https://identityassurance.blog.gov.uk/2014/12/11/what-it-means-to-be-a-certified-company/

What it means to be a 'certified company'

This post is about how certified companies are assured as being safe for people to use as part of GOV.UK Verify.

When you use GOV.UK Verify for the first time to access a government service, you'll choose a certified company to verify your identity. The certified company will ask you for some information and check a range of evidence to establish that it’s really you.

This process involves the certified company asking you for personal data, and the certified company will be responsible for making sure it's really you each time you come back to use GOV.UK Verify to access a service. So it’s important to be able to trust your chosen certified company to protect your privacy and keep your data safe and secure.

There are four main ways that certified companies are assured as being safe for people to use. Certified companies have to be:

Certified against industry standards for information security

Certified companies must have appropriate information security management systems in place to look after people’s data and keep it secure.

They have to be certified to confirm that they meet an industry standard for information security management. This involves demonstrating that they have adequate processes in place to look after information securely and safely - how they set up, maintain and continuously improve an ‘Information Security Management System’ (ISMS).

Under the current contractual framework, the relevant standard is ISO27001, the international standard for information security management. In the next procurement we may accept other equivalent standards.

Certified against government standards for identity assurance

Certified companies also have to be certified by an independent certification body such as tScheme to assure that their service meets the published government standards for identity assurance.

The service auditors are accredited by the United Kingdom Accreditation Service (UKAS) for carrying out service assessments.

Compliant with contractual requirements

Each certified company operates under a contract with the Cabinet Office. The contracts set out the requirements the certified companies have to meet.

GOV.UK Verify is designed to protect people’s privacy and give people a secure way to access government services. We work according to a set of principles developed by our privacy and consumer advisory group. These include things like making sure people have a choice of certified companies, making sure they are in control of what happens to their data, and minimising the amount of data that’s collected and stored.

The identity assurance principles are reflected in the requirements certified companies have to meet. For example, certified companies are not allowed to use people's data for any other purpose without the person's informed consent.

Before they can join GOV.UK Verify, certified companies have to go through a number of contractual ‘gates’ - formal processes where the Cabinet Office assesses the service to make sure it will meet the requirements contained in the contracts.

We'll be launching our procurement exercise for a new contractual framework for certified companies shortly - see other posts we’ve published about ‘procurement 2’ for more information about that process. We’ve posted separately about how we’re making sure the new contractual framework reflects the identity assurance principles.

Compliant with data protection law

Certified companies are ‘data controllers’ under data protection law. They have to comply with all the relevant legal requirements about the storage and processing of data.

 

 

2 comments

  1. Janette

    I question government departments use of records and their ability to keep safe let alone using outside 'identity agencies' and 'sub contractors'

    Link to this comment
  2. Janet cater

    Government departments are notorious for leaking sensative information. Their track record
    is not good!!!!!!!

    Link to this comment