When 14 million Australasian customers had their drivers’ licences, passports and other data exposed in a recent cyberattack, Liz McPherson, New Zealand’s Deputy Privacy Commissioner, had a clear message for businesses: “Don’t collect or hold onto information you don’t need. The risk is simply too high.”
However, according to leading paytech experts Worldline, New Zealand organisations don’t necessarily have the right tools to safely collect the data they need without also collecting unnecessary extra information. This creates big data security risks.
Avoiding that risk requires new ways of sharing information securely – which is why digital identity services will be a vital piece of the data security puzzle in the future, says Julia Nicol, Head of Public Affairs at Worldline.
Digital identity is a verified record of your essential information. It can help let others know ‘what’ you are without necessarily sharing ‘who’ you are. For example, it can confirm if you are old enough to buy restricted goods or services, if you have a licence to drive a car, and if you are a student and so qualify for certain discounts. That information is kept only by you and can be stored digitally on your phone, requiring a robust authentication method to access or share – such as your fingerprint or face.
When a business needs an item of data, such as confirmation you are 18 or over, it sends a request to your phone. It’s effectively asking: Is this person over 18? If you choose to share that information, your phone would essentially reply: Yes, this person is over 18. The information is encrypted and nothing more would be shared. Even your date of birth remains unshared, and you don’t need to pull out a card, physical document, or driver’s licence.
Presently Nicol says we’re sharing too much information – and certainly more information than is required for the services sought:
“I hired a car recently and had to hand over my credit card and my driver’s licence. The car rental company was given information they need, and information they don’t. They wrote down everything on a piece of paper, including my credit card number, and put it in a drawer. The business had a whole file of documents containing people’s personal details in a drawer,” says Nicol.
“Even if they scan these and then store them in a file on their computer system somewhere, that’s a situation just waiting for a data security problem to happen.”
Risks can also arise when applying for a loan through a financial advisor or mortgage broker – or any other time you need to prove your identity, as part of usual anti-money laundering processes. These companies need to verify your identity, but it’s common for them to take copies and store those in a way that puts them at risk of a cybersecurity breach.
One of the major advantages of a digital identity, says Nicol, is that only the information that is truly required is handed over and, when it is, it’s encrypted.
“Right now, if someone wants to buy a house, they have to share a lot of information with a lot of different parties, such as banks, mortgage brokers, accountants, lawyers and real estate agents,” she says.
“A digital identity service would mean less friction – as you do not need to cart around physical documents – and the data is already verified, so it can be trusted. This means you wouldn’t need to get your paperwork certified by a JP or a solicitor, and you’re only sharing the bare minimum required information with the parties that need it.”
Even something simple, like age verification, often leads to data oversharing. If you want to buy a bus ticket and make use of an age-related discount, you’ll often need to show a student ID or driver’s licence.
But all the merchant needs is verification of your age bracket or that you’re over a certain age, says Nicol. They don’t need your actual date of birth, place of study or address.
With digital identity, the bus ticketing system would send a request to confirm your age bracket. You would agree and consent to share information that you are within that bracket – and that information alone would be shared, with no date of birth required. It would instantly ping back to the bus ticketing system and the purchase for the correct ticket would be completed.
“You can make sure you’re getting the right ticket and your information is being better protected,” says Nicol. “It’s also good for the bus company because they’re not being defrauded.”
She points out that better age verification will also reduce harm by preventing unlawful access to restricted products and services like firearms, pornography, gambling and online alcohol purchases: “People who are underage won’t be able to access those as easily.”
Nicol says Worldline started the groundwork with Online EFTPOS, an open banking payments product: “With Online EFTPOS, you simply enter your phone number on your banking app, the merchant pushes out a notification, and if you confirm the transaction, that confirmation allows the payment to go ahead.
“At no point do you need to enter your banking login or password into a third-party payment site – which is a security risk.”
Digital identity services take this convenience and security much further, allowing people to significantly minimise the risk of personal information being leaked in a data breach.
“The government is already working on a framework for digital identity providers, which will allow digital identity service providers to become accredited,” says Nicol.
“A central digital identity could streamline health services, births, deaths and marriages – and you could even share vaccine information without anyone needing your name or date of birth.”
Digital identity services will have huge benefits for consumers and businesses. They will allow consumers to be more in control of their own information and should make it much easier for organisations to comply with the Privacy Act.
“At Worldline, we take information protection seriously and digital IDs will open up better ways to share information and make payments,” says Nicol. “This is a really positive change that will make the digital world safer.”