https://identityassurance.blog.gov.uk/2015/07/30/gov-uk-verify-privacy-and-consent/

GOV.UK Verify: privacy and consent

We are building GOV.UK Verify to protect people’s privacy and security. To help us to do this, we have a Privacy and Consumer Advisory Group consisting of privacy and security experts. The group has developed a set of Identity Assurance Principles which we’ve embedded into the way we’ve designed and built GOV.UK Verify.

One of the Identity Assurance Principles for GOV.UK Verify is “I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them.” This means that certified companies must get your consent before they can collect personal information from you, or provide services to you.

When you first use GOV.UK Verify, we may ask you some basic questions to help you choose a certified company with which to complete the verification process, for example your age or citizenship status. We treat this as personal information, even though we do not ask for your name, address, date of birth or other identifying information. We delete this information as soon as you choose a certified company.

When a certified company collects personal information from you, or refers to information about you held in other sources such as credit reference files, they are obliged to explain the purpose and nature of their processing, and to obtain your consent through your acceptance of the terms, for example by ticking an opt-in box. They are contractually prevented from using your data for any purpose other than providing your GOV.UK Verify service unless we approve that use and you provide explicit consent to it.

Once you have provided consent to the certified company processing your information, it uses a subset of that information - your name, address, date of birth, gender, and (if relevant) previous name(s) and address(es) - to let the service you want to use know who you are. The other information you provided to verify your identity is not shared with us or with the government department with which you are dealing.

We’re often asked if we release personal information to certified companies. We do not. When you use GOV.UK Verify, your chosen certified company may verify your identity based upon government documents such as your passport or driving licence, and/or other evidence, using information that you provide to them. We enable certified companies to check the accuracy of driving licence and passport information given to them by users, but we do not release any information about you other than to confirm whether the details you provided are correct.

Keep up to date with the latest on the development of GOV.UK Verify by signing up for email updates.

6 comments

  1. MarkK

    If someone is trying to impersonate me, it would seem that they, not I, would be the one giving consent to looking at my information. This means the IDP would be getting my information without my consent. Why is consent demanded BEFORE it is established who it is?

    • Janet Hughes

      Hi Mark - thanks for your question.

      The certified company needs to get your consent in order to go through the process of verifying your identity, since this involves checking data you provide against official and commercial sources of data.

      GOV.UK Verify requires certified companies to meet defined levels of confidence in 5 separate elements of identity assurance - see this post for a fuller explanation of how that works: https://identityassurance.blog.gov.uk/2014/11/21/how-does-a-certified-company-establish-that-its-really-you/ This combination of elements is designed to establish a high level of confidence that it's really you, protecting you against impersonation and identity theft. As part of this, they need to validate information you provide against commercial and official sources of data.

      The checks against official sources do not release any data beyond the data that is sent for checking; they provide a yes/no answer to the certified company to confirm whether the data you provide matches a valid record (we've posted about this elsewhere - https://identityassurance.blog.gov.uk/2014/10/10/introducing-the-document-checking-service/). The commercial sources are generally checked by asking you multiple choice questions (for which no answer is shown).

      You are right that a fraudster could provide 'consent' when impersonating someone else, but in that case the checks would reveal that they are not the person they are claiming to be, and they would not be verified. In such cases, the certified company would retain a record of the attempted fraud but is not permitted to use that information for any purpose other than the prevention and detection of further fraud attempts.

  2. MarkK

    Not sure where the confidence that only the real person can answer the questions comes from. A motivated person such as an ex-spouse or a teenage child could easily know the answers, but just guessing the answers at random for the case in your video would give a false positive one time in 650 - which is hardly negligible. Applying to two independent providers at the same time (which is legitimate and reasonable) could result in questions such as
    "What are the last four digits of your current account?" in one window offering
    A. 1314 B. 1066 C. 1945 D. 8121
    and in the other
    1. 2378 2. 1945 3. 2451 4. 7845
    So no guess required to answer both providers correctly.
    And what would be done with a record of attempted/suspected fraud (which might make it harder for the innocent real person)?
    Perhaps all will be explained in a system Privacy impact assessment (since individual IdP ones would not suffice).

    • Janet Hughes

      Hi Mark,

      GOV.UK Verify requires the providers to reach a required level of confidence against 5 separate elements. The element I think you're referring to is element C, which is the requirement to establish a link between the identity being asserted and the person who is asserting it. One way of achieving this is to ask a combination of questions that only the owner of the identity is likely to know the answer to. If they use this method, the provider has to ask a combination of questions including questions that are particularly hard to guess such as those relating to dynamic data like a changing balance or payment amount (rather than static data such as an account number). This is to mitigate the risk of someone guessing the answers and fraudulently claiming someone else's identity. (Other methods include, for example, comparing a photo on an official document with a selfie taken by the user.)

      However this is only one of 5 elements of identity assurance, and the risk of this element being compromised is also mitigated by the other four elements. Each element in itself entails a high level of assurance - the certified companies have to reach a defined level of confidence in each element. But it's the combination of all 5 that gives the overall level of confidence that the user is who they say they are. We explained the 5 elements in another post late last year - https://identityassurance.blog.gov.uk/2014/11/21/how-does-a-certified-company-establish-that-its-really-you/

      If a provider detects an attempted fraud, then they won't verify the identity because the required level of assurance has not been reached.

      Thanks again, and let us know if you have any further questions - we'll be happy to answer.

  3. MarkK

    Your analysis conflates ISO's validation and verification. Checking that the person exists protects against making up someone, but isn't an issue for masquerading as the checks would confirm that the claimed person exists. My question on fraud was about the retained record, not the immediate response.

    Meanwhile, European Interoperability is about to be required (in September), and the agreed annex states

    The minimum data set for a natural person shall contain all of the following mandatory attributes:....
    (c) a unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time.

    This seems incompatible with the principles, but the promised public workshops never happened (an OIX presentation doesn't really count), there was no disposition of comments for the consultation, and the published SAML specifications remain those from September 2013. So...
    (Apart from gov.scot where it obviously works) How will that work for a person using verify, and (separate question) doesn't it mean that anyone (including UK citizens) with a foreign ID can register for an HMG service using that even if it doesn't include an address (which is not part of the minimum set)?

    • Janet Hughes

      Hi Mark

      The 5 elements that a certified company is required to fulfil include both establishing that the identity exists (elements A and B) and also that it belongs to the person who is asserting it (element C). Element C is designed to mitigate the risk you mention, of someone stealing identity evidence and using it to assert a real identity that's not theirs. We've published a guide about these elements and how they work (see https://www.gov.uk/govuk-verify-checks-identity-providers-must-perform), and they are more fully described in Good Practice Guide 45 (see https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual).

      We've blogged separately about our work to prepare for the implementation of the eIDAS regulation, and we'll blog more as that time approaches and the details of how it will work are all agreed (they are not, yet). We won't be required to comply with the regulation until September 2018 at the earliest - there is a 3-year period after agreement of the implementing acts to allow Member States to prepare. We expect the implementing acts to be agreed in September, at which point some of the detailed potential requirements you're referring to will be published and we can start talking in more detail about how GOV.UK Verify will work in the context of the regulation.

      If you have some outstanding comments about the identity assurance principles, please let me know and I'll be happy to pass them on to our Privacy and Consumer Advisory Group for consideration.
