Digital Identity in the UK: the story so far.
The long debate over digital identity in the UK
At the height of the last Labour government, Prime Minister Tony Blair attempted to revive a scheme Britain hadn’t seen since the years immediately following the Second World War. His idea wasn’t rationing or a campaign to grow your own veg – it was the re-introduction of national ID cards.
The then Home Secretary David Blunkett drew up plans for the rollout of national IDs at an estimated cost of £3bn. The plans included the creation of a “national identity register,” in which the personal information of millions of individuals would be stored. Immediately, the government was faced with robust opposition from groups concerned about both the cost of the plans and the impact on civil liberties. The coalition government ultimately scrapped the scheme and destroyed the register, with Deputy Prime Minister Nick Clegg describing it as “a direct assault on our liberty.” Damian Green, Home Office Minister at the time, said the decision to scrap the scheme was about “people having trust in the government to know when it is necessary and appropriate for the state to hold and use personal data.”
Blair has not given up on the idea of a national identity scheme. Last year, he partnered with his former adversary at the despatch box, William Hague, to publish a report calling for all UK individuals to get IDs. The difference? These IDs would be digital.
The report claims that government records are “still based in a different era,” and was followed up by a paper arguing that public services could be transformed through digital identity. The paper highlights that there are currently 190 different ways for people to set up accounts with government services, and that many people don’t know which personal information about them is held, how it is being used, or how secure it is.
As an alternative, it proposes a single digital wallet which can be securely accessed by each individual, within which digital identity documents could be stored, for example a digital driving licence. A range of use cases are proposed, from education (using digital ID to “build a complete picture of each student’s lifelong learning journey” resulting in the potential for “bespoke AI learning assistants”) to healthcare (a “digital health account”, reducing NHS back-office bureaucracy and facilitating earlier intervention). Any concerns around government data usage could be assuaged by “robust privacy safeguards, transparent data practices and clear accountability measures.” Sounds convenient, right?
Perhaps. But for an incoming Labour government, introducing such a scheme would eat up a huge amount of political capital. Civil liberties campaigners would no doubt robustly oppose such a scheme, on the basis that it would further erode the right to privacy. When discussing how digital identity could lead to efficiencies in the immigration system, for example, the paper claims that it would make it “harder for undocumented migrants to disappear into the underground economy.” This may lead to concerns that it would make it harder for anyone to “disappear,” or exercise their right to privacy. More broadly, while data-driven approaches to our education, healthcare, and welfare systems may drive efficiencies, they also continue a drive towards a world in which our lives are increasingly defined by the huge amounts of data collected on us.
Whichever side of the fence you fall on, one thing is clear: any such moves will be subject to intense political scrutiny and debate.
Digital Identity in the UK today
While the coalition government scrapped Blair’s national identity scheme, it is widely agreed upon that antiquated bureaucracy is a constant thorn in the side of Britain’s public services.
The government are currently trialling a One Login system to allow citizens to access multiple government services using one set of details. But their proposed method to fully unlock the potential of digital identity goes further. It is a common set of rules and standards which private suppliers of digital identity products can become certified against, providing consumers with a level of trust in their services. The government has worked with over 250 organisations across civil society, industry, standards bodies and academia to produce this scheme, which is known as the "Digital Identity and Attributes Trust Framework" (the “Trust Framework”).
The logic behind the Trust Framework is simple. It allows the private sector to innovate while encouraging the adoption of common standards, which facilitate interoperability between different technologies. And the private sector has innovated: existing digital identity methods range from technologies that employ biometrics to match an individual to their ID document, to products that rely on connecting with your digital banking app to verify your identity. When a digital identity provider is certified against the framework, it will receive a “Trust Mark”, which will make it easier for users and relying parties to identify trustworthy providers.
But how can one framework universally apply to a huge number of use cases? The government’s answer is overlay schemes. These can be thought of as “bespoke” versions of the framework, in which additional requirements can be introduced or removed to make it appropriate for a particular use case.
For example, a digital identity product may be used to verify a customer’s age to buy alcohol online. In this case, the alcohol vendor would not need to know the customer’s name, address, or even date of birth. They would only need to know that the customer is over 18 – a single “attribute.” Indeed, the data protection principle of data minimisation under GDPR requires services to limit their processing of personal data only to what is necessary for a specific purpose. In this case, an “age assurance” overlay scheme may wish to emphasise that any technologies certified against it limit the data shared with the relying party only to whether or not the individual is 18 or over.
The story of digital identity in the UK is far from over, however. The Trust Framework is still going through iterations of testing. Ultimately, it will be underpinned by the Data Protection and Digital Information Bill, which is still progressing through Parliament.
What are the implications of the Trust Framework on the UK’s digital regulatory landscape?
The UK’s online regulatory landscape is changing. The Online Safety Act places a duty of care on online services to implement proportionate systems and processes to protect their users, especially children, from harm. To do this, certain services will need to know which of their users are children; others may need to offer their users the option to only interact with verified users. In addition, the Information Commissioner’s Office (ICO) has recently updated it’s Children’s Code (formerly Age-Appropriate Design Code), which sets out how services can use age assurance as part of their approach to reducing risks to children that result from the processing of their personal data. All the while, the number of emerging technologies promising to verify individuals’ identities, or individual attributes, in a privacy-preserving way is continuing to grow.
If you need help making sense of your place in this landscape or understanding how to comply with new regulations in an effective, responsible way, illuminate tech can help. We combine deep expertise in the latest online safety technologies with a sophisticated understanding of the UK’s regulatory landscape to deliver insight at pace.
