This document considers the competing requirements of privacy and accountability as they apply to identity management. Based on the requirements of GDPR applied to identity attributes, two forms of identity with differing balances between privacy and accountability are suggested, termed "publicly-recognised identity" and "domain-specific identity". These forms of identity can be further refined using "pseudonymisation" and as described in GDPR. This leads to different forms of identity on the spectrum of accountability vs privacy. It is recommended that the privacy and accountability requirements, and hence the appropriate form of identity, be considered both when designing an identification scheme and when data processing systems adopt a scheme. Users should also be aware of the implications of the form of identity a system requests, so that they can decide whether it is acceptable.