GOV.UK Verify involves people choosing a certified company to verify their identity and allow them to access digital government services. Over time, we want as many people as possible to be able to verify their identity using GOV.UK Verify. To do this, we’ll need certified companies to be able to use a broader range of data sources.
The main data sources certified companies can refer to
To verify a person’s identity, the certified company needs to be able to refer to a combination of official and commercially available data sources. This enables them to validate data provided by the person and establish that they are who they say they are to the required level of assurance.
The main ways certified companies refer to data sources today are:
- validating details provided by users about their passport or driving licence against official government records through the document checking service.
- drawing on data from credit reference agency files to validate evidence provided by the person about a bank or credit account, generate questions to the person that help establish that they are the owner of the identity they’ve asserted, and establish that an identity has been active over time.
Why we need to expand the range of data sources certified companies can refer to
This range of data means that to verify their identity using GOV.UK Verify today, users will need a passport and/or a driving licence and they will need to have been financially active over time (for example by holding a credit card, bank account, loan or mortgage).
So GOV.UK Verify will already work for most people, because the majority of people hold either a driving licence or passport and have a range of financial activity that a certified company can refer to. But some people won’t be able to verify their identity through GOV.UK Verify yet if they don’t have the necessary official documents and/or financial history.
To allow those people who don’t have a driving licence, passport and / or financial history to access GOV.UK Verify, we need to expand the range of data sources that are available to and used by certified companies.
There are two main ways to do this: expanding the scope of the document checking service and encouraging certified companies to make use of more commercially available data sources.
Expanding the scope of the document checking service
We’re working to identify more government data sources to add to the document checking service. We’re hoping to be able to say a bit more about our plans on this in the new year.
The use of any additional official data sources would be subject to formal agreements on how the data can be used, and government data sources will only be used on the basis of informed user choice and consent.
Encouraging certified companies to use a wider range of good quality, relevant data sources - our next procurement exercise
We’re about to publish a Contract Notice in the Official Journal of the European Union, inviting companies to bid to be part of our new identity assurance framework.
We want to choose between four and ten certified companies (formally known as ‘identity providers’). We’re going to choose them using an evaluation mechanism that places equal weight on three factors: their price, the quality of their solution and the breadth and depth of the datasets they plan to use and refer to.
By using this approach, rather than simply selecting the cheapest providers who get over a technical or capability hurdle, we’re hoping to increase the range of data that GOV.UK Verify can draw upon.
There will be two main parts to the evaluation process: the selection stage, a process to make sure we select suitable organisations; and the award stage, where we choose the bidders that we consider will provide the best value.
To pass the selection stage, bidders need to demonstrate that they have the right skills and resources to provide the required services.
Award Stage 1
The first part of the Award Stage is designed to assess the overall quality of the bidders’ proposals. Bidders will be required to provide evidence showing how their proposed service would meet a number of criteria. These will include, for example, showing how the bidder proposes to fulfil each of the five elements of the identity proofing and verification (IPV) process.
Bids will be scored according to a marking scheme set out in the evaluation questions. Higher marks will be available for bids that demonstrate a wider range of high quality methods and approaches to Identity Proofing and Verification (IPV) and a high quality approach to service design and improvement.
To pass Award stage 1, the proposal must match or exceed the minimum pass mark for each criterion. If a bidder scores less than the minimum acceptable score against any of the criteria at Award Stage 1, they will not go through to the next stage (Award Stage 2) and will not be awarded a place on the Framework Agreement.
Any bidder that scores at least the minimum score against all of the criteria in Award Stage 1 will progress to Award Stage 2.
The scores from Award Stage 1 will contribute to the final combined score for Award Stage 2.
Award Stage 2
Award Stage 2 will be used to choose a number of successful bids by assessing them on:
(a) the quality of their solution as assessed at Award stage 1
(b) the characteristics of the datasets they propose to use
(c) their price.
The evaluation mechanism will allocate a score to each of these criteria and those three scores for each bid will be combined to create a single overall score. Those combined scores will then be ranked and we will choose our identity providers based on that ranking.
Assessment of data
We want to encourage certified companies to use more large, high quality datasets that are likely to help increase the number and volumes of available high quality datasets. This will increase the number of people who can use GOV.UK Verify to verify their identity, and provide choice about what kind of evidence they want to use.
The bidder must list each of the datasets it proposes to use to fulfil elements A to E of the Identity Proofing and Verification (IPV) requirements, as defined in Good Practice Guide 45 and the IPV Operations Manual.
Each dataset will be scored against the following criteria:
- quality (a measure of how much the data can be relied upon as evidence about someone’s identity)
- timeliness - how frequently it’s updated
- longevity and median age - how long the data goes back historically
- volume - how many unique individuals are covered by the dataset
Once each dataset has been scored against these criteria, a combined score will be calculated using this formula:
Quality x (Timeliness + Longevity + Median age) x Volume.
We’ll publish detailed guidance on how to score datasets in the procurement documents.
This blog post is an introduction only; it’s not a formal part of the procurement process. The details will be set out in detail in the Contract Notice and that’s where interested parties should look for definitive instructions. We wanted to share our thinking now, as it's a new approach we've developed in the light of feedback we received at our market briefing event.
6 comments
Comment by R Brearley posted on
There have been many breaches of data security in the past, so why should we believe that by giving these companies (or the government for that matter) our data, that it will be secure now?
Comment by Rebecca Hales posted on
Thanks for your comment.
We take the security and privacy of our users very seriously. GOV.UK Verify was designed in close conjunction with CESG and the Privacy and Consumer Advisory Group. The whole process, starting from the government department the user wishes to transact with, through choosing a certified company to verify with and then being passed back to the government department is conducted over a secure channel, as identified by the green lock you will see in your browser. The identity proofing process has been certified by government and also complies with the international security standards set out in ISO 27001.
You can find further information on how we enable secure delivery on government digital services at https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions.
You can also read more about how we protect your privacy on our blog at https://identityassurance.blog.gov.uk/2014/11/05/tech-arch-privacy/. This shows the data you enter, where we process it, what data is stored, and by whom.
Comment by S. Flynn posted on
With the advent of the eIDAS regulations (ignoring the June 23rd elephant in this question!) will Verfiy.gov.uk expand to take on the verification of commercial entities including LLPs, sole traders etc?
Comment by Rebecca Hales posted on
Hi Stevie
At the moment there are no plans for expansion in this way - GOV.UK Verify is for individual citizens to verify their identity to allow them to access government services for personal transactions and eIDAS will not impact this.
Comment by Jimmy Fong posted on
Who do I need to speak to about becoming a potential supplier to GOV?
Comment by Emily Ch'ng posted on
Hi - Can I please ask for some more specific details. Do you mean for GOV.UK Verify, or government in general?