The Privacy and Consumer Advisory Group (PCAG) is an independent voluntary body comprising privacy and security experts from across the UK. It provides the UK government with independent expert review, analysis, guidance and feedback on all personal data and privacy initiatives by all departments, agencies and other public sector bodies. This includes GOV.UK Verify.
The group's remit is to ensure best practice in identity, privacy, security and technology to protect citizens’ interests, with a particular focus on ensuring data and personal information, and the technology used to manage it, is well designed, engineered and implemented.
Amongst other guidance, PCAG has published the Identity Assurance Principles to inform and guide the privacy-related aspects of identity-related initiatives within government, and in particular the GOV.UK Verify programme.
The group also meets regularly to scrutinise the development of GOV.UK Verify across technical, legal and consumer perspectives and explore the implications of future plans.
The PCAG’s approach is to work in the open, with the Identity Assurance Principles made available for public consultation since their earliest drafts, and with public feedback informing subsequent updates. The agreed principles have been formally adopted by GOV.UK Verify.
The current version of the Identity Assurance Principles can be found here (building on the original principles from 2013). These are regularly reviewed as GOV.UK Verify develops, helping to ensure the robust protection of user data and personal information. In particular, PCAG aims to ensure the protection of user privacy and personal data through compliance with legal and consumer guidance and with best practice in technical and computer engineering. It also seeks to ensure that GOV.UK Verify complies with its own stated policy that user data is placed under user control.
To ensure compliance in practice, the Independent Privacy Adviser has reviewed the central components of GOV.UK Verify and confirmed their compliance with the principles. Reviews will be conducted regularly as the programme develops and in response to major changes to assess continuing compliance.
The PCAG welcomes feedback by email. It will continue to develop and iterate the principles and guidance, taking into account public feedback, and to ensure compliance across the public sector.
Summary of the Identity Assurance Principles
- The User Control Principle: Identity assurance activities can only take place if I consent or approve them.
- The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed.
- The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to.
- The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs.
- The Data Quality Principle: I choose when to update my records.
- The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.
- The Governance/Certification Principle: I can trust the Scheme because all the participants have to be accredited.
- The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution.
- The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny.
Dr Edgar A Whitley is an Associate Professor (Reader) in Information Systems in the Department of Management at the London School of Economics and Political Science. Dr Jerry Fishenden is a technologist and Senior Research Fellow at Bath Spa University’s Centre for Creative Computing. They are co-chairs of the Privacy and Consumer Advisory Group.
3 comments
Comment by MarkK posted on
It would be good if you could publish a privacy impact assessment (for the whole not the component parts) or at least the reviews. For good or bad, the principles seem to have been trampled on. A quick summary:
1. Consent - The new EU regulation notes that this is not a valid legal basis for public bodies to process personal data. As an added extra nice-to-have it is misleading since it is asked for before it is known who is giving consent.
2. Transparency - user awareness of use of financial info/credit card removed from initial interaction. The 90% target seems more important than user awareness.
3. Multiple - more than one identifier at same provider (married, maiden, professional name) not accommodated. Aspects related to not matching must be being circumvented to address fraud.
4. Minimisation - use of the (EU specified) minimum doesn't match the matching data set. Still based on address although no longer needed to post forms.
5. Update at time of choice - yes, service does operate outside office hours.
6. Copy of data - Yes, but is an existing data protection principle in law.
7. All certified - tScheme records show that Post Office has withdrawn.
8. Dispute resolution - no sign of an independent Ombudsman, not even in alpha.
9. Exceptions - Is there a list? DVLA responding yes/no questions is still processing personal data and appears to rely on the Secretary of State's (current) determination of reasonableness under the Road Vehicles (Registration and Licensing) Regulations 2002 differing from the published position in 2009.
Comment by Janet Hughes posted on
Hi Mark,
Thanks for your comments.
We’ve been keeping a close watch on the new EU GDPR and we’re confident that the underlying approach will remain compliant with the regulation. Until the final text of the law is released we’re not able to comment in detail, but we will do so once we’ve been able to see and review the text.
We've built GOV.UK Verify to reflect the identity assurance principles, and we have ongoing discussions with our Privacy and Consumer Advisory Group to help us apply them in the detail of everything we do. We are continually developing our approach as part of the development of GOV.UK Verify from beta to live, and will continue to do so once GOV.UK Verify is live in April. We're always open to feedback and ideas about how we can continue to improve.
We removed the page asking users if they had their credit card statements available because it is not always necessary, and we found in research that the page was not helpful to users in making it clear to them what was happening. If a certified company needs to ask a user about their credit cards, it will be clear to the user at that point and they will have a choice as to whether to provide the information or not.
I’m not sure I’ve understood what you are getting at in your point about more than one identifier (point 3 in your comment) - if you can elaborate I’ll be happy to respond.
You’re right in saying that the eIDAS regulation doesn’t require addresses to be included in the matching dataset, but addresses are included as optional. The main reason addresses are not required under the Regulation is that they are not required by all Member States as some use a single identifier for the individual (e.g. social security number) whereas we and others do not. The Regulation therefore makes address data an optional attribute for those Member States that need it for matching purposes because they don’t use a single identifier for individuals. In the UK as we don't have a single identifier for an individual (even the national insurance number is not universal), we rely instead on matching attributes relating to the identity, namely the name, address and date of birth of the individual.
Some of the principles do restate existing law. They are included in the principles to make clear how they relate to identity assurance in particular. This doesn't in any way detract from our or certified companies' legal obligations.
Post Office uses the same system as another provider which has been t-Scheme certified, so we have agreed that there is no need for a second certification of the same system unless and until Post Office introduces anything that is different in its system for verifying identities, in which case that would need to be separately certified.
We think the current arrangements for dispute resolution are adequate based on what we've learned so far, but we are doing some work on this now to review the dispute resolution arrangements ahead of going live. We'll post here when we have more news to share about this.
There are no exceptions to the principles at present.
Thanks again for taking the time to comment.
Best wishes,
Janet
Comment by MarkK posted on
The minimum data set is that which must be sufficient to register and thus the data that all notifying countries must provide.
If a UK public sector site needs more then it is excluding all foreigners whose country's system does not have the extra features you need, and would thus be non-compliant.
An extra issue, should HMG notify (assuming UK remains in the EU), it is not clear how Verify can possibly provide a unique identifier for users, even one that is only a 'unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time'. Since all relying parties in at least public sector across Europe must accommodate such identifiers, they need to understand what it means, not least for risk assessment.
On 7 - The principle is written from the user's perspective and in my view is currently not satisfied: the user doesn't know the provider but can see that Post Office is not approved.