The Privacy and Consumer Advisory Group (PCAG) is an independent voluntary body comprising privacy and security experts from across the UK. It provides the UK government with independent expert review, analysis, guidance and feedback on all personal data and privacy initiatives by all departments, agencies and other public sector bodies. This includes GOV.UK Verify.
The group's remit is to ensure best practice in identity, privacy, security and technology to protect citizens’ interests, with a particular focus on ensuring that data and personal information, and the technology used to manage them, are well designed, engineered and implemented.
Amongst other guidance, PCAG has published the Identity Assurance Principles to inform and guide the privacy-related aspects of identity-related initiatives within government, and in particular the GOV.UK Verify programme.
The group also meets regularly to scrutinise the development of GOV.UK Verify across technical, legal and consumer perspectives and explore the implications of future plans.
The PCAG’s approach is to work in the open, with the Identity Assurance Principles made available for public consultation since their earliest drafts, and with public feedback informing subsequent updates. The agreed principles have been formally adopted by GOV.UK Verify.
The current version of the Identity Assurance Principles can be found here (building on the original principles from 2013). These are regularly reviewed as GOV.UK Verify develops, helping to ensure the robust protection of user data and personal information. In particular, PCAG aims to ensure the protection of user privacy and personal data through compliance with legal and consumer guidance and with best practice in technical and computer engineering. It also seeks to ensure that GOV.UK Verify complies with its own stated policy that user data is placed under user control.
To ensure compliance in practice, the Independent Privacy Adviser has reviewed the central components of GOV.UK Verify and confirmed their compliance with the principles. Reviews will be conducted regularly as the programme develops and in response to major changes to assess continuing compliance.
The PCAG welcomes feedback by email. It will continue to develop and iterate the principles and guidance, taking into account public feedback, and to ensure compliance across the public sector.
Summary of the Identity Assurance Principles
- The User Control Principle: Identity assurance activities can only take place if I consent or approve them.
- The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed.
- The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to.
- The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs.
- The Data Quality Principle: I choose when to update my records.
- The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.
- The Governance/Certification Principle: I can trust the Scheme because all the participants have to be accredited.
- The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution.
- The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny.
Dr Edgar A Whitley is an Associate Professor (Reader) in Information Systems in the Department of Management at the London School of Economics and Political Science. Dr Jerry Fishenden is a technologist and Senior Research Fellow at Bath Spa University’s Centre for Creative Computing. They are co-chairs of the Privacy and Consumer Advisory Group.