DPI should be developed with democratic participation, have public oversight, promote fair market competition and avoid vendor lock-in. All partnerships should be transparent, accountable and publicly governed.

Ensure that everyone (especially indigenous communities with sui generis rights), on their own or with assistance, can take control of their data, promote their agency, exercise choice, and contribute to their society’s well-being.

All stages of the DPI life cycle should centre on the needs and interests of individuals and communities at risk. They should participate at critical junctures and provide feedback actively in an environment of transparency and trust.

Complaint response and redress mechanisms, avenues for appeal without reprisal, supported by robust administrative and judicial review, should be accessible to all in a transparent and equitable manner during service delivery.

DPI should be introduced with a clear legal basis, with required legal and regulatory aspects embedded into its design, supported with capacity for sector specific tailoring (such as health), implementation, oversight and regulation by law.

All individuals, regardless of intersecting identities, should have unbiased access and equal opportunity. Risks due to the circumstances of all vulnerable communities, historically marginalized groups and those who opt-out should be mitigated.

• DPI should foster an increasingly inclusive environment for public and private innovation such that market players compete and introduce diverse solutions that cater to the emerging needs of all participants in society.

• DPI should embed technical rules that enforce core privacy principles (e.g. data minimization, provisions to delink, and the ability to limit observability by purpose and time) and governments should enact legal safeguards around them.

• Independent, transparent and continuous assessments (such as human rights due diligence and data protection) should engage with people, review evidence and rapidly cease or initiate activities that contain heightened risks or harms.

Driving continuous trust and adaptation:

O1. Leverage market dynamics

O2. Evolve with evidence

03. Ensure data privacy by design

O4. Assure data security by design

05. Ensure data protection during use

O6. Respond to gender , ability or age

O7. Practice inclusive governance

• Have strong and transparent security standards in place, ensure they are well communicated in procurements, and receive confirmation that they are addressed by service providers.

• DPI should embed technical rules that enforce core privacy principles (e.g. data minimization, provisions to delink, and the ability to limit observability by purpose and time) and governments should enact legal safeguards around them.

Long-term effectiveness of DPI is contingent upon a robust legal, regulatory and institutional framework that promotes transparent and participatory governance focused on safety and inclusion.

• As DPI systems form the basis of a society’s infrastructure, they should be accompanied by a sustainable financing model. Governments can take lead in the build phase, and local digital ecosystems or the private sector can participate in operations and maintenance.

Not all individuals experience DPI in the same way, and some continue to face barriers and challenges related to their access or use. DPI should not exacerbate existing challenges or introduce new barriers and inequalities.

• DPI should share and reuse open protocols, specifications, Digital Public Goods (DPGs) and other building blocks. This enhances flexibility and assures that proprietary systems do not limit the ability to improve safety and inclusion.

The building blocks for safe and inclusive DPI:

• F1. Do no harm

• F2. Do not discriminate

• F3. Do not exclude

Principles are core propositions that form the foundation of a flexible, universal framework that guides the effective functioning of a DPI. The purpose of DPI is to maximize participation, agency and trust for all individuals. This implies that the risks described in the previous sections need to be mitigated, and residual risks need to be managed in the context of each country’s sociopolitical environment. To achieve this, all responsible authorities should be guided by a set of principles to ensure trust and coordinated responses throughout the DPI life cycle. These principles form a common language that helps to build mutual understanding and support ongoing cooperation.

The principles listed in the Framework are shaped by various research methods, including consultations with diverse stakeholders, a review of secondary resources, case study analysis and discussions with country-based implementers. As the DPI landscape evolves, these principles should be periodically reviewed and updated.

The principles are divided into two categories: (1) and (2) . The former refers to principles that should serve as the basis for any DPI, while the latter refers to principles that come into play at an operational level and may vary across contexts.

Inculcating foresight is key to anticipating and limiting long term and inter-generational harms. For example, mitigating the environmental impact with a net-zero strategy or minimizing resource needs with reuse of software.

Harms to individuals may not be immediately obvious. A human rights-based framework should be integrated throughout the DPI life cycle to anticipate, assess, and effectively mitigate any potential human rights harms and power differentials.

All individuals should have a choice of channels (digital/non-digital) to access and benefit from services enabled by DPI based on their individual capacity and resources. Access should not be limiting, conditional or mandatory — explicitly or in practice.