The UK government has published draft rules for digital identities in the private sector, with ‘sandbox-style’ testing on the cards ahead of finalised rules becoming law.
The ‘UK Digital Identity and Attributes Trust Framework’ includes principles, policies, procedures and standards governing the use of digital ID to allow for the sharing of information to verify citizens’ identities or personal details, such as their age or address, in a consistent way. Overall objectives include enabling citizens to prove who they are without needing physical documents such as passports and driving licences.
The framework contains standards and requirements for organisations that provide or use digital ID services including: having a data management policy that explains how they create, obtain, disclose, protect, and delete data; following industry standards and best practice for information security and encryption; and, where appropriate, having a detailed account recovery process and notifying users if organisations suspect someone has fraudulently accessed their account or used their digital ID.
The framework – unveiled by the Department for Digital, Culture, Media and Sport (DCMS) following a consultation and roundtables – also promotes the use of ‘vouching’, where trusted people such as doctors or teachers ‘vouch for’ or confirm a person’s identity, as an alternative for those lacking hard-copy documents.
‘Cornerstone of future economies’
Having an agreed digital ID that citizens can use easily and universally will be the ‘cornerstone of future economies,’ digital infrastructure minister Matt Warman writes in the draft framework’s foreword.
The government is seeking feedback by 11 March, after which a second iteration – which will contain details of how organisations will be certified – will be published ‘in short order’. There will then be ‘sandbox-style’ testing.
Rules will be ‘outcome based’, recommending that digital ID suppliers follow ‘open technical standards to strengthen interoperability between participants’. This should enable digital ID providers ‘to focus on innovating and developing products and services that work best for users, without being restricted to using certain technologies’.
DCMS plans to consult on the framework’s legal underpinnings later this year but – at present – it is undecided who will oversee the finalised framework. ‘The trust framework would be owned and run by a governing body established by the government,’ the government says.
‘Lack of reliable digital ID severely limiting UK’
Publication of the framework comes amid growing pressure to establish the UK’s digital ID governance regime.
Policy Exchange, a Westminster think-tank, published a 60-page report last October that described ‘the lack of reliable digital ID services [as] a severe limitation to the UK’s digital infrastructure’.
Just last month the head of the UK’s Pension Dashboards Programme (PDP) told Global Government Fintech that the absence of a national digital ID scheme was one of the PDP’s biggest challenges.
The PDP is aiming to make pensions dashboards – digital interfaces that enable citizens to access all their personal pensions data in one place – live in the UK from 2023, and Curry described the importance of the UK having a “robust, reliable and trusted ID verification service that isn’t too onerous for people to use”. He that the PDP planned to work with government and private sector to “make sure that we get the best ID solution – and make sure it’s flexible enough for what is likely to come in the future”, adding that “almost certainly there will be some form of national digital ID and we want to make sure that when that arrives we can take advantage of it.”
Trust framework ‘central’ to single sign-on target
At present, public sector institutions and government departments operate different digital ID schemes. These include Gov.UK Verify, the much-criticised platform launched by the Government Digital Service (GDS) almost five years ago.
In a speech last September, Cabinet Office minister Julia Lopez said the government’s “vision is for members of the public to be able to access any online central government service simply, safely and securely using a single sign-on”.
The government describes the trust framework as ‘central’ to the GDS’s work with other departments to develop a new cross-government single sign-on and identity assurance solution.
Cabinet Office minister Michael Gove last week wrote to government departments saying that ‘all public-facing central government services should migrate onto [a common digital ID system] and legacy systems will be phased out’, according to Computer Weekly.
*** The government-owned Post Office this week announced a partnership with digital ID and biometric tech company Yoti that will see the rollout of products including a free app that uses biometrics to create an ID on a person’s mobile phone. Almost four million UK citizens hold a Post Office Gov.UK Verify account.
Trust frameworks ‘gaining traction globally’
Citing developments in Canada, Australia, Sweden and New Zealand, the UK government describes digital ID trust frameworks as ‘gaining traction globally’.
The UK government says it plans to ensure the country’s standards are interoperable with those abroad, ‘so in the future [citizens] can use [their] digital ID around the world and UK businesses can trust digital identities created elsewhere’.
The Digital Identification and Authentication Council of Canada (DIACC) announced the launch of the ‘Pan-Canadian Trust Framework’, a set of digital ID and authentication industry standards, five months ago. Meanwhile in Switzerland the electorate will vote on legislation introducing a federally recognised electronic identity, the e-ID, on 7 March.