Identity assurance - how it will affect public services and your personal data

Computer Weekly examines some of the key issues around the government's identity assurance project for accessing public sector services.

Computer Weekly examines some of the key issues around the government's identity assurance project for accessing public sector services.

The success of the government's "digital by default" agenda, a central drive in its ICT strategy, will depend to a large extent on how comfortable the public feels in transmitting personal data online.

Identity assurance (IDA) will play a central role for the government in delivering digital public services - seen as an important way to cut the cost of the public sector. IDA is the process citizens will need to go through to verify who they are to access public services online. Part of the government's remit under the IDA project is to create a market of private sector identity assurance services to enable access. Individuals will be given the option to choose a certified private sector company to assure their identity, which will be used to confirm their personal data, in a manner analogous to how an e-commerce provider turns to credit card companies to assure you are the registered cardholder.

As take-up of IDA will be essential in increasing online transactions - and crucially driving down service costs - it's little wonder that Bill McCluggage, deputy government CIO, is keen to get the message across that the IDA project is a trust-building exercise rather than an identity project. The government is also eager to put as much distance as possible between IDA and the failed identity card system under Labour, as some critics have accused it of resurrecting that unpopular programme under a different name.

The IDA project is fundamentally about shifting channels online and moving forward the digital by default agenda, says McCluggage. "We have to be customer focused - the customer has to be protected under the Data Protection Act. As servants of the taxpayer, we have a duty of care," he said.

McCluggage is chair of the steering executive team and senior responsible owner for the project. His team will do the early work building an authorising environment, and then hand IDA over to Mike Bracken, the new government director of digital.

"We are looking to leverage other capabilities, it's not going to be a 'build it and they will come' situation. Our ICT strategy is all about re-use," said McCluggage.

The first service to be delivered using identity assurance will be the Department for Work and Pensions' Universal Credits scheme; HM Revenue & Customs' One Click and Real-Time Information; NHS HealthSpace; and the Skills Funding Agency Customer Identification project.

David Rennie, Identity Assurance lead at the Cabinet Office, believes giving the citizen choice should help build their digital engagement with government. "That's why a federal approach is best, and we can't take up a single solution such as ID cards. The user decision [of who to choose as a ID assurance provider] will always be different in every context," said Rennie.

"The technology aspects are the easiest parts to the project. The real issues are around customer needs and communicating to them what we are trying to do," he said.

NHS HealthSpace will be a key area because it touches so many people, says Rennie. "The opportunity there is enormous. It could involve hundred-of-millions of clicks per year. But at the moment [health services] do very little digitally.

As this area involves sensitive data relating to people's health, the process will need to be gradual, adds McCluggage. Consequently there is no timeline for the uptake of digital health services. "You don't build trust so much as earn it, so with something like health we will be starting small," he said.

A prototype for IDA will be completed by the end of the year. The first services will be developed and tested by February 2012, with IDA due to be rolled out for initial public services by autumn 2012.

McCluggage's team are keen to get the message across that they are taking the issue of privacy seriously and are engaged with various privacy groups to address the concerns about IDA. But some campaigners have expressed concern that companies designing IDA systems could capture public information which could later be used for their commercial benefit.

Nick Pickles, director of civil liberties and privacy campaign group Big Brother Watch, says a digital-by-default service delivery model is the right direction for the government to move, but care must be taken to ensure that data is only stored where absolutely necessary.

"Particularly where private companies are involved, I would expect the government to put safeguards in place to protect the privacy of users, and to actively monitor where data is held and how it is being accessed," he said.

As IDA is still in the early stages, it's hard to gauge the exact architecture the system will eventually take and the consequent implications on public data. But most agree that if the government's online presence is to shift from being fundamentally publications-based to a more transactional model, a robust identification process will be needed.

Arguably the best way of ensuring the project won't get derailed into another massive database, and that it doesn't create a system open to data breaches, is to keep the building process open to public scrutiny. Of course this could disappear entirely behind a curtain of invisibility, but the government seems to understand that making IDA work is a two-way process and it will need a dialogue with the public if it is to bring us all on board.

Read more on IT risk management