https://identityassurance.blog.gov.uk/2016/05/19/privacy-assessment-in-public-beta/

Privacy assessment in public beta

We’ve blogged regularly about how users’ privacy and security is at the heart of GOV.UK Verify’s development. When I joined the GOV.UK Verify team as Independent Privacy Advisor in 2014, I wanted to analyse the privacy implications of the service.

GOV.UK Verify was subject to a Privacy Impact Assessment and Data Protection compliance check before the programme started in 2013, but things had evolved significantly since. It made sense to write a fresh Privacy Impact Assessment, also known as a Data Protection Impact Assessment. Initially designed as an internal project document, the Privacy Impact Assessment (PIA) is an analysis of core aspects of GOV.UK Verify from the perspective of a user, and is intended to help us understand their privacy-related needs.

The GDS Design Principles encourage us to make things open as it makes things better and for GOV.UK Verify we want to share what we’re doing whenever we can. We thought that the PIA would be of interest both to our users and others across government building services where privacy is a central concern. This post is a summary of the PIA for anyone who wants to know how we assessed privacy-related risks and their potential impact on users during our public beta phase. We’ve also published the full document (PDF, 706 KB).

Why we did it

According to the Information Commissioner’s Office, PIAs are a tool that can help organisations to identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. Conducting a PIA is not a legal requirement, but it is recommended best practice, and has been mandated across government. The PIA provides an analysis of a system and/or process from the perspective of the data subject (the user) to understand what the privacy-­related needs – and associated protections – are from their point of view.

A PIA is complementary to a security risk assessment, which generally considers risks from the  perspective of the data controller. In the case of GOV.UK Verify, this would be the hub (which allows communication between the user, the certified company, and the service on GOV.UK) or the certified companies’ service (which verifies your identity and confirms it to government). A PIA does not form part of the formal security accreditation process, but can inform it and support broader security outcomes.

The PIA also benefits the data controller since it gives the organisation a firm understanding of privacy­-related risks, and whether existing and planned controls are suitable to mitigate those risks to acceptable levels. Remediation plans can be prepared and measured against recommendations.

The PIA is just a ‘snapshot’ of privacy-related risk, and as such it needs to be maintained as a project document so that it reflects the current situation at any time, and can be used to support decision-making processes where privacy is a factor.

Managing the scope of work

The Information Commissioner’s Code of Practice for Privacy Impact Assessments provides an excellent proposed methodology for a PIA, which was used as a starting point for the review of GOV.UK Verify.

Conducting the initial PIA in early public beta meant that the procurement excercise for certified companies was complete, but the new companies had not yet connected to GOV.UK Verify.

Furthermore, given that each certified company is a data controller under the terms of the Data Protection Act (1998), with their own internal privacy management processes, we determined that they should complete their own PIAs, rather than including each company’s operation within the scope of a single review. Completion of a PIA became a mandatory checkpoint for each company’s acceptance on to the GOV.UK service.

Likewise, government services are provided by other departments, each of which has its own privacy team, who are responsible for maintaining their own privacy controls and to ensure that these are in place before they connect to GOV.UK Verify.

Therefore, the PIA covered the GOV.UK Verify hub and generic operations of the incumbent certified companies and government services connected at that time, without inspecting the operations inside those companies and services. The review included GOV.UK Verify’s interface to the Document Checking Service (DCS), but did not look at the detailed operation of that service, since the DCS interface can only return a yes/no answer to a verification test.

What’s in the PIA?

The PIA consists of three documents:

  • A detailed PIA considering stakeholders, assets, threats and impacts, with resulting privacy-related risks and recommendations for remediation
  • A compliance check of GOV.UK Verify against the Data Protection Act (1998)
  • A compliance check of GOV.UK Verify against the Identity Assurance Principles developed for us by our Privacy and Consumer Advisory Group.

What we found

The PIA was completed in February 2015, and found no critical privacy issues with GOV.UK Verify’s service delivery. However, I made recommendations to ensure the ongoing management of personal data across the system continues to reflect service user expectations, and follows best practice in privacy management. Since my initial review, the primary recommendations have been implemented by the GOV.UK Verify team. The new Privacy Officer continues to build upon all recommendations that require ongoing activity, including:

  • Refining and improving internal privacy policies and processes to apply across GOV.UK Verify, and ensure that every member of staff is aware of the policies and their duties to follow them
  • Checking that controls are in place for new government services as they connect to GOV.UK Verify
  • Minimising data collection when we provide user support
  • Advising on appropriate technical controls both inside and outside of GOV.UK Verify
  • Establishing procedures to create and maintain a record of use of personal data across GOV.UK Verify
  • Establishing protocols to ensure the regular review of retention periods for personal data

Next steps

The GOV.UK Verify PIA has been revised regularly since it was first written, and will continue to be revised as the project progresses. We also have a privacy screening process that we use to test the implications of new functions and major changes, and ensure that they are consistent with our privacy expectations.If you have any thoughts on the PIA, please do let us know in the comments below. Alternatively, more detailed feedback can be submitted by email.

We are planning to enhance the privacy programme and develop governance, policies and processes to support the expansion of GOV.UK Verify. With this in mind, our new Privacy Officer will be looking at new ways to keep you updated on privacy related activities. Keep an eye on the blog for further news on this.

You can subscribe to updates from the GOV.UK Verify blog.

4 comments

  1. Comment by MarkK posted on

    It has already be noted that this doesn't cover non-users (victims of ID theft) as stakeholders (despite mention in GPG43), but it is disappointing that the significant known issues with the GDPR have been sidelined even after the final version was promulgated. E.g. (recital 43) ...public authorities should not use consent....
    eIDAS minimum data set doesn't match the matching data set; this doesn't matter in law if Verify is only low assurance on the EU scale, but then it can hardly count as the basis for an interoperable secure system.

    Meanwhile, DPA Schedule 2 - 5(c) is (remarkably) generic but does call for necessity. Since there are (as asserted) other ways, it can't be 'necessary'. There are differences between this and https://www.gov.uk/help/privacy-policy on where data may be stored.

    • Replies to MarkK>

      Comment by Rebecca Hales posted on

      Hi Mark

      Thanks for your comments.

      The final text of the GDPR was published on 4 May. The PIA covers GOV.UK Verify's public beta phase and pre-dates this regulation.

  2. Comment by Philip Virgo posted on

    I thought that HMG was closely involved with the production and agreement of both the GDPR and eIDAS. Also is it true that Verify still cannot cope with those who have more than one legal identity - e.g. married women doing business under their maiden name while paying tax under their married name.

    • Replies to Philip Virgo>

      Comment by Rebecca Hales posted on

      Hi

      We'll be publishing an update on our work relating to eIDAS soon.

      On the point about having had a change of name or using multiple names, the evidence submitted by a user has to reflect the name associated with the identity that they are trying to assert, otherwise it doesn't prove their identity. With GOV.UK Verify you can prove either a current or previous name as long as this is demonstrated by the identity evidence you have to hand. If you provide evidence for a different name, your chosen certified company will be unable to verify you and you will be required to provide different evidence.