https://www.polity.org.za
Deepening Democracy through Access to Information
Opinion: South Africa's Digital Identity Regulations: A Governance Crossroads



IBM Digital

29th May 2026


Can new rules unlock integrated public services without eroding citizen control? asks Mark Burke in this latest opinion article.

For well over a decade, government departments have produced frameworks, strategies, and plans promising seamless digital services, efficiency, and integrated public administration. The National Development Plan 2030 identified efficient identity management as foundational to inclusive economic development. The Department of Home Affairs launched its modernisation programme in 2012. The Draft Official Identity Management Policy of 2020 sketched a comprehensive vision for transitioning from legacy systems to digital credentials. Until now, the gap between the search for efficient identity management as the basis for integrated service delivery and the reality of making it happen has remained stubbornly wide.


South Africa's public sector struggles with coordination across departments, agencies, and spheres of government. Institutional silos persist. Departments plan, budget, and report separately, and are held accountable mainly for their own mandates. Outcomes-based planning, inter-ministerial committees, cluster systems, and various coordination structures have all been tried. The results have been mixed at best. Citizens still queue at multiple offices to prove the same identity. Departments still duplicate verification processes. Data still sits in incompatible systems. The state has struggled to align institutional action toward coherent outcomes.

This is the context in which the Department of Home Affairs published draft amendments to the Identification Regulations, 1998, on 4 May 2026. These amendments may represent one of the more consequential institutional developments in South Africa's digital governance journey because they attempt to establish the governance architecture for how digital identity will function across the public sector and, significantly, between the state and private actors. Whether they succeed in unlocking integrated services while protecting citizen rights depends on the governance choices embedded in the regulations.


Understanding Digital Public Infrastructure

To grasp what these regulations aim to achieve, it helps to understand the concept of Digital Public Infrastructure (DPI). DPI is an approach to organising digital governance around shared infrastructure, common standards, interoperable systems, and institutional arrangements that enable coordinated service delivery across otherwise fragmented government structures. DPI consists of platforms, protocols, payment systems, data exchange mechanisms, and governance frameworks that enable different parts of the state and, in some cases, private actors to work from common foundations rather than building incompatible systems.

Digital identity sits at the centre of this model. Without trusted digital identity systems, building integrated digital services becomes nearly impossible. Authentication remains fragmented. Departments duplicate identity-proofing processes. Citizens repeatedly prove their identity to various agencies.

The proposed amendments attempt to address this by creating a regulatory framework for digital identity credentials, establishing mechanisms for identity verification across sectors, and setting rules for how identity data may be shared between government and private entities. They potentially establish a new digital identity governance system, a new relationship between citizens and the state, and a new framework for how public and private institutions verify identity and exchange identity-related information.

What the regulations propose

The draft amendments introduce several interconnected mechanisms that, taken together, would significantly reshape how identity functions in South Africa's digital ecosystem.

Digital identity credentials are defined as secure, cryptographically authenticated digital credentials issued by the Director-General of Home Affairs that verify a person's identity and hold equivalent legal status to physical identity cards. Importantly, the regulations specify that these credentials are voluntary. No person is compelled to obtain one, and physical identity cards remain valid. This optionality is a genuine safeguard, recognising that not all citizens have smartphones, reliable internet, or digital literacy.

Trusted entities are among the more significant innovations. These are accredited public or private organisations, such as banks, telecommunications providers, government agencies, and potentially others, that may establish "verified relationships" with citizens and access population register data through application programming interfaces (APIs). Trusted entities would verify the identities of their customers or users in real time, subject to data-sharing agreements approved by the Director-General. This creates a verification ecosystem in which private actors mediate access to services that require identity verification.

Data-sharing agreements govern how trusted entities may access population register information. The regulations require these agreements to specify the purposes of access, the categories of data to be shared, security requirements, and audit obligations. The Director-General has sole authority to approve these agreements.

Identity assurance levels establish a tiered framework for confidence in verification. Level 1 involves basic verification against population register data. Level 2 adds biometric comparison. Level 3 requires in-person enrolment with biometric capture and liveness detection, that is, verification that the biometric data comes from a live person rather than a photograph. This tiered approach aligns with international standards and allows risk-appropriate verification for different purposes.

API-based verification means that trusted entities would access the population register through encrypted, authenticated digital interfaces rather than manual processes. The regulations require that all API access be authenticated and encrypted, with the Director-General determining the security standards and terms.

Audit and logging requirements mandate that all access to the population register be recorded, with logs maintained for at least seven years. These logs must capture the identity of the accessing entity, the purpose of access, the data accessed, and the timestamp.

Cybersecurity obligations require continuous monitoring, anomaly detection, data segmentation, regular vulnerability assessment, and strong authentication measures for administrative functions.

Private-sector enrolment points would allow accredited entities to assist citizens with enrolling in the digital identity system, expanding access beyond Home Affairs offices.

These provisions, read together, suggest a system in which a citizen's digital identity credential could become a gateway to a broad range of services, verified through standardised mechanisms, logged comprehensively, and governed by data-sharing agreements overseen by the Director-General.

Why government may believe this is necessary

The policy case for these regulations is not difficult to understand. South Africa's identity management system has documented weaknesses. Identity fraud costs the economy significantly. Citizens without official identity documents face exclusion from banking, social grants, employment, and healthcare. The Smart ID card rollout, begun in 2013, improved the security of physical documents but did not resolve the underlying fragmentation of digital identity verification.

Minister Schreiber's accompanying statement frames the digital identity system as "the ultimate expression of our vision to leverage digital transformation to deliver Home Affairs @ home." The stated objectives include combating identity theft, financial crimes, corruption, and illegal immigration while improving service delivery and privacy protections. These are legitimate public policy goals. And they are critical to paving the way for full digital identity implementation in South Africa.

From a governance perspective, the regulations attempt to solve a real coordination problem. Without a common framework for digital identity verification, each department and private entity develops its own processes. The result is duplication, inconsistency, and exploitable gaps. A properly governed shared digital identity infrastructure could reduce these inefficiencies and create a foundation for genuinely integrated services.

The possibilities

If implemented well, these regulations could open several possibilities.

Integrated public services become more feasible when identity verification is standardised and interoperable. A citizen applying for a social grant, registering a business, or accessing healthcare could authenticate once, with the verification recognised across systems rather than repeated at each point of contact. This reduces administrative burden on both citizens and officials.

Digital inclusion could improve if enrolment is expanded through private-sector partners and if the system is designed with accessibility in mind. Rural citizens who cannot reach a Home Affairs office might enrol at a bank or mobile service point.

Fraud reduction is a genuine prospect. Cryptographically secured digital credentials, combined with biometric verification and comprehensive logging, are harder to forge or misuse. The regulations' liveness-detection requirements and encrypted biometric storage address known attack vectors.

Interoperability across the public sector could advance. When departments share a common identity verification backbone, the technical and legal barriers to data sharing for legitimate service delivery purposes diminish. This does not automatically produce better services, but it removes one significant obstacle.

These possibilities are real. They explain why many countries have pursued similar digital identity frameworks, and why the Department of Home Affairs has invested significant effort in developing these regulations.

Where the regulations may not go far enough

These possibilities depend significantly on governance design, and here the regulations raise questions that deserve careful attention. Several areas appear to fall short of what is needed to ensure that citizens retain meaningful control over their identity data.

Citizen control over personal data is limited in ways that matter. While digital credentials are optional, once a citizen enrols, there appears to be no mechanism to request deletion of biometric data from the population register. The credential may be cancelled or allowed to lapse, but the biometric templates (fingerprints, facial geometry) presumably remain stored indefinitely. This creates an asymmetry. Citizens can opt in, but they cannot fully opt out. This is inconsistent with, for example, the European Union's right to erasure under the General Data Protection Regulation (GDPR, Article 17) and with the principle of citizen control that underpins frameworks such as the Modular Open Source Identity Platform.

Consent mechanisms are weak. The regulations treat the act of applying for a digital identity credential as implied consent to the associated data processing. This differs from international standards that require consent to be freely given, specific, informed, and unambiguous, demonstrated by clear affirmative action (GDPR, Article 4(11)). Citizens are not explicitly informed, at the point of enrolment, about which entities may later access their data, for what purposes, or how they might revoke that access.

Visibility into who accesses identity information is absent. While the regulations require comprehensive logging, they do not grant citizens a right to access these logs or to receive notification when their identity data is verified by a trusted entity. A citizen might have their identity checked dozens of times across banking, telecommunications, and government services without ever knowing who accessed what, when, or why. The Estonian digital identity system, by contrast, enables citizens to view who has accessed their records and to challenge unauthorised access. This is a feature central to public trust in that system.

Selective disclosure, that is, the ability to reveal only specific identity attributes rather than one's full profile, is not provided for. The EU's eIDAS 2.0 Regulation mandates selective disclosure as a core feature of its Digital Identity Wallet, allowing citizens, for example, to prove they are over 18 without revealing their full date of birth. The South African regulations focus on verifying the authenticity of mandatory particulars rather than enabling citizens to control which attributes are disclosed in specific contexts. This is important because every full verification exposes more data than the transaction itself requires, increasing the risk of profiling.
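
Selective disclosure of the kind described above can be built from salted hashes, in the style of schemes such as SD-JWT. The sketch below is an added illustration, not part of the original article or of any regulation or system it discusses; the HMAC issuer key, the attribute names and the sample record are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json, secrets
from datetime import date

# Assumption: an HMAC key stands in for the issuer's signing key so the example
# runs on the standard library alone; a real issuer would use an asymmetric
# signature so that verifiers never hold signing material.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample record; no real person or identity number.
SAMPLE_RECORD = {
    "id_number": "CONSTRUCTED-0000000",
    "full_name": "Constructed Person",
    "date_of_birth": "1990-03-14",
}

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def digest(disclosure: str) -> str:
    return b64(hashlib.sha256(disclosure.encode()).digest())

def sign(payload: str) -> str:
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(record: dict, today: date):
    """Issuer: derive age_over_18, then sign salted digests, not the values."""
    dob = date.fromisoformat(record["date_of_birth"])
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    attributes = dict(record, age_over_18=age >= 18)
    disclosures = {}
    for name, value in attributes.items():
        # A fresh random salt per attribute stops a verifier from guessing
        # low-entropy values (such as a birth date) by hashing candidates.
        salt = b64(secrets.token_bytes(16))
        disclosures[name] = json.dumps([salt, name, value])
    payload = json.dumps({"_sd": sorted(digest(d) for d in disclosures.values())})
    return {"payload": payload, "sig": sign(payload)}, disclosures

def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: hand over the signed digests plus only the chosen disclosures."""
    return {"credential": credential,
            "disclosures": [disclosures[name] for name in reveal]}

def verify(presentation: dict) -> dict:
    """Verifier: check the signature, then accept only disclosures it covers."""
    cred = presentation["credential"]
    if not hmac.compare_digest(sign(cred["payload"]), cred["sig"]):
        raise ValueError("issuer signature invalid")
    signed = set(json.loads(cred["payload"])["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if digest(disclosure) not in signed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(disclosure)
        revealed[name] = value
    return revealed

if __name__ == "__main__":
    cred, disc = issue(SAMPLE_RECORD, today=date(2026, 5, 29))
    print(verify(present(cred, disc, ["age_over_18"])))
```

The verifier learns a signed yes/no answer to the age question and nothing else: the date of birth, name and identity number stay with the holder as unrevealed digests.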

Redress mechanisms are underdeveloped. Citizens who believe their identity data has been misused, who dispute the accuracy of population register records, or who allege unauthorised access have no specific administrative remedy under the regulations beyond the general rights provided by the Protection of Personal Information Act (POPIA) and the Promotion of Administrative Justice Act (PAJA). The Information Regulator has the authority to investigate POPIA complaints, but its capacity constraints limit its effectiveness.

Accountability for the Director-General's decisions is limited. The Director-General exercises extraordinarily broad discretion over virtually every aspect of the digital identity system, including setting standards, accrediting entities, approving data-sharing agreements, establishing cybersecurity requirements, and determining fees. There is no independent appeals mechanism for accreditation decisions, no requirement for public consultation before standards are determined, and no mandatory parliamentary reporting on the exercise of these powers.

Governance concerns that merit attention

Beyond specific rights limitations, the regulations raise structural governance concerns that go to how power is distributed in the emerging digital identity ecosystem.

Concentration of power is perhaps the most significant. The regulations centralise regulatory, operational, supervisory, and enforcement authority in the Department of Home Affairs and, specifically, in the office of the Director-General. This concentration across multiple dimensions of power, such as setting rules, managing infrastructure, overseeing private actors, and policing compliance, departs from international best practice that recommends distributing these functions across institutions to prevent arbitrary exercise and enable meaningful accountability. The accumulation of multiple forms of power in a single office raises concerns that the South African Constitution's founding values of accountability, responsiveness, and openness are designed to prevent.

Trusted entities and the platformisation of government identity create new dependencies that did not exist under the physical identity card system. When banks, telecommunications providers, and other private actors become gatekeepers to identity verification, citizens may find that participation in economic and social life increasingly depends on their relationship with these intermediaries. The regulations do not establish independent, ongoing oversight of the conduct of trusted entities. The Director-General can suspend or revoke accreditation, but this is reactive rather than preventive. There is no requirement for regular independent audits, no mandatory reporting of security incidents to an oversight body, and no mechanism for citizens to file complaints specifically about misconduct by trusted entities within the digital identity framework.

Cross-sector data sharing and metadata generation carry profiling risks that the regulations do not adequately address. When multiple trusted entities access population register data for verification purposes, aggregating access logs could enable the reconstruction of individuals' activity patterns across financial, telecommunications, government, and commercial domains. The South African regulations contain no prohibition on aggregating verification data for profiling, marketing, or behavioural analysis.

Surveillance risks and function creep are inherent in comprehensive identity infrastructure, even if surveillance is not the stated purpose. The combination of biometric data, a centralised population register, API-based real-time verification, seven-year audit logs, and data-sharing agreements with public and private entities creates technical capacity for extensive monitoring. Function creep, the tendency for identity systems to expand beyond their original purposes, is well-documented globally. The South African regulations list permissible data-sharing purposes, but the Director-General's broad discretion to determine standards and issue instructions creates flexibility that could enable gradual expansion.

Even though digital IDs are officially optional, some people could still be left out. If more and more government and private services start requiring digital identity checks, then choosing not to get a digital ID may not be a real choice in practice. South Africa's significant digital divide, particularly affecting rural communities, older persons, and low-income households, means that a digital-first approach risks compounding existing inequalities. Regulation 49(5) requires that the implementation not unreasonably exclude persons without suitable devices or internet access, but it lacks specificity. There are no concrete requirements for alternative access channels or mandates for digital literacy support, for instance.

The legislative sequencing question

A further concern goes to the legal foundation for these regulations. They are made under section 22 of the Identification Act, 1997. This statute was enacted before smartphones, mobile applications, API-based data sharing, or cloud computing existed. Section 22 empowers the Minister to make regulations regarding matters "required or permitted" by the Act, and generally regarding matters "necessary or expedient" to achieve the Act's objects.

The Constitutional Court has held that the delegation of legislative power is an exception to the separation of powers and must be construed narrowly. Subordinate legislation that makes substantive policy choices rather than operationalising existing statutory schemes risks being struck down as beyond the power conferred.

The regulations introduce entirely new categories of legal relationships ("verified relationships" between trusted entities and citizens), create new criminal offences punishable by imprisonment, and establish a comprehensive digital identity ecosystem that goes considerably beyond what the Identification Act explicitly contemplates. The National Identification and Registration Bill, currently before Parliament, would provide a more appropriate statutory foundation for this expanded governance framework. Making substantive digital identity policy through subordinate regulations before this primary legislation is enacted risks regulatory pre-emption by establishing governance arrangements that may be difficult to modify when the Bill eventually becomes law.

What the regulations do not yet address

Several governance gaps remain unaddressed by the draft regulations and would require broader frameworks to resolve.

Independent oversight is the most significant absence. No independent body is specifically tasked with monitoring the digital identity system. The Information Regulator's general POPIA jurisdiction is necessary but insufficient given its capacity constraints and the specialised nature of digital identity governance. Judicial review provides accountability but is practically inaccessible for most citizens.

The sequencing of implementation is acknowledged, as the regulations provide for a phased rollout based on readiness assessments, but the criteria for determining readiness are not specified, and there is no requirement for independent assessment before each phase.

Cybersecurity readiness beyond the regulatory text is uncertain. The regulations mandate controls but do not address incident response plans, breach-notification procedures specific to digital identity, or disaster-recovery protocols.

In reflection

The draft amendments to the Identification Regulations matter because they may help unlock integrated digital public services that South Africa has long promised but struggled to deliver. They demonstrate awareness of contemporary digital identity challenges and incorporate genuine safeguards, including optional participation, biometric encryption, identity assurance levels, cybersecurity controls, and comprehensive audit requirements. These features reflect engagement with international practice in the South African context and a sincere attempt to balance innovation with protection.

Notably, the regulations also embody governance choices that concentrate significant power in a single administrative office, limit citizen control over biometric data, and create new dependencies on private actors without corresponding accountability mechanisms. Making substantive digital identity policy through subordinate regulations, rather than through primary legislation debated and enacted by Parliament, raises fundamental questions about the appropriate scope of delegated legislative power.

The significance of these regulations should not be understated. They will shape the institutional landscape of identity governance in South Africa for years to come. The choices made now about the distribution of power between state and citizen, about the role of private actors in public identity infrastructure, and about the balance between security and privacy will have enduring consequences. The regulations are currently open for public comment until 6 June 2026. This is not merely a technical or legal process. Rather, it is a governance question about the future relationship between citizens, the state, and digital systems in South Africa. Informed public engagement with these proposals is essential.

Written by Mark Burke, a researcher and advisor with expertise in digital governance, and a focus on public-sector digital transformation. His research interests are digital identity, privacy, and citizenship in the digitalisation of public services. 
