Athentic Consulting’s team of experienced experts bring you the
latest news and insights in law and regulations.

Digital ID in Thailand: Secure Authentication Aligned with the PDPA

According to ETDA, “Digital ID” refers to an identity or personal information collected in a digital format, such as an identification number, name, address, or Biometric data, among others. It is used to identify and verify a person’s identity when accessing services provided by both public and private organizations. This article will discuss how Digital ID has been used in Thailand, how it benefits personal data protection, and how it abides by the Personal Data Protection Act (PDPA).

Topic 1: How Digital ID Authentication Works in Thailand and How It Supports Personal Data Protection

“Identity verification” is the process of collecting and checking information about a person’s identity to confirm that the person and their identity information are genuine and belong together. Before the widespread use of computers and technology, identity verification worldwide, including in Thailand, relied heavily on physical documents such as ID cards, passports, or driver’s licenses. People had to bring these documents in person to the place where verification took place. This process was complicated, requiring people to prepare multiple documents and travel to verification locations. It also created opportunities for personal data leakage, and personal information was often disclosed beyond what was necessary.

Nowadays, Thailand has developed Digital ID technologies to make identity verification more convenient. The best-known example is the “ThaID” application by the Department of Provincial Administration (DOPA). Once verified through ThaID, users can access various government services, such as online tax filing, e-petitioning for legislation, digital health records, and consumer complaint systems, without re-verifying their identity each time.

To ensure standardization, government agencies must comply with Digital Government Standard DGS 1-2 (2564): DIGITALIZATION: DIGITAL ID - IDENTITY PROOFING AND AUTHENTICATION. The system must follow two key assurance standards:

  • IAL (Identity Assurance Level): Measures the strictness of identity proofing, divided into 3 levels:
    - Level 1: Basic data collection without document verification.
    - Level 2: Verification of supporting identity documents.
    - Level 3: Includes biometric verification (e.g., facial recognition, fingerprint scanning) for higher security.
  • AAL (Authenticator Assurance Level): Measures the security of the authentication process, also divided into 3 levels:
    - Level 1: Single-factor authentication.
    - Level 2: Two-factor authentication (e.g., password + biometric).
    - Level 3: Multi-factor authentication involving secure hardware tokens.

The risk of personal data leakage when using Digital ID therefore depends on the level of protection applied.

In summary, Digital ID benefits personal data protection in the identity verification process, as shown in the table below:

Benefit of Digital ID | Details
Reduces personal data leakage | Digital ID was introduced to help reduce the risk of data leakage from using physical documents. Users can authenticate digitally without repeatedly presenting physical documents, which reduces unnecessary exposure of personal data and lowers the risk of personal data leakage.
Data minimization | Digital ID was designed to collect only necessary data, unlike document-based verification, where full personal details may be unintentionally disclosed.
Reduces data redundancy | Digital ID reduces redundant steps and processes in identity verification, and also enhances convenience and agility in data governance by enabling the reuse of existing verified data across services (e.g., using ThaID data for tax filing or accessing Health Link).
Security measures | Digital ID systems are required to follow the digital government security standards set by the Digital Government Development Agency (DGA).


Topic 2: Digital ID and the Personal Data Protection Act (PDPA)

Digital ID authentication uses personal data (e.g., name, gender, national ID number, religion, facial images, or fingerprints) for identity verification and must comply with the security standards set by the Digital Government Development Agency (DGA). Digital ID aligns with the PDPA as follows:

1. Key Parties under the Personal Data Protection Act (PDPA)

For Digital ID authentication, the relevant roles under the PDPA are:

