Point 7 of the Digital by Default Service Standard for a live service requires us to:
Evaluate what user data and information the digital service will be providing or storing, and address the security level, legal responsibilities, privacy issues and risks associated with the service (consulting with experts where appropriate).
This post is about the privacy aspects of point 7, which are particularly important for GOV.UK Verify. We’ve posted separately about how we secure and protect the service, and our approach to managing fraud and information risk, covering the other aspects of point 7.
Privacy and trust form an essential part of the relationship between individuals and government online. Throughout GOV.UK Verify’s progress in public beta, we’ve blogged about a range of privacy-related issues. For example, you can read about how GOV.UK Verify is built to protect privacy, and the 9 Identity Assurance Principles that underpin our work.
I joined GOV.UK Verify in December 2015 to take up the role of Privacy Officer and assume full-time responsibility for privacy management. I’ve been lucky enough to join the programme at really exciting time: privacy law is changing rapidly and GOV.UK Verify is preparing to move from beta to live.
In the few weeks I’ve been here, I’ve had to quickly get to grips with the complexity of the work that’s underway. Since arriving I have reviewed the work to date on privacy for GOV.UK Verify, and checked that the certified companies’ services meet our privacy expectations as part of their acceptance into the live environment. The support of the Independent Privacy Adviser Toby Stevens has been really valuable when working with the certified companies as well as to the programme development as a whole.
The team here at GDS have taken the approach of building privacy into GOV.UK Verify from an early stage. It’s been encouraging to see that, in practice, this means concepts such as anonymity, data minimisation, transparency and user control have been baked into the underlying technical and commercial models for GOV.UK Verify.
I’ve met with the Privacy & Consumer Advisory Group to understand their needs and expectations. I’ll be their primary point of contact for GOV.UK Verify privacy matters. This will involve briefing the group on privacy-related developments, and feeding their advice and recommendations back into the work done within GOV.UK Verify.
All of our certified companies are contractually obliged to meet a number of requirements before their services are permitted to connect to GOV.UK Verify. These include checks on their operations, user experience, technical delivery and identity proofing and verification.
Every certified company must embed the Identity Assurance Principles into their service, including the requirements of data minimisation and user consent. We’ve been working closely with the certified companies to ensure that they have appropriate privacy policies and user terms & conditions in place. They’ve also had to demonstrate that they’re ready to bear their responsibility as data controllers, including notifications to data protection authorities as well as carrying out privacy impact assessments.
I’ve been impressed by the work that the GOV.UK Verify user research team has done with the certified companies, testing the variety of user journeys that are being developed and using their specialist insight to make the services more understandable - and more secure - for users.
As GOV.UK Verify moves towards live and beyond, I’ll be building a programme of work to lead the team through compliance, quality and maturity of privacy delivery within GDS and across the certified companies and other organisations associated with GOV.UK Verify. I’ll be responsible for managing the privacy dialogue between GOV.UK Verify’s users, the GOV.UK Verify delivery team, certified companies, and the departments with services using GOV.UK Verify. This will include publishing more information about our approach to privacy, including a privacy impact assessment: which we will publish before we go from beta to live.
The GOV.UK Verify team has extensive experience of building user-friendly digital services that protect users’ privacy and security. We want to ensure that as GOV.UK Verify matures it continues to meet both user expecations and service providers’ privacy obligations. As Privacy Officer I hope to bring an organised, comprehensive and users first approach to privacy governance and to make sure we always have the appropriate policies and processes in place to meet that goal.
Subscribe to the blog to keep up to date with GOV.UK Verify's journey from beta to live.