GOV.UK Verify is a new type of service, being delivered in a new way for the first time anywhere in the world, so our social media accounts present some interesting challenges. I'm responsible for GOV.UK Verify's digital communications channels, and this post is about how we're developing our approach to digital engagement to meet a range of needs.
What GOV.UK Verify's digital channels are for
Because of the way GOV.UK Verify works, we're aiming to meet quite a wide range of needs through our digital channels.
Like any digital service, we need to respond to users' queries about GOV.UK Verify through whichever channel they've chosen whether it's our support desk, our Twitter account or our blog.
We've designed and built GOV.UK Verify according to identity assurance principles developed for us by our privacy and consumer advisory group; we need to make sure we protect users' privacy and comply with these principles in all our contact with users, including contact through our social channels.
As well as responding to operational questions from users, we also need to be able to take part in conversations about policy, commercial, delivery and technology issues relating to the service, and respond to wider questions about how we've designed and built it and how it works.
GOV.UK Verify operates a federated model for identity assurance. We work with a number of certified companies who verify people's identity on behalf of GOV.UK Verify. So users may come to us looking for information specific to their experience with their chosen certified company.
GOV.UK Verify is not a service in its own right. Rather, it provides a way into services on GOV.UK. So users who contact us through our social media channels may be seeking a response to comments relating to those services
How we're using digital channels to meet a range of needs
We're interested in connecting with people who care about what we're doing, sharing the lessons from the work that we do, and helping our users as effectively as we can. GOV.UK Verify has two social media channels that allow us to do this: the identity assurance blog and the @GOVUKVerify account on Twitter.
As GOV.UK Verify is currently in public beta, being constantly expanded and improved, these channels provide a space for us to have valuable conversations that can shape the development of GOV.UK Verify. Whether we’re answering specific questions about how GOV.UK Verify works, or discussing the broader issues around identity assurance, we want our blog and Twitter feed to be credible sources of information, showing empathy when our users share feedback, and competence when they want answers.
We look to the GDS Social Media Playbook for guidance on best practice and follow the GDS house rules (which cover operating hours and response times) but we’ve also come up with a few rules of our own. Here’s some of the things we’re doing to ensure that users get the most out of engaging with GOV.UK Verify on social media:
- Our contact with users, regardless of the channel, should be directed at resolving any issues they are having using GOV.UK Verify quickly, efficiently and in full compliance with the identity assurance principles.
- We will not ask for or encourage users to share any personal data through social media channels, including which service they are trying to access or which provider they are trying to use. Where there's a need to provide individual support, we will move to private channels (eg direct message or email).
- We will make sure that users receive consistent answers and responses regardless of the channel they use to contact us.
- We will not publish individual support requests that appear in the form of blog comments and/or tweets. Where a user is having a specific problem, we will direct them to the GOV.UK Verify service desk for resolution.
- We will not respond on behalf of certified companies, or comment on them individually, but suggest that the user should contact the certified company support desk directly in the first instance.
- We will not respond to feedback or questions on behalf of government services that use GOV.UK Verify. Instead, we will suggest that the user should contact the relevant support channel in line with any agreements we may have with departments, or generically if we don’t know which service the user is trying to use.
- We will respond to user support requests through social channels according to our overall response time targets (4 hours, during working hours). We will not reply outside office hours unless there is an overriding business need for us to do so.
- We will ‘favourite’ news coverage and other commentary about GOV.UK Verify, and about identity assurance in general, as this is a useful piece of curation for our community. Similarly, we will follow accounts that are relevant to identity assurance / technical issues that we think our community might find useful.
- We will not retweet comments about GOV.UK Verify - positive or negative - unless they add value to the community
What do you think?
We'd be very interested to hear from users of our digital channels, and anyone else who's dealing with similar challenges in managing social channels for transactional services, about how you think we can improve and develop our approach.
Get the latest news by subscribing to this blog or following us on Twitter.
7 comments
Comment by Richard posted on
In my view, federated identity should be seamless, so if there is a fault don't push the user back to the certified companies, but instead adopt a collaborative approach. Perhaps agree a mechanism with certified companies where you can jointly handle faults, bring their support agents onto your channel with the user, where you can all work together. The worst thing you can do for a service user is throw their problem over a support wall.
Comment by Rebecca Hales posted on
Thanks for sharing your thoughts, Richard.
Whilst we don't respond on behalf of certified companies, the team on our service desk does work collaboratively with all certified companies to resolve support issues on behalf of users who have contacted us. We suggest that users contact their chosen certified company's support desk in the first instance simply because the company can quickly check the status of a user's identity account and troubleshoot accordingly.
Comment by simonfj posted on
Hi Rebecca,
Would you give this one some thought as it would be a good time to start building a global community around this IDA stuff. As you know, there are so many initiatives being run in parallel, by different govs around the world. Eventually, they will need to address how ID's can be used in order for their teams to share their learning; both Nationally and Globally.
I'll point you at this ongoing discussion by the Aussie DTO as an example. https://www.dto.gov.au/blog/talking-digital-id
One issue, so far as the UK approach to identity is concerned. At present you have private companies being certified to offer IDAs to central gov services. So, as far as federated IDA's go that's the only difference that could be considered "a new type of (federated ID) service". Most unis around the world are already working on the same basis, and have been for some time. There are lots of nice stories about how researchers around the world collaborate. http://services.geant.net/edugain/eduGAIN%20USERS/Pages/eduGAIN-Success-Stories.aspx
We're in this Catch-22 situation where people in National gov departments, because they don't use a federated approach, haven't developed a Global learning culture. Not that they aren't trying. e.g. http://ec.europa.eu/isa/ It's unfortunate that the only time that people in GOV.UK are seen to collaborate with their peers OS, is when they are using a private platform (and ID) like LI. e.g. https://www.linkedin.com/grp/home?gid=5139031
The best we can do at present is point to where the discussions between people inside a national gov do talk behind closed doors. e.g. https://govdex.gov.au/ The concept of co-designing services with users hasn't made it into the halls of gov.
