issues.

• Facilitate workshops and training sessions to empower individuals and advocate for their rights.

• Build alliances with legal experts to provide pro bono assistance and amplify voices calling for justice and accountability.

Practices

F8.1.1 Ensure DPI systems clearly display the responsible public authority and contact information for complaints and inquiries, especially when serviced by third-party providers.

F8.1.2 Advocate for the integration of secure grievance and redress mechanisms into DPI systems.

F8.1.3 Support initiatives that provide legal aid to help individuals navigate the redress process.

F8.1.4 Promote the need for independent judicial oversight.

Practices

F3.1.1 Establish physical locations to ensure accessibility in underserved areas.

F3.1.2 Train staff to provide consistent and respectful service, with language support and feedback mechanisms.

F3.1.3 Implement legal protections to access essential services and participate

Practices

• Engage in active advocacy for the inclusion of environmental impact assessments in DPI projects by organizing awareness campaigns and public forums.

• Collaborate with environmental experts to create guidelines that highlight the importance of aligning with NDCs and promoting carbon neutrality.

• Monitor and report on the adoption of green technologies and practices within DPI initiatives, and use this data to lobby for stronger regulations and incentives for sustainable practices.

This page explains the practices for the and to minimize the

Practices

F6.1.1 Ensure all communications about data usage are clear, concise, and can be easily understood by non-technical audiences. Mandate sample and demonstrative tools for open and granular consent.

Practices

O6.1.1 Design systems to manage different language.

Practice

• Conduct baseline studies and contextual analyses to assess the feasibility, benefits and risks of DPI in specific settings.

• Compare DPI with alternative policy options, considering factors like inclusivity, scalability, cost-effectiveness, and potential for unintended consequences.

• Engage stakeholders, including civil society, industry experts and end-users in the evaluation process to gather diverse perspectives.

Practices

• Implement independent monitoring of DPI to ensure efficiency, transparency and compliance with applicable laws, while identifying issues such as exclusion, misuse, or system failures.

• Establish mechanisms for rapid, low-cost reviews of disputes related to DPI and personal data by independent administrative and judicial authorities. These authorities should have the power to provide suitable redress without adding barriers for individuals seeking resolution.

Resources

Practices

• Create a centralized internal platform or dashboard where feedback from stakeholders can be collected, organized and categorized.

• Ensure that all input is reviewed and prioritized before being communicated to DPI implementors.

Resources

This page dives into practices for Process F9.1 and Principle F9 to mitigate risks R

Practices

F9.1.1 Example: For carbon neutrality, reference to NDC can be made.

Practices

• Enforce regulations that recognise individuals as the primary owners of their personal data, granting them the right to access, correct and delete their data.

Resources

Practices

• Set up assessments to evaluate market conditions and take proactive steps to prevent against monopolies.

Resources

Practices

O1.1.1 Facilitate capacity-building initiatives that empower civil society organizations (CSOs) with the knowledge and tools needed to engage with DPI effectively. This could include training sessions, resource sharing and technical support.

O1.1.2 Establish and strengthen connections between CSOs, government entities, and private sector organizations to foster collaboration and enhance the impact of civic tech solutions.

O1.1.3 Advocate for private sector engagement with last-mile organizations and rural-based civic tech groups to ensure that DPI is inclusive and accessible to underserved communities.

Practices

• Ensure clear separation between the role of supervisor/regulator and infrastructure operator.

• Include market participants in multi-stakeholder governance and standard-setting processes.

Resources

Practices

• Allocate dedicated funding to support a local developer ecosystem, ensuring continuous access to skilled talent.

• Establish procurement processes that prioritize local developers, providing them with the tools, infrastructure and training necessary to maintain and advance digital public infrastructure.

Resources

Practices

• A user interacting via the DPI with other parties is protected from tracking and profiling by privacy-enhancing technologies like pairwise-pseudonymous identifiers, zero-knoweldge proofs and unlinkability, while allowing for responsible data use in cases such as financial inclusion where responsible tracking is critical to address user needs.

• Users should be free to chose to be identified with more than one identifier.

Resources

Practices

• Clearly define what constitutes 'coercion' in the context of legally binding consents, including threats, undue pressure, manipulation or exploitation.

• Account for coercive practices when used for legally binding consents, such as credit contracts, payments, or matters of divorce and custody.

Practices

• Consider wider scenarios for data leakage, including potential vulnerabilities in data sharing and storage practices.

• Analyse stakeholder interests and concerns to ensure safeguards align with their needs and expectations, particularly regarding data privacy and security.

• Establish liability regimes for data leakage scenarios, clearly defining accountability and responsibilities to protect stakeholder interests.

Practice

• Incorporate detailed provisions within the legal framework that specify permissible data collection, usage, and sharing practices, to name a few, particularly focusing on data protection, privacy, and user rights.

• Issue practice directions for the review of security services’ requests for data access, stipulating minimum evidentiary requirements for such approvals, which must be granted by properly constituted courts with requisite knowledge of the subject matter.

• Assess the legal framework regularly.