Yoti blog
Stories and insights from the world of digital identity
Getting to grips with GDPR: The right to have data restricted
The sixth article in our series on GDPR rights is about the right to have data restricted. Catch up on previous articles on your right to be informed, the access right, correction right, deletion right, and the right to object. Part 6: The right to have data restricted This right is not strictly new, as current law provides for a court to be able to order an organisation to restrict their processing of certain data, but GDPR makes it a right you can exercise directly with an organisation. This right is essentially like putting your personal data in limbo – the organisation can continue to store it, but they cannot actively do anything with it. What’s new? You can ask an organisation to restrict your data in the following circumstances. Where you dispute the accuracy of the personal data you can ask the organisation to restrict it until the dispute is resolved. Where you have objected to the organisation processing your personal data (see part 5 of our blog post series for more information on the objecion right) you can ask the organisation to restrict it until the issue is resolved. When the organisation has processed your data unlawfully, you can request restriction instead of deletion. If the organisation no longer needs the personal data (and so would ordinarily delete it) but you need the data to establish, exercise or defend a legal claim. The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request. Fees and timescales Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month. You can make a restriction request to privacy@yoti.com.
Getting to grips with GDPR: The right to object
The fifth blogpost in our series on GDPR rights is about the objection right. Catch up on previous articles on your right to be informed, your access right, your correction right, and your deletion right. Part 5: The right to object There is already a right to object in current UK data protection law (the right to prevent processing), but it is set out a little differently to the GDPR right. In both current law and GDPR there are two aspects to this right: The right to object to direct marketing. The right to object to other processing of your information. Objecting to marketing The right to object to marketing is a straightforward right that always applies. This means you can say ‘no thanks’ at any time to stop getting marketing from an organisation. All e-mail marketing should have an unsubscribe link in it (or other method to say no thanks). Organisations should tell you how and make it easy to stop getting marketing. GDPR adds to your right by including any profiling that has been carried out in relation to sending you marketing. Objecting to other processing The right to object to other processing is more complicated and only applies in certain circumstances. Under current UK data protection law, you can prevent processing of your personal information if that processing is causing, or could cause, you substantial and unwarranted damage or distress. However, this right doesn’t apply if you gave your consent to the processing, if it’s necessary to deliver the product / service, if it’s a legal obligation or if it’s in your vital interests (life or death scenarios). Under GDPR, there are similar restrictions on when the right applies, but there is no threshold of damage or distress. So you can object to processing where the lawful basis is ‘legitimate interests’ or ‘public interest’ or where the processing is for scientific / historical research purposes. (However, for research, the right doesn’t apply if the research necessary for a task that is being carried out for reasons of public interest.) When does the right not apply? An organisation does not have to stop processing your personal information if: they can demonstrate compelling legitimate grounds for the processing, which overrides your objection; or the processing is to establish, exercise or defend legal claims. You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it. The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request. Fees and timescales Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month. What is Yoti doing? For marketing: Yoti only has your e-mail addresses for marketing purposes if you gave it to us because you wanted to hear from us. If you want to unsubscribe from e-mail marketing, use the unsubscribe link in the e-mail. For other processing: most of the personal information processing we do in relation to our app, products and services is necessary to deliver the app, products and services. For biometric data processing as part of the app’s security, we ask for your consent, which you can withdraw in settings at any time. Therefore, for app users, the only processing we do on the basis of ‘legitimate interests’ and so that this right applies to, is our metrics to understand how our app is being used. We de-identify and aggregate that data so we have no way to connect it to an actual user. What other obligations do organisations have? As part of our other products and services (Dashboard, if you visit our office) we may have contact details from you as part of setting up accounts or signing in. The right to object applies to this information but we have justifiable business reasons for keeping it. You can contact our Data Protection Officer on privacy@yoti.com.
