Government response to the digital identity and attributes consultation
Updated 3 February 2023
Ministerial foreword
The digital economy offers a wealth of options for supporting and enriching our personal and professional lives. It is essential that people from all walks of life have the secure means and the confidence to prove things about themselves in this digital environment, and for others to be able to trust that proof as easily when transacting online as they do when dealing with others in the physical world.
Enabling the widespread use of secure digital identities and attributes, based on a range of trustworthy datasets, is the way we can achieve this. The UK digital identity and attributes trust framework and legislative proposals will lay the groundwork for the increased acceptance of digital identities across the UK. From making purchases, to starting a new job, or moving house, the ability for people to prove things about themselves digitally will provide more convenience, choice, and security in how they access products and services across the UK economy. This government is committed to unlocking the power of data to further enrich all of our lives, as set out in the National Data Strategy.
The government is delivering a wealth of interlinked policy initiatives to prepare the UK for the digital world. An example of this is the One Login for Government programme. The One Login for Government programme will provide a single account for citizens to log in, prove their identity and access all central HMG services. It will enable more people to use more services online, improving inclusion and reducing reliance on offline routes. It will simplify and accelerate application processes. And it will reduce duplication and costs across government, including by preventing fraud.
Both the UK digital identity and attributes trust framework and One Login for Government programme are being designed with privacy, security and inclusion at their centre to ensure the needs of the UK public are put first.
Additionally, from 6 April 2022, landlords, letting agents, and employers will be able to use certified new technology to digitally carry out right to work and right to rent checks. This new technology will allow people to verify their identity remotely, and more conveniently prove their eligibility to work or rent. The same technological process is also being enabled for Disclosure and Barring Service (DBS) pre-employment checks.
A secure and trusted UK digital identity and attributes framework will support those who want and need to verify things about themselves not just domestically but across international borders. Our proposals will pave the way for international collaboration to enhance digital trade opportunities, and ensure an open, thriving, and safe international digital environment for people living and working in the UK and abroad, as well as for UK-based businesses wanting to operate internationally.
We have been encouraged by the number of people, organisations, and advocacy groups who have engaged with our proposals thus far, and we would like to thank those who replied to the consultation for taking the time to help us get the next steps right. Throughout the journey, we have made a concerted effort to consult stakeholders from as many quarters as possible. We have engaged with industry representatives and civil society, and worked hard with everyone to make sure the proposals we set out in the consultation were based on our principles for digital identity — privacy, inclusivity, transparency, interoperability, proportionality and good governance. Trust is essential for driving innovation, and it is vital that digital identities can be trusted by business, public bodies and most importantly by individual users. These principles and the proposals contained in this document will ensure people can trust digital identities.
Julia Lopez MP
Minister of State for Media, Data and Digital Infrastructure
Heather Wheeler MP
Parliamentary Secretary, Cabinet Office
Executive summary
The digital identity and attributes consultation was published on 19 July 2021 and brought together our key legislative proposals within a single document. The consultation was not intended to offer the final answer, but a route to seek views and feedback on our proposed approach to enabling the use of digital identities and attribute services in the UK economy.
This response provides an overview and analysis of key findings from the consultation. We received 270 responses from across the spectrum of likely end users including identity and attribute providers, relying parties, industry bodies, regulators, civil society, public bodies, and members of the public.
The government will seek to introduce legislation on measures detailed in this response when parliamentary time allows.
Those who responded directly to the questions we asked in the consultation welcomed our proposals for strong governance arrangements to underpin the trust framework. Respondents broadly agreed that such arrangements would help instil trust and confidence in the new system, providing a solid platform to make the most of the opportunities presented by the use of digital identities and attributes.
We noted that feedback from respondents concerning the location of a governance function was not conclusive, and that respondents were keen for governance arrangements to be flexible and proportionate as the standards of the trust framework evolved in response to the maturing market. We have therefore decided to establish an interim governance function within DCMS, to be named the Office for Digital Identities and Attributes (OfDIA). We will actively seek a permanent location for the governance function as the market develops and we gather data on the challenges associated with its operations. The interim governance function will work closely with industry, civil society and many other key stakeholders throughout this process.
We will seek to introduce legislation, when parliamentary time allows, that will enable a robust accreditation and certification process. This will allow organisations to prove their adherence to the rules of the trust framework. Organisations certified against the trust framework will be given a trust mark to demonstrate their compliance and will be defined as being a trust-marked organisation. Details of these organisations will be published by the governance function in a list of trust-marked organisations which will be publicly viewable.
Respondents were supportive of allowing trusted organisations to be able to complete checks against government-held data, noting that this would ensure greater adherence to high standards of security and privacy overall. We will seek to introduce legislation, when parliamentary time allows, that will give public bodies, that is government departments and agencies, the power to allow checks against personal data they hold — with people’s agreement — by trust-marked organisations.
A proposal to affirm the legal validity of digital forms of identification in legislation was well supported by respondents to give organisations the confidence to invest and innovate in digital products and services, and give relying parties confidence that data shared with them through the legal gateway can be relied upon. We will seek to introduce legislation, when parliamentary time allows, which will establish that data held by public bodies which is then shared digitally through the legal gateway, is equivalent to the same data shared through traditionally accepted forms of identification, such as physical passports.
Is the government proposing a system which could lead to the introduction of mandatory ID cards?
Many of the individuals who responded to the consultation said they were against digital identities in principle. The government has heard this and has no plans to make the use of digital identities compulsory. The government also understands that there is no public support for ID cards in the UK and has no plans to introduce ID cards.
