This document considers the counteracting requirements of privacy and accountability applied to identity management. Based on the requirements of GDPR applied to identity attributes, two forms of identity, with differing balances between privacy and accountability, are suggested, termed "publicly-recognised identity" and "domain-specific identity". These forms of identity can be further refined using "pseudonymisation" and as described in GDPR. This leads to different forms of identity on the spectrum of accountability vs privacy. It is recommended that the privacy and accountability requirements, and hence the appropriate form of identity, are considered in designing an identification scheme, and in the adoption of a scheme by data processing systems. Also, users should be aware of the implications of the form of identity requested by a system so that they can decide whether this is acceptable.