https://identityassurance.blog.gov.uk/2014/12/04/how-were-embedding-the-identity-assurance-principles-in-gov-uk-verify/

How we're embedding the Identity Assurance Principles in GOV.UK Verify

GOV.UK Verify is designed to preserve users’ privacy when they access digital services. The identity assurance programme’s independent Privacy and Consumer Advisory Group recognised the need for GOV.UK Verify to go further than the requirements of the Data Protection Act (1998), and has provided nine Identity Assurance Principles. These principles are intended to guide the operation of the service, both by government and the certified companies.

We’ve been working with the Privacy and Consumer Advisory Group to embed these principles in the way GOV.UK Verify is designed and built. We need to reflect the way the service is structured - a range of certified companies that people can choose from to verify their identity, working to defined standards, rather than a single supplier working to one technical specification.

The first contracts for certified companies were drawn up before the Privacy and Consumer Advisory Group had developed its principles. They therefore included a general requirement to cooperate with the Cabinet Office in the development and implementation of the principles.

We’re going into a second round of procurement for our next framework for certified companies, and as part of that we’ve included some more specific requirements in respect of the Identity Assurance Principles. These will cover data minimisation, user control, transparency and certification.

We also want certified companies to be clear and transparent about how they approach these important issues as part of their service, so we will require them to publish and comply with a privacy policy. Forcing one privacy policy on all certified companies runs the risk of ‘one size fitting nobody’. That would be inflexible for users, and stifle innovation and diversity among certified companies.

Our proposed solution is similar to an approach used in the US, where the Federal Trade Commission (FTC) holds organisations responsible for living up to their own commitments.

Each company’s privacy policy must comply with the relevant legislation and regulations in its sector, and must also explain how the company will embed the Identity Assurance Principles in its service. Companies will have to submit their terms and conditions and their privacy policy to the Cabinet Office as part of the requirements they need to meet before joining GOV.UK Verify.

Certified companies will then be held accountable for compliance with their own privacy policies. A breach of these commitments, or wilfully acting in a way that is contrary to the intent of the principles, would be treated as a breach of their contract with the Cabinet Office. This in turn will trigger remedies and penalties for the identity provider.

If the Privacy and Consumer Advisory Group needs to update the Identity Assurance Principles - for example, in response to changes in best practice, or to address a systemic problem - certified companies will need to update their privacy policies to reflect these changes.

This post is not part of the formal procurement process. More information regarding the next Framework Agreement will be included in the OJEU Contract Notice which is due to be published this month.

1 comment

  1. Comment by David Moss posted on

    QUOTE

    Our proposed solution is similar to an approach used in the US, where the Federal Trade Commission (FTC) holds organisations responsible for living up to their own commitments.

    UNQUOTE

    But what you're proposing is not like the US system.

    QUOTE

    Each company’s privacy policy must comply with relevant legislation and regulations in their sector, and they must also explain how they will embed the Identity Assurance Principles in their service. They will have to submit their terms and conditions and their privacy policy to the Cabinet Office as part of the requirements they need to meet before joining GOV.UK Verify.

    Certified companies will then be held accountable for compliance with their own privacy policies ...

    UNQUOTE

    In the governance structure you outline, the certified companies would be under contract to the Cabinet Office and enforcement of privacy policy would also be conducted by the Cabinet Office.

    The US would segregate duties more and I suggest that we should, too.