Understanding attributes
A guide for organisations interested in being an 'attribute service provider' certified against the UK digital identity and attributes trust framework.
0.a. Read this guidance if you collect or create attributes and are interested in being an ‘attribute service provider’ (ASP) certified under the UK digital identity and attributes trust framework.
0.b. Anyone who becomes an ASP must follow the rules on how to create and share attributes.
0.c. Attribute providers can choose to:
- share attributes they hold; and
- build and run services that let other people share attributes.
1. What attributes are
1.a. Attributes are pieces of information that describe something about a person or organisation. Attributes can help people prove that they are who they say they are, or that they are eligible or entitled to do something. Some examples of attributes are:
- someone’s hair colour;
- someone’s A-levels or trade qualifications;
- someone’s bank account number; or
- the number of people that work for a company.
1.b. It is likely that you already handle attributes in some way. You might call them something else, like ‘data’, ‘claims’ or simply ‘information’.
1.1. Recognising attributes
1.1.a. An attribute can be anything that:
- a person or organisation is;
- a person or organisation has; or
- is issued to a person or organisation by another person or organisation.
Example
Someone’s age is something they are, and their fingerprint is something they have. Their bus pass (which gives them discounted travel) is something that was issued to them by an organisation.
1.2. Recognising attribute providers
1.2.a. Anyone or anything that collects or creates attributes could become an attribute service provider. For example, an attribute service provider could be:
- any organisation that keeps information in a database;
- an organisation that runs a personal data store (PDS) app, which an individual can use to keep information about themselves;
- a rail company’s app that stores a customer’s train tickets;
- a handwritten list showing who has reservations at a restaurant; or
- an organisation that can give qualifications, like a university or a driving test centre.
1.2.b. In the current UK digital identity and attributes trust framework, only organisations can become attribute service providers.
1.2.c. Attribute service providers do not necessarily own the attributes they hold. A person or organisation may have control over their attributes and how they are used, regardless of how many attribute providers have them.
2. Attribute qualities
2.1. Changes to attributes over time
2.1.a. Some types of attributes will not change over time. For example, someone will not be able to change their natural eye colour, and the date a company was founded will always stay the same.
2.1.b. Other attributes might change over time. For example, someone’s address will change whenever they move. Their passport number will change when they get a new passport.
2.1.c. These attributes can become less valuable if the attribute service provider that collects or creates them does not check they are up to date.
Example
A passport number that has been checked recently is a valuable attribute for some organisations. It can become less valuable over time because the passport might have since expired or been cancelled.
2.1.d. There is separate guidance on how to check when an attribute was last updated.
2.2. Attribute metadata
2.2.a. All the attributes you collect or share should include ‘metadata’ (information about the characteristics of the data).
2.2.b. The metadata describes something about the attribute or its history. For example, it might include:
- who created the attribute;
- when it was created; or
- when it was last checked for updates.
2.3. Combining attributes
2.3.a. A single attribute can contain more than one piece of information.
Example
Someone’s postcode can be an attribute in itself. It can also be part of an ‘address’ attribute.
Someone’s postcode can tell you if they are eligible for certain things, such as becoming a patient at a nearby GP. When this happens, a person will be asked to provide either their postcode or their full home address.
Example
Someone’s date of birth tells you when they were born, and it can also tell you if they are over 18.
2.3.b. You can combine attributes yourself. You might do this to increase their value, to help users meet relying parties’ requirements or to save time.
Example
Each user on a social media site has an ‘identity’ attribute. This is the name the user gave, which does not have to be their legal name.
The site can create another attribute by checking the person or organisation’s identity. For example, they might use the guidance on how to prove and verify someone’s identity to check they are satisfied that a person is who they say they are. This could be recorded as ‘verified’ in an attribute called ‘verified status’.
The site could then combine the identity and verified status attributes to get a ‘verified identity’ attribute.
2.3.1. Digital identities
2.3.1.a. A digital identity is a specific example of how a combination of attributes can be used. For example, most people’s digital identities will include their name and date of birth (along with any other attributes needed to uniquely identify them).
2.3.1.b. You cannot prove or verify digital identities using this guidance. To prove or verify digital identities, you need to become an ‘identity service provider’ under the UK digital identity and attributes trust framework.
3. Sharing attributes
3.a. When a user wants to do something online, they usually need to give the organisation they are interacting with some information about themselves. For example, if someone is disabled, they could get help buying a new car from the Motability Scheme. They must receive a qualifying benefit to apply. They currently need to prove this by taking some documents to a car dealer.
3.b. This information might exist as an attribute that was created or verified by an attribute service provider, like a government department.
3.c. If the car dealer can request a digital version of the attribute, the user will not:
- have to spend time finding the documents they need;
- need to give any documents to the car dealer in person; or
- give the car dealer any wrong or incorrect information.
3.d. The car dealer and attribute provider are responsible for doing certain checks before they share any attributes they hold.
3.1. The benefits of sharing attributes
3.1.a. There are several benefits to sharing attributes you hold with other organisations or individuals.
3.1.1. Make it easier for people to do things online
3.1.1.a. People can find it frustrating when they are asked to give information about themselves before they do something online, especially if they:
- have already given the same organisation that information before; or
- cannot easily get or find the information they need.
3.1.1.b. They will not need to do this as much if their digital attributes can be shared.
3.1.1.c. This will reduce the amount of time a user spends entering information about themselves, making it quicker and easier for them to do things online.
3.1.2. Prevent users from giving wrong or incorrect information
3.1.2.a. There is a risk that a user could give an organisation wrong information. They might do this:
- by accident, for example if they spell something incorrectly; or
- on purpose, for example if they pretend they are over 18 to place a bet online.
3.1.2.b. An organisation is more likely to request information from an attribute provider that can supply reliable information. This is because attribute providers have a process for checking that:
- the information is correct; and
- the attribute belongs to the right person or organisation.
3.1.2.c. This will help reduce the amount of time other organisations spend processing and checking the quality of their data.
3.1.3. Increased security benefits
3.1.3.a. Sharing attributes will also mean there are opportunities for data minimisation, using ‘attribute confirmation checks’. This is when information is only shared if it is needed to give a user access to a service.
Example
When buying some age-restricted products, a retailer only needs to check that a user is over 18. They do not need to know their exact date of birth.
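An added example (not part of the original guidance, and not code from the trust framework) of an attribute confirmation check that carries the metadata described in section 2.2: the relying party receives a yes/no answer and the metadata, never the underlying value. The field names, the `max_check_age` limit and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Attribute:
    name: str
    value: Any
    created_by: str     # metadata: who created the attribute
    created_on: date    # metadata: when it was created
    last_checked: date  # metadata: when it was last checked for updates


@dataclass(frozen=True)
class Confirmation:
    """What the relying party receives: an answer plus metadata, no value."""
    claim: str
    confirmed: bool
    created_by: str
    last_checked: date


def age_on(born: date, today: date) -> int:
    # Subtract one if this year's birthday has not happened yet.
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def confirm(attr: Attribute, claim: str, predicate: Callable[[Any], bool],
            today: date, max_check_age: Optional[timedelta] = None) -> Confirmation:
    # Hypothetical freshness rule: an attribute that can change over time is
    # only confirmed if its last check is recent enough for this claim.
    if max_check_age is not None and today - attr.last_checked > max_check_age:
        raise ValueError(f"{attr.name} last checked {attr.last_checked}: too old for '{claim}'")
    return Confirmation(claim, bool(predicate(attr.value)), attr.created_by, attr.last_checked)


# Constructed sample records (not real data).
TODAY = date(2024, 6, 1)
dob = Attribute("date_of_birth", date(2006, 6, 2), "Example Registry",
                date(2020, 1, 10), date(2020, 1, 10))
benefit = Attribute("qualifying_benefit", True, "Example Department",
                    date(2023, 1, 5), date(2023, 1, 5))


def over_18(today: date = TODAY) -> Confirmation:
    # A date of birth does not change, so no freshness limit is applied here.
    return confirm(dob, "over_18", lambda born: age_on(born, today) >= 18, today)
```
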
3.1.3.b. Following the attributes guidance will help make sure that attributes are managed and shared securely. This can help to protect people and organisations from identity fraud.