
This would go away if governments had safe, secure and unique identifiers for all individuals that would have all the necessary data attached to it and stored safely by the government. That way, the only thing a business needs to collect is your unique ID and some secure token controlled by the individual that allows the third party to confirm your data with the government. This whole "privacy" thing is probably a solvable problem if we think outside our comfortable box, but instead we're trying to optimize in the local maxima we've already inherited.


Exactly, it should be like an API token or a signed blob, that allows the ID owner X (the student) to ask the verifier V (part of Govt) to verify ID for query entity Q. This string can be checked by those holding the private key for Q.

X:Q = V->generatepair(Qpub) // Generate a unique ID string for interacting with the university. Not confidential, because not verifiable by anyone.

Tok = V->encode(Xpriv, X:Q, Qpub, property:FullName, Vpriv) // Generate a token string unique to the pairing of X:Q, for a specified property like FullName, signed by the verifier.

FullName = decode(Tok, Xpub, Qpriv) // The query entity (university) can decode this blob, but no one else can.

If the Q loses confidentiality of Qpriv and all the Tok, then that data is lost. But having that doesn't let the attacker prove they are X to a different entity.

I'm sure more rigorous schemes have been thought out, but there is so much inertia in changing anything.
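
One concrete reading of the scheme sketched in the comment above, as an added example that is not part of the thread or any commenter's code: V derives a per-Q pseudonym, encrypts the property to Q, and signs claims that name Q as the audience. It substitutes a V-held HMAC secret for the `Xpriv`/`Xpub` inputs, and every function name, algorithm choice (Ed25519, RSA-OAEP) and sample value is an assumption.

```javascript
// Added illustration; issueToken, openToken, pairwiseId and fingerprint are hypothetical names.
const { generateKeyPairSync, createHmac, createHash, sign, verify,
        publicEncrypt, privateDecrypt } = require('node:crypto');

// SHA-256 of a public key's DER encoding, used as the audience identifier for Q.
const fingerprint = (pub) =>
  createHash('sha256').update(pub.export({ type: 'spki', format: 'der' })).digest('hex');

// X:Q, a per-relying-party pseudonym. Without V's secret, two Qs cannot link their IDs.
const pairwiseId = (vSecret, subject, qPub) =>
  createHmac('sha256', vSecret).update(`${subject}|${fingerprint(qPub)}`).digest('hex');

// V: encrypt the property value to Q (RSA-OAEP), then sign claims that name Q as audience.
function issueToken(v, subject, qPub, prop, value) {
  const claims = {
    sub: pairwiseId(v.secret, subject, qPub),
    aud: fingerprint(qPub),
    prop,
    enc: publicEncrypt(qPub, Buffer.from(value)).toString('base64'),
  };
  const sig = sign(null, Buffer.from(JSON.stringify(claims)), v.signKey.privateKey);
  return { claims, sig: sig.toString('base64') };
}

// Q: verify V's signature, check the token was issued for this Q, then decrypt.
function openToken(token, vPub, q) {
  const body = Buffer.from(JSON.stringify(token.claims));
  if (!verify(null, body, vPub, Buffer.from(token.sig, 'base64'))) {
    throw new Error('bad signature');
  }
  if (token.claims.aud !== fingerprint(q.publicKey)) throw new Error('wrong audience');
  const value = privateDecrypt(q.privateKey, Buffer.from(token.claims.enc, 'base64'));
  return { sub: token.claims.sub, [token.claims.prop]: value.toString() };
}

// Constructed demo parties: V (government verifier), Q1 (university), Q2 (unrelated entity).
const V = { secret: 'constructed-demo-secret', signKey: generateKeyPairSync('ed25519') };
const Q1 = generateKeyPairSync('rsa', { modulusLength: 2048 });
const Q2 = generateKeyPairSync('rsa', { modulusLength: 2048 });
const tok = issueToken(V, 'citizen-0001', Q1.publicKey, 'FullName', 'Alice Example');
console.log(openToken(tok, V.signKey.publicKey, Q1));
```

A token replayed to Q2 fails the audience check, and rewriting `aud` breaks V's signature, which is the "can't prove they are X to a different entity" property the comment describes.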



