Identity Assurance – a matter of Principle & Accountability?

It looks like the government has Big Brother Watch to thank for enabling it to meet its 2020 commitment to take a policy-based approach to digital identity.1 Published versions of the UK Digital Identity and Attributes Trust Framework (DIATF) have not defined the principles that would underpin such an approach, so it is refreshing to see that BBW has tried to rectify this omission. Their briefing has been taken on as the basis for the following government amendment to the Data Protection and Digital Identity Bill (DPDI), which is currently in the House of Lords.

Originally proposed by the Privacy and Community Advisory Group (PCAG) in 2014, the nine Identity Assurance Principles are

  • User control
  • Transparency
  • Multiplicity
  • Data minimisation
  • Data quality
  • Service user access & portability
  • Certification
  • Dispute resolution
  • Exceptional circumstances

In November 2023 the PCAG, having met regularly for ten years, was closed and merged with the Privacy and Inclusion Advisory Forum, becoming the One Login Inclusion and Privacy Advisory Group (OLIPAG).

The focus of this new group is solely on the government’s own digital identity scheme – GOV.UK One Login. OLIPAG does not have a remit to assess inclusion and privacy across the ecosystem of digital identity schemes and services that will inevitably develop under the Digital Verification Services (DVS) Trust Framework.

It is also worth noting that GOV.UK One Login is only one of a plethora of schemes that will exist in five years’ time, and citizens may not consider it the most important as they seek to use their digital identity in all aspects of their daily lives.

The DVS Trust Framework will be the primary governance framework for regulating the UK’s digital identity ecosystem but it’s important that citizens understand that governance is but one element of control designed to provide them with confidence that their identities are secure within the ecosystem. Other elements of control include the proposed trustmark, use of recognized international standards, zero trust policies, implementation of approved technical, cryptographic and biometric standards, fraud monitoring and management, together with cyber security and risk management controls. Evidence that service providers operating under the framework have implemented all these controls will establish that the Identity Assurance Principles are being applied.

Who is going to assess whether the IA Principles are being applied and provide assurance to citizens?

My suggestion is that a new independent supervisory body is established to report on the application of the Identity Assurance Principles across the whole trust framework; an OLIPAG with a remit for the whole ecosystem. This is not a role that can be provided by the proposed interim Office of Digital Identity and Attributes as its primary responsibility is likely to be the delivery and management of the trust framework itself. A permanent OFDIA would not be sufficiently independent to hold service providers to account for the application of these principles.

This new organisation would be the Digital Identity equivalent of the Joint Money Laundering Steering Group (JMLSG); let’s call it the Identity Assurance Steering Group (IASG). The role of the IASG would be to assist those in the digital identity ecosystem by:

  • providing guidance that enables them to comply with their obligations under the DVS Trust Framework;
  • independently reporting on how members of the digital identity ecosystem are implementing the Identity Assurance principles; and
  • undertaking independent risk assessments of specific use cases that are governed by the DVSTF.

Identity Assurance embraces the whole of the UK’s proposed digital identity ecosystem because it’s all about providing an appropriate level of confidence in that ecosystem to all stakeholders. Ultimately, though, it is the UK public that has most to gain from the digital identity ecosystem, but only if they have sufficient confidence to trust their identities to the new system.

More about the importance of Identity Assurance in a future blog!

  1. The 2020 government response to the Call for Evidence on Digital Identity stated that they would follow a principle-based approach to develop a legal framework to remove regulatory barriers to the use of secure digital identities and establish safeguards for citizens. Those principles were identified in the response as privacy, transparency, inclusivity, interoperability, proportionality and good governance.