GOV.UK Verify is the new way for people to prove their identity when accessing government services. It is primarily for people who want to access digital services for individuals - services relating to things like personal tax, passports and driver licences.
Many government services relate to organisations, not just individuals. It’s important for those services to be able to make sure that the person accessing a service on behalf of an organisation really has the authority to do that, particularly where the service involves payments or confidential data.
Identity assurance for organisations is complex
Identity assurance is more complex for organisations than for individuals. It includes a number of extra elements beyond proving a person is who they say they are, such as:
- does the organisation exist?
- what type of organisation is it?
- who in the organisation is officially in charge, and how does the individual doing the transaction relate to them?
- does the person have authority to act on behalf of the organisation in general and permission to access this specific record, service or transaction in particular on behalf of the organisation (known as ‘authority management’)?
Our interest in identity assurance for organisations
The identity assurance programme has a potential role in this work. We have an existing mandate and knowledge that might be applied to the problem, and a role in setting government standards for identity assurance which includes the standards for organisation identity and authority management.
There is also a potential direct relationship between GOV.UK Verify for individuals and identity assurance for organisations: in theory, a service could use GOV.UK Verify to verify an individual's identity and then separately match them to an organisation. This verified identity could then be linked to any permissions the individual has to act on behalf of their organisation.
Discovery and alpha work
Earlier this year we did some discovery work with colleagues across government and some users of business services to start to understand more fully the needs for identity assurance for businesses. We then did an alpha project to develop and test a prototype user journey.
The sorts of question we wanted to understand included:
- what do users need when they’re accessing a digital service on behalf of an organisation?
- is there a generic need across government for a way for people to prove, using digital means, that they have authority to do a specific thing on behalf of an organisation?
- can the needs be met from existing solutions in the market, or is there a need to build something new?
- if we were to build something new, should it be a cross-government service like GOV.UK Verify?
- how can someone prove, entirely digitally, that an organisation exists and they have authority to act on its behalf?
What we've learned
We learned that where a service is for a very small organisations of 1 or 2 people, GOV.UK Verify can be used as the way for people to prove their individual identity. But when it comes to larger organisations, people using government services don’t expect to have to prove their identity as an individual before being allowed to act on behalf of an organisation they work for. Also, organisations expect to be able to manage their own delegations of authority, rather than them being managed by a government service.
On the basis of this work we’ve concluded that at this stage there isn’t a case, or a sufficiently developed or proven set of generic needs, for a government-wide business identity service built by GDS and directly linked to GOV.UK Verify.
For now, we think it’s more appropriate for individual departments and services to take forward this work, with us playing a supporting, convening and facilitating role. This is for three main reasons:
- the needs for organisation identity assurance are not standard across different services - for example, different services deal with different types and sizes of organisation, and different methods are needed for proving that different types of organisations are real and that the person has authority to act on their behalf
- some services have existing relationships and ways of establishing that an individual has the authority to act on behalf of the organisation so they don’t actually need a cross-government service
- there are solutions in the marketplace that can meet many of the needs we identified, so there isn’t a compelling case for us to build a new product to meet the full range of needs
So we think the way forward is for services that have a need to identify people acting on behalf of organisations to develop alpha and beta projects, with a view to sharing what they learn and potentially allowing others to re-use some or all of their work.
We’ll use what we learned in our discovery and alpha projects to help services to do this. To start with, we’re offering our supporting to services that are working to develop local solutions that might then be re-used in whole or in part by other services. Our support will take the form of sharing what we’ve learned and giving advice based on our understanding of how identity assurance works for individuals and might work for organisations. We will also play a convening role where it’s needed to bring different services and departments together to work on common issues.
We’re working to revise the standards for organisation identity and develop new standards for authority management to reflect what we learned in our discovery and alpha work. We’re planning to publish these by April 2015. We’re also working with the European Commission and other EU Member States to develop European-wide levels of assurance in support of the new eID Regulation, which includes levels of assurance for organisation identity - we need to make sure our work in the UK is appropriately aligned with developments at the European level.