The implications of identity assurance for public services

Jerry Fishenden, chairman of the ID Assurance privacy and consumer stakeholder group, says a new approach to identity will transform government IT.

As chairman of the government’s Identity Assurance Programme privacy and consumer stakeholder group, I recently blogged about some of the draft principles that we hope will underpin the government’s approach to identity. These principles are an important cornerstone of the work to rebuild trust between government and citizens and demonstrate how far thinking has matured following the failed and costly debacle of the now-abandoned national identity card programme. They place the citizen, rather than government, at the centre of the design.

The new approach to identity is based on a trust framework in which the citizen will be able to choose their identity provider from an open and competitive marketplace. In return, government organisations will be mandated to accept assurances of identity from appropriately accredited providers. 

The system will use open technical standards and make smart re-use of what already exists, rather than attempting - as in the past - to impose “special” government requirements on the market. If successful, it will touch every part of the technical ecosystem spanning the delivery of online digital services.

Since government first attempted to put an integrated portal of public services online in the mid-1990s, there has been significant progress with tackling problems of identity, notably in the private sector. Online banking and retail services have developed a range of ways of tackling identification, verification and authentication, and even government’s own previous attempts, with for example the Government Gateway, have supported the use of third-party credentials.

Those designing and operating online public services will need to integrate with this new model. Some of that discipline already exists in the public sector, with departments such as HM Revenue & Customs and the Department for Work and Pensions using older technical specifications around the Government Gateway. Others, such as the Student Loans Company and DVLA, have traditionally gone their own way, but in future all public sector organisations will be required to play by the same rules and place the citizen at the centre of the design of their services rather than their own self-interests.

For “digital by default” to be successful, government will need to remove the historic complexity and duplication of everyone doing their own thing believing that they are somehow “different” or “special” and don’t need to adhere to a common set of standards.

The private sector will also draw on its own experience of technical integration with government services. The early days of the Government Gateway saw numerous third parties integrate their digital certificates with online public services to enable users to authenticate using credentials of their own choosing. That initiative waned when digital certificates failed in the marketplace, although more recently EMV cards - better known to consumers in their use as chip-and-PIN cards - have successfully been used on a small scale with online services.

Alongside the need for technical alignment, there is a more pervasive cultural change explicit in the new approach that will have a significant impact on government organisations. The old model that placed government at its centre is obsolete and in its place is a model that places citizens and businesses at the centre. There is an assumption that citizens should have control over their own data and of data minimisation – that the minimum amount of data should be acquired and used. This is a significant departure from the old model that assumed the department owned the data – an assumption reflected in a technical approach that captured and held citizen data in multiple places, leading to problems with information management, data quality, privacy and security.

The draft principles represent an important step in the redesign of the UK’s public services, with significant implications for the way that identity will work across both the public and private sectors. They will help deliver citizen control over their own data and help simplify and improve information management. Even those who do not use new online services directly will benefit as public servants and intermediaries will be able to use the improved digital services on their behalf: enabling finite public resources to be better focused on those who need them most.

Publishing the draft principles for open review and comment is only one part of a more iterative and inclusive approach to the design of public services. It’s another practical demonstration of how government IT is changing – from placing its own interests first, to those it is there to serve.

Jerry Fishenden (pictured) is chairman of the government’s ID Assurance Programme privacy and consumer stakeholder group. The views expressed are his own.

Read more on Identity and access management products