Conformity Assessment Scheme: Digital Trust and Identity for use by Public Sector and Regulated Programs
Please note that the national standard CAN/CIOSC 103-1: 20XX (Second Edition) | Digital Trust & Identity – Part 1 is currently available for public review until Sept 21, 2022. You can comment on the draft directly on the website (be sure to select the lower second button).
Digital Trust and Identity systems are emerging as critical infrastructure and are now becoming the crucial underpinning of government and private sector digital services. To address the market need and to ensure confidence in these systems, CIOSC is developing conformity assessment schemes and has applied for accreditation with the Standards Council of Canada.
This repository defines the conformity assessment scheme for Trusted Digital Identities for use by Public Sector and Regulated Programs. This scheme is intended to be applied in conjunction with the national standard CAN/CIOSC 103-1: Digital Trust and Identity (this link is to the current edition of the standard and a public preview of the next edition of the standard). This standard (and editions thereof) is based on the Public Sector Profile of the Pan-Canadian Trust Framework Version 1.4.
- Public Sector Programs are any public programs or services using a trusted digital identity that is directly provided by a federal, provincial, territorial or municipal government. The services may include, but are not limited to: government sign-in services, online benefits delivery, or licensing and permits. Examples of trusted digital identity services used in this context are the BC Services Card and MyAlberta DigitalID programs.
- Regulated Programs are any private sector or not-for-profit programs or services using a trusted digital identity that is subject to regulatory requirements such as Know Your Client (KYC), or Anti-Money Laundering (AML). These services include the broader public sector, not-for-profit organizations, and for-profit organizations subject to regulatory requirements. Examples include, but are not limited to: educational institutions, open banking, insurance, health care, hospitals, or any commercially-available service. An example of a trusted digital service used in this context is the Canada Post IdentityComplete program.
- The scope of the conformity assessment scheme and its application may be restricted to assess a service or program in relation to the provision of attributes related to trusted digital identity only, or
- The scope of the conformity assessment scheme and its application may be broadened to assess a service or program in relation to the provision of additional attributes required for the purposes of eligibility (beyond the strict definition of trusted digital identity). Examples of additional attributes may include citizenship, residential address, health status, income level, professional qualifications, etc.
In all cases, scope and application must be agreed on and documented at the beginning of the assessment engagement.
Link to Scheme Manual
Conformity assessment scheme documents available for direct download are found in this folder. As these documents are subject to change, please note the commit details when you download. Alternatively, you can fork the repository, or run git clone https://github.com/CIOSC/CAS-TDI-Public.git to maintain your own copy of the repository.
A Primer Document is being developed for those who are unfamiliar with the standards development and certification process.
An Orientation Video to guide users around the various pieces of the repository (subject to change)
An Overview Video describing the global context and the benefits to the public sector: [Accreditation: A global tool to support public policy]
The scope of the scheme Trusted Digital Identities for use by Public Sector Services may include part or all of the following:
- Persons: all citizens and residents of a jurisdiction (including deceased persons) for whom an identity has been established within a jurisdiction.
- Organizations: all organizations registered within a jurisdiction (including inactive organizations) for which an identity has been established within that jurisdiction; and/or,
- Relationships: of persons to persons, organizations to organizations, and persons to organizations.
The scope of assessment is finalized as part of the assessment and certification engagement. This is detailed in the Scheme Manual currently under development.
- This scheme is intended to be used in conjunction with, but not limited to, accredited conformity assessment bodies and standards.
- This scheme is technology-agnostic and defined in a manner to allow for the impartial assessment of different platforms, services, architectures, and technologies. As such, this scheme does not recommend one technology solution over another.
- This scheme does not confer authority and is intended to work with existing legal, policy and governance frameworks.
- This scheme may be applied in other contexts (international, domestic, etc.).
- The scheme has been designed so that minimal tailoring is required for different contexts.
Stakeholders include, but are not limited to:
- Any public or private sector entity wishing to become certified as an issuer of trusted digital identities for use by public services.
- Business owners and program managers – to enable identity solutions in order to achieve business objectives or program outcomes.
- Regulatory and oversight bodies – to understand the implications on their role in the digital ecosystem; and
- Digital Identity technology and service providers – to understand where they fit in the digital ecosystem and to help define requirements for their products and services.
Users include but are not limited to:
- Relying Parties who are accountable for providing high-value services to individuals and organizations in a safe, secure, and inclusive manner.
- Programs or business units who are accountable for issuing trusted digital identities for persons that are intended for use by public sector programs.
- Independent Auditors wishing to provide conformity assessment or related services.
- This document contains information licensed under the Open Government Licence – Canada. Details of the licence can be found at: https://open.canada.ca/en/open-government-licence-canada
- CAN/CIOSC 103-1 Digital Trust and Identity: Fundamentals. Preview Draft of 2nd edition for Public Review
- Public Sector Profile of the Pan-Canadian Trust Framework Version 1.4
- Conformity Assessment Tools to Support Public Policy