GOV.UK Verify has a part to play in making online public services more efficient and more secure across the European Union. This blog post is part of our series discussing the EU approach to identity assurance and is for anyone interested in developments in this area.
Last month we blogged on the EU approach to identity assurance and how EU countries’ identity assurance systems will work with each other. This post is about the approach to establishing trust between different national systems that supports that method and allows the overall system to work.
This trust is based on two things: outcome-based levels of assurance and a notification / peer review process.
European levels of assurance
The identity’s ‘level of assurance’ is a way of describing the degree of confidence the identity provider has that a user is who they say they are. The agreement between Member States on a common definition of these various levels of assurance means that for the first time, there is clarity across Europe about how to measure how sure an identity provider is about the identity of a citizen. In the UK, we will comply with these rules by mapping our levels of assurance against those detailed under the Regulation.
These European levels of assurance are ‘outcome based’. This means that each Member State can meet the required level in its own way, according to its national laws and preference. For example, a high level of assurance may include a requirement to perform counter fraud checks, but the legislation does not detail exactly how these checks should be done.
The ability of Member States to meet these level of assurance requirements in any way they deem fit strongly supports GOV.UK Verify’s approach of having several companies all working to the same standards. It also means digital service providers can be confident users have proved their identity to the same level, whatever system they’re using.
Notification and the peer review process
But how do we know we can trust the digital identity systems of other Member States? The answer is the formal notification and peer review process that has been agreed across the EU.
Before a Member State’s digital identity scheme can be used to prove an identity in another country, the scheme must be officially ‘notified’. This process requires the Member State running the digital identity scheme to explain to other Member States the details of how the scheme works. This process is outlined in this piece of EU legislation on notification.
Once a scheme has been notified, other Member States will conduct a peer review of the notified scheme. They will analyse the notified scheme to ensure it complies with the interoperability framework and meets the required levels of assurance. After the peer review process the scheme can link up to the system of national nodes and start to transfer identity information when a user wants to access a service across borders. Our recent blog on the EU approach gives an overview of what this means.
The UK will be involved in these peer review processes to help ensure that the digital identity schemes of other Member States meet the required levels of assurance, and to share insights that may inform the development of GOV.UK Verify.
The decision on whether to notify GOV.UK Verify will require careful analysis. We’re currently considering the risks and benefits of doing so. When a decision has been made and we have a plan in place, we’ll publish an update on the blog.
For the latest news on GOV.UK Verify and the EU approach to identity assurance subscribe to the blog.