The Governance of Digital Public Infrastructure

Examines global DPI governance, proposing a framework based on inclusion, privacy, collaboration, and accountability principles.

Updated: Apr 2, 2025
Paper by Avani Airan, Surabhi Hodigere, Soujanya Sridharan, Sarayu Natarajan

This consultation paper examines the governance of Digital Public Infrastructure (DPI), which is emerging worldwide and revolutionizing public service delivery in sectors like identity (Aadhaar, PhilSys), payments (UPI, Pix), health (ABDM), and commerce (ONDC) (p. 13). While DPI’s impact is significant, codified best practices for its governance are lacking (p. 10). This paper aims to fill that gap by proposing a unified, principle-based governance framework drawn from global examples, offering a roadmap for effective, safe, and responsible DPI implementation (p. 10, 25).

Core Arguments & Findings

Defining DPI and the Need for Governance

  • What is DPI? The paper defines DPI as digital technologies enabling society-wide impact, acting as building blocks for other solutions, and facilitating effective service provision in public and private sectors (p. 17). DPI differs from Digital Public Goods (DPGs), which are the open components (software, data) used to build systems; DPIs are implemented, operational systems (p. 17). Digital infrastructure’s speed, flexibility, and data generation capacity differentiate it from physical infrastructure, necessitating distinct governance approaches (p. 18-19).
  • Why Govern DPI? The ‘DPI approach’ emphasizes common design, robust governance, and private sector participation (p. 10, 13). Robust governance is crucial to ensure DPI promotes inclusion, protects privacy, empowers users, and fosters fair competition, rather than leading to exclusion, surveillance, or market failures (p. 14).

Stakeholders and Institutional Roles

  • Multi-Stakeholder Landscape: DPI governance involves diverse actors: the public sector (regulation, funding, co-design), the private sector (innovation, standards), open-source communities, development actors (best practices, funding, intermediation), and end-users (co-design, feedback) (p. 20).
  • Role of Public Institutions: Nodal public institutions act as custodians, setting standards, regulations, and policies to guide DPI development and ensure security, privacy, and access (p. 21). Globally, institution-building trends vary: public sector-led (e.g., Estonia), private sector-led (e.g., US payments), or a combination approach (e.g., India) (p. 21-22).

A Principle-Led Governance Framework

The paper proposes a framework based on four core principles, operationalized through specific tools (laws, policies, standards, operational rules) across the DPI lifecycle (conception, development, operation, feedback/revision) (p. 25-29).

Principle 1: Build for Inclusion, Accessibility, and Equity

  • Goal: Mitigate the digital divide and ensure DPI benefits all, including marginalized communities (p. 32).
  • Tools & Pathways:
    • Offline Integration: Codify integration with offline architectures (e.g., Aadhaar offline e-KYC, UPI Lite for feature phones, Estonia physical ID option) (p. 33, 36).
    • Capacity Building: Invest in user/operator literacy, awareness, and intuitive design (e.g., NPCI simplification circulars, Aadhaar enrolment measures for marginalized groups, PhilSys law backing financial inclusion) (p. 33-34).
    • Budget Allocation: Use government budgets, subsidies, and innovative financing to support expansion, especially to underserved areas (e.g., Periodic UPI budget, ABDM’s Digital Health Incentive Scheme (DHIS)) (p. 34-35, 37).
    • Feedback Portals: Establish active feedback mechanisms for open communication and continuous improvement (e.g., UPI’s three-layered redressal, Aadhaar KM Portal, Estonia’s FAQs/channels, Ethiopia’s DAAS farmer feedback, Brazil’s Pix dispute process) (p. 35-36, 38).

Principle 2: Adhere to Privacy and Security Standards

  • Goal: Safeguard personal data, build trust, and protect against risks like breaches, profiling, and identity theft (p. 38-39).
  • Tools & Pathways:
    • Notice & Consent: Implement clear, informed, unambiguous consent mechanisms with opt-out options (e.g., ABDM Health Data Management Policy, Estonia Personal Data Protection Act) (p. 39-40).
    • Purpose Specification & Data Minimisation: Collect data only for specific, lawful purposes and retain only necessary data (e.g., ONDC data policy, ABDM policy restrictions, Estonia’s X-Road principle) (p. 40-41).
    • Breach Disclosure: Enforce prompt disclosure obligations to affected individuals and authorities (e.g., ONDC Network Policy, Pix Special Reimbursement Mechanism) (p. 41-42).
    • Decentralised Storage: Adopt approaches distributing data across nodes to reduce single points of failure (e.g., NPCI guidelines, ABDM policy, Estonia’s data embassies) (p. 42-43, 46).
    • User Control: Empower individuals to access, rectify, delete, or restrict data processing (e.g., ABDM policy, Aadhaar Authentication Regulation, Estonia Digital Signatures Act) (p. 43-44).
    • Encryption & Safeguards: Implement strong encryption (following standards like RSA 2048/AES 256 where applicable) and security measures based on privacy-by-design (e.g., UPI guidelines, eKYC API specs, Estonia ID card chip) (p. 44).
    • Audits & Risk Assessments: Conduct regular security audits and risk assessments (e.g., ONDC audit authority, RBI Master Directions for AA ecosystem) (p. 45).