Learning, it has been said, is a two way street. Yet govs are yet to walk the walk, primarily because they haven't set up trust fabrics between institutions that end in .gov. This is, while funding their .edu institutions, who do. http://www.ncbi.nlm.nih.gov/books/NBK83558/
Perhaps we need to start using GOV.UK as the place where we can pull some of these Local, National and (perhaps) Global discussions together. It's funny. When I read this page. https://www.gov.uk/service-manual/the-team We can see what you and your (Local and Global) peers/teams require in the way of a (virtual and shared) working environment.
But in order to share, they will require a trust fabric between their institutional networks. So you might consider this question. When will the Scot's myaccount be used to access GOV.UK services? http://blogs.scotland.gov.uk/digital/2014/04/07/myaccount-signing-in-to-on-line-services/
Comment by MarkK posted on
There's a political aspect to this which means it would be hard for civil servants to know even which holding reply to give. As an outside observer who has asked the same questions in other parts of this blog, I would note that HMG is caught between the rock of voters in Glasgow and the hard place of Brussels lawyers. gov.scot has taken an approach using a permanent identifier, as in Nordic and many other countries, which is fundamentally different from using a current name and address with date of birth and multiple independent and overlapping registries. Regardless of politics, it was a pragmatic decision two years after what is now called Verify didn't deliver (as stated in OJEU), and as it is entitled to for devolved services. It's a also a state-provided service, which is anathema to Whitehall, where local government was explicitly excluded from provision.
The eIDAS regulation has two aspects in relation to what is used by government: accepting and providing. Providing is optional, and involves taking on liability and free provision of a service, so unless there's political pressure to be seen to be European, expect no decision from UK ad infinitum. Indeed it's not clear that a government should be involved in interactions between people and other governments. For an individual, it's no longer required to use any particular one (as in early drafts) so everyone has the option of (at least) Estonian eID. There's nothing inherently stopping gov.scot system working abroad, but eIDAS doesn't force it on Whitehall - that's a domestic issue. Accepting notified foreign IDs is required, but only forced after 3 years. There's a possible small print exemption in the English language version, going against the entire spirit but a matter of what 'required' qualifies, that might mean it's only if the service is only online. Details of how HMG would comply are certainly still to be worked out since something has got to give; the EU website confirms that the interoperability framework has been agreed, but the proposals on levels of assurance were rejected by (population) majority vote, although not enough to block the Commission. So unless it misses the 18 September deadline, three new mandated LoA definitions for the EU will be announced, and, with so many voting against, presumably some expensive changes will be needed; how significant we don't yet know - and probably will not do before the UK political party season is over.
You might find more active relevant and inclusive international government and industry cooperation by following the US IDESG online, although the whole public/private federation issue at higher levels has long since been sorted out under TSCP.ORG. For Australia, what's wrong with the working and privacy-friendly Canadian federal system?
Comment by simonfj posted on
Thanks Mark,
Great comments. Could you point us at a few of the links you mention?
(especially "the 18 September deadline, three new mandated LoA definitions for the EU will be announced" and "local government was explicitly excluded from provision")
This conversation, as you know, has been going around the global traps forever. So it would be useful if we could use the links as proof, and explanation, of what's going/gone on. Would save us all a lot of revisiting the same pages all the time as these discussions bring IDA peers in different countries together. It'll be the DTO (Aussie's GDS) blog's ID threads in .au.
I'll leave these ones for this UK group's reference library.
https://www.gov.uk/government/publications/local-authority-review-citizen-online-identity-assurance/local-authority-review-citizen-online-identity-assurance
https://www.idecosystem.org/
https://www.tscp.org/
Comment by MarkK posted on
The 18 September deadline is for the relevant delegated acts of the EU eIDAS regulation linked in all official languages from
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG
Note also that if what's currently available turns out not to meet the definition of 'substantial' it will be deemed 'low assurance' and not subject to mandatory interoperability:
6(c) "the relevant public sector body uses the assurance level substantial or high in relation to accessing that service online."
Local government was explicitly excluded from provision:
http://ted.europa.eu/udl?uri=TED:NOTICE:68791-2012:TEXT:EN:HTML&src=0
"capabilities that are already available or will be developed in the private sector, allowing users to choose the private sector partner(s).."
Note that foreign providers are not excluded, and many of the players are foreign companies (and typically ones unknown to the average British taxpayer).
Estonia
https://e-estonia.com/e-residents/about/
Canada
http://www.servicecanada.gc.ca/eng/online/mysca.shtml
New Zealand
https://www.realme.govt.nz/
Comment by simonfj posted on
Thanks For the links Mark, especially the ted.eu stuff. Nice to get the latest from Brussels.
You mention the .ca approach, and why don't the Aussies take that way. Probably will in time. Every team in a gov will approach the elephant from their own perspective. Only Europe must approach citizens' ID from a gov-to-gov perspective. These things do take time.
I'd be interested in your (and anyone else's) thoughts on this: https://www.dto.gov.au/comment/1586#comment-1586
Brain says "All the parts required to deliver a eID system already exist. All that is required is trust hierarchy model to establish the layers of trusted entities and how they interact".
We know that the ID (and inter-networking) technologiesare mature. We also know that the UK and Australian approach is much the same (federated ID). So the challenge now is in helping the silos of govts to view "trust fabric" developments from a citizen's perspective.