Getting to grips with GDPR: The right to request deletion
The fourth article in our series on GDPR rights is about the deletion right. Catch up on previous articles that cover your right to be informed, the access right, and the correction right. Part 4: The right to request deletion There has been a lot of hype and misleading information about this right and it is often called ‘the right to be forgotten’. The reality is that there is no such right, and it has always been the case that your right is to request deletion, not demand it. This is a complicated right in that it only applies in certain circumstances and, even where it applies, organisations won’t have to delete your information in some scenarios. In current UK law, this right is part of the right to correct data, in that a court can also order an organisation to delete inaccurate personal data. In practice, organisations will usually consider any deletion request they receive without insisting you go to court. Most organisations in most circumstances will have legitimate reasons for having or using your information, so they will not be required to delete it. The most likely reason for needing to delete it is if they should have already done so, and are continuing to hold information they no longer need. What’s new? GDPR provides a direct right to have an organisation delete your personal information in certain circumstances. The information is no longer necessary for the purposes for which the organisation collected/used it. The organisation collected/used the information based on your consent, and you withdraw that consent, and there is no other lawful grounds to keep it. You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it. You object to your information being used for direct marketing purposes. The organisation has collected/used the information unlawfully. The organisation has a legal obligation to delete the information. The organisation has collected the information to offer an online service to a child. What does this mean? The reality is that if you ask an organisation to delete your information, they will only have to do so where they have not complied with other GDPR or legal obligations. Essentially this is a ‘safety net’ right making sure that if an organisation still has information it shouldn’t, it must delete it. There are two exceptions in the list above, relating to marketing and children. The right to say ‘no thanks’ to marketing and have that respected has not changed under GDPR, so organisations will have to stop using your information for marketing if you ask them to. It is important to know that in practice the organisation will not actually delete the information, they will add your details to a suppression list. This is a list of contact details for everyone who has objected, and organisations check against this list when doing marketing, to make sure they don’t contact anyone who has said ‘no thanks’. If they deleted your data completely, they might collect it again somewhere else and not know that you have said you don’t want marketing. With regard to children, there is still uncertainty as to what the right to deletion means. The section in GDPR on offering online services to children (that this right refers to) is quite narrow, and is essentially a requirement to get parental consent, instead of the child’s consent, if the lawful grounds you are using is consent. (There are multiple lawful grounds an organisation can use, and consent isn’t always the most appropriate.) It’s not clear if the right to deletion applies only to the consent-based information collected to offer a child online services, or whether it applies to any information collected from or about a child when offering online services. In the UK the regulator (ICO) is drafting guidance on the children’s aspects of GDPR, so we hope to get clarity on this point soon. Automatically deleting your data For the above scenarios, GDPR describes this right as both the right for you to get your data deleted, and the obligation for an organisation to delete the data without undue delay. However, automatically deleting data might not actually be the best outcome or be in individuals’ interests. As mentioned above for marketing, deleting your data rather than adding you to a suppression list might mean you get more unwanted marketing! Also, if an organisation has been doing something it shouldn’t have with personal data, deleting the data may delete the evidence and prevent a regulator investigation or the ability for individuals to take legal action. What other obligations do organisations have? If the organisation has to delete your information, but has already made it public, they are obliged to inform other organisations who have it that you have requested its deletion. These other organisations should then delete their copy of your information or any links to it. What does that really mean though? This aspect of the right has come from court cases against Google relating to whether information they link to in search results should still be available. (See below for more information.) When does this right not apply? As mentioned in the first paragraph, even if your request for deletion matches one of the above list of circumstances, the organisation might still not have to delete your information, if one of the following applies. The organisation needs the information to exercise their right to freedom of expression and information. (This is likely to be more relevant to news organisations and publishers.) The information is necessary to comply with a legal obligation. (This could be where organisations are required by law to keep certain data for a certain amount of time for audit, tax or other purposes.) The information is necessary for an activity the organisation is carrying out that is in the public interest or as part of their official duties. (This is likely to be relevant to public sector bodies.) The information is necessary for reasons of public interest in the area of public health. The organisation needs the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting the data would make those purposes impossible or seriously impair the organisation from achieving its aims. (This is most likely