Notice

Register of digital identity and attribute services: privacy notice

Published 10 October 2024

© Crown copyright 2024

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/register-of-digital-identity-and-attribute-services-privacy-notice/register-of-digital-identity-and-attribute-services-privacy-notice

This notice sets out your rights and how we will process your personal data. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR). 

The Department for Science, Innovation and Technology (DSIT) is responsible for maintaining the UK digital identity and attributes trust framework (UK DIATF) conformity assessment scheme, and for managing applications to join the register of digital identity and attribute services. This notice sets out how we will process your personal data that is submitted as part of your application.  

For the purposes of processing your personal data, DSIT is the data controller. 

1. Your Data 

We will process the following personal data:  

  • Primary and secondary contact details for each digital identity provider, including name, job title and email address and contact number. 
  • Details of shareholding of the digital identity provider and parent company (if applicable); this may include full names of minority shareholders, shareholders with significant ownership, the nationality of individuals, their percentage of ownership, the shareholders with voting rights and details of their voting rights.  
  • Details of the Board of Directors of the digital identity provider and their parent company (if applicable); this includes their individual name, date of birth, position held, whether they are classified as a politically exposed person (PEPs). 

We also collect public open-source data that is necessary for us to exercise our functions as a scheme owner and to comply with UK national security laws. This can include opinions and news reports that include a broad range of categories of personal data, but only where these are necessary for us to exercise our functions as a scheme owner and to comply with national security laws. 

We may process the following criminal conviction category data: 

  • We may also process data on criminal convictions, offences and adverse media, where that is considered relevant in exercising our functions as a certification scheme owner and/or conducting our Due Diligence Review of a digital identity provider. 

How your personal information is collected: 

Where personal data is not collected directly from you, DSIT will source your personal data as described below.  

The personal data we collect directly from Conformity Assessment Bodies (CABs) : 

  • Primary and secondary contact details for each digital identity provider - this information will be collected from providers by their CAB as part of certification activities. This information will be shared by your CAB with DSIT as part of your application to join the register. 
  • CABs are also required to share with DSIT information about the digital identity providers they have certified, including either a Companies House registration number, a Charities Commission registration number or a Dun and Bradstreet (DUNs) number. DSIT will use this information to collect personal information concerning shareholders and directors. 

We may also receive personal information indirectly from the following third parties and/or in the following scenarios: 

  • Public authorities, including other government departments, regulators or law enforcement bodies 
  • Publicly available sources, including Companies House 
  • Public authorities, regulators or law enforcement in other jurisdictions 
  • Where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation in our role as certification scheme owner 

In exercising its responsibilities as certification scheme owner, DSIT may observe, monitor, record, retain and share within government and with your CAB, internet data which is available to anyone.  

For the personal data you provide directly as part of surveys, your data will be processed by Microsoft Forms. For the purposes of this activity, Microsoft Forms are a data processor, providing services under the instruction of DSIT

2. Purpose 

The purposes for which we are processing your personal data are:  

  • To process your application to join the register of digital identity and attribute services 
  • To get in contact with you regarding your application  
  • To notify you of updates to your application 
  • To analyse survey responses to support the development of the register and ensure it meets user needs 
  • To communicate significant information about the certification scheme or the UK digital identity and attributes trust framework e.g. urgently communicating a security threat or a significant update to the trust framework 
  • To conduct a Due Diligence Review of your company 

Due Diligence Review 

As a certification scheme owner, DSIT is responsible for maintaining the digital identity scheme. Before joining the register, DSIT will conduct security checks on your organisation, your organisation’s parent company (if applicable), person(s) with significant control of your company, and company directors to ensure they do not pose a risk to the UK’s national security and are fit and proper persons to uphold the rules of the UK DIATF

This involves checking these individuals: 

  • are legitimate natural persons; 
  • are qualified to take up post as a director; 
  • do not pose a risk to the UK’s national security, for example appearing on a sanctions list; and 
  • do not pose a risk in bringing the rules of the trust framework into disrepute. 

The legal basis for processing your personal data under Article 6 of the UK GDPR is:  

  • 1(e) Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is the exercise of DSIT’s functions as certification scheme owner for the UK DIATF conformity assessment scheme and to ensure individuals and business engaging in the UK digital identity market are safeguarded from fraud and security threats. 

DSIT will also be processing social media clips and other media pieces produced by media outlets, and whilst we may come across special category data during this processing, we will not be using or processing this data. 