The proposals brought forward in this document will not require the introduction of ID cards. They are limited instead to creating trust and confidence in digital methods of proving identity and eligibility. This means that, when it suits people to prove things about themselves or others on the basis of a digital identity, this can be achieved with as much ease and security as is offered by physical proofs of identity such as a passport.
1. Introduction
This is the government’s analysis of responses to the digital identity and attributes consultation. This builds on previous government activities and engagement, including a Call for Evidence in 2019 and the launch of the digital identity and attributes trust framework in February 2021.
Our proposals
The proposals contained within the July 2021 digital identity and attributes consultation set out the legislative measures and policy interventions needed to enable a secure and trusted digital identity market for the UK economy. It sought views from respondents on how we can best achieve this. Our proposals came in three parts.
Proposal 1: Creating a digital identity and attributes governance framework
We outlined a possible model of governance for trust framework participants designed to enable innovation while protecting people’s data and privacy. The government’s aim is to provide effective and proportionate governance in order to build a trusted ecosystem for the safe use of digital identities and attributes across the economy. In order to achieve this we set out a series of high level objectives and functions for governance which will underpin the trust framework.
We envisaged the governance function as one which would ensure that participation in the trust framework was based on a robust accreditation and certification process, along with ongoing monitoring for compliance and performance. Through collaboration with stakeholders and regulators, the trust framework would be kept up-to-date and refreshed as the market develops.
Proposal 2: Enabling a legal gateway between public and private sector organisations for data checking
We set out our intent to create a permissive legal power to allow digital identities and attributes in the UK to be built on a greater range of trustworthy datasets. We asked how best to allow government-held attributes to be checked for eligibility, identity, and validation purposes. This gateway would not compel government data holders to allow such checks, but rather would give them the power to do so if they see fit.
Proposal 3: Establishing the validity of digital identities and attributes
We outlined a proposal to introduce a statutory presumption affirming that digital identities and digital attributes can be as valid as physical forms of identification or traditional identity documents. This would support our commitment to increase choice and user confidence in the legal validity of digital identities and attributes, alongside the physical proofs of identity that businesses and individuals already trust.
Scale of responses
The digital identity and attributes consultation received 270 responses. This consists of 92 responses from organisations and 178 responses from individuals. The vast majority of responses received came through the online survey, but there were a small number of responses received via the email address provided in the consultation privacy notice. The majority of emailed responses we received provided a question by question response, but there were a small number of emailed responses that gave an overall opinion on our proposals.
Of the 270 responses received, 134 (50%) indicated they were against digital identity in principle. The vast majority of responses that indicated they were against digital identity in principle came from individuals who did not engage with the substance of the consultation. We counted a respondent as against digital identity in principle if their comments indicated that they were against any form of digital identity and they did not engage with the consultation questions, or if their opposition was predicated on claims which were not substantiated by the facts set out in the consultation, for example if they claimed digital identities are going to be made mandatory for all people and opposed our proposals based on that false assertion. For the purposes of statistical analysis of the questions in the consultation, we have not included the 134 responses that did not engage with the questions. Nevertheless, outside the context of producing the statistical analysis, we have taken these responses into account as part of this consultation exercise. We will continue to work to address the types of concerns these respondents raised in our future policy decisions and communications, for example, as we strengthen the standards of the trust framework as we iterate from alpha to beta.
Separately, we have also removed from the statistical analysis of each question individual responses that did not answer the particular question being asked, such as by discussing something unrelated to the question, or by leaving the response area blank. Though we have read and considered these responses, we have not been able to include them in the final analysis. Therefore, the number of responses received, stated at the beginning of each question, will vary.
For each question, we have given as a percentage the number of respondents who highlighted a common theme. The sum of the percentages of the different themes highlighted in responses will not always total 100%. This is because the vast majority of questions in the consultation were open-ended which allowed respondents to raise multiple themes in their response to a question.
The consultation feedback shows that not all potential users of digital identity tools and products feel confident about the government’s proposals. We want to reassure people that the government is not seeking to make digital identities mandatory. Instead our proposals are designed to make digital identities and attributes secure and trusted, with robust procedures enshrined within the trust framework to protect personal data, so that users can have extra choice about how they prove things about themselves when they want to access products and services.
2. Summary of feedback received and government response
This section summarises the feedback received against each of the 25 consultation questions, along with the government’s response.
Proposal 1: Creating a digital identity governance framework
Questions 1-19 of the consultation asked for opinions on possible governance arrangements for implementation of digital identities and attributes. In the consultation, we suggested that an existing regulator might house the governance functions of the digital identity trust framework. Feedback received against each question and the government response are detailed below.
Overall, feedback from consultees (and more general stakeholder engagement) supports our proposal for governance to be placed in an existing regulator. However, feedback has not been conclusive on which existing regulator should house this governance function.
Whilst some respondents suggested the Information Commissioner’s Office (ICO) as a possible home for governance functions, other respondents disagreed. Some respondents argued that a regulatory remit on universally applicable law, such as that held by the ICO, is distinct from the role of a governance function for a non-mandatory initiative. Others felt placing governance responsibility in any regulator might cause confusion.
While the inconclusiveness of the responses stems in part from the differing perspectives of different types of respondents, it also relates to the fact that as yet, the trust framework-supported digital identity marketplace does not exist. As a result, determining the optimal governance arrangements is challenging.