to be used by official archiving or research bodies.) The organisation needs the information to establish, exercise or defend legal claims. The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions in current law that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request. The right to be forgotten by search engines As already mentioned, some aspects of this right come from court cases against Google, where individuals requested that certain information no longer appear in searches on their name. This is really about being delisted from search results, as the original publication of the information may have to remain. The court cases have looked at the balance between privacy and freedom of expression to set the lines on when each prevails. The decision in each of the cases depends on the facts of the case, and sometimes the court has decided the information is no longer relevant and so must not be linked to, whereas in other cases they found in favour of Google. Fees and timescales Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month. If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO). What is Yoti doing? You are able to delete your account at any time from within the app settings. If you delete the app before deleting your account you just lose the connection to your data, and it remains ‘orphaned’ in our system. We delete orphaned data after three years. If you use our Dashboard to create pages and applications as a way to collect personal information from others, you can also delete your account. Yoti will need to keep certain information for billing records and auditing purposes. You can make a deletion request to privacy@yoti.com
Yoti’s CEO Robin Tombs on the BBC Breakfast sofa talking biometrics
We knew something had to be done to fix the world’s broken identity system, and that the solution must put the consumer firmly in control of something as precious as their identity. It made no sense to us that while the rest of our lives were going digital, the way we proved who we are was stubbornly clinging to paper and card. We decided to use the advancements in biometrics and smartphones to develop a modern digital identity solution that gives people a simpler, faster and secure way to prove who they are. Yoti has been built using the latest technology including facial recognition, with the intention of solving the challenge of proving our identity. We use facial recognition to match people’s biometrics to their ID documents, giving them a secure digital identity they can use online and in person. This helps reduce identity theft, fraud and can help build trust online. The individual always consents to using their biometrics and knows how they will be used. Individuals also consent whenever sharing their details, and always get a receipt of what information they have shared. We believe in putting individuals in control of their data. We do not snoop on individuals using Yoti and we can’t see the details being shared. We charge a business a small fee for receiving verified details from a user. We have a simple, principled, transparent business model and an increasingly popular app with 1.1m installs and climbing. We have built Yoti in a way individuals told us they wanted digital identity to work. There are 6.3 billion smartphone users and we believe many of them will choose to create a digital identity to have an easier and safer way of proving who they are, online and in person.
Yoti and CitizenCard launch new digital ID card
Everyone needs a way to prove their identity. Whether it’s to collect a parcel from the post office, buy an age restricted item, open a bank account or apply for a job. For many young people, they’re too young to have a driving licence and their parents don’t want them to carry around a £49 passport simply to prove their age to see a film, buy a game or purchase a child’s train ticket. With almost 20% of people losing an ID document at least once a year, young people need a safer and more affordable way to prove their age and identity. Introducing the Yoti CitizenCard We’ve teamed up with CitizenCard to offer young people a £9 digital ID. Unlike other ID solutions, the Yoti CitizenCard allows young people to prove their age online and in person. They’ll be able to use the Yoti CitizenCard to: Prove their age and identity when travelling on public transport, going to cinemas, on nights out, and when buying games and age restricted goods like energy drinks and alcohol. Prove their age and identity to businesses online. Log in to websites without having to remember passwords. Verify the identities of people they meet online for safer encounters. They can also share specific attributes (i.e. just their name or age) without disclosing their full identity with a paper ID document; helping to protect from the ever-growing risk of identity fraud. Yoti CitizenCards display the Home Office-endorsed PASS (Proof of Age Standards Scheme) hologram and UV mark. The logos of the National Police Chiefs’ Council (NPCC) and the Security Industry Authority (SIA) also feature. The card is accepted by retail and night economy businesses. The Yoti SmartChip in the card will, in future, allow people to simply tap on a card reader to prove their identity. It could also enable payments, where parents top up the card with their child’s pocket money to bring safer spending than carrying cash – or be used for storing tickets and travel passes. Our solution is designed to give parents peace of mind, knowing that their child has a recognised national ID that’s safer to carry than passport, which if lost or stolen contains a large volume of sensitive personal data. We believe that everyone should be able to prove who they are when they choose to – but ID should be private, secure, voluntary and controlled by the individual, not by organisations. Private – prove ‘what’ you are without necessarily revealing who you are Secure – NO big database of profiles that reveals how and where people use it Voluntary – ID should empower people not be a means of tracking people This is just the start of a great partnership with CitizenCard. We’re excited to give families around the UK a simple and secure way to prove their identity, online and in person.
