https://identityassurance.blog.gov.uk/2016/03/03/managing-privacy-and-mitigating-risk/

Managing privacy and mitigating risk

Point 7 of the Digital by Default Service Standard for a live service requires us to:

Evaluate what user data and information the digital service will be providing or storing, and address the security level, legal responsibilities, privacy issues and risks associated with the service (consulting with experts where appropriate).

This post is about the privacy aspects of point 7, which are particularly important for GOV.UK Verify. We’ve posted separately about how we secure and protect the service, and our approach to managing fraud and information risk, covering the other aspects of point 7.

Privacy and trust form an essential part of the relationship between individuals and government online. Throughout GOV.UK Verify’s progress in public beta, we’ve blogged about a range of privacy-related issues. For example, you can read about how GOV.UK Verify is built to protect privacy, and the 9 Identity Assurance Principles that underpin our work.

I joined GOV.UK Verify in December 2015 to take up the role of Privacy Officer and assume full-time responsibility for privacy management. I’ve been lucky enough to join the programme at a really exciting time: privacy law is changing rapidly and GOV.UK Verify is preparing to move from beta to live.

In the few weeks I’ve been here, I’ve had to quickly get to grips with the complexity of the work that’s underway. Since arriving I have reviewed the work to date on privacy for GOV.UK Verify, and checked that the certified companies’ services meet our privacy expectations as part of their acceptance into the live environment. The support of the Independent Privacy Adviser Toby Stevens has been really valuable when working with the certified companies as well as to the programme development as a whole.

The team here at GDS have taken the approach of building privacy into GOV.UK Verify from an early stage. It’s been encouraging to see that, in practice, this means concepts such as anonymity, data minimisation, transparency and user control have been baked into the underlying technical and commercial models for GOV.UK Verify.

I’ve met with the Privacy & Consumer Advisory Group to understand their needs and expectations. I’ll be their primary point of contact for GOV.UK Verify privacy matters. This will involve briefing the group on privacy-related developments, and feeding their advice and recommendations back into the work done within GOV.UK Verify.

All of our certified companies are contractually obliged to meet a number of requirements before their services are permitted to connect to GOV.UK Verify. These include checks on their operations, user experience, technical delivery and identity proofing and verification.

Every certified company must embed the Identity Assurance Principles into their service, including the requirements of data minimisation and user consent. We’ve been working closely with the certified companies to ensure that they have appropriate privacy policies and user terms & conditions in place. They’ve also had to demonstrate that they’re ready to bear their responsibility as data controllers, including notifications to data protection authorities as well as carrying out privacy impact assessments.

I’ve been impressed by the work that the GOV.UK Verify user research team has done with the certified companies, testing the variety of user journeys that are being developed and using their specialist insight to make the services more understandable - and more secure - for users.

As GOV.UK Verify moves towards live and beyond, I’ll be building a programme of work to lead the team through compliance, quality and maturity of privacy delivery within GDS and across the certified companies and other organisations associated with GOV.UK Verify. I’ll be responsible for managing the privacy dialogue between GOV.UK Verify’s users, the GOV.UK Verify delivery team, certified companies, and the departments with services using GOV.UK Verify. This will include publishing more information about our approach to privacy, including a privacy impact assessment, which we will publish before we go from beta to live.

The GOV.UK Verify team has extensive experience of building user-friendly digital services that protect users’ privacy and security. We want to ensure that as GOV.UK Verify matures it continues to meet both user expectations and service providers’ privacy obligations. As Privacy Officer I hope to bring an organised, comprehensive and users-first approach to privacy governance and to make sure we always have the appropriate policies and processes in place to meet that goal.

Subscribe to the blog to keep up to date with GOV.UK Verify's journey from beta to live.

3 comments

  1. MarkK

    The publication of a PIA is very good news.
    GPG 43 annex A notes the privacy expectation as
    "Online public services will not unnecessarily compromise the privacy of actual or potential users, or the general public, in respect of their personal, financial, or business information."
    Please explicitly include the interests of non-users whose identity might be usurped. These members of the general public do not seem to appear in your stakeholder list as they are not users in any reasonable sense of the term.
    Although subject to confirmation by peer review in due course, it would be helpful if you could also indicate in the assessment whether the level of assurance is claimed to be 'low', 'substantial' or 'high' under eIDAS definitions. This is important for those producing services that may have to accept foreign notified services, whether or not UK elects to notify.

    • Orvokki

      Thanks Mark, I note your points for future blog posts and, as I said above, we'll be sharing the privacy impact assessment soon.

      This won't include the rights of those who have had their identities stolen and subsequently used to verify as that's an issue related to fraud. However, we'll be blogging shortly about what kind of fraud our standards prevent so you might want to keep an eye out for that.

      • MarkK

        It seems curious to exclude considerations of the victims' interests when there is crime.
        Whilst masquerading may involve computer misuse or obtaining services by deception (Theft Act 1978), without intent (for gain, loss or to expose to risk) this is not fraud (Fraud Act 2006), nor is it theft ("permanently depriving" - Theft Act 1968).

        The PIA for the system as a whole will presumably explain on what basis banks (or other data sources) are being asked for corroboration of personal data (about even the existence of an account), since at least my bank, as a data controller, would not be compliant with the DPA as such processing would not be by consent, emergency, or contract (the retail banking terms and conditions cover release to many organisations for sundry reasons, but IdPs are not listed). Exemptions for fraud investigations must be case-by-case, not automated.

        The extra data sources needed to reach the 90% target still have not been announced, but if in the public sector they would presumably need enabling legislation to override the second data protection principle (purpose), for which a data protection impact assessment would be essential for MPs' consideration.