This blog post is the third and final post in a series of 3 where we look at each of the 9 Identity Assurance Principles and explain what they mean for our users.
Part 1 of this series covered user control, transparency and multiplicity and part 2 covered data minimisation, data quality and service user access and portability. Today, we cover the last 3 principles: certification, dispute resolution and exceptional circumstances.
Principle 7: Certification
I can have confidence in the identity assurance service because all the participants have to be certified against common governance requirements.
This principle is about assuring users that the verification process meets high standards.
GOV.UK Verify’s hub and document checking service have a National Cyber Security Centre assessor to ensure a rigorous level of inspection for government systems. All certified companies are also contractually obliged to obtain and maintain approvals for the security and quality of their services. This involves meeting a range of requirements and standards, including the:
- ISO27001 Information Security Management standard
- Good Practice Guide 44
- Good Practice Guide 45
- Identity proofing and verification operations manual.
The Cabinet Office works closely with tScheme, a certification organisation that provides the necessary independent assessment of the framework suppliers. A qualified independent auditor approved by tScheme inspects the certified company’s service and ensures it is compliant with these high standards.
It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately. This is because when a certified company uses the same system as another company that is already tScheme certified, then there is no need for a second certification of the same system. However, if the certified company introduces anything different to the system for verifying identities, then they need to obtain their own separate certification.
If a certified company is unable to follow these policies and meet Verify’s high standards, then GOV.UK Verify has the right to suspend them.
Additionally, the certified companies’ contracts with GDS contain specific privacy requirements. These include submitting a privacy impact assessment and complying with all relevant legal obligations. Certified companies must also have a clear and reasonable privacy policy that outlines how they meet the Identity Assurance Principles.
Finally, government services that want to use GOV.UK Verify also go through a robust onboarding process. The process includes a privacy review so we can have confidence that the connecting service is in line with the privacy principles.
Principle 8: Dispute resolution
If I have a dispute, I can go to an independent third party for a resolution.
All certified companies must offer users a way for them to make a complaint or request for help if they need to. Prior to connecting to Verify, we review all certified companies’ complaints processes as part of the onboarding process. If a user wants to raise a complaint, then they can do so through the certified company’s user support.
However, if the user is not satisfied with the result, then they can get in touch with the GOV.UK Verify user support team. They can look into the user’s problem to help offer a solution, and they can also raise the complaint with Verify’s Privacy Officer. The team would gauge whether or not the certified company is still adhering to its contract with government, and take appropriate action if necessary.
Whilst Principle 8 states the user can go to an ‘independent third party’ if a dispute arises, the Privacy and Consumer Advisory Group (PCAG) behind the Principles has confirmed that this requirement is currently fulfilled by the GOV.UK Verify user support team. For example, user support has the ability to share anonymised and statistical outcomes with the independent PCAG for further investigation, if required.
However, if the volume or severity of complaints meets a threshold where a further dispute resolution process is required, then we will take the necessary steps to meet this need.
Principle 9: Exceptional circumstances
Any exception has to be approved by Parliament and is subject to independent scrutiny.
An exceptional circumstance within the privacy principles is defined as a situation where it’s agreed that the privacy principles we’ve just covered are not followed. We apply this principle by ensuring that user data is only used lawfully, and we take this responsibility very seriously.
GOV.UK Verify operates within current UK law, including the Data Protection Act 1998 and Human Rights Act 1998. No specific legislation exists to cover GOV.UK Verify or the certified companies that are contracted through the programme.
Principles that support the growth of GOV.UK Verify
These principles are not simply a checklist of privacy requirements for us to meet: they have shaped how we have built GOV.UK Verify and will continue to help shape its ongoing development. They help us and our certified companies to continue putting user needs first, and protect their privacy.
This finalises our overview of The Privacy and Consumer Group’s 9 Identity Assurance Principles. What’s your view? Could we be doing more? Let us know in the comments below.
6 comments
Comment by Simon O'Connell posted on
It's a load of rubbish. Unless you have a smartphone you can't use it. I suppose it's ok if you can afford one... Maybe I'll buy one and not eat for a couple of weeks.
Comment by Emily Ch'ng posted on
Hi Simon
Sorry to hear you've had trouble. You may still be able to use GOV.UK Verify without a mobile or a smartphone. All certified companies use two-step verification.
One of the certified companies offers the option to create your own PIN via a method called M-PIN, which appears on their webpage. Others will allow you to receive a one time code via a landline telephone.
Alternatively, if you have a tablet, some certified companies have their own authentication app you can use to receive your one time code or you can install an app of your choice by searching ‘authenticator’ in the app store.
If you return to the service, go back through the GOV.UK Verify path and select 'no' when asked if you have a mobile phone, you should see the landline, M-PIN and app options and be able to choose a certified company that offers that method.
Comment by Geoffrey clements posted on
I've been trying to file my tax return for the last four days in the same manner as the past 8 yrs online but keep getting rejected as technical difficulties when I get to the same section. I've tried registering with verify and keep getting rejected for not enough ID. HELP!!!!
Comment by Emily Ch'ng posted on
Dear Geoffrey,
I'm sorry to hear you've had difficulties. Can I first please check if you have been using HMRC's Government Gateway, or GOV.UK Verify (which has blue start pages and verifies through certified companies)?
If you have been using Government Gateway, HMRC offer support for self assessment and you can find their contact details here https://www.gov.uk/government/organisations/hm-revenue-customs/contact/self-assessment
Comment by Mark S posted on
With a verification rate of only 72% I am rather shocked that this is the ONLY way of accessing some government online services, and that more than one in 4 members of the public cannot be verified.
I recently attempted verification through two different providers, but was refused by both.
From my experience, and looking at that 72% rate, it seems there is a big disconnect here in terms of accessibility, particularly when the government is pushing its digital services to the public?
Comment by Emily Ch'ng posted on
Hi Mark,
Thanks for your feedback. The verification rate you see is the proportion of visits that result in the creation and verification of an account with a certified company, following a completed verification attempt. This rate is measured at the point where a user arrives back at GOV.UK from a certified company website, following a completed verification attempt.
I’m sorry you’ve had a bad experience. You might like to try contacting the certified companies' support details for help? https://identityassurance.blog.gov.uk/gov-uk-verify-certified-company-user-support-details/
GOV.UK Verify doesn’t work for everyone yet but we’re working to constantly expand and improve the service. We do appreciate how frustrating that can be for those we are unable to verify at this stage. However, please note that GOV.UK Verify is not the only way of accessing government services. Nobody is excluded from a service if they can’t be verified by GOV.UK Verify. Other channels will be available for people who are not able to use digital services, including if they are not able to verify their identity entirely digitally.
Your feedback on GOV.UK Verify is valuable – it will be used to make GOV.UK Verify better for others.