Part 1 of this series covered user control, transparency and multiplicity and part 2 covered data minimisation, data quality and service user access and portability. Today, we cover the last 3 principles: certification, dispute resolution and exceptional circumstances.
Principle 7: Certification
I can have confidence in the identity assurance service because all the participants have to be certified against common governance requirements.
This principle is about assuring users that the verification process meets high standards.
GOV.UK Verify’s hub and document checking service have a National Cyber Security Centre assessor to ensure a rigorous level of inspection for government systems. All certified companies are also contractually obliged to obtain and maintain approvals for the security and quality of their services. This involves meeting a range of requirements and standards, including the:
- ISO27001 Information Security Management standard
- Good Practice Guide 44
- Good Practice Guide 45
- Identity proofing and verification operations manual.
The Cabinet Office works closely with tScheme, a certification organisation that provides the framework for the independent assessment that suppliers need. A qualