We’ve blogged a lot about how user security and privacy are at the heart of GOV.UK Verify. We’ve also talked about the Privacy and Consumer Advisory Group (PCAG) and one of their key outputs: the Identity Assurance Principles. These exist to inform and guide the privacy-related aspects of identity assurance, especially in GOV.UK Verify.
The Identity Assurance Principles are intended to ensure that identity systems - like GOV.UK Verify - are fair, balanced and operate for the user's benefit.
But what do the principles really mean, and how do we implement them within the GOV.UK Verify journey? This blog post is the first in a series of 3 where we’ll be taking a look at each of the 9 principles and explaining what they mean for our users. Today we cover the principles of user control, transparency and multiplicity.
Principle 1: User Control
I can exercise control over identity assurance activities affecting me and these can only take place if I consent or approve them.
This principle relates to user control. The idea is that users control how and when their identity is used. If consent has not been given, a certified company cannot carry out identity verification or provide information about the user to the government service they are trying to access. Users are also in control of when their information is passed to a government service.
This is embodied in the GOV.UK Verify user journey. Users only start setting up an identity account after visiting the start page of the service they wish to use on GOV.UK. Users choose a certified company that is most likely to be able to verify their identity, consent to the use of their data for identity verification purposes, and for their data to be released to the government service. If the user exits the journey at any point, their data is not released.
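To make the consent gating concrete, here is a small Python model of the journey described in this section. It is an added illustration and not GOV.UK Verify's own code: the step names, the `Journey` class and the shape of the released assertion are assumptions made for the example. It shows that a certified company cannot start verification before the user consents to it, that the government service receives an assertion only after a separate consent to release, and that leaving the journey at any point leaves nothing released.

```python
"""Toy model of a consent-gated identity assurance journey.

Added illustration, not GOV.UK Verify code. Step names, the Journey
class and the released assertion's fields are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional


class Step(Enum):
    STARTED = auto()                 # user arrived from a service's start page
    PROVIDER_CHOSEN = auto()         # user picked a certified company
    VERIFICATION_CONSENTED = auto()  # user agreed to verification
    VERIFIED = auto()                # certified company completed its checks
    RELEASE_CONSENTED = auto()       # user agreed to release to the service
    RELEASED = auto()                # assertion passed to the government service
    EXITED = auto()                  # user left; nothing further can happen


class ConsentError(Exception):
    """Raised when an action is attempted without the step that must precede it."""


@dataclass
class Journey:
    service: str
    provider: Optional[str] = None
    step: Step = Step.STARTED
    # What the service eventually receives; None until the user consents to release.
    released: Optional[Dict[str, object]] = None
    # Evidence the certified company checked; deliberately never part of `released`.
    evidence: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def _require(self, expected: Step) -> None:
        if self.step != expected:
            raise ConsentError(f"at {self.step.name}: {expected.name} must come first")

    def _move(self, new: Step) -> None:
        self.step = new
        self.audit.append(new.name)

    def choose_provider(self, provider: str) -> None:
        self._require(Step.STARTED)
        self.provider = provider
        self._move(Step.PROVIDER_CHOSEN)

    def consent_to_verification(self) -> None:
        self._require(Step.PROVIDER_CHOSEN)
        self._move(Step.VERIFICATION_CONSENTED)

    def verify(self, evidence: Dict[str, str]) -> None:
        """The certified company may only check evidence once consent is recorded."""
        self._require(Step.VERIFICATION_CONSENTED)
        self.evidence = dict(evidence)
        self._move(Step.VERIFIED)

    def consent_to_release(self) -> None:
        self._require(Step.VERIFIED)
        self._move(Step.RELEASE_CONSENTED)

    def release(self) -> Dict[str, object]:
        """Hand the service a minimal assertion, not the underlying evidence."""
        self._require(Step.RELEASE_CONSENTED)
        self.released = {"service": self.service, "verified_by": self.provider, "verified": True}
        self._move(Step.RELEASED)
        return self.released

    def exit(self) -> None:
        """User leaves at any point: nothing is released and no later step can run."""
        self.released = None
        self._move(Step.EXITED)


def completed_journey() -> Journey:
    """Happy path with constructed sample data: every consent given, assertion released."""
    j = Journey(service="example-benefit-claim")
    j.choose_provider("Example Certified Co")
    j.consent_to_verification()
    j.verify({"name": "A. Person", "address": "1 Sample Street"})  # constructed evidence
    j.consent_to_release()
    j.release()
    return j


def abandoned_journey() -> Journey:
    """User was verified but left before consenting to release: nothing is released."""
    j = Journey(service="example-benefit-claim")
    j.choose_provider("Example Certified Co")
    j.consent_to_verification()
    j.verify({"name": "A. Person", "address": "1 Sample Street"})  # constructed evidence
    j.exit()
    return j


def verification_without_consent_is_refused() -> bool:
    """A certified company that skips the consent step cannot verify."""
    j = Journey(service="example-benefit-claim")
    j.choose_provider("Example Certified Co")
    try:
        j.verify({"name": "A. Person"})  # constructed evidence
    except ConsentError:
        return True
    return False


if __name__ == "__main__":
    print(completed_journey().released)
    print(abandoned_journey().released)
    print(verification_without_consent_is_refused())
```

The two consent steps are modelled as separate states on purpose: consenting to be verified does not imply consenting to the result being passed on, which is the distinction the principle draws between verification and release. The `evidence` field stays on the certified company's side of the model and never appears in the assertion handed to the service.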
If a user can’t be verified by GOV.UK Verify, no one is excluded from using a government service. Other channels are available for people who are not able to use digital services, including if they are not able to verify their identity entirely digitally.
Principle 2: Transparency
Identity assurance can only take place in ways I understand and when I am fully informed.
The underlying relationships in GOV.UK Verify are built on trust, and users need to be able to trust their selected certified companies to collect and process data in the ways they expect and understand.
GOV.UK Verify has been designed to be clear and transparent, and inform users of what is happening with their data during the different parts of the user journey. In addition to the GOV.UK Verify privacy notice, the GOV.UK Verify team has worked with the certified companies to ensure that they have privacy notices and terms and conditions, written in simple terms, which meet the requirements set out in our Framework Agreement. We have also evaluated their user journeys as part of the certified company approval process to ensure that users are kept informed of what is happening with their data when they use GOV.UK Verify.
If a user ever gets stuck in the journey and needs support, certified companies provide user support specific to their services, which we assess for quality and clarity. There’s also a prominent link taking users to a feedback form where they can ask a question or report a problem to the GOV.UK Verify user support team. This team ensures that users who contact them understand how GOV.UK Verify works and provides them with all of the information they need to complete their task.
Principle 3: Multiplicity
I can use and choose as many different identifiers or identity providers as I want to.
Users can choose from a range of certified companies to provide identity assurance services, and can have identities with as many of those certified companies as they wish.
GOV.UK Verify offers a range of certified companies to choose from, and users may register, close or change relationships with these companies at any time.
This approach is essential to ensure that users have a choice: they can choose which certified company is most appropriate for their needs, and if their needs change they can also change their certified company. For example, if a user loses their account details or forgets which company they used to register for an identity then they have the option of simply re-registering with another certified company. If the user wishes to close their account with a certified company then they can do so too.
What do you think?
So that’s how we apply principles of user control, transparency and multiplicity. What’s your view? Are we applying them in the right way? Let us know in the comments below.
We’ll be publishing the next post in this series soon. Subscribe to the blog so you don’t miss the next installment.
6 comments
Comment by MarkK posted on
Isn't it rather misleading to invoke the EEA limitation for Verify when the services to which it connects are covered by
https://www.gov.uk/help/privacy-policy which clearly states:
"Where your data is stored....
It may also be stored outside of Europe, where it could be viewed by our staff or suppliers.
By submitting your personal data, you agree to this."
(Which abuse of consent in 2018 will not be consistent with GDPR recital 43.)
It's not obvious from a potential user perspective why I can't set up an account first so there's no delay when I want to use a service.
User choice and multiple simultaneous identifiers are separate issues. Presumably I should get an account with all to stop anyone masquerading as me? (A really odd way to view a market in providers....) The security is presumably that of the weakest provider, not the one(s) I select.
Comment by Emily Ch'ng posted on
Hi Mark
Thanks for your comment.
The privacy notice you linked to is the privacy notice for GOV.UK, which differs from the GOV.UK Verify privacy notice (https://www.signin.service.gov.uk/privacy-notice). This privacy notice describes how user data is used in GOV.UK Verify, which is kept within the EEA. Additionally, each government department or service (for example, HMRC or DWP) using GOV.UK Verify has its own privacy notice which describes how and where it processes user data.
Certified companies have to work to the same published government standards and the same robust onboarding process when they verify your identity (https://www.gov.uk/government/collections/identity-assurance-enabling-trusted-transactions). Therefore, you are able to register with as many providers as you choose, but it is the standards the companies abide by which protect your identity.
Comment by Chris posted on
You say that this approach is "essential to ensure that users have a choice" - but a critical choice is missing here: The choice of not handing my personal data over to a private sector organisation for the purpose of using public sector digital services.
I know plenty of private sector organisations rightly or wrongly already hold a significant amount of data about me, but you are effectively giving them a government stamp of approval for collecting, storing, and processing data that is not strictly required for their business - or not at all required in the case of choosing an identity provider that I have no other relationship with.
Whilst I appreciate that for historical reasons Britain struggles with the concept of a "central government database" of citizens and residents, surely farming this responsibility out to the private sector doesn't solve any of the underlying moral issues? How is this any better than providing a simple central government Single Sign On service with document verification in e.g. local council offices and some form or shape of Two Factor Authentication, as is used in many other countries?
Finally, you mention that "if a user can’t be verified by GOV.UK Verify, no one is excluded from using a government service". What about a user who doesn't *want* to be verified by Verify? Given that use of Verify will soon be mandated in the Digital Service Standard (or so I've heard), is there a commitment to enable a route of using digital services without Verify? Or will I, as a highly digitally capable user who happens to have privacy concerns, be forced to go back to pen and paper?
Comment by Emily Ch'ng posted on
Thank you for your comment.
To provide some clarification, users of GOV.UK Verify are generally not providing new information to certified companies, rather they are confirming the information the certified company has is or is not correct. A user is only asked to provide new information if they choose to use a certified company that can use credit or debit card details to help verify a user’s identity by authorising a non-value transaction from their account via a secure payments service.
The reasons we ask people to choose a certified company, rather than interacting directly with government or a single supplier on behalf of government, are:
- it protects people’s privacy because it means there is no single identity database, the certified company doesn’t know which service you are accessing, and government services don’t have access to the data you provide to prove your identity;
- it allows people to choose a certified company to verify their identity, rather than having to use a single supplier chosen by government;
- we are trying to create a market of identity services so that different suppliers will innovate and compete to provide better services for people.
This contract is similar to any contract you would enter into with a digital service provider such as a bank or retail organisation online, in that it sets out the terms and conditions of using their service. It is not intended to be onerous or restrictive, but to set out expectations and responsibilities on each side.
There are always other ways to access services if you are unable to or do not wish to use GOV.UK Verify. If you do not wish to use GOV.UK Verify, you can go to a government service and use one of the other available ways to access it.
Comment by MarkK posted on
"confirming the information the certified company has" is implausible since, apart from Experian, why would any of the approved companies have any information on the average person? Even Barclays customers are told "we don’t link your Barclays Identity Service profile with your Barclays customer record". (A later blog mentions that the service isn't necessarily provided by the named company, for example, The Post Office but by a certified company working for them, so perhaps the obscured ones do.) The original 2010 model assumed re-use of existing customer information, but none of the envisaged organisations (BA exec club, supermarkets...) joined. Presumably they could not see a return on investment in the imagined market.
Allowing private provision does not answer why there is no option to use public sector provision as well, as envisaged in the US, where no single record is proposed. Excluding public (especially local authority) provision would appear to have been a political decision about competition inappropriately taken by the Cabinet Office in about 2011, but I would be happy to be corrected with an explanation of how it is consistent with the public sector support called for in the National Assistance Act 1948.
Normal contracts include a 'consideration' paid by one party in return for goods or services by another, not an unknown amount paid by a third (or perhaps here fourth) party where there is no clear liability provision. However, most interactions with many departments, e.g. HMRC, are governed by statute, not contract law.
Comment by Emily Ch'ng posted on
Hi Mark
I should clarify that certified companies have the means to look at a wider range of information to establish a person is who they say they are.
We are using a range of certified companies that users can choose from so we can take advantage of value and innovation in the market, and so we can avoid creating a central database of personal data within a single supplier or within government.
This approach will have wider economic benefits as well as making the service more resilient (there’s no single point of failure), better for users (competition between certified companies will result in improvements over time) and less expensive for government.
The information that a certified company may ask a user for to verify their identity is available either from their credit file or from other publicly available sources, and also, if a user has a Barclays account and has used Barclays as a certified company, from their Barclays current account.