After months – some would say years – of frustration and delay, tech suppliers have largely welcomed the latest government initiative to establish a digital identity ecosystem in the UK.
The Department for Digital, Culture, Media and Sport (DCMS), which is responsible for supporting digital identity in the private sector, has held a series of “listening exercises” with interested companies to outline its plans for a UK digital identity and attributes trust framework.
Computer Weekly has seen some of the information shared with suppliers, and it appears to give those suppliers most of what they have been asking for, namely:
- Not being prescriptive about specific technologies, standards or products.
- A legal framework to operate within.
- Access to government attributes, such as passport data – and, if suppliers get their way – driving licence data.
- A governance body to oversee the trust framework.
- Updated legislation to put digital identity on a par with physical documents such as signatures.
- Interoperability between government and private digital IDs, allowing access to digital public services from framework-compliant supplier services.
This approach could also be broadly summarised as: the very few things industry liked about Gov.uk Verify, while getting rid of all the many things they hated.
The framework will determine what “good” identity verification looks like, allowing for reuse of digital identities across any schemes that comply with the rules. Those rules will be “outcome based” – unlike the previous approach that the Government Digital Service (GDS) preferred of specifying standards as the basis of any and all schemes that wanted access to online public services. (It didn’t help that GDS’s chosen GPG 44 / 45 standards were seen by industry as outdated and no longer appropriate).
“This will give members of the trust framework more ownership of the things they build,” said DCMS – an openness that many have called for, for a long time.
Within the framework there will be any number of compliant ID schemes, any of which can establish identities and attributes that can be shared with other compliant schemes.
It’s notable that DCMS includes GDS’s Identity and Attributes Exchange (IAX) – the supposed successor to Verify – as just one example of a scheme. This means we are likely to see schemes coming through from the financial services sector – led by work already underway related to open banking and anti-money laundering regulations – as well as accommodating the many other digital identity schemes across government.
As disillusionment grew with Verify – and with GDS’s bewildering state of denial over the troubled project’s failure – new schemes have proliferated across the public sector. HM Revenue & Customs (HMRC), the Department for Work and Pensions (DWP), the NHS, the Scottish government, the Home Office, and the Department for Business, Energy and Industrial Strategy, are all pursuing their own plans.
Even GDS has come up with a separate identity scheme, called Gov.uk Accounts, to pilot a simple login and password system across the Gov.uk website – Verify’s complexity was one of the many contributory factors in its troubled history.
GDS hoped to establish IAX as a gateway between the public and private sector digital identity spaces, but its lack of communication and collaboration may have already scuppered that goal.
Earlier this month, the Think Digital Identity for Government event – which has become one of the primary get-togethers for the key players in this sector – held a session to discuss IAX. GDS declined to participate, and the digital ID experts who did take place acknowledged that all they knew about IAX came from an article published by Computer Weekly in June. (Disclosure: I was also one of the panellists in that session).
HMRC, DWP and the Home Office – whose public support for Verify has always been grudging and has hidden their strong private criticism and desire to take their own path – will be happy with the structure of the trust framework. Given their involvement in the new Digital Identity Strategy Board, that’s likely to be enough to take the plans for the private sector in a more productive direction than under GDS.
The one area that may still be contentious is, who oversees the trust framework? DCMS has only said that it will be “run by a governing body chosen by the UK government”.
“The role of the governing body and the way it manages the trust framework are still being defined. DCMS is presently researching options for governance and will be consulting widely with stakeholders on the design for a governance body,” said DCMS in its information to suppliers.
Industry will be hoping – expecting – to play a significant role in that body. That in itself will come as a relief after years of being dictated to by GDS or, in many cases, excluded entirely from decision-making.
DCMS does seem, at last, to be consulting widely with industry and listening to its advice and concerns. Apparently the robust letter sent by trade body TechUK to DCMS secretary of state Oliver Dowden in July, calling for digital identity policy to be “urgently” resolved, struck a chord.
Digital minister Matt Warman announced at the recent Identity Week event that the trust framework will be published “as an alpha” – that is, a first draft – in the new year.
Progress is being made after years of false starts and failed promises. Suppliers are expressing guarded optimism. But as Verify moves closer to being finally discarded, the pressure and expectation to make up for lost time means DCMS will quickly need to deliver on its latest proposals.