Global menu

Our global pages

Close

UK Government aims to lead on trust in Digital IDs

  • United Kingdom
  • Privacy, data protection and cybersecurity
  • Technology, Media and Telecoms

23-03-2022

DCMS invited calls for views in 2019 as part of a consultation on the use of Digital IDs in July last year. By way of background, UK government issued a Call for Evidence in 2019; the following year, it launched the digital identity and attributes trust framework, in February 2021 (which was subsequently updated in August last year).

On 10 March 2022, DCMS published its response to the consultation, views and comments received and resulting output (DCMS Response).

The DCMS Response underlines the importance of providing the means via which individuals can prove who they are in an online world - this has become increasingly important in the recent pandemic given the need to ‘social distance’ and use cashless payments. It is hoped that this, in turn, will enhance and maximise the opportunities presented in the digital economy (value estimated at £149 billion).

DCMS aims to achieve this by enabling the widespread use of secure digital identities (Digital IDs) and attributes, based on a range of trustworthy datasets. DCMS hopes that the ‘UK Digital ID and attributes trust framework and legislative proposals will lay the groundwork for the increased acceptance of Digital IDs across the UK.

The use of Digital IDs is already transforming key ‘life’ transactions such as buying a house, when people are required - often repeatedly and inefficiently - to prove their identity to a bank, conveyancer or estate agent, and buying age-restricted goods online or in person. The trust framework and Digital ID initiative seeks to streamline this, whilst adding significant protections for users.

UK Digital ID and attributes trust framework

The UK government ‘trust framework’ lays out a set of rules organisations should follow, including the principles, policies, procedures and standards governing the use of digital identity. The framework sets out areas such as:

  • how organisations should handle and protect people’s data
  • what security and encryption standards should be followed
  • how user accounts should be managed (e.g. when users are notified when changes are made to their account)
  • how to protect against fraud and misuse

It is intended that this framework will become law and determine how Digital IDs will need to be deployed and implemented to support the digital economy. In addition, organisations will be required to publish a yearly report explaining which demographics have been, or are likely to have been, excluded from their service and why. The move will help make firms aware if there are inclusivity problems in their products while also boosting transparency.

The framework also proposes to rely on a system of ‘vouching’, where trusted people within the community such as doctors or teachers ‘vouch for’ or confirm a person’s identity, as a useful alternative for those without traditional documents (e.g. passports and driving licences).

One Login for Government

An example of the UK government’s own Digital ID scheme is the ‘One Login for Government’ programme.

The One Login for Government programme will provide a single account for citizens to log in, prove their identity and access all central Her Majesty’s Government (HMG) services. It will:

  • enable more people to use more services online, improving inclusion and reducing reliance on offline routes,
  • simplify and accelerate application processes, and
  • reduce duplication and costs across government, including by preventing fraud.

Both the UK Digital ID and attributes trust framework and One Login for Government programme are being designed with privacy, security and inclusion at their centre to ensure the needs of the UK public are put first

In addition, from 6 April 2022, landlords, letting agents, and employers will be able to use certified new technology to carry out right to work and right to rent checks, digitally. This new technology will allow people to verify an individual’s Digital ID remotely, and more conveniently prove their eligibility to work or rent. The same technological process is also being enabled for Disclosure and Barring Service (DBS) pre-employment checks.

DCMS has sought to ensure that the consultation and associated responses centred around the following principles — privacy, inclusivity, transparency, interoperability, proportionality and good governance. The key to DCMS’s proposals will undoubtedly be dependent upon interoperability, consistency of standards and ease of use – i.e. how user-friendly the certification technology is, whilst, at the same time, balancing this with the need to prevent and limit fraud. The objective being to build and reinforce trust, whilst thwarting those seeking to steal and assume others’ identities and therefore commit ID fraud.

