Public-Sector Identification in the Age of AI

By Shaun McIver
CEO, Vayle

When a public-sector organization releases records to the wrong person, the consequences can be serious, including unauthorized disclosure of personal information, potential harm to affected individuals, reputational damage, and costly incident response. Effective identity verification requires a careful balance of risk, protecting individuals and the institution while keeping services accessible and efficient. Though Canada has a strong foundation of privacy guidance to draw from, day-to-day practices still vary widely, especially for “personal” access requests and other services that require proof of identity.

Start with risk-based verification, not “one-size-fits-all”

The Office of the Privacy Commissioner of Canada (OPC) explains that “identification and authentication are fundamentally about the management of risk: the risk to the organization of, through bad identification or authentication practices, either denying access to a legitimate customer or giving access to an impostor; or, the risk to individuals, that their personal information is lost or inappropriately disclosed, and that their identity, finances, or privacy are compromised”.

A practical implication is that the level of identity assurance should match the sensitivity of the records or service. A routine inquiry might not need strong identity proofing, but a request for one’s personal records, benefits information, or other sensitive files often does.

Treat government-issued ID as highly sensitive data

A key best practice is to treat copies of government-issued photo ID as sensitive personal information and handle it accordingly. That means minimizing collection (only collect what you need), limiting who can access it, and setting clear retention and deletion rules. The goal should be to avoid building a shadow “ID document repository” across email inboxes and shared drives.

The email-attachment problem: a common but risky pattern

Despite years of security guidance, many organizations still accept identity documents through email, often because it feels convenient and familiar. Public-sector organizations across Canada commonly request copies of government-issued photo ID by email to support access to personal information.

This matters because general-purpose email is often used as a convenience tool, not as a controlled channel for handling sensitive identity documents. When government-issued identification is shared as an email attachment, organizations may have limited visibility or control over how that information is handled, stored, or retained across inboxes and email systems.

The result is a paradox. In order to verify identity, individuals may be asked to share some of their most sensitive personal documents through channels that were not designed specifically for identity verification.

AI is raising the stakes: spoofing is easier than ever

The identity verification landscape is changing quickly. According to the Canadian Anti-Fraud Centre (CAFC), fraudsters are increasingly leveraging a range of technological tools to make their activities more convincing and harder to detect. The Centre notes that these tools include artificial intelligence, which can generate “realistic voices, deepfake videos, and convincingly fake text,” contributing to the growing sophistication of fraud schemes.

At the same time, fraudsters continue to rely heavily on fake identification and documents. The CAFC notes that fake IDs, passports, and other documents can be used to commit various types of ID fraud, including open fraudulent accounts, apply for loans or credit, exploit government benefits, and “bypass verification processes” by appearing credible across a wide range of fraud scenarios. As these tactics evolve, Canadian fraud authorities continue to highlight the importance of identity verification practices that are designed to detect and resist increasingly sophisticated forms of deception.

This shift has direct implications for identity verification. Static processes that rely on visually reviewing a photo of an identity document, particularly when that image is transmitted by email, or viewed via a video call, are increasingly vulnerable to manipulation. Checks that may have detected crude forgeries in the past are less effective against modern techniques capable of generating realistic identity documents, altering photos, or producing supporting materials that appear authentic. As these capabilities become more accessible, organizations that depend on manual or email-based ID review face a growing risk of impersonation and unauthorized disclosure of personal information.

What better practice looks like

Across Canadian privacy and security guidance, a few themes consistently show up in strong identity verification programs:

• Use secure, purpose-built channels for collecting identity evidence, rather than email attachments
• Verify at the point of submission and return an auditable verification result, instead of storing copies of ID in inboxes
• Layer controls for higher-risk services: document authenticity checks plus measures that reduce spoofing (e.g., biometric liveness check)
• Minimize and control retention so sensitive identity artifacts don’t persist longer than necessary

Bringing Best Practices to Public-Sector Identity Verification with Vayle ID

This is exactly why Vayle brought Vayle ID to market: to help public-sector organizations modernize identity verification for personal FOI requests and other information-access workflows without relying on email attachments.

Vayle ID is integrated with Vayle’s online form workflows and Vayle FOI, and is designed to verify an individual’s identity using government-issued photo identification and facial biometrics to support access to online services that require proof of identity, powered by Interac Verified™, using Interac® document verification service.

Rather than asking a requester to email a copy of their ID, organizations can validate identity in real time at the point of intake, receive a verification result directly within the workflow, and reduce the operational and privacy risks associated with manual handling of identity documents. As AI-driven spoofing continues to accelerate, modernizing identity verification is no longer simply an efficiency improvement. It has become a foundational control for protecting personal information and maintaining trust in digital public services.

To learn more about the AMO/LAS Streamlined FOI and Privacy Program Management program, please visit the website.