The processing of personal data relating to criminal convictions and offences or related security measures is authorised because it meets one of the following conditions from Schedule 1 of the DPA 2018: Schedule 1, Part 3 of the DPA 2018 alongside the substantial public interest condition 36. 

An Appropriate Policy Document (APD) is in place to address this processing. 

4. Recipients 

Your personal data will be shared by us with: 

  • Microsoft and Amazon Web Services - as part of our IT infrastructure, your personal data will be stored on systems provided by our data processors, Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems. 
  • Microsoft Forms - your data will be processed by, but not actively shared, with our survey platform provider Microsoft Forms.
  • Your Conformity Assessment Body (CAB) - where it is necessary in discharging their responsibilities under the scheme. 
  • Other government departments or agencies, or law enforcement bodies - where it is necessary to do so for the prevention, investigation, detection or prosecution of criminal offences. 
  • Regulatory authorities - when it is necessary for the purposes of their regulatory functions. 

5. Retention  

Your personal details are kept in a master record by your respective CAB, which maintains the accuracy of your personal data. A copy of this personal data will be kept by DSIT for six months, or until your application is removed, to allow time for full analysis and to inform policy decision making on the future of this project.  

During the initial registration period of your candidacy, if you have not confirmed your interest in proceeding with the application process within 14 days, your personal data will be removed within 30 days by DSIT in its records. Similarly, after the application process, if you have not confirmed your interest in publishing your name in the registry within 14 days, your personal data will be removed within 30 days by DSIT in its records. 

The copy of your personal data retained by DSIT is your primary and secondary contact name and email address. This will be kept by DSIT until it is notified by your Conformity Assessment Body (CAB) that these details have changed, and any updates will be deleted/replaced. In the case of the removal of your name from a CAB’s registry, DSIT will be notified by the CAB and DSIT will remove and delete from its records your personal data within 30 days.   

If you are successful in getting on to the register, details of your primary and secondary contact will be kept on record until: 

  • such a point that you request that these details be changed. Digital identity providers are required to make these requests through their CAB. When a CAB receives a request of this nature, the CAB is required to inform DSIT by email. DSIT will then manually change this information on the system. 
  • such a point that you are removed from the register. For example, digital identity providers will be removed from the register if they no longer hold a valid UK DIATF certificate. If a digital identity provider is removed from the register, for whatever reason, their details including primary and secondary contact details will be deleted 30 days after removal from the register.  

Opening the loop: 

  • if your primary contact hasn’t confirmed interest to proceed with an application within 14 days of the email being sent, deletion happens within 30 days.  

Closing the loop: 

  • if your primary contact hasn’t confirmed interest to proceed with publishing your information on the register within 14 days of the email being sent, deletion happens within 30 days.  

You have the right to withdraw your name from the digital identity and attribute services registry at any point via your respective CAB, after which processing of your personal details will be handled as described above. You may also withdraw your name from the digital identity and attribute services register by contacting DSIT using the following email address: digital.identity.register@dsit.gov.uk. DSIT will contact your respective CAB accordingly, after which processing of your personal details will be handled as described above. 

6. Automated decision making   

Your personal data will not be subject to any automated decision making.  

7. International transfers  

Your personal data will be processed in the UK. 

Personal data will be stored on DSIT’s/DESNZ’s IT infrastructure, supported by Microsoft and Amazon Web Services. Personal data may therefore be processed in data centres outside of the UK but within the European Economic Area (EEA). The personal data will receive the same level of protection in the EEA as it does in the UK through the safeguard of Adequacy Decisions. 

8. Your rights 

You have the right to request information about how your personal data are processed, and to request a copy of that personal data. 

You have the right to request that any inaccuracies in your personal data are rectified without delay. 

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement. 

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed. 

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted. 

You have the right to object to the processing of your personal data. 

You have the right to withdraw agreement to the processing of your personal data at any time. To do so, please contact the following email address: digital.identity.register@dsit.gov.uk 

To exercise your rights please contact the Data Protection Officer using the contact details below. 

9. Contact Details 

The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:  

DSIT Data Protection Officer  
Department for Science, Innovation & Technology  
22-26 Whitehall  
London  
SW1A 2EG

Email: dataprotection@DSIT.gov.uk  

If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.  

10. Complaints 

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an UK independent regulator.  The Information Commissioner can be contacted at:  

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF

Telephone: 0303 123 1113 

Website: Make a complaint

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.  

11. Updates to this notice 

If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change. 

If these changes affect how your personal data is processed, we will take reasonable steps to let you know. 

Last update: 1 October 2024

Back to top