Yoti selected as the official identity provider for the Government of Jersey
Today marks a landmark day for Yoti. We have been selected as the identity provider for the Government of Jersey. Securing our first government contract is a huge milestone in our journey and something all of the team are incredibly proud of. Jersey’s search for an ID solution In August 2017, Jersey’s Government issued a tender which called for a digital ID solution. This was part of the eGov initiative to get more services online, such as filing a tax return, registering to vote and accessing the citizen portal. The Government wants to offer a greater range of online services but needs to be certain that the users are who they say they are. What does this mean for Jersey citizens? Yoti will give islanders a simple, fast and secure way to prove their identity, online and in person. They’ll be able to use Yoti to: Prove who they are when dealing with the States of Jersey online and in person, making it more convenient when using digital services and reducing the risk of identity theft and fraud Log into websites more securely without having to remember usernames and passwords – helping to protect online accounts and personal information Leave valuable ID documents safe at home and prove their age with their phone Prove their identity to businesses without showing and photocopying paper documents Jersey’s visionary choice to use a digital identity system will help its government bodies, businesses and citizens to get things done in a simple and secure way, with less risk of fraud – an issue which costs the global society billions every year. By giving individuals a free digital identity which they can create in minutes, businesses across a range of sectors can begin to leverage the benefits of digital identity into their own products and services, including finance, voting, healthcare, physical asset management, and many more. Assistant Minister, Deputy Scott Wickenden, said: “One of the reasons we have chosen Yoti is that its verification system can be used by many other organisations. People are more likely to sign up with a service that they can use for a number of different purposes, and because Yoti can verify identity, and therefore age, this means that a wide range of industries – from financial services to hospitality – can use it to verify the identities of their customers.” The States of Jersey’s Chief Executive, Charlie Parker, said: “This important piece of technology is fundamental to the restructuring of our public services and the provision of integrated, online services to islanders. We have established one set of standards for all our online services and now we have a digital ID system that allows islanders to interact with government on a confidential, secure basis. This is a vital step in modernising the States of Jersey, and in developing an effective, efficient and responsive public sector, with outstanding services at its core.” This is just the start of a great partnership with Jersey. We hope that their government, businesses and citizens will benefit from a secure digital identity system for many years to come. Time to raise a glass and celebrate!?
Essential reading
Get up to speed on what kind of company we are
How Curio traders in Malawi could benefit from digital identity
As we go about our social purpose work we regularly get to speak to local, national and international non-profit organisations. Over the years, we’ve found that many struggle to understand the many ways digital identity solutions might help them in their work. As part of our wider efforts to help the sector make sense of the technology, today we’re publishing the last in a series of articles looking at the use of digital identities in six different humanitarian and environmental settings. Please note that, while the technology use case is real, the scenarios are hypothetical in nature, and the projects do not exist as stated. Location Malawi Scenario Security for Curio Traders Background Visitors to Malawi are spoiled for choice when it comes to selecting authentic curios and souvenirs to take home with them. Apart from locally produced paintings, baskets and batiks, there are countless beautiful wooden carvings that are made on site and sold to visitors. Malawi has always been known for its talented wood carvers who create a diversity of sculptures and plaques depicting mostly African scenery, people and animals. Carved pieces by Malawian artists can be found in Buckingham Palace and the Vatican Museum, as well as in several churches in western countries, where they decorate the walls. Wood carving is a traditional Malawian art form and a skill that is passed from fathers to sons. Selling the pieces to tourists is a way for many families to earn a living as the ornate detail and beauty of the indigenous hardwoods from which they are made, are prized by tourists. Curio vendors have been assisted by the Malawian government, building markets in which the vendors may display their wares and conduct business. This has resulted in improved sales as the vendors do not need to pack up their wares and take them away each evening or cease business during times of inclement weather. The government promotes wood carving as a potential earner of foreign exchange through exports and a generator of income for poor Malawians. Challenge Since early 2020, the curio vendors in Malawi have suffered serious financial setbacks. With the start of the Covid-19 