This post is about how certified companies are assured as being safe for people to use as part of GOV.UK Verify.
When you use GOV.UK Verify for the first time to access a government service, you'll choose a certified company to verify your identity. The certified company will ask you for some information and check a range of evidence to establish that it’s really you.
This process involves the certified company asking you for personal data, and the same company will be responsible for making sure it's really you each time you come back to use GOV.UK Verify to access a service. So it’s important to be able to trust your chosen certified company to protect your privacy and keep your data safe and secure.
There are four main ways that certified companies are assured as being safe for people to use. Certified companies have to be:
- certified by a certification body to confirm that they meet industry standards for information security
- certified by an independent body (such as tScheme) to confirm that they meet government standards for identity assurance
- compliant with the requirements in their contracts with the Cabinet Office
- compliant with data protection law
Certified against industry standards for information security
Certified companies must have appropriate information security management systems in place to look after people’s data and keep it secure.
They have to be certified to confirm that they meet an industry standard for information security management. This involves demonstrating that they have adequate processes in place to look after information securely and safely - in particular, how they set up, maintain and continuously improve an ‘Information Security Management System’ (ISMS).
Under the current contractual framework, the relevant standard is ISO27001, the international standard for information security management. In the next procurement we may accept other equivalent standards.
Certified against government standards for identity assurance
Certified companies also have to be certified by an independent certification body such as tScheme to assure that their service meets the published government standards for identity assurance.
The service auditors are accredited by the United Kingdom Accreditation Service (UKAS) for carrying out service assessments.
Compliant with contractual requirements
Each certified company operates under a contract with the Cabinet Office. The contracts set out the requirements the certified companies have to meet.
GOV.UK Verify is designed to protect people’s privacy and give people a secure way to access government services. We work according to a set of principles developed by our privacy and consumer advisory group. These include things like making sure people have a choice of certified companies, making sure they are in control of what happens to their data, and minimising the amount of data that’s collected and stored.
The identity assurance principles are reflected in the requirements certified companies have to meet. For example, certified companies are not allowed to use people's data for any other purpose without the person's informed consent.
Before they can join GOV.UK Verify, certified companies have to go through a number of contractual ‘gates’ - formal processes where the Cabinet Office assesses the service to make sure it will meet the requirements contained in the contracts.
We'll be launching our procurement exercise for a new contractual framework for certified companies shortly - see other posts we’ve published about ‘procurement 2’ for more information about that process. We’ve posted separately about how we’re making sure the new contractual framework reflects the identity assurance principles.
Compliant with data protection law
Certified companies are ‘data controllers’ under data protection law. They have to comply with all the relevant legal requirements about the storage and processing of data.