We’ve completed our procurement exercise for a new framework for certified companies.
Nine companies have this week signed framework agreements to become certified companies for GOV.UK Verify:
Barclays
Digidentity
Experian
GB Group
Morpho
PayPal
Post Office
Royal Mail
Verizon
Four of the companies have call-off contracts under the existing framework (Digidentity, Experian, Post Office and Verizon). These companies will continue to provide services for GOV.UK Verify and transition smoothly onto the new framework over the next few months.
Mydex, the fifth company with a call-off contract under the first framework, will not be joining the public beta. We’ve blogged separately about Mydex’s contribution to the development of GOV.UK Verify and their important ongoing role in the development of identity assurance and personal data policy and services.
Paypal was also on the first framework for certified companies but did not sign a call-off contract under that framework. PayPal, along with the four other new companies (Barclays, GB Group, Morpho and Royal Mail), will begin the process of joining GOV.UK Verify shortly. We will confirm their timescales for joining the public beta once we’ve started working with them to agree detailed plans.
This wider range of certified companies will offer people more choice of who they would like to verify their identity, and will bring more data and more methods, extending GOV.UK Verify’s demographic coverage and increasing the overall success rate for people attempting to verify.
12 comments
Comment by Anil John posted on
Congratulations! This is indeed good news from both traction and value aspects of GOV.UK Verify.
From the perspective of a potential customer, am really looking forward to seeing how you will be applying your UX expertise to dealing with the 'tyranny of choice' this introduces (which, BTW, is a good problem to have to solve)
Comment by Marisol posted on
Hi,
Coming from a department which does not have much business with Verify, is there a blog post which explains simply what Verify is and does? It's always helpful to unpack these concepts in a line or two for those who might not know.
Thanks.
Comment by Rebecca Hales posted on
Hi Marisol, thank you for your comment.
Here's a brief introduction to GOV.UK Verify: https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify
Alternatively, you may find it useful to watch a short film about the service: https://www.youtube.com/watch?v=_4tGc9Rp_Vs
Comment by Claire Durrant posted on
Great news that PayPal is getting involved. I regard them very highly and would feel comfortable completing this process with them.
Comment by John Turpin posted on
We are trying to arrange transfer of tax allowance online. We picked a certified company and filled all required data. No mention of passports or driving licenses and were told my wife could not be verified. It seems that unless you have a mortgage or loan you stand no chance.
Comment by Rebecca Hales posted on
Hi John
Thank-you for contacting us via the Identity Assurance blog.
I’m sorry your chosen certified company could not verify your wife. There are lots of reasons why a certified company may not be able to verify you. We do appreciate how frustrating that can be for those we are unable to verify at this stage.
GOV.UK Verify is in beta (trial), which means it is constantly being developed and improved based on feedback from people who use it. We’re not able to verify everyone yet using GOV.UK Verify but we’re working to constantly expand and improve the service. Verifying someone's identity without talking to them or sending things in the post is a complex process and it will take us some time to make it work for everyone.
Whilst we are in the trial period and still developing GOV.UK Verify, there are always other ways to access services. If you haven't already done so, please return to the service you were trying to access and use one of the other available ways to access it.
Comment by mr r pegg posted on
Hi
Our chosen certified company cannot verify my wife. What other ways are available?
Comment by Rebecca Hales posted on
Thank-you for your comment Mr Pegg.
I’m sorry your chosen certified company could not verify your wife.
GOV.UK Verify is in beta (trial), which means it is constantly being developed and improved based on feedback from people who use it. We’re not able to verify everyone yet using GOV.UK Verify but we’re working to constantly expand and improve the service.
Whilst we are in the trial period and still developing GOV.UK Verify, there are always other ways to access services if GOV.UK Verify doesn't work for you. If you haven't done so already, your wife should return to the service she was trying to access and use one of the other available ways to access it.
Comment by Stephen HIrst posted on
The govt. isn't a business it can't choose its customers and customers don't have choice either. What was wrong with govt. gateway and why are you using third party companies?
Comment by Rebecca Hales posted on
Hi Stephen
Thank-you for your comment and question.
Government Gateway does not verify an individual to the required level of assurance for modern digital by default services, and users can’t register entirely online - it relies on codes and other documents being sent through the post. GOV.UK Verify offers a service that is faster and more secure for users, suitable for new digital by default services and is re-usable across a range of services.
