The Gov needs to specify how document identifiers are stored by organizations, not just that they be used for user verification, and retained for possible audit or law enforcement purposes.
One way is the document ID is encrypted with the Gov issuer’s public key and then stored by the business. The original plain text is discarded.
Only the issuer will know the related private key to decrypt it.
If the, say, passport ID needs to be checked against user information held by a business, then the encrypted version will need to be sent to the passport issuer for decryption. Same for medicare, licence, etc.
Another way is to only store a hash of the original. The business again discards the original ID. Only the document holder, and the document issuer will know the original ID used to create the hash value.
In both cases a data breach of a business will not reveal document IDs that could be used by hackers.
The business could of course not have user verification functions that relied on users providing IDs in plain text against data held in their databases in the encrypted case, but hashing certainly yes since the hash value will match.
