GOV.UK Verify is designed to preserve users’ privacy when they access digital services. The identity assurance programme’s independent Privacy and Consumer Advisory Group recognised the need for GOV.UK Verify to go further than the requirements of the Data Protection Act (1998), and has provided nine Identity Assurance Principles. These principles are intended to guide the operation of the service by both government and the certified companies.
We’ve been working with the Privacy and Consumer Advisory Group to embed these principles in the way GOV.UK Verify is designed and built. We need to reflect the way the service is structured - a range of certified companies that people can choose from to verify their identity, working to defined standards, rather than a single supplier working to one technical specification.
The first contracts for certified companies were drawn up before the Privacy and Consumer Advisory Group had developed its principles. They therefore included a general requirement to cooperate with the Cabinet Office in the development and implementation of the principles.
We’re going into a second round of procurement for our next framework for certified companies, and as part of that we’ve included some more specific requirements in respect of the Identity Assurance Principles. These will cover data minimisation, user control, transparency and certification.
Our proposed solution is similar to an approach used in the US, where the Federal Trade Commission (FTC) holds organisations responsible for living up to their own commitments.
Certified companies will then be held accountable for compliance with their own privacy policies. A breach of these commitments, or wilfully acting in a way that is contrary to the intent of the principles, would be treated as a breach of their contract with the Cabinet Office. This in turn will trigger remedies and penalties for the identity provider.
If the Privacy and Consumer Advisory Group needs to update the Identity Assurance Principles - for example, in response to changes in best practice, or to address a systemic problem - certified companies will need to update their privacy policies to reflect these changes.
This post is not part of the formal procurement process. More information regarding the next Framework Agreement will be included in the OJEU Contract Notice which is due to be published this month.