  • Data Controller: The organization that determines the purposes and means of data processing, e.g., the Department of Provincial Administration (DOPA). Its duty is to comply with the PDPA by preparing a privacy policy, privacy notice, RoPA and any related legal documents, providing channels for data subjects to exercise their rights, implementing appropriate security measures, and establishing processes for handling personal data breaches.
  • Data Processor: An external individual or juristic person to whom the Personal Data Controller discloses or transfers personal data for processing. The processor must process personal data only in accordance with the controller’s instructions and for the purposes determined by the controller. Processors could be, for example, external companies, vendors, or contractual partners that perform analytics or provide services for developing an identity authentication system. The processor is required to implement appropriate security measures to protect personal data and to prepare and maintain records of processing activities (RoPA) for personal data processors.
  • Data Subject: The individual to whom the personal data relates. In the context of identity verification through Digital ID, this means the person who uses the Digital ID service. The user is entitled to rights under the Personal Data Protection Act (PDPA), including: receiving notice of the details and purposes of personal data collection; giving consent and withdrawing consent where the processing does not fall within a statutory exemption; requesting access to, rectification of, and transferability of personal data; requesting restriction or suspension of processing; requesting deletion or destruction of personal data; and lodging a complaint in the event of a personal data breach.

2. Lawful Basis for Identity Verification via Digital ID

Because Digital ID authentication involves processing personal data, the processing must rely on one or more lawful bases under Section 24 and Section 26 of the PDPA. The applicable legal basis depends on the context, such as the controller’s role, the type of data, and the purpose of collecting it.

For example, the activities of registering for and accessing the Digital ID system, which involve collecting identity data of service users (e.g., first name, last name, photograph, and signature), may rely on the contractual necessity basis under Section 24(3) for the purpose of registration and access to the system.

3. Required Legal Documents

To ensure that identity verification via Digital ID complies with the Personal Data Protection Act (PDPA), the Digital ID service provider, as a Data Controller, must consider and implement the required legal documentation under the PDPA as follows:

  • Record of Processing Activities (RoPA) under Section 39 of the PDPA: A record of the personal data flows associated with the data controller’s activities. It provides an overview of processing and makes it easier to trace the causes of data processing problems.
  • Privacy Notice under Sections 23 and 25: A document used to inform data subjects, before or at the time of data collection, of the purposes of personal data processing and other relevant information required by law. The notice may be provided via a website or displayed in a place easily accessible to data subjects. For example, the Department of Provincial Administration (DOPA) has issued a “Privacy Notice for Users of the DOPA-Digital ID System of the Registration Administration Bureau, Department of Provincial Administration,” which is available on its website.
  • Consent Form under Section 19 of the PDPA: A document used to obtain the data subject’s consent where a processing activity has no other legal basis for collecting personal data, or where sensitive data is collected without an exemption under Section 26, such as using biometric data (fingerprint or face scan) for identity verification.

Moreover, the Digital ID service provider, as the Personal Data Controller, must review processing activities related to the provision of Digital ID services. For example, if personal data is disclosed or transferred to external organizations, it may be necessary to prepare additional legal documentation, such as a data processing agreement (DPA) or to have appropriate security measures to ensure compliance with the Personal Data Protection Act (PDPA).


Conclusion

The development of Thailand’s Digital ID identity verification system not only enhances the efficiency of public and private services but also strengthens personal data protection, both for service providers, who must comply with the PDPA, and for users, who should be aware of their personal data protection rights so that they can use Digital ID safely and with confidence. It reduces the risk of data breaches, establishes secure and transparent authentication standards, and complies with the Personal Data Protection Act. Ultimately, Digital ID helps build public trust in digital identity systems, promotes paperless activity, and contributes to improving data subjects’ quality of life in the digital era.

References

• ETDA Digital ID Standard (DGS 1-2, 2021): https://standard.dga.or.th/wp-content/uploads/2021/09/3.Digital-ID-DGS-1-2_2564.pdf

• DOPA Digital ID Overview: https://multi.dopa.go.th/icad/assets/modules/news/uploads/...

• ThaID Application Information: https://www.bora.dopa.go.th/app-thaid/


Kanoknun Chanataradhamma
Lead - Legal Technology Counselor
Sasatorn Stitvidayanand
Legal Technology Counselor
Teethawach Donmongkol
Legal Technology Counselor