The Directive on Identity Management took effect on July 1, 2019. It replaced the Directive on Identity Management that was in effect from July 1, 2009 to June 30, 2019.This directive takes effect on July 1, 2019. This directive replaces the Directive on Identity Management, dated July 1, 2009. This directive is issued pursuant to the same authorities indicated in section 2 of the Policy on Government Security.The objectives of this directive are as follows: To manage identity in a manner that mitigates risks to personnel and organizational and national security, while protecting program integrity and enabling trusted citizen-centred service delivery; To manage identity consistently and collaboratively within the Government of Canada and with other jurisdictions and industry sectors, where identity of employees, organizations, devices and individuals is required; andTo manage credentials, authenticate users or accept trusted digital identities for the purposes of administering a program or delivering an internal or external service.The expected results of this directive are as follows: Interoperability, as appropriate, that supports participation in arrangements for trusted digital identity; and Integration of a standardized identity assurance level framework into departmental programs, activities and services, consistent with a government-wide approach.Program and service delivery managers are responsible for the following: Applying identity management requirements when any of the following conditions apply: Unique identification is required to administer a federal program or service enabled by legislation;Disclosure of identity is required before receiving a government service, participating in a government program, or becoming a member of a government organization; orAccuracy and rightful use by individuals, organizations and devices of credential and identity information are required;Ensuring that there is a need and the lawful authority for identification to support program administration, government-wide service delivery and, as required, to facilitate law enforcement, national security and defence-related activities;Documenting identity management risks, program impacts, required levels of assurance, and risk mitigation options;Selecting sufficient and appropriate identity attributes to distinguish a unique identity to meet program needs, in a manner that balances risk and flexibility and allows other methods of identification, where appropriate;Evaluating identity and credential risks by assessing potential impacts to a program, activity, service or transaction; Applying the required identity and credential assurance levels and related controls for achieving assurance level requirements, in accordance with Appendix A: Standard on Identity and Credential Assurance; Accepting trusted digital identities provided through an approved trust framework as an equivalent alternative to in-person interactions, by assessing the following: Identity and program-specific information: Selecting sufficient and appropriate attributes to uniquely identify individuals and personal information required to administer a program or deliver a service;Identity assurance and credential assurance, as outlined in Appendix A: Standard on Identity and Credential Assurance;Identity registration: Associating identity and personal information with a credential issued to an individual; andNotice and consent: Ensuring that notices are clear, appropriate for the purpose, and accessible in order to obtain meaningful consent for the collection, use and disclosure of personal information; Consulting the Chief Information Officer for the Government of Canada when establishing agreements or adopting trust frameworks; andUsing mandatory enterprise services for identity management, credential management and cyber authentication. Heads of Human Resources are responsible for the following: Assigning each federal public service employee a unique Personal Record Identifier (PRI) for the management of employee-related information and transactions; andAssigning an additional unique identifier to each employee who must be identified to an organization external to the federal public service.The roles of other government organizations in relation to this directive are described in section 5 of the Policy on Government Security.This directive applies to the organizations described in section 6 of the Policy on Government Security.The references indicated in section 8 of the Policy on Government Security apply to this directive.Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries for information about this directive.Individuals from departments should contact their departmental security management group for information about this directive. Individuals from the departmental security group may contact the Security Policy Division at the Treasury Board of Canada Secretariat by email at SEC@tbs-sct.gc.ca for interpretation of any aspect of this directive.

Provides details on the minimum requirements for establishing an identity or credential assurance level for a Government of Canada program or service. The Standard on Identity and Credential Assurance can be found here: https://www.tbs-sct.gc.ca/pol/doc-eng.aspx?id=32612

Definitions to be used in the interpretation of this directive can be found in Appendix B of the Policy on Government Security.