Principle 3: Promote Collaboration and Co-creation for Public Benefit

  • Goal: Leverage diverse expertise and collective intelligence to foster innovation and ensure DPI serves the common good (p. 47).
  • Tools & Pathways:
    • Codified Consultation: Establish formal processes for public/stakeholder input on new developments (e.g., ABDM consultation papers, ONDC user council meetings, Estonia Bills Information System) (p. 48-49).
    • Open Technology Architecture: Promote open APIs, open standards, and tech sharing to foster innovation (e.g., UPI/Aadhaar open APIs, NDEAR mandate for open source, AA Master Directive for tech specs) (p. 49-50).
    • Interoperability & Modularity: Mandate design principles allowing different systems to connect and evolve independently (e.g., NPCI interoperability mandates, ONDC strategy, Estonia’s X-Road federation) (p. 50-51, 54).
    • Diverse Expert Committees: Establish advisory boards with broad stakeholder representation (e.g., UPI advisors, ABDM governing board, Ethiopia DAAS consortium) (p. 51-52, 61).
    • Sandboxes: Provide controlled environments for testing new ideas (e.g., RBI/Beckn Sandbox for UPI/ONDC, ABDM/NDEAR/UIDAI sandboxes, X-Road community) (p. 52-53).

Principle 4: Ensure Transparency and Accountability with Appropriate Grievance Redressal

  • Goal: Build public trust through openness, clear responsibilities, and effective mechanisms for addressing issues (p. 54-55).
  • Tools & Pathways:
    • Publish Vision & Strategy: Make goals, objectives, and rationale publicly accessible (e.g., ONDC strategy paper, NITI Aayog/ABDM strategy documents) (p. 55).
    • Independent Nodal Agency: Establish impartial bodies with authority to operate, monitor, and resolve issues (e.g., NPCI for UPI, UIDAI for Aadhaar, PhilSys Policy and Coordination Council (PSPCC)) (p. 56-57, 61).
    • Clear Procurement & Success Metrics: Use transparent, fair procurement processes and define metrics to measure impact (e.g., UPI open RFPs, NHA public tenders, Brazil’s Pix network security enforcement) (p. 57-58).
    • Disclose Appointments & Authority: Publish details on key roles, responsibilities, and decision-making structures (e.g., ONDC repository of committees/policies) (p. 58-59).
    • Grievance Redressal Mechanisms: Implement responsive, independent, multi-layered systems (internal and external) aligned with principles like the UNGPs (e.g., UPI three-tiered system, ONDC’s proposed IGM/ODR, Pix Joint Resolution) (p. 59-60).

Methodology

The paper employed a four-stage methodology (p. 15):

  1. Desk Research: Gathered guiding definitions and goals for DPI governance.
  2. Expert Interviews: Gained insights from individuals with deep expertise in the DPI ecosystem.
  3. Case Studies: Conducted in-depth analysis of specific DPI initiatives (Aadhaar, ABDM, ONDC, UPI, AA, e-Estonia, Pix, PhilSys, FarmStack), considering factors like age, structure, maturity, and key actors (p. 13, 15).
  4. Stakeholder Consultations: Engaged government entities, regulators, industry, civil society, and tech experts to collaboratively build and validate the proposed governance framework.

Key Conclusions & Recommendations

  • Conclusions: DPI offers significant potential but requires deliberate governance to ensure positive outcomes (p. 63). Existing governance practices are fragmented; a unified, principle-based approach is needed (p. 63). Common governance patterns are emerging globally around authority, procurement, security/privacy, and redressal (p. 64). Effective DPI governance requires ongoing dialogue and adaptation (p. 64).
  • Recommendations:
    • Adopt the proposed framework centered on Inclusion, Privacy/Security, Collaboration, and Transparency/Accountability (p. 63).
    • Operationalize these principles using a mix of laws, policies, technical standards, and operational rules tailored to the specific DPI context and lifecycle stage (p. 26-27, 64).
    • Prioritize establishing clear lines of authority, transparent procurement processes, robust security and privacy safeguards, and accessible grievance redressal mechanisms (p. 64).
    • Foster multi-stakeholder collaboration and invest in capacity building and digital literacy (p. 20, 33-34, 64).
    • Ensure DPI governance remains a central focus in national strategies and international forums like the G20 (p. 10, 64).

Key Questions Addressed or Raised

The paper concludes by posing key consultation questions for strengthening DPI governance, particularly in India (p. 66-67):

  • How can DPI governance align with public benefit, welfare, and inclusive access?
  • What measures are imperative for data privacy and security while respecting rights?
  • How can multi-stakeholder collaboration (government, private sector, civil society) be fostered?
  • What mechanisms ensure transparency, public scrutiny, feedback, and accountability?
  • How should responsive and independent grievance redressal mechanisms be designed and enforced?
  • What international best practices can India leverage for responsible, inclusive DPI?
  • What additional considerations arise from emerging technologies and societal needs?
  • What are the key challenges and opportunities in implementing the proposed framework in India?

Key Points

  • Effective DPI governance is crucial but lacks comprehensive documentation of best practices.
  • The 'DPI approach' involves common design, robust governance, and private sector participation.
  • A robust governance framework is needed to ensure DPI promotes inclusion and safeguards rights, rather than exclusion or surveillance.
  • Core governance principles for DPI include: Inclusivity/Accessibility/Equity, Privacy/Security, Collaboration/Co-creation for Public Benefit, and Transparency/Accountability/Redress.
  • These principles are operationalized through tools like laws, policies, technical standards, and operational rules across the DPI lifecycle.
  • Governance involves multiple stakeholders: government, regulators, industry, civil society, and tech experts.
  • Common lawmaking patterns across countries include establishing clear authority, transparent procurement, robust security/privacy safeguards, and accessible grievance redressal.