However, what is clear from the responses we received is that we cannot wait for the market to develop before attaching governance to the working of the trust framework. Such oversight is necessary for ensuring the public can have trust in the digital identity market.
Questions 1-4: details of feedback received
Question 1: Do you agree an existing regulator is best placed to house digital identity governance, or should a new body be created?
This question received 101 responses. 57% of respondents agreed with this proposition, with 35% disagreeing, 7% not expressing a strong view either way and 1% providing a no/neither response.
However, there was some nuanced feedback. 19% of respondents highlighted the issue mentioned previously: that regulatory and governance roles are distinct and should not be confused. Further, some respondents argued that the case for having governance arrangements for what is essentially a voluntary framework is a questionable ambition. Some suggested that the initiative would be best served by industry-funded governance arrangements sitting outside of government.
Question 2: Which regulator do you think should house digital identity governance?
This question received 98 responses. The picture here was very mixed. The most frequently named regulator was the ICO. 47% of respondents suggested it as their preferred governance solution. However, 30% of respondents who did suggest the ICO as their preference expressed some reservation about its suitability (for instance naming it in the context of an overall preference for a new body). A further 13% of respondents expressed doubts about or rejected the ICO as an option, some citing its resource challenges, others questioning its suitability given its particular regulatory remit. 17% specified other regulators or public bodies, including the Security Industry Authority, the Department for Work and Pensions, Her Majesty’s Revenue and Customs, and the Financial Conduct Authority. 13% indicated that they were unsure or had no preference. 19% felt that a new regulatory body should be formed and 4% indicated the body should be impartial and independent.
The responses to questions 1 and 2 do not provide conclusive evidence for a particular governance home; however, they do provide a wealth of useful insight.
Question 3: What is your opinion on the governance functions we have identified as being required: is anything missed or not needed, in your view?
This question received 93 responses. 47% of respondents provided positive feedback on the proposed functions. 25% highlighted interoperability as an important additional function, with 16% mentioning collaboration. Importantly, 18% felt promotional and educational activities about digital identity should be central to the governance role. 10% suggested inclusion responsibilities.
14% of respondents felt some of the proposed functions were unclear and sought more clarity. 32% of responses proposed additional regulatory responsibilities. 6% of respondents also raised citizen redress issues and a further 5% mentioned issues around the auditing and monitoring process. Once again, however, there were some suggestions that governance and regulatory or enforcement roles were not usefully co-located.
Question 4: What is your opinion on the governing body owning the trust framework as outlined, and does the identity of the governing body affect your opinion?
This question received 85 responses. 61% of respondents indicated a positive opinion of the governing body owning the trust framework, with 4% providing a negative opinion of this proposition. 39% of respondents also commented that the identity of the governing body would affect their opinion whereas 20% said that it would not.
Again, a further 18% of respondents connected this question with the issue of regulatory scope versus governance responsibilities. Some of these respondents stated that ownership of the trust framework and regulation issues — such as the enforcement of universally applicable law (on data protection matters for example) and the investigation of relevant complaints — should be kept separate. Respondents noted that, even though the trust framework is not mandatory, there is a risk that locating governance of the trust framework in a regulator may lead to confusion on the obligation of digital identity providers and services to adhere to the trust framework. A small number of respondents (5%) wanted an even tougher regulatory framework.
In responses to this question, as well as elsewhere in the consultation, there was also an appetite for ‘co-creation’: that the evolution of the trust framework should feature input from industry and civil society stakeholders.
Questions 1-4: Government response
We will establish an interim governance function in the Department for Digital, Culture, Media and Sport, to be named the Office for Digital Identities and Attributes (OfDIA). This function will stand up a governance and coordinating role for the trust framework (which will not itself be set in legislation) and the trust mark. Working with the UK Accreditation Service and certifying bodies, it will own the list of trust-marked organisations. The list of trust-marked organisations will be publicly available to give organisations and end users the opportunity to verify that the provider they are interacting with is trust framework certified.
In discharging these functions, detailed throughout this response, the governance function will be committed to uphold and pursue clear principles, including inclusion, co-creation, and the promotion of innovation and growth. It will work with stakeholders in the development and refinement of its operations. As the market matures, and data on the challenges associated with its operations is generated, the path to a permanent institutional arrangement should become clearer. We will again involve stakeholders in developing the permanent solution.
Question 5: details of feedback received
Question 5: Is there any other guidance that you propose could be incorporated into the trust framework?
This question received 70 responses. 24% of respondents indicated they had no further guidance to suggest. 24% of responses highlighted interoperability with international standards and partners[footnote 1] and 10% referenced Good Practice Guide 45. 9% suggested guidance on inclusion and 4% mentioned transparency guidance. 41% of respondents suggested other additional pieces of guidance with wide ranging recommendations, such as guidance on auditing to ensure consistency across service providers, and guidance for service providers on how to help marginalised groups.
Government response
We were pleased to see a number of responses highlighting there was no need for further guidance within the trust framework, with some particularly welcoming the incorporation of Good Practice Guide 45. We have also noted the emphasis on security in many of the responses and we continue to see the incorporation of up-to-date security requirements as paramount to the success of the trust framework.
Some respondents suggested incorporating guidance or standards which are already part of the trust framework. To make it easier for readers to see which standards and guidance have already been incorporated we have included a full table in the most recent iteration of the trust framework published in August 2021. Where individual pieces of guidance were referenced that aren’t already incorporated into the trust framework they will be considered as the trust framework is iterated from alpha to beta. The trust framework testing process will inform any further action related to additional guidance.