pandemic, international borders have been closed and tourism has ground to a halt. Some vendors have given up and moved back to rural areas where they hope to cultivate enough food to stave off starvation. Others remain at the markets where they spend the days polishing dust off their carvings and hoping that someone will come along and purchase something that day. A group of struggling vendors have got together to explore the possibility of sending small consignments of carvings to neighbouring South Africa which has a much larger and more affluent population. They hope that there will be a market for their goods, despite the current travel restrictions. Unfortunately, none of the men have passports and they have reservations about trusting an unknown transporter who may cross the border with their carvings and never be seen again. Solution The curio vendors set up a network of trusted members using certain digital identifiers. Members include wood carvers and potential transporters with driving licences and vehicles. To become a member, an individual must produce two significant pieces of identity documentation. These could be a national ID card, bank card, birth certificate, marriage certificate, driver’s licence or personal testimony from a village head. The documentation is photographed and stored in a database which also includes a photograph of the face of each member. Thereafter, members can identify themselves as authentic, bona fide traders using their photographs. This system would allow a registered and known transporter to collect a consignment of high-quality curios from verified members of the group. The transporter may agree to pay a sum of money as a deposit before leaving for the border with the curios. Once the curios have been sold to retailers in South Africa, the customs fees and transporter’s costs can be deducted and the remainder of the income paid to the Malawian vendors before the next consignment is collected. Read our other scenarios on how digital identity might: be used to monitor food and cash rations be used to help make cross-border trading easier help protect endangered southern ground hornbills in Zimbabwe promote education in Angola improve maternity and childcare in Kenya
How could digital identity improve maternity and childcare in Kenya?
As we go about our social purpose work we regularly get to speak to local, national and international non-profit organisations. Over the years, we’ve found that many struggle to understand the many ways digital identity solutions might help them in their work. As part of our wider efforts to help the sector make sense of the technology, today we’re publishing the fifth of six articles looking at the use of digital identities in six different humanitarian and environmental settings. Please note that, while the technology use-case is real, the scenarios are hypothetical in nature, and the projects do not exist as stated. Location Kenya Scenario Maternity and Childcare Clinic Background According to the World Health Organisation, 60% of mothers in sub-Saharan Africa give birth without ever consulting with a healthcare worker. This leads to an increase in the likelihood of complications that can cause maternal and child death. In Kenya, in particular, the mortality rate of mothers during pregnancy and childbirth is considered to be high and was given as 342 deaths per 100,000 live births in 2019. The reason for this is that many women live in rural areas where there are no health care clinics and they can therefore not access antenatal guidance or the help of trained health professionals. Transport to clinics in larger towns is also costly and this adds to the likelihood that pregnant women in Kenya will be unable to consult a health care worker for assistance. UNICEF states that “The causes of maternal death are mostly preventable”, and links decreased maternal mortality with regular attendance at an antenatal or primary health care clinic. Historically, Kenyan women had to pay a fee to attend a maternity clinic and this added to the inaccessibility of these services to the average mother-to-be. In 2013, the Kenyan government implemented a Free Maternity Service policy which resulted in an increase in the number of women who attended maternity clinics. In addition, Kenya has made great progress in recent years in institutionalising community primary health services. Numerous small maternity clinics have been established in rural areas, usually with the help of NGOs, donors and other stakeholders such as UNICEF and USAID. Trained nurses and midwives at these clinics focus on educating mothers-to-be about nutrition, childbirth and hygiene, and on assisting and supporting during the birth of the baby. Challenge With maternity clinics and antenatal services more accessible to Kenyan women than ever before, there has been a significant increase in the number of women seeking to register at these facilities. However, many of the women have no documentation and are unable to identify themselves officially. In rural communities, children are mostly born at home and their births are not recorded in a hospital. This means that many people in these communities have no birth certificates. In Kenya, a birth certificate is needed in order to apply for a national identity card which is, in turn, required for a biometric identity number – known as a Huduma Namba, or “service number” in Swahili. Rural women may therefore remain undocumented, along with