GOV.UK Verify will provide users with a simple, trustworthy and secure means of accessing public services. Privacy is an essential component of that trust relationship. I’m an independent privacy specialist working alongside the GOV.UK Verify team to ensure that the system meets privacy expectations.
The GOV.UK Verify approach is a good starting point for a ‘privacy-positive’ authentication system, since concepts of anonymity, data minimisation and user control are baked into the underlying technical and commercial models. There will always be areas where we are obliged to retain or share data - for example where providers might need to hold audit records for the prevention and investigation of crime - but controls will ensure that these controls are transparent to the user, and cannot be abused by government or providers.
The privacy approach is guided by the Privacy and Consumer Advisory Group, an independent voluntary body comprising experts on privacy, civil liberties and identity management. They have developed nine Identity Assurance Principles, which define specific privacy goals, and which form the cornerstone of the privacy approach (in addition to duties under the Data Protection Act). Every identity provider and service provider, including the Government Digital Service, will be expected to embed those principles into their identity assurance services, and to demonstrate that they have done so.
As GOV.UK Verify enters public beta, we’re reviewing every aspect of the service to assure the users - and ourselves - that the service meets those privacy expectations. A comprehensive assessment will test how well it lives up to the requirements, and what more needs to be done. We are checking the procurement to ensure that it mandates good privacy practices, including the Identity Assurance Principles, and does not close the door on possible future privacy requirements.
Privacy is not a fixed deliverable, but a fundamental quality of the identity assurance programme, so this work is just the first step in ensuring that GOV.UK Verify builds and maintains users’ confidence that their privacy will be protected.
Follow @tobystevens on Twitter.