Question 6: details of feedback received
Question 6: How do we fairly represent the interests of civil society and public and private sectors when refreshing trust framework requirements?
This question received 92 responses of which 45% of respondents suggested that stakeholder representation on committees, boards or advisory groups would help to achieve this. 54% proposed continued engagement with stakeholders. 12% highlighted transparency measures and 12% pointed to inclusivity. 2% of responses suggested engagement with professionals in the digital identity space and 5% highlighted more user control of their data. 21% of responses provided other suggestions with a range of options.
Government response
Respondents highlighted a number of ways that we could fairly represent the interests of civil society, and public and private sectors as the market matures. Respondents also drew attention to our collaborative approach to the development of the trust framework and wider digital identity policy, and called for this approach to continue.
In order to help ensure the robust development of our policy, our approach has been underpinned by open and collaborative engagement with stakeholders across the public and private sectors, academia, and civil society. We strongly believe this approach helps us to ensure our policies are fit for purpose and future-proof.
We will continue to engage with a diverse range of stakeholders throughout the public and private sectors and civil society. This will include, but is not limited to, existing expert advisory groups, a range of organisations of different sizes and across different sectors, and different consumer advocacy groups. We will also ensure that the interim governance function continues this engagement to ensure trust framework requirements fairly represent stakeholders across the digital identity and digital attributes market.
Question 7: details of feedback received
Question 7: Are there any other advisory groups that should be set up in addition to those suggested?
This question received 81 responses. 60% of responses said yes and provided further information about what an advisory group should be responsible for, but did not name a group that was doing this work already. Conversely, 20% of responses said that no additional advisory groups should be set up. 14% of respondents specified an existing group for consideration and 6% said they were unsure.
Government response
The majority of responses to this question advocated the need for representation from across the digital economy to provide advice to the governance function as the digital identity market develops. The government will consider options for a digital identity advisory group, including the best time for it to be established. We will test these options openly with stakeholders to ensure that a range of voices are represented within the potential advisory group.
Question 8: details of feedback received
Question 8: How should the government ensure that any fees do not become a barrier to entry for organisations while maintaining value for money for the taxpayer?
This question received 94 responses. Responses to this question, on which 77% of respondents gave a range of fee and pricing suggestions, were inevitably affected by the absence of a fully functioning digital identity marketplace. Respondents speculated about issues such as what premium organisations might attach to the trust mark; how that would be affected by market density; what price elasticity would be in play; how far onerous charging regimes would stifle provider innovation (35% of respondents were keen to see smaller providers protected); and the potential role of technology (cited by 2% of respondents). 17% of respondents advocated additional research, while 23% suggested that, at least in the first instance, relevant costs should be borne by the taxpayer.
Government response
The government will use the period of DCMS governance to engage with organisations and certifying bodies to explore charging options, with the intention being that organisations are charged an annual membership fee by the governance function. In all cases, the cost of certification against the trust framework will be borne by the organisations seeking it. The establishment of the governance function in DCMS will allow the government to bear a substantial proportion of the other costs, at least initially. The commitment of the governance function to principles of growth and innovation will help ensure that any pricing models are proportionate and do not have an unduly restrictive effect on market access.
Questions 9-12: details of feedback received
Question 9: Do you agree with this two-layered approach to oversight where oversight is provided by the governing body and scheme owners?
This question received 82 responses. 77% agreed with this proposition, with 13% disagreeing, while 10% sought more clarity on the issue. The separation of governance tasks from those of regulation was cited. Some respondents highlighted the complications flowing from a two-layered approach and suggested that role-definition in the arrangement would need to be clear. These points link to question 10.
Question 10: Do you agree the governing body should be an escalation point for complaints which cannot be resolved at organisational or scheme level?
This question received 81 responses. 90% agreed with this proposition, with 10% disagreeing. There were significant nuances within the responses relating to the relationship between regulation and governance. Some respondents specified that complaints would best be handled by a governance function not a regulator. Others made the opposite point. Responses were also linked in part to the issues considered in question 11.
Question 11: Do you think there needs to be additional redress routes for consumers using products under the trust framework? If yes, which one or more of the following?: a) an ombudsman service; b) industry-led dispute resolution mechanism (encouraged or mandated); c) set contract terms between organisations and consumers; d) something else.
If no, do you think the governing body should reserve the right to impose an additional route once the ecosystem is more fully developed?
This question received 96 responses. 79% of responses indicated there should be additional redress routes for consumers, with 21% disagreeing with this. In terms of the additional redress routes suggested, 54% selected a governing body-led Ombudsman service, 32% suggested set contract terms between organisations and consumers, and 25% favoured an industry-led dispute resolution mechanism. 13% of respondents suggested that the Ombudsman service should not be ‘governing body-led’ but wholly independent. 7% of respondents wanted additional redress routes. Respondents referenced the need to distinguish between (legal) regulatory redress and trust framework (optional, governance) redress.
Question 12: Do you see any challenges to this approach of signposting to existing redress pathways?
This question received 54 responses. Although 33% of respondents indicated they did see challenges with this approach, many of them were not opposed to it in principle, merely observing that there are always certain issues inherent in signposting (clarity of information and avoidance of confusion, potential cost implications, the need for seamlessness). 67% said they foresaw no problems with this approach.
Questions 9-12: Government response
Questions 9-12 provided extensive insight on how respondents view the potential operation of complaints and redress within the trust framework.
