Directive on Identity Management

Ensures effective identity management practices by outlining requirements to support departments in the establishment, use and validation of identity information.
Date modified: 2019-07-01

Supporting tools

Guidelines:

Standard:

More information

Policy:

Terminology:

Topic:

Hierarchy

Archives

This directive replaces:

View all inactive instruments
Print-friendly XML

Note to reader

The Directive on Identity Management took effect on July 1, 2019. It replaced the Directive on Identity Management that was in effect from July 1, 2009 to June 30, 2019.

1. Effective date

  • 1.1This directive takes effect on July 1, 2019.
  • 1.2This directive replaces the Directive on Identity Management, dated July 1, 2009. 

2. Authorities

  • 2.1This directive is issued pursuant to the same authorities indicated in section 2 of the Policy on Government Security.

3. Objectives and expected results

  • 3.1The objectives of this directive are as follows:
    • 3.1.1To manage identity in a manner that mitigates risks to personnel and organizational and national security, while protecting program integrity and enabling trusted citizen-centred service delivery;
    • 3.1.2To manage identity consistently and collaboratively within the Government of Canada and with other jurisdictions and industry sectors, where identity of employees, organizations, devices and individuals is required; and
    • 3.1.3To manage credentials, authenticate users or accept trusted digital identities for the purposes of administering a program or delivering an internal or external service.
  • 3.2The expected results of this directive are as follows:
    • 3.2.1Interoperability, as appropriate, that supports participation in arrangements for trusted digital identity; and 
    • 3.2.2Integration of a standardized identity assurance level framework into departmental programs, activities and services, consistent with a government-wide approach.

4. Requirements

  • 4.1Program and service delivery managers are responsible for the following:
    • 4.1.1Applying identity management requirements when any of the following conditions apply:
      • 4.1.1.1Unique identification is required to administer a federal program or service enabled by legislation;
      • 4.1.1.2Disclosure of identity is required before receiving a government service, participating in a government program, or becoming a member of a government organization; or
      • 4.1.1.3Accuracy and rightful use by individuals, organizations and devices of credential and identity information are required;
    • 4.1.2Ensuring that there is a need and the lawful authority for identification to support program administration, government-wide service delivery and, as required, to facilitate law enforcement, national security and defence-related activities;
    • 4.1.3Documenting identity management risks, program impacts, required levels of assurance, and risk mitigation options;
    • 4.1.4Selecting sufficient and appropriate identity attributes to distinguish a unique identity to meet program needs, in a manner that balances risk and flexibility and allows other methods of identification, where appropriate;
    • 4.1.5Evaluating identity and credential risks by assessing potential impacts to a program, activity, service or transaction;
    • 4.1.6Applying the required identity and credential assurance levels and related controls for achieving assurance level requirements, in accordance with Appendix A: Standard on Identity and Credential Assurance;
    • 4.1.7Accepting trusted digital identities provided through an approved trust framework as an equivalent alternative to in-person interactions, by assessing the following:
      • 4.1.7.1Identity and program-specific information: Selecting sufficient and appropriate attributes to uniquely identify individuals and personal information required to administer a program or deliver a service;
      • 4.1.7.2Identity assurance and credential assurance, as outlined in Appendix A: Standard on Identity and Credential Assurance;
      • 4.1.7.3Identity registration: Associating identity and personal information with a credential issued to an individual; and
      • 4.1.7.4Notice and consent: Ensuring that notices are clear, appropriate for the purpose, and accessible in order to obtain meaningful consent for the collection, use and disclosure of personal information;
    • 4.1.8Consulting the Chief Information Officer for the Government of Canada when establishing agreements or adopting trust frameworks; and
    • 4.1.9Using mandatory enterprise services for identity management, credential management and cyber authentication.
  • 4.2Heads of Human Resources are responsible for the following:
    • 4.2.1Assigning each federal public service employee a unique Personal Record Identifier (PRI) for the management of employee-related information and transactions; and
    • 4.2.2Assigning an additional unique identifier to each employee who must be identified to an organization external to the federal public service.

5. Roles of other government organizations

  • 5.1The roles of other government organizations in relation to this directive are described in section 5 of the Policy on Government Security.

6. Application

  • 6.1This directive applies to the organizations described in section 6 of the Policy on Government Security.

7. References

  • 7.1The references indicated in section 8 of the Policy on Government Security apply to this directive.

8. Enquiries

  • 8.1Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this directive.
  • 8.2Individuals from departments should contact their departmental security management group for information about this directive.
  • 8.3Individuals from the departmental security group may contact the Security Policy Division at the Treasury Board of Canada Secretariat by email at SEC@tbs-sct.gc.ca for interpretation of any aspect of this directive.

Appendix A: Standard on Identity and Credential Assurance

Provides details on the minimum requirements for establishing an identity or credential assurance level for a Government of Canada program or service. The Standard on Identity and Credential Assurance can be found here: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32612

Appendix B: Definitions

Definitions to be used in the interpretation of this directive can be found in Appendix B of the Policy on Government Security.

© His Majesty the King in Right of Canada, represented by the President of the Treasury Board, 2017,
ISBN: 978-0-660-09646-9

Date modified: