
Person – Credential Documentation

About this Document

This document describes the Government of British Columbia’s Person credential to help potential verifiers determine whether it is suitable for their needs. The intended audience includes policy analysts, privacy specialists, solution architects, developers, and data architects.

Version History

| Ver. | Date | Notes |
|---|---|---|
| 1.0 | 25-Oct-2023 | - |
| 1.1 | 28-Mar-2023 | Corrected Schema ID, updated description of Holders |

Credential Overview

The Person credential is a verifiable credential (VC) issued to individuals to enable them to prove their identity and to digitally provide key personal information – name, date of birth, photo, address – to other parties (“verifiers”). The Person credential is intended to be used as a source of trusted identity information in a wide range of contexts, either alone or in conjunction with other credentials. The Person credential is currently only issued to the BC Wallet, a mobile application published by the Digital Identity & Trust Program (DITP) within the Office of the Chief Information Officer (OCIO) of the BC Ministry of Citizens’ Services.

Credential: Person

Issuer: Service BC, through its Provincial Identity Information Management (IDIM) Program, of the Government of British Columbia

Issuer DID: RGjWbW1eycP7FrMf4QJvX8

Schema: Person, version 1.0

  • Schema ID: RGjWbW1eycP7FrMf4QJvX8:2:Person:1.0
  • Documentation: [1]

Credential: Person, version 1.0

  • Cred Def ID: RGjWbW1eycP7FrMf4QJvX8:3:CL:13:Person

Data Registry: CANdy Ledger

Holders: The Person credential is currently only issued to individuals who have had their identity verified by the BC Services Card Program, have a valid BC Services Card, have authenticated with the BC Services Card app, and are at least 19 years of age.

Data Source: The Person credential data comes from the BC Services Card digital identity. More specifically:

  • The individual’s name is from their Canadian foundational identity document (e.g., birth certificate, immigration document) unless taken from marriage or name change documents
  • The individual’s date of birth is from the subject’s Canadian foundational identity document
  • Address values are self-asserted and unverified
  • Picture is taken by the BC Services Card program partner, the Insurance Corporation of BC (ICBC), at the time the individual presents their foundational identity documents

Revocation: A Person credential will be revoked – and will often be re-issued – due to both automated events (e.g., data updates) and manual events. These are described in greater detail in the Revocation section, below.

Assurance: The Person credential is issued to individuals who have been identified at a High (3) Identification Level as defined by the BC Office of the CIO Identity Assurance Standard.

[1] The Person Schema documentation will be published and maintained by the CANdy Network through a forthcoming agreement between the provinces of BC, Ontario, and Quebec.

Attribute Summary

Attributes are fully described in the Attributes section, below.

| Name | Attribute | Data Type |
|---|---|---|
| Given Names | given_names | String |
| Family Name | family_name | String |
| Date of Birth | birthdate_dateint | Integer |
| Street Address | street_address | String |
| Locality | locality | String |
| Region | region | String |
| Postal Code | postal_code | String |
| Country | country | String |
| Picture | picture | String, base64 encoded binary file |
| Expiry Date | expiry_date_dateint | Integer |

Credential Details

Issuer

The Person credential is issued by Service BC, the division within the BC Ministry of Citizens’ Services that houses the BC Provincial Identity Information Management (IDIM) Program. IDIM is the digital identity issuer for the BC Services Card Program.

Issuer Data Source

The Person credential data comes from the digital identity record of the BC Services Card Program, which collects and verifies the personal information of people enrolled in the provincial Medical Services Plan (MSP). A consequence of this is that only people enrolled in MSP can be issued a Person credential. The following people may not enroll in MSP: new arrivals to the province, people who live more than half the year outside the province, military members, and some federal employees.
The BC Services Card Program collects name and date of birth from the subject’s Canadian foundational identity documents as well as, if the individual has changed their name, name linking documents (e.g., marriage certificate). Adults are required to present a government-issued photo ID (e.g., driver’s license, passport) during the identity-proofing process and to have their photo taken as part of the identity-proofing event. Address information is provided by the subject but is not verified; ICBC mails each BC Services Card to the address provided by the individual unless the individual arranges to pick it up in person.

Data Updates

When a Person credential is issued, its data reflects that of the individual's BC Services Card digital identity record. Changes to this digital identity record will trigger a revocation (and often re-issuance) of the Person credential to ensure the credential reflects the updated identity record; these cases are described in further detail in the section on Revocation, below.

The BC Services Card digital identity record may be updated by the individual in two ways:

  • An individual wishing to change their name, correct their date of birth, or update their photo must do so in person and must present documents supporting their identity and the requested change
  • Change of address may be done online, with authentication based on shared secrets about the individual

The digital identity record may also be updated by the BC Services Card program, such as when a card expires or when the individual has been reported deceased by the BC Vital Statistics Agency.

Assurance

The Person credential is based on the BC Services Card digital identity, which is considered a high assurance digital identity credential by both the Government of British Columbia and the Government of Canada.

BC Services Card

By design, the BC Services Card digital identity meets the BC Office of the CIO Identity Assurance Standard requirements for a High (3) Identity Assurance Level. It meets this through the combination of its identity proofing process, the security of the issued credential, and the security of its two-factor authentication.
The BC Services Card digital identity has been assessed twice, in 2019 and 2021, by the Treasury Board of Canada Secretariat (TBS) against the Public Sector Profile of the Pan-Canadian Trust Framework (PSP-PCTF). In both cases, it was assessed as being a Trusted Digital Identity Level 3 (high), as defined in Appendix A of the TBS Directive on Identity Management.

Person Credential

The Person credential is based on the BC Services Card digital identity and is securely issued using BC Services Card two-factor authentication into the BC Wallet app. Of note:

  • The Person credential is issued to individuals who have been identified at a High (3) Identification Level as defined by the BC Office of the CIO Identity Assurance Standard. It is based on the identity record of the BC Services Card and requires the individual to prove who they are using a BC Services Card authenticator, ensuring a Person credential is issued to the correct individual’s wallet
  • The Person credential will only be issued to the BC Wallet, which requires authentication to use, protecting use of the Person credential by anyone other than the legitimate holder

Revocation

A Person credential will be revoked in the following cases:

  1. When an individual is issued a new Person credential (with the same or updated identity information), any previous Person credentials issued to that individual will be revoked as part of the issuance process. An individual may only have one active Person credential at a time.
  2. When an individual revokes their own credential, which they may do after logging into their BC Services Card Account.
  3. When authorized IDIM staff revoke the credential, either in response to a support call from the individual (e.g., after losing a mobile device) or for other reasons (e.g., security concerns).
  4. The individual’s physical card is suspended or deactivated (e.g., due to fraud) and/or the identity record is retired in the BC Services Card system (e.g., due to death)
  5. The individual’s identity record changes from having been updated with a BC Services Card to one set up with other Canadian identity documents

A Person credential will be revoked and re-issued in the following cases:

  1. The individual’s identity information (e.g., name, birthdate, address, photo) changes
  2. The individual’s card type changes from one that has a photo to one that doesn’t, or from a card type that does not have a photo to one that does

A credential is re-issued by sending an offer, which the individual may choose to accept, to the individual’s wallet. This offer can only be made if the individual’s BC Wallet still has the same Contact[2] through which they were originally issued the credential.

[2] A “Contact” in the BC Wallet is, technically, a Hyperledger Aries Connection.

Credential Definition

Credential Schema

The Person credential is based on the Person Schema[3] published by the provinces of British Columbia, Ontario, and Quebec through the CANdy Network. See Credential Overview, above, for details.
This section describes how the Person credential implements the Person Credential Type. Unless noted otherwise below, the subject and attributes of the Person credential have been implemented as defined and specified in the Person Schema.

[3] The Schema is a “template that defines a set of attributes” which is referenced by one or more Credential Definitions of one or more credential issuers; the credential definition is an issuer’s implementation of a schema (https://hyperledger.github.io/anoncreds-spec/#terminology). The Person schema is intended to be referenced in the credential definitions by multiple issuers in Canada (e.g., BC, Ontario).

Subject of the Credential

The subject of a Person credential is the individual to whom it was issued, i.e., its holder. See the Credential Assurance section, above, for why a verifier can be confident that the holder of a Person credential is the subject of the credential.

Attributes

This section indicates which Person Schema attributes are used by BC, whether there are any BC-specific implementation notes, and some exceptions in the attribute data.

Notes
  • Attribute data will always be upper case (e.g., "SMITH" not "Smith")
  • The only characters allowed are the letters A through Z, digits 0 through 9, and the following "special characters": hyphen, apostrophe, period, and space
  • Characters are encoded using UTF-8

Name Attributes

The name attributes of a Person credential will – with some exceptions – reflect the name on the subject’s Canadian foundational identity documents.

Notes
  • If an individual's name has a special character (e.g., Á, Ê, Ç) or a number in their name on their foundational identity document, it will not be reflected in the name attributes of the Person credential
  • The name in the Person credential will normally reflect the name on foundational identity documents or name linking documents (e.g., marriage certificates), but those documents may not reflect the individual’s name. For example:
    • Some names have special characters that BC Vital Statistics can print on a birth certificate but does not pass on to the BC Services Card Program computer system
    • Immigration, Refugees and Citizenship Canada (IRCC) will truncate an individual’s name (the combined given names and family name) at 45 characters on IRCC foundational identity documents (e.g., permanent resident card and the student, work, visitor, and temporary-resident permits)
  • An individual may use the last name of their spouse without getting a legal name change. In these cases, their Person credential should reflect – via their BC Services Card record – their foundational identity documents, as individuals are required by law to update their BC Services Card when they change their name by marriage or otherwise. Individuals who do this may continue to use their original name in other contexts, and so their Person credential may not be consistent with their other identity documents or credentials bearing their name

Given Names

Attribute: given_names
Format
  • Maximum 47 characters
  • Consists of up to three names (a first name and up to two middle names), delimited by spaces
    • Each name may be up to 15 characters long
Rules
  • May be blank
  • First and middle names over 15 characters are truncated
  • If the individual has a mononym, this attribute will normally have no value and the mononym will appear in the family_name attribute
Notes
  • Names can start with special characters
  • First Names and Middle Names with spaces or punctuation (e.g., “JO ANNE”, “JIAN U”, “D’ARCY”) will have the spaces and punctuation removed (e.g., “JOANNE”, “JIANU”, “DARCY”)
  • To work around the removal of spaces, described above, a first name with a space (e.g. “JO ANNE”) may be entered as a first name and a middle name (e.g., “JO ANNE” is entered as “JO” and “ANNE”). This will appear as “JO ANNE” in the given_names attribute, which is indistinguishable from an individual whose first name is “JO” and whose middle name is “ANNE”. Similarly, a middle name with a space (e.g., “MARY LOU”) may be entered as two middle names (e.g., “MARY” and “LOU”). As such, spaces in the given_names attribute are not a reliable delimiter between names
  • Some legacy records have only an initial for a middle name (e.g., "J" for "James")
  • A mononym may be duplicated in this attribute and the family_name unless it has a space in it, in which case the first part may be recorded in this attribute and the second part in the family_name attribute

Family Names

Attribute: family_name
Format
  • Maximum 35 characters
Rules
  • Never blank
  • Family names over 35 characters are truncated
Notes
  • Last Names with spaces or punctuation (e.g., “St. John”, “O’Brian”, “van Cleef”, “Scott-Bigsby”) will have the spaces and punctuation included if the individual has a photo BC Services Card but removed if the individual has a non-photo BC Services Card
  • family_name unless it has a space in it, in which case the family_name attribute

Date of Birth Attributes

Date of Birth
Attribute: birthdate_dateint
Rules
  • Never blank

Address Attributes

Notes
  • All address attributes in a Person credential are for a single address
  • The address is the address provided by the individual or, for children, their guardian
  • The address is usually in BC, but may be in another part of Canada or in another country
  • The address in a Person credential is usually – but not always – both the residential and the mailing address of the subject
    • The address in the Person credential is the address provided by the individual (or, for a child, their guardian) when they first apply for MSP, when they renew their BC Services Card (generally required every 5 years), or when the individual notifies a BC Services Card program partner of a change to their address or updates their address through AddressChangeBC online.
    • Some individuals may provide another person’s address to HIBC or ICBC, e.g., young adults moving for university may continue to use their parent’s address
    • Some individuals may provide a Post Office Box
    • Individuals are legally required to notify HIBC and ICBC within two weeks of a change of address, but not everyone complies

Street Address

Attribute: street_address
Format
  • Maximum 66 characters, comprised of up to two rows of up to 32 characters each, with a carriage return/line feed pair ("\r\n") delimiting the rows
Rules
  • May be blank

Locality

Attribute: locality
Rules
  • May be blank

Region

Attribute: region
Format
  • For Canadian addresses, this will be a two-character Province or Territory code
  • For U.S. addresses, this will be a two-character State code
  • For other addresses, the format is not defined
Rules
  • May be blank

Postal Code

Attribute: postal_code
Format
  • Maximum 10 characters
  • Canadian postal codes will have a space, e.g., "V8V 3P6"
Rules
  • May be blank
Notes
  • This may be a US ZIP Code or a postal code of another country

Country

Attribute: country
Rules
  • May be blank

Other Attributes

Picture

Attribute: picture
Format
  • The picture is a 230 by 300 pixel portrait, in JPG format, in base 64 encoding in a Data URL
Rules
  • May be blank
  • Starting in Fall 2023, credentials will be issued with a picture if there is one on the individual’s current BC Services Card
Notes
  • During the initial pilot program, the Person credential was issued without a picture. Those credentials are to eventually be revoked and replaced with ones that include a picture
  • The image is a passport-style picture of the individual taken during the identity proofing event

Expiry Date

Attribute: expiry_date_dateint
Rules
  • Always blank – BC does not include an expiry date in its Person credential
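
A verifier-side check of revealed attribute values against the format rules documented in the Attributes section, pinned to the Cred Def ID from the Credential Overview. This is an added example, not code from the Government of British Columbia or the BC Wallet; the function name `check_person`, the dict shape, the representation of a blank attribute as an empty string, and the sample values are assumptions.

```python
import base64
import re

# Cred Def ID as published in the Credential Overview of this page.
CRED_DEF_ID = "RGjWbW1eycP7FrMf4QJvX8:3:CL:13:Person"
TEXT_RE = re.compile(r"[A-Z0-9\-'. ]*")  # A-Z, 0-9, hyphen, apostrophe, period, space
MAX_LEN = {"given_names": 47, "family_name": 35, "postal_code": 10}
TEXT_ATTRS = ("given_names", "family_name", "locality", "region", "postal_code", "country")
# Constructed sample of revealed attributes (not real data; dateint and country values assumed).
SAMPLE = {"given_names": "JO ANNE", "family_name": "O'BRIAN", "birthdate_dateint": "19900101",
          "street_address": "123 MAIN ST\r\nUNIT 4", "locality": "VICTORIA", "region": "BC",
          "postal_code": "V8V 3P6", "country": "CA", "picture": "", "expiry_date_dateint": ""}


def check_person(cred_def_id, attrs):
    """Return a list of deviations from the documented Person attribute rules."""
    problems = []
    if cred_def_id != CRED_DEF_ID:
        problems.append("cred_def_id is not the BC Person credential definition")
    for name in TEXT_ATTRS:
        value = attrs.get(name, "")
        if not TEXT_RE.fullmatch(value):
            problems.append(f"{name}: character outside the documented set")
        if len(value) > MAX_LEN.get(name, len(value)):
            problems.append(f"{name}: longer than {MAX_LEN[name]} characters")
    for name in ("family_name", "birthdate_dateint"):
        if str(attrs.get(name, "")) == "":
            problems.append(f"{name}: documented as never blank")
    # street_address: up to two rows of up to 32 characters, delimited by "\r\n"
    rows = attrs.get("street_address", "").split("\r\n")
    if len(rows) > 2 or any(len(r) > 32 or not TEXT_RE.fullmatch(r) for r in rows):
        problems.append("street_address: not two rows of at most 32 allowed characters")
    if attrs.get("expiry_date_dateint", "") != "":
        problems.append("expiry_date_dateint: documented as always blank")
    picture = attrs.get("picture", "")
    if picture:  # may be blank, e.g. credentials issued during the pilot
        head, sep, b64 = picture.partition(";base64,")
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            raw = b""
        # A JPEG file starts with the SOI marker FF D8.
        if not head.startswith("data:") or not sep or raw[:2] != b"\xff\xd8":
            problems.append("picture: not a base64 Data URL holding a JPEG")
    return problems
```

Run this only after the presentation's proof and non-revocation have been verified; it checks that the revealed values look like what this page documents, not that they are authentic.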