The digital identity trust framework will operate within the constraints and obligations of existing law. We anticipate, as many respondents have argued, that most issues affecting users of identity and attributes solutions would thus be covered by redress arrangements that are already available, from escalation of data breaches to the ICO, to recourse to contract law, and, once in place, redress relating to the use of certain technologies, such as age assurance, under the forthcoming Online Safety Bill.
This still leaves to be addressed any organisational breaches of trust framework rules that are not covered by existing legislation.
Accordingly, the government proposes to provide signposting support within the governance function for complaints to existing regulatory and redress channels. In cases where the trust framework itself has been breached, a trust-marked organisation’s compliance with the trust framework will be investigated by the relevant certification body.
We will keep under review the types of complaints received and will take further action if additional capacity or modes of redress are needed.
Question 13: details of feedback received
Question 13: How should we enhance the ‘right to rectification’ for trust framework products and services?
This question received 68 responses. 22% of responses suggested transparency and clear rules, 6% mentioned easier access routes for consumers and 19% indicated there should perhaps be shorter time frames for rectification than what is required under UK GDPR. 7% suggested an alternative dispute resolution or ombudsman type process and 21% provided other suggestions. 40% of responses commented that no further additional rules were needed.
Government response
The interim governance function will keep the matter under review during the early trust framework operations, to see whether enhancements are needed to build trust amongst businesses and individuals.
Question 14: details of feedback received
Question 14: Should the governing body be granted any of the following additional enforcement powers where there is non-compliance to trust framework requirements? a) Monetary fines; b) Enforced compensation payments to affected consumers; c) Restricting processing and/or provision of digital identity services; d) Issue reprimand notices for minor offences with persistent reprimands requiring further investigation.
This question received 82 responses. 63% of respondents selected monetary fines, 66% indicated enforced compensation payments, 71% chose restricting processing and/or provision of digital identity services, and 72% selected the issuing of reprimand notices for minor offences. 13% of responses gave suggestions of additional powers. 6% of respondents said there should not be any additional enforcement powers granted. Some responses talked about a distinction between regulatory competence and governance oversight.
Government response
There are two categories of complaints for which enforcement action may be needed: those which are covered by existing legislation, for example data protection breaches, and those which constitute a breach of the trust framework not covered by existing law, for example if GPG 45 was incorrectly applied.
Due to the voluntary nature of the trust framework, we do not wish to go beyond existing law in areas in which it applies. Instead, the governance function should defer to the existing regulator for that area.
Where complaints focus solely on issues about trust framework breaches, rather than breaches of existing law, the governance function will liaise with the certification body who provided certification, as such an issue may be a breach of certification requirements.
In either case, if the breach is deemed serious enough then removal from the publicly visible list of trust-marked organisations will be the ultimate sanction, along with retraction of the trust-mark. As per the response to Question 20, removal from this list will also entail organisations no longer being able to make checks against government data under the new legal gateway.
We will keep under review whether this is sufficient as the market develops.
Question 15: details of feedback received
Question 15: Should the governing body publish all enforcement actions undertaken for transparency and consumer awareness?
This question received 94 responses. The majority of respondents (72%) said yes to this proposal, whereas 14% said no. A further 14% said yes but caveated their stance with additional considerations. These included the need to ensure that reporting was proportionate and wasn’t an undue reputational disincentive to participation in the trust framework. Other respondents highlighted the effectiveness of dispute resolution mechanisms that focused on improvements without creating a ‘blame culture’.
Government response
The government will be as transparent as possible about problems and failings. In the early operation of the trust framework, the interim governance function will work with providers, industry and civil society representatives on how transparency can be achieved without creating disincentives or reducing the pragmatic focus on optimising compliance.
As set out in the response to question 14, removal from the list of trust-marked organisations is the ultimate sanction the governance function will apply. This list will be publicly viewable and as such enforcement action will be inherently visible.
Question 16: details of feedback received
Question 16: What framework-level fraud and security management initiatives should be put in place?
This question received 82 responses. 38% of responses indicated existing domestic and international standards and guidance, 29% of respondents supported the establishment of information sharing structures with and between trust framework participants and key stakeholders and 22% supported engagement with experts/industry/regulators. A further 6% proposed biometric security features.
Many respondents supported the proposal set out in the consultation for the governance function to set up information sharing structures with and between trust framework participants and key stakeholders to maximise security and minimise fraud. They considered it to be a practical and appropriate measure to safeguard users and organisations.
Several organisations stated that it was crucial that the trust framework used existing international standards rather than ‘reinventing the wheel’. They argued that this would enable greater system and international interoperability of digital identity solutions.
Respondents highlighted the importance of keeping fraud and security requirements flexible and subject to frequent reviews and updates. This was said to be important both because new fraud strategies will emerge and because digital identity services are still in their infancy.
Respondents suggested that the fraud and security requirements should be developed and updated in conjunction with relevant stakeholders. In particular, they suggested that law enforcement agencies, industry organisations and civil society organisations should be involved.
Some respondents, the majority members of the public, suggested that there should be changes to the legal status of identity theft, making it into a crime in its own right. They considered this to be the only way to appropriately deter fraudsters.
A number of respondents demonstrated concern that the digital identity and attributes trust framework trust mark could be fraudulently used. They noted that there would be incentive for organisations to maliciously replicate the trust mark in order to obtain trust from users and misappropriate their data.
Government response
We are exploring potential formats for an information sharing function to enable the detection and prevention of fraud and security incidents. As stated in the consultation, we will use and learn from existing sharing initiatives as appropriate, such as the National Cyber Security Centre’s Cyber Security Information Sharing Partnership.
The current trust framework alpha version uses various international standards as part of its fraud prevention and security requirements. We will continue with this approach, using established international standards and guidance wherever possible and appropriate.
As stated in the consultation, we expect that the requirements within the trust framework - including those relating to fraud and security - will need periodic refreshing and updating to ensure they keep pace with external changes, trends, and technical and service innovation. We will make provisions within the governance arrangements to assess current and future fraud and security guidance periodically, in order to respond to developments in fraud practices and evolving digital identity technology.
The fraud and security requirements, as well as all other aspects of the trust framework, will continue to be developed through extensive stakeholder engagement. In particular, we are bolstering our engagement with standards bodies and other actors in the standards landscape. As part of its broad policy responsibility, the governance function will be charged with monitoring the incidence of fraud and security breaches and optimising the trust framework resilience.
As some respondents noted, the fraudulent use of identity is not itself an offence in law. Whilst the theft of another person’s identity is often a precursor to fraud, a recordable crime is only committed when a financial gain is made from the use of that person’s identity by another individual. This approach ensures that crimes are not double counted. There are currently no plans to introduce a new criminal offence of identity theft, as existing legislation is in place to protect people’s personal data and prosecute those that commit crimes enabled by identity theft. These include the Fraud Act 2006, the Computer Misuse Act 1990, the Identity Documents Act 2010 and the Data Protection Act 2018.
Building on this existing legislation, we believe that the most effective way of preventing identity theft is to improve the safety and security of identity systems, particularly online.
We are considering various design options for the trust mark in order to avoid its fraudulent use. Individuals and businesses will also be able to check whether organisations are legitimately certified by accessing the publicly viewable list of trust-marked organisations. The governance function will be responsible for publishing and maintaining this list.
Question 17: details of feedback received
Question 17: How else can we encourage more inclusive digital identities?
This question received 82 responses. 27% of responses highlighted either education or communication programmes. 40% suggested making more government datasets available for checks. 5% indicated this could be achieved by giving users more control of their data and 10% felt this could be achieved by keeping digital identities voluntary. 10% of respondents suggested that affordable and accessible devices will help enable inclusivity. 52% specified other measures to encourage inclusivity with wide ranging suggestions, such as allowing in-person creation of digital identities and incentivising identity service providers to offer a range of identity proofing methods.
Government response
The responses to this question showed strong support from organisations and members of the public for an inclusive policy on digital identities and attributes. The broad range of suggestions reflects the challenge and complexity of promoting inclusion, but also sends a clear message about the willingness of people and organisations to engage with the government on this important topic.
The government is committed to building inclusion into policy development for digital identities and attributes. As set out in the consultation, there are no plans to make digital identities mandatory, but we recognise they are an emerging technology and people may not be fully aware of the privacy and security benefits. Therefore we will take steps to increase understanding amongst potential users and engage with civil society groups to receive their expert feedback on how to increase inclusion, now and into the future.
Question 18: details of feedback received
Question 18: What are the advantages and disadvantages with this exclusion report approach?
This question received 60 responses. 30% of respondents signalled the exclusion report would help to improve inclusivity and 17% highlighted other advantages.
45% of responses (almost all from organisations) suggested this approach could be burdensome on organisations. 8% raised concerns with the self-reporting process and a further 8% voiced concerns about the report’s effectiveness. 32% of responses noted that the term ‘exclusion report’ created a false impression that the market is overly exclusionary, and doesn’t take account of reasonable exclusion by design, such as for age-restricted products.
Government response
These responses demonstrated an appetite from many respondents for measures to improve inclusion, but many iterated that this should be balanced against the reporting burden placed on businesses. The suggestion that the term ‘exclusion report’ brings with it some reputational risk and may give an inaccurate impression of the purpose of the report is a valid concern. We therefore propose changing the name to ‘inclusion monitoring report’. This will more accurately reflect the objectives of the report: to encourage inclusive digital identity solutions, and to provide an evidence base so that the governance function can determine whether any further action is needed.
Question 19: details of feedback received
Question 19: What would you expect the exclusion report to include?
This question received 46 responses. 35% of respondents suggested demographic information of users. 24% felt the report should include information concerning the actions organisations are taking to improve inclusivity. 50% gave other suggestions with a wide range of opinions. 26% of responses indicated they saw no value in an exclusion report and 4% of responses suggested providing a figure on the number of aborted transactions.
Government response
The government is not intending to mandate that organisations collect information solely for the purposes of reporting. The information included in the report will be designed to map the avenues to acquiring a digital identity, and to encourage a diversity of avenues across the market. The intention of this report is to improve inclusivity in the trust-marked digital identity market.
Proposal 2: Enabling a legal gateway between public and private sector organisations for data checking
Questions 20-24 of the consultation asked for opinions on our proposals to introduce a legal gateway in order for private organisations to make checks against government-held data for the purposes of identity and eligibility verification. Feedback received against each question and the government response are detailed below.
Question 20: details of feedback received
Question 20: Should membership of the trust framework be a prerequisite for an organisation to make eligibility or identity checks against government-held data?
This question received 95 responses. The majority of respondents (65%) agreed with this proposition, with 28% disagreeing and 6% unsure.
A number of respondents stated this was a crucial step to build trust in the proposed data checking system. They highlighted that requiring membership of the trust framework to use this legal gateway would safeguard user data by ensuring that organisations who make checks are operating to high standards.
Respondents also set out how this requirement will help in procuring robust digital identity and attribute solutions, reducing costs associated with due diligence.
Of the respondents who disagreed, a small number considered this requirement to be an unnecessary commercial restriction or one which could stifle innovation. Almost all of this group were either identity service providers or organisations which represented identity service providers, though they formed a minority of respondents from that sector.
Several responses appeared to believe that we were proposing that relying parties also ought to be certified against the trust framework and based their response on this misconception.
Government response
As set out in the consultation, there are clear advantages to requiring digital identity and attribute organisations who wish to make checks through the proposed legal gateway to prove they follow the rules of the trust framework. It will build public trust, protect people’s data, and ensure user control of data is at the heart of this gateway. It will also help streamline due diligence processes.
We will therefore require such private sector organisations to become certified against the trust framework before they are able to make checks against government-held data through the proposed legal gateway.
We do not think this requirement presents an unnecessary commercial restriction. The trust framework will continue to be developed openly and transparently, in collaboration with industry and civil society. We remain committed to enabling innovation while ensuring appropriate protections are in place for future users.
Relying parties - those organisations who are defined in the trust framework as relying on products or services from trust framework participants - will not need to be certified themselves, but may be subject to flow-down conditions from identity or attribute service providers. For example, an employer who receives a confirmation of a potential employee’s identity from the potential employee’s identity service provider will not need to be themselves certified, but will need to agree to not share that information more widely. Throughout, all organisations will be required to comply with any existing legislation including the UK GDPR.
Question 21: details of feedback received
Question 21: Should a requirement to allow an alternative pathway for those who fail a digital check be set out in legislation or by the governing body in standards?
This question received 92 responses. The majority of responses (88%) agreed with the proposal to require an alternative path for users who fail to prove something about themselves through a digital check, with 12% opposing this.
Out of the 88% of respondents that agreed with the proposal, 41% did not specify their preference for an alternative pathway for those who fail a digital check to be set out in legislation or by the governing body. However, 38% stated it should be set out in standards while 21% believed it should be a legislative requirement.
A number of respondents stated that putting such a requirement in standards would maintain flexibility, allowing for periodic review as technology and the market develops. Such respondents often argued that to put this requirement in legislation would be too restrictive in a nascent market.
A smaller number of respondents felt that the legal clarity of putting the requirement for an alternative pathway into legislation would be beneficial.
Some respondents who disagreed with the existence of this requirement had concerns that it could lead to increased fraud.
Government response
We strongly believe that digital identities should help, not hinder, people to access services. No-one who could legitimately access a service today should be denied that access in the future because of proposals outlined in this consultation.
As such, we will continue with our plan to ensure there is a requirement that those who fail to prove something about themselves using a digital check against government-held data have access to an alternative pathway, if they are legitimate consumers. For example, if a person fails an address check because the government service they accessed only knew of their old address they should be able to prove their new address through a different means. More authoritative sources like passport data may have different requirements, to address the issues raised around fraud.
Organisations who make checks against government-held data may be required through standards to facilitate such a pathway. This requirement will be periodically reviewed to ensure it acts in the best interests of all those involved, including both the people using digital identities as well as relying parties. We will work together with fraud experts, inclusivity advocates, and industry to make sure we get this right.
Question 22: details of feedback received
Question 22: Should disclosure be restricted to a “yes/no” answer or should we allow more detailed responses if appropriate?
This question received 99 responses. The majority of respondents (79%) felt that more detailed responses should be allowed where appropriate, with 21% of the opinion that disclosure should be restricted to yes/no answers.
Many respondents stated that, while yes/no attribute checking was sufficient in many cases and ought to be considered the default, wider attribute checking should be enabled. Respondents said that it would be difficult to envisage all possible future applications of attribute checking and so flexibility was important.
A number of respondents argued that if the data subject requested a more detailed response and that data is only shared with trusted organisations then there is no need to restrict the ability of government data-holders to respond.
Of those who felt disclosure should be restricted to a yes/no response, a number stated that this would minimise the sharing of personal data. However, other respondents stated that enabling more detailed responses than yes/no does not preclude data minimisation.
Government response
The consultation set out that we believe attribute checks are best made through yes/no attribute checking. This approach matches that of ongoing pilots where government-held data is disclosed to participants.
However, we argued that, while this approach ought to be the default position when sharing data, there are circumstances where a more detailed disclosure may be appropriate. We are pleased that the majority of respondents agreed with this position.
We will thus look to enable wider disclosure through this proposed legal gateway while setting out clearly in standards that yes/no attribute checking should be the default way data is checked. Any data checking must be compliant with existing legislation including UK GDPR. It must comply with the principles relating to the processing of personal data including the data minimisation principle[footnote 2].
Question 23: details of feedback received
Question 23: Would a code of practice be helpful to ensure officials and organisations understand how to correctly check information?
This question received 80 responses. Of those who expressed an opinion, the overwhelming majority of respondents (96%) agreed with the publication of a code of practice with 4% disagreeing with this proposition.
A small number of respondents expressed confusion as to which organisations the code of practice would apply.
Government response
We set out in the consultation that a code of practice could help clarify the obligations public sector organisations must meet when using the proposed legal gateway, and what they may wish to require of private sector companies with whom they contract. An example of the latter may be the requirement for an alternative pathway as described in the response to question 21. We are committed to working transparently with industry and people, and stating clearly what rules both public and private sectors should follow is part of that.
