Government proposes principles on privacy for operation of ID assurance schemes

Out-Law News | 20 Jun 2013 | 3:40 pm | 2 min. read

Identity assurance (IDA) scheme providers will require the consent of individuals to pass on their details to others, under plans announced by the Government.

The Government is trying to establish overarching principles to govern the working of new ID assurance schemes which it wants developed in order to verify and validate the identity of individuals that use public services online.

Businesses involved in providing ID assurance services will be required to obtain individuals' consent to the sharing of their personal data if they wish to disclose that information to third parties, according to one of nine principles the Government is consulting on.

"Identity Assurance Providers or Service Providers cannot use or disclose IDA data without the Service-User's knowledge and agreement (i.e. consent)," according to the Government's draft proposals. "Service-users must be able to control/choose whether or not to use or disclose their IDA data and whether or how they assert their identities."

Any exemption from this principle could only be set out in new legislation and data sharing of personal data gathered through an IDA scheme under existing laws would be prohibited, it said.

"There are a myriad of data sharing laws each with different standards and rules," the Government said. "To engender trust in identity assurance and to improve Parliamentary scrutiny, it is proposed that only statutory gateways created by any legislation needed to establish the programme are valid."

Among the other principles that IDA providers would have to adhere to under the Government's proposals is a requirement that they only process "the minimum data that is necessary" to meet the needs of individual service users.

In addition, IDA providers would have to provide individuals with a right to access their personal data for free and transmit the data to another IDA provider "in a standard electronic format, free of charge and without impediment or delay" upon the request of a user.

"For the absence of doubt, such access includes access to logs of Service-User activity, disclosure logs of any Service-User data, and any audit data relating to that Service-User's activity but excludes any anonymised data that can no longer be linked or associated with a particular Service-User," the Government said.

"The prohibition is needed as there is a practice in the UK of requiring data subjects to use their subject access rights to criminal records and medical records and show the product of their access request to an employer or insurer. The prohibition stops unscrupulous use of the access right," it added.

The Government said that benefits can be derived from IDA services if individuals trust them.

"If individuals trust such an Identity Assurance Service then ... the Service Provider is less worried about ID theft and impersonation as fraudulent claims based on the use of diverse identities becomes well nigh impossible," it said. "At the same time, the individual citizen is reassured that their identity is secure and any transaction is safely delivered to the right organisation. This is a collaborative win-win outcome for the individual and all taxpayers; in summary everybody benefits."

"To deliver these objectives there has to be a framework (the Nine Identity Assurance Principles) that gives real meaning to terms such as 'individual privacy' and 'individual control'. By necessity, therefore, there has to be a degree of precision concerning the wording of these Principles to ensure that those participating in an Identity Assurance Service are left in no doubt it is designed around the needs of the individual (and not on the needs of any state body or commercial corporation)," the Government added.

A new identity assurance scheme is currently being developed for the Department for Work and Pensions (DWP). The scheme is to be used to verify the identity of individuals who register online and apply for benefits. Under the proposed service, the benefits claimants would be able to "choose who will validate their identity by automatically checking their authenticity with the provider before processing online benefit claims", DWP said last year.