The next phase of the UK government’s plan to support a market of certified, interoperable digital identity providers is set to kick into gear, with digital infrastructure minister Matt Warman due to announce a series of important milestones in a speech tomorrow (13 July 2021).
Warman is likely to confirm that the Department for Digital, Culture, Media and Sport (DCMS) will publish the second version of its digital identity and attributes trust framework imminently – Computer Weekly understands it should be released by the end of July.
This iteration of the framework should include details on some of the potentially most contentious aspects of the proposals which were missing from the initial version, such as how certification will work and how to manage legal liability.
The minister is also likely to unveil plans for a consultation on legislation needed to support the framework, which is expected to include for the first time details on one of industry’s most important requests – greater access to government datasets to be used for identity verification.
Currently, only passport data can be used to verify private sector digital IDs, and only through a very limited pilot that, according to the original timetable, should have recently been completed.
Legislation will also be needed to give legal parity between physical and digital identities, and to establish the legal basis for some form of independent governance body to oversee the rules and regulations covering the various entities that will have a stake in the future digital identity market, which this whole process aims to create.
The consultation itself could be launched as early as next week, with a response timetabled for the end of the year.
It’s significant that Warman’s speech will be made at an event for the fintech industry. When the first version of the trust framework was published in February, DCMS received a lot of pushback from the tech and financial services sectors.
There were huge concerns that the proposed technical standards were incompatible with the anti-money laundering (AML) regulations that are driving the need for digital IDs in financial services. The fact that the proposed standards were the same ones underpinning the failed Gov.uk Verify system, and were supported by its developer, the Government Digital Service (GDS), lent a toxic feel to the plans among private sector players.
Computer Weekly understands that many in industry considered pulling out of the framework unless DCMS listened and acted on their concerns.
Since then, however, a lot of work has taken place behind the scenes to make sure DCMS understands what industry wants, with extra impetus provided by the Treasury-commissioned Kalifa review, which examined future opportunities for the UK fintech sector. Among the recommendations was a call for a “coalition on digital ID” – which led to the creation of a Digital Identity Taskforce led by trade bodies Innovate Finance and UK Finance.
As a result, the industry has been clear with DCMS about the basis on which support for the trust framework has been established.
As reported previously by Computer Weekly, the framework has been fudged sufficiently to make AML standards compatible. This potentially makes the framework a little looser than intended, but given that much of the future digital identities we will use in the private sector will most likely come through our personal banking relationships, then AML is the standard that matters.
The private sector sees access to government data as central to a digital identity ecosystem – and to much more than just passport and driving licence details. The Department for Work and Pensions, for example, already uses its own data to help verify the online IDs needed for claiming Universal Credit. HM Revenue & Customs does the same with its data for online tax systems. The government will need to legislate for any similar activity to be allowed with companies.
It’s important to note that this will not involve sharing of data – only a method by which a private sector digital ID operator can ask for confirmation that data provided by an individual conforms to the records held by government, to help verify their identity. This principle was established as part of the trials on passport checking.
Another stipulation is the creation and funding of the governance body to regulate and enforce the rules around the digital identity market. Funding for this organisation is expected to come from charging for membership of the trust framework and a per-transaction cost for accessing government data, which was also part of the passport checking pilot.
An unwritten goal here is to make sure the role of government is about ensuring wider trust for the framework rather than government being directly responsible for its operation, where it could be subject to the whims of politicians or in-fighting between Whitehall departments.
Industry has already seen that sort of in-fighting erupt over Verify, and no doubt sees the growing variety of different digital identity systems across the public sector as a problem. If digital identities are to ultimately be interoperable between private and public sector bodies, that confusion cannot be allowed to continue.
There is also a recognition that the public are hardly crying out for digital identities, let alone aware of the benefits of having one. If the investment that industry will have to make is to be rewarded, citizens will have to be educated in the purpose, process and reasons for having a digital identity in the first place. While industry expects to play its part in communicating that to its customers, any such campaign would have to start from government.
The DCMS work on the trust framework is also increasingly overlapping with emerging priorities elsewhere. For example, travel industry body IATA’s Travel Pass Initiative, which looks to establish a digital affirmation of Covid-19 vaccinations and testing, which would include passport details for international travellers. The involvement of NHSX in the UK’s NHS App, currently used as a vaccination credential but without passport details, is perhaps another example to the financial services sector of the confusion over identity attributes and verification across the public sector. Any UK work on Covid certificates should, ideally, be compatible with the trust framework.
Elsewhere, plans by the Department for Business, Energy and Industrial Strategy (BEIS) for a digital identity system for businesses have been put on hold while GDS determines its replacement for Verify. Banks, understandably, want a digital identity solution that is common for individuals and corporations – another area where Verify failed to deliver.
Once the revised trust framework is published, there will be a period of testing for the various commercial and technical aspects – effectively, creating a mini-ecosystem in a “sandbox” environment to enable simulated transactions and attribute sharing between the key players to make sure everything works as intended, and to iron out any rough spots before the framework moves to its final “beta” stage in advance of going fully live. That beta phase is unlikely to start before March 2022. GDS expects that its post-Verify system, labelled “One Login for Government”, will be available around the same time in prototype and with a more detailed development roadmap.
Overall, the process for creating the trust framework is in a much better place than it was six months ago. But industry is increasingly in the driving seat and expects the government to deliver on its promises.