We will thus require, as part of our legislative proposals, that a code of practice be created, similar to that produced for Part 5 of the Digital Economy Act 2017. Public sector organisations who are disclosing data to private sector organisations through the proposed legal gateway will have to have due regard for this code of practice before data is disclosed. It will be consistent with the Information Commissioner’s statutory code of practice for Data Sharing.
Question 24: details of feedback received
Question 24: What are the advantages or disadvantages of allowing the onward transfer of government-confirmed attributes, as set out?
This question received 80 responses. 79% of respondents gave at least one advantage to this proposition, while 30% gave at least one disadvantage.
Some respondents argued that onward transfer of government-confirmed attributes would lead to a simplified, speedier process and in turn to a better user experience. Others claimed that enabling such transfer would provide more control to users over data which concerns them. Certain respondents also identified potential cost savings as a benefit of enabling such transfer.
A number of respondents were concerned that information could become out of date if onward transfer of it were enabled. They claimed that the relying party may not have faith in such data.
Government response
The responses to the consultation have indicated that there are many advantages to enabling the onward transfer of government-confirmed attributes, although it is important to recognise that the availability of government-confirmed attributes will vary across demographics. Allowing the trust generated from a check to be passed to another organisation can simplify the process for users and let them use a digital identity more easily and in more contexts.
As such, we will look to enable such transfers where appropriate. This matches the approach taken in the Document Checking Service pilot, which permits pilot participants to pass on the trust generated from a check to a third party, so long as the purpose of the third party check conforms with the requirements of the pilot.
The public body which permits a check against data it holds may put such limits on onward transfer as it deems appropriate. Regulators and relying parties in particular sectors, like financial services, may also wish to require that a fresh check is made before the identity or eligibility process is completed to ensure the veracity of information.
As with the initial data checking, any onward transfer of personal data must also be for the purposes of identity and eligibility verification, be compliant with existing legislation including UK GDPR, and abide by the trust framework requirements concerning user control of their data.
Proposal 3: Establishing the validity of digital identities and attributes
Question 25 of the consultation asked for opinions on whether it would be helpful to set out in legislation that digital identities and attributes can be as valid as the traditional forms of identification with which we are familiar. Feedback received against this question and the government response are detailed below.
Question 25: details of feedback received
Question 25: Would it be helpful to affirm in legislation that digital identities and digital attributes can be as valid as physical forms of identification, or traditional identity documents?
This question received 87 responses. The majority of respondents (92%) agreed that this would be helpful, with 8% disagreeing.
Some respondents commented that this would help to build trust and confidence in the trust framework. They highlighted that clarification on this point would dispel concerns over the legal standing of digital identities and attributes and help drive forward adoption. Respondents also noted that legal affirmation of the equal validity of digital and physical proofs of ID will provide a boost to the digital economy. They highlighted that this will provide companies with the impetus to focus and invest in innovating new digital identity products and services for consumers.
Of those who disagreed, two respondents considered it would be more appropriate to remove laws which currently prevent the use of digital identities as an acceptable form of identification. One respondent suggested that strong and persistent communication of the equivalence between digital and physical proofs of identity would be a more effective means of establishing the validity of digital identities and attributes than legislation.
Government response
The consultation described a number of potential opportunities to enable the wider use of digital identities. We recognise that affirming the validity of digital identities and attributes in legislation will help to build confidence with guidance holders that they can more clearly signpost digital solutions in their guidance. This will in turn give assurance to organisations and individuals that digital identities are a trusted method of making checks.
We will therefore seek to introduce legislation, when parliamentary time allows, to affirm that digital identities and digital attributes can be as valid as physical forms of identification, or traditional identity documents.
This statutory presumption will provide parties that rely on government-held data with the clarity and confidence they need to trust the data being shared with them.
3. Next steps
Digital identities and digital attributes can bring enormous benefits to the United Kingdom, both for people and business. The digital identity and attributes trust framework remains at the heart of this programme. The rules and requirements within the framework provide protections and reassurance that are vital if digital identities are to be trusted. As the most recent version of the trust framework made clear, we are now proceeding with our plans to test the trust framework. The volume and variety of applications for alpha testing will helpfully inform the beta publication. We will then proceed with beta testing — using data in real world scenarios to ensure the robustness of the trust framework.
Future legislation will establish a robust accreditation and certification process, enabling organisations to prove that they follow the rules of the trust framework. Organisations who have been certified against the trust framework and agreed to be subject to governance will be given a trust mark as a visible sign of their trustworthiness, entered into a list of trust-marked organisations held by the governance function, and defined as being trust-marked organisations.
Legislation will also enable public bodies to allow digital checks against data they hold by trust-marked organisations and to firmly establish the validity of data shared this way. This will mean that people can choose to build digital identities on trusted government data, and relying parties can be clear they can rely on it.
The governance function will be temporarily housed within DCMS. As we learn more about how the market develops we will actively seek a permanent institutional home for governance, drawing on data gathered during this interim period.
Throughout, we will continue to work collaboratively with industry and civil society to co-create a digital identity marketplace which prioritises inclusion, innovation and growth alongside respectful and secure handling of personal identity information.
In general respondents did not cite examples. Where they did these include the European Union’s Electronic Identification and Trust Services (eIDAS) Regulations and the trust frameworks developed by Canada and Australia.