DCMS has decided to establish an interim governance function, within DCMS, provisionally named the ‘Office for Digital Identities and Attributes’ (ODIA). In due course, DCMS has indicated that it will actively seek a permanent location for the governance function as the market develops and it gathers data on the challenges associated with its operations.

How receptive were the responses to the concept of Digital IDs?

Of the 270 responses received, 134 (50%) indicated they were against Digital ID in principle (a large proportion did not engage with the specific questions raised and were therefore categorised as ‘against’ the proposal`). In response, DCMS has been quick to point out that, whilst not all potential users of Digital ID tools and products feel confident about its proposals, the government is not seeking to make Digital IDs mandatory (i.e. it is not attempt to introduce a citizen ID card). It is instead about ensuring such products and services are secure, developed with consistent standards in mind and include appropriate privacy enhancing technologies.

Interestingly, as some respondents pointed out, fraudulent use of identity is not itself an offence in law. Whilst the theft of another person’s identity is often a precursor to fraud, a recordable crime is only committed when a financial gain is made from the use of that person’s identity by another individual. This is intended to ensure that crimes are not double counted.

Accordingly, DCMS has confirmed there are currently no plans to introduce a new criminal offence of identity theft; existing legislation is deemed to be sufficient (this includes the Fraud Act 2006, the Computer Misuse Act 1990, the Identity Documents Act 2010 and the Data Protection Act 2018).

Comment and issues to consider

Philip James, Partner, Global Privacy & Cybersecurity Group, observes: “Digital ID is becoming an increasingly common cornerstone of transacting online, accelerated by the pandemic. Whilst Digital IDs present a great opportunity for facilitating digital economy growth - as well as preventing potential fraud - if implemented poorly, Digital IDs could significantly damage trust and privacy and prejudice the vulnerable; and, in a worst case scenario, could allow a fraudster to assume another’s ID (and even lock out) that individual from their own authorised account/life.” 

Emma Gordon, Partner, Corporate Crime & Investigations, comments: “Identity fraud costs the global economy billions. As a result of the vast amount of personal data shared online, fraudsters can obtain and use stolen identities with relative ease. With the huge increase of cybercrime (including identity fraud) during the global pandemic, we will watch these developments with interest to see to what extent these proposals in relation to secure digital identities maximise cybersecurity and minimise fraud.”

Gayle McFarlane, Partner, Technology and Global Privacy & Cybersecurity Groups, recommends that: “Organisations developing and/or using Digital IDs should ensure that they have carried out a full impact assessment to consider how they operate effectively and ethically within their broader data governance framework. This means that the benefit and ease of use of Digital IDs should be balanced against any potential adverse impact, particularly on marginalised communities.”

Wherever possible, a consultation with those affected and relevant user-groups, considering the benefits and potential disadvantages to users of services or employees as a whole (including less represented groups) is advised (if not essential). If the ID is biometric, for instance, an organisation will definitely need to carry out a data privacy impact assessment (DPIA), but it would likely be required beyond those specific use cases too - so these are important considerations, beyond the initial benefit.

In turn, Digital IDs may also assist and support the Online Safety Bill and Age Verification schemes (such as Age Check Certification Scheme (ACCS)).

The ACCS’ ‘Age Appropriate Design Certification Scheme’ (AADC), became the first UK Information Commissioner (ICO) approved criteria for the ICO Children's Code. As such, the ACCS can provide UK GDPR approved certification to businesses in scope of AADC. Similarly, its GDPR certification for Age and ID check providers has also received similar approval.

Where to now?

DCMS has stated that it is now proceeding with our plans to test the trust framework – firstly employing a certain volume and variety of applications for alpha testing; this will, in turn, inform the beta version. The beta test version will use data in real world scenarios to ensure the robustness of the trust framework.

Please contact the contributor(s) below or the appropriate member of our Privacy & Cyber Security or Fraud & Financial Crime teams if you have any queries about the DCMS Response, Digital IDs or any of the issues raised.

Return to the article series>