GOV.UK Verify uses certified companies because although different parts of government may hold information about you, they do not hold the range of information necessary to establish that you are who you say you are on the balance of probabilities. Certified companies have the means to look at a wider range of information to establish this. Working with certified companies means we can take advantage of value and innovation in the market, and government can avoid creating a central database of personal data within a single supplier or within government. This means your information is safer.
Comment by Frustrated reader posted on
You make a big leap in logic in your last sentence - the government could happily achieve a privacy sensitive identity assurances system that is safe and also avoids one big database without the involvement of the private sector.
The fact is that your programme and Minister made a choice not to do this - and that is a potentially a legitimate choice but please be honest and transparent and admit this. Doing otherwise undermines your credibility as an organisation that has sufficient caution to protect the data that your users must give to private sector companies.
What is more worrying is that in assuming private sector delivery is automatically better (and there is evidence against that in spades as well as evidence for it), you provide very little practical information to the public about how you are ensuring that our data is safe. You note that your certified companies must meet certain standards but have not published any detail about what how you directly verify this on a regular basis. You trust that they will keep their word and essentially outsource checking. You have made commitments on complaints resolution process but have been quite evasive on detail and timelines for putting these protections in place. Thousands are using your service but these are things that you state you are still working on and will provide further information 'soon'. That hardly makes for a reassuring picture given the high profile breaches that impact on private sector companies (and a general corporate culture of seeking to do the minimum possible to meet legal requirements in general where it would impact on the bottom line - e.g the tax avoidance measures taken by many of your certified companies).
Given all that doubt - isn't it a little trite to say your approach makes our data safer without giving very explicit proof that this is the case
Comment by Janet Hughes posted on
Hello, and thanks for your comment.
I'm sorry you're frustrated and hope I can help.
We don't think either the private or public sector is automatically better at building services, and we don't think there is only one 'right' way to provide online identity assurance. I'm sorry if we've given a different impression here. However, we do think having a diverse range of providers all working to the same published standards, allowing users to choose which one to use, will be better for users than a single provider and / or no user choice. We also think having a market-based approach will give more benefits, more rapidly and fully, than government attempting to verify people's identities and manage users' credentials itself. This approach:
- makes it clear and transparent to users who has their data and how it is being used and stored
- gives users a choice over which provider verifies their identity
- provides a diverse range of approaches and solutions, so will achieve greater overall demographic coverage at a lower cost than a single provider (government or private sector) trying to cover the whole population
- protects people's privacy
- is more secure and resilient, because data and services are disaggregated and only minimal data is passed between providers and the services you use through GOV.UK Verify
- enables us to make the most of rapidly developing technology and capabilities in the market, such as new ways to validate identity evidence online, and new ways to establish that a user is who they say they are
- is helping to grow a market for identity assurance that will be able to meet user needs not just in relation to central government services, but also for local, health and private sector services
Protecting users' privacy and security is at the heart of everything we do, and we take it extremely seriously. I'm sorry if that hasn't come across clearly in this context and we've given you a different impression as a result of that. We've built GOV.UK Verify to meet identity assurance principles developed for us by independent experts on our Privacy and Consumer Advisory Group (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/361496/PCAG_IDA_Principles_3.1__4_.pdf). The federated approach, where the user can select from a list of different certified companies, helps us meet the principles of multiplicity, transparency, data minimisation, user control, and service user access and portability.
We've published our contractual framework, and all the certified companies work to published government standards (details are available elsewhere on the blog about these). All the certified companies have to maintain relevant industry and government standards, and be independently certified as doing so. If they fail to do that, then they are liable to users (and government) for any loss or damage caused. In the event of negligence on their part, their liability to users is unlimited.
All the providers are required to have a complaints process in place. Anyone who believes a certified company has breached data protection requirements, and the company has failed to resolve their complaint, can complain to the Information Commissioner's Office as with any other data controller. We are looking at whether any other dispute resolution measures might be needed to deal with complaints that fall outside the existing scope of the Information Commissioner's Office, and we know we need to conclude this work as part of our work to take GOV.UK Verify from beta to live.
Thank you for taking the time to comment. We're continuing to work to make sure that users have access to all the information and support they need, and we'll use the points you've raised to help us carry on improving how we do that.