How Personal Data Licenses Can Keep Digital Identity Private

The world is in the early stages of supplementing old-school paper identity documents with digitally secured identification, licensing, and other credentials. This major technological and infrastructure shift offers big benefits in privacy, security, and convenience for everyday people.

Digital identity has the potential to vastly improve your control over your personal data. Already, many verifiable digital credential (VDC) formats support a feature known as “selective disclosure,” which lets users choose exactly what data fields they hand over during a verification. 

We can go even further to give users broader, long-term control over data sharing of their information, including the ability to closely monitor who has permission to use it–and even to exercise their right to have their data deleted with the tap of a button.

For example, millions of Americans today spend countless hours on phone calls and dust off the fax machines to send information across primary care physicians and healthcare specialists. We could vastly improve the efficiency of electronic health record systems and the patient experience by describing handling rules for a patient’s protected health information (PHI) in human and machine-readable format called a “personal data license,” which is digitally signed by the patient.

A blood test result, for instance, is shared to a patient’s primary care physician (PCP) along with a new personal data license, which describes that the test results may be stored for up to 5 years across all entities and is shareable with their cardiologist without the patient needing to fill out any additional forms.

After 5 years, or when the patient decides to revoke the personal data license with a tap in their app, the data would need to be deleted under the HIPAA privacy framework. The patient could also update the personal data license to allow for other counterparties to also receive the data, or extend the sharing duration. Depending on the reporting requirements described in the license, the patient could also track when, where, and to whom their PHI was shared further.

We call this kind of system “Personal Data Licensing,” and it can work not only with health records but also with digital identity, professional credentials, and anything of value that is paper or plastic today but will be digital tomorrow. Making it a reality will involve technology working hand in hand with privacy-focused public policy.

If you haven't already, subscribe to our blog to stay tuned for part 2 on this topic, where we will describe in detail how it works in practice.

About SpruceID: SpruceID is building a future where users control their identity and data across all digital interactions.