millions of others in the Kenyan population. Solution A maternity clinic could register pregnant women who wish to make use of the antenatal and health care services offered. Registration would involve recording a woman’s name, address details and any other relevant information, along with a scan of her fingerprint or face. This is the same technology currently used by the Kenyan government authorities in their drive to register every citizen with a digital identity and work number. The database could be stored at the clinic of the woman’s choice, with an undertaking that she must return to the same clinic where she registered for all subsequent check-ups and health issues. Each time a patient returns for a check-up, she would use her fingerprint to authenticate her identity. This would enable the clinic to monitor the progress of the woman’s pregnancy and ensure she attended antenatal classes regularly, to educate her on issues of nutrition, hygiene, breastfeeding and baby care. If she failed to attend one of the classes, the clinic staff would be alerted and may decide to visit her home to ascertain if problems had arisen. After childbirth, the baby’s immunisation schedule and growth could also be monitored and the data stored under the mother’s digital identity file. This data could also be accessed when the woman returned to the clinic for subsequent pregnancies. Read our other scenarios on how digital identity could: be used to monitor food and cash rations be used to help make cross-border trading easier help protect endangered southern ground hornbills in Zimbabwe promote education in Angola
How digital identity could help promote education in Angola
As we go about our social purpose work we regularly get to speak to local, national and international non-profit organisations. Over the years, we’ve found that many struggle to understand the many ways digital identity solutions might help them in their work. As part of our wider efforts to help the sector make sense of the technology, today we’re publishing the fourth of six articles looking at the use of digital identities in six different humanitarian and environmental settings. Please note that, while the technology use-case is real, the scenarios are hypothetical in nature, and the projects do not exist as stated. Location Angola Scenario Resources for Trainee Teachers Background When Angola gained independence from Portugal in 1975, the new government estimated the level of illiteracy in the country to be between 85% and 90%. There then followed 27 years of civil war, during which the country’s education system (what there was of it) was left in chaos. Not only did most of the qualified teachers leave the country, but schools were damaged by gunfire and landmines and civilians became displaced. When the civil war ended in 2002, UN figures indicated that about 45% of Angolan children did not go to school. Those who did attend school often experienced a lack of teachers, overcrowding in unsuitable classrooms or a total absence of classrooms or classroom supplies. However, the Angolan government quickly focused attention on improving the education system and introduced four years of free, compulsory primary education (between the ages of 7 and 11). With the help of aid agencies such as UNESCO, the government has rebuilt many schools and opened hundreds of new ones. By 2018, it employed 17,000 teachers but still estimated that a further 200,000 trained teachers would be needed in order to give all Angolan children a primary school education. Challenge Teachers are particularly needed in rural areas and the NGO, known as ADPP (Aid for the Development of the People by the People), which works with the Angolan Ministry of Education, has set up secondary schools in rural areas specifically to train teachers to work in local primary schools. The three-year training promotes teaching skills through a combination of studies, courses and experiences, and students are expected to research topics for themselves, share ideas and ask questions. The students are usually from poor backgrounds and only have a few years of primary school education themselves. They are not able to purchase textbooks or access internet resources in order to fulfil the research aspects of the training course. In addition, many of them are not in possession of the national ID card due to the problems with access to, and issuance in, rural areas. Solution Each of the new training schools, called Training Colleges for the Teachers of the Future (CTFs), has a library that contains relevant references and study material for the courses offered. Students who register for a course have their personal details recorded, along with a fingerprint and face scan. They are also issued with a student card displaying their photograph. Access to the library involves scanning a student’s fingerprint, whereafter he or she is authorised to enter and borrow resource material. In addition, this gives access to the computer terminals available for research. Students who have already graduated as Teachers of the Future but who may still need to use the resources in the library for reference and guidance may also be given access, via fingerprint scan, for a period of time after completing their training. Read our other scenarios on how digital identity could: be used to monitor food and cash rations be used to help make cross-border trading easier help protect endangered southern ground hornbills in Zimbabwe