What data will Italy's new digital ID collect and who controls access?

Checked on December 5, 2025

Executive summary

Italy’s IT‑Wallet will store digital copies of existing identity and entitlement documents — notably driving licences, health insurance cards and disability cards — and link the public digital identity systems (SPID and CIE) with a state‑managed wallet infrastructure run through the IO app and state bodies such as the Department for Digital Transformation and IPZS (Italian State Printing Works and Mint) [1] [2]. Control of issuance and access is shared: documents are issued digitally by ministries and agencies (e.g., Ministry of Mobility, INPS), the wallet service is operated by the Department for Digital Transformation/PagoPA/IO app, and users authenticate via the public digital identities SPID or CIE — a federated model that leaves identity providers and public authorities as gatekeepers [1] [3] [4].

1. What data the new digital ID (IT‑Wallet) will carry — short, concrete list

The initial IT‑Wallet release lets citizens add digital versions of the Driving Licence, Health Insurance Card and Disability Card to the IO app; future plans include a broader set of civil, electoral and professional certificates and other “attributes” linked to identity [1] [5] [4]. The system therefore handles both biographic attributes (name, tax number, document details) and credential attestations (entitlement to health services, driving privileges, disability certification) [1] [2].

2. Who issues and controls those data

Issuance is allocated to the state and specific ministries/agencies: IPZS is responsible for digitally issuing documents while ministries (e.g., Ministry of Sustainable Infrastructures and Mobility) and INPS provide the data needed for specific credentials; the Department for Digital Transformation is the “owner institution” coordinating the system [1]. Users must log into the IO app using SPID or CIE credentials, meaning identity providers (SPID IdPs) and the state‑issued CIE are the primary authentication controllers in practice [1] [3].

3. Who controls access to documents in practice

Access control combines client‑side wallet storage on the IO app and backend verification by public services. Users activate and store documents in IO after authenticating with SPID or CIE; public bodies and accredited private entities will accept these digital credentials for services, so access depends on authentication via those national identity systems and on which public/private services accept the wallet [1] [3]. The federated model means multiple parties (IdPs, the Department for Digital Transformation, IPZS and service providers) collectively control gatekeeping functions [4] [1].

4. Privacy, security and interoperability questions raised by reporting

Reporting highlights that Italy’s model links biometric electronic identity (CIE) and federated SPID, and debates focus on security hardening and biometric authentication; commentators emphasize European interoperability and “attributes” but note privacy and specification frictions in the EUDI rollout [4] [5]. Independent reporting documents large‑scale adoption (tens of millions of SPID and CIE identities) and rapid uptake of wallet documents (e.g., >5.3 million active users and nearly 9 million digital documents activated since the Wallet feature launched), which raises the stakes for robust controls [2].

5. Risks signalled by other coverage (centralisation, fraud, trust)

Analysts point out systemic risks from a federated model and high adoption: duplication or “double SPID” scams and other frauds have previously exploited federated architectures, and critics urge better safeguards and cross‑provider verification — concerns echoed in wider European debates over wallet specs and privacy [6] [4]. High user numbers (IPZS/CIE, SPID totals) mean breaches would affect many citizens; reporting documents backlog, migration timelines and municipal digitisation pressure that interact with security and exclusion risks [2] [1].

6. Competing perspectives and implicit agendas

Government and implementing agencies frame the IT‑Wallet as convenience, reduced bureaucracy and compliance with EU EUDI obligations, and emphasise state ownership/operation via IO, PagoPA and IPZS [1] [3]. Technology vendors and IdPs have commercial interests in wallet integration and market share (noted indirectly in industry reporting) while privacy advocates and some technologists stress risks of centralisation, interoperability gaps and the need for stronger anti‑fraud measures [4] [6]. Sources explicitly identify the Department for Digital Transformation as the “owner institution,” underscoring a public‑sector agenda to accelerate digital delivery [1].

7. What reporting does not (yet) say

Available sources do not mention the full technical specification for selective disclosure or attribute minimisation (i.e., whether the wallet supports sharing only necessary data fields per transaction) beyond general references to “attributes” and debates over privacy in EUDI rollout [4] [1]. Sources also do not provide a comprehensive data‑flow diagram showing third‑party access, retention periods, or auditing/consent mechanics for each credential — details not found in current reporting [1] [4].

Bottom line: Italy’s IT‑Wallet stores digital versions of state‑issued documents and relies on the state‑run IO app plus SPID/CIE authentication; control is split across ministries, IPZS, the Department for Digital Transformation and identity providers, and reporting flags both rapid adoption and unresolved security, interoperability and privacy questions that remain to be specified [1] [2] [4].
