Out-Law News | 22 Mar 2022 | 2:09 pm
Government departments and public bodies will be able to share data they hold to help businesses verify individuals’ identity under plans endorsed by the UK government.
The government confirmed it will provide “a legal gateway between public and private sector organisations for data checking” in its response to a consultation it held last year on digital identity (ID) and attributes.
Disclosure of government-held data will not be made mandatory under the plans, but the government said it will be open to “government data holders” to share information with “trust-marked organisations”. A new code of practice will be developed to inform data sharing under the new gateway, it said.
Checks carried out against government-held data will also be transferable “where appropriate”, allowing others to benefit from the trust obtained from the initial checking process when carrying out identity and eligibility verification of their own. Public bodies will, however, be able to “put such limits on onward transfer as it deems appropriate”, while existing legislation such as data protection laws will govern the “onward transfer of government-confirmed attributes” too.
The proposals are part of wider government plans to support a new system of accreditation, certification and trust frameworks that allow individuals to create new digital IDs. The idea is that other organisations will be able to rely on those digital IDs to confirm that someone is who they say they are when onboarding new customers or providing that person with access to services.
“Future legislation will establish a robust accreditation and certification process, enabling organisations to prove that they follow the rules of the trust framework,” the government said. “Organisations who have been certified against the trust framework and agreed to be subject to governance will be given a trust mark as a visible sign of their trustworthiness, entered into a list of trust-marked organisations held by the governance function, and defined as being trust-marked organisations.”
“Legislation will also enable public bodies to allow digital checks against data they hold by trust-marked organisations and to firmly establish the validity of data shared this way. This will mean that people can choose to build digital identities on trusted government data, and relying parties can be clear they can rely on it,” it said.
Technology law expert Luke Scanlon of Pinsent Masons said: “The development of a legal gateway between government-held data and private sector use cases is essential to unlocking many of the critical services consumers need remote access to, including but not limited to those in the financial services sector. The more clarity that is provided around this gateway and the extent to which it becomes certain that regulatory hurdles can be overcome when government-held identity data is used for other private sector purposes will create conditions for significant innovation.”
The government is currently in the process of developing a new trust framework to support the use of digital IDs. The framework has undergone ‘alpha’ testing and the framework’s ‘beta’ publication is planned. The trust framework will set out rules that organisations will need to adhere to, to become trust-marked – including requirements concerning user control of their data. Organisations will also be expected to handle data in accordance with existing legal requirements, such as those outlined in the UK General Data Protection Regulation (UK GDPR).
Being able to access government-held data will help organisations “prove they follow the rules of the trust framework” and “help streamline due diligence processes”, the government said.
A list of trust-marked organisations will be published by the government. It is to create a new Office for Digital Identities and Attributes (ODIA) with the Department for Digital, Culture, Media and Sport to act as an interim governing body for digital identities while a long-term solution for performance of the governing function for the new regime is identified.
Organisations that rely on information shared with them through the trust framework “will not need to be certified themselves” but could be subject to “flow-down conditions from identity or attribute service providers”, it said.
The government confirmed that while anti-fraud and security measures will be put in place, people who fail digital checks will not be automatically banned from accessing services. Alternative pathways for verifying identity will be open for “legitimate consumers” to account for situations where, for example, the data that verification checks are made against is out of date.
The government said it would also legislate “to affirm that digital identities and digital attributes can be as valid as physical forms of identification, or traditional identity documents”.
“This statutory presumption will provide parties that rely on government-held data with the clarity and confidence they need to trust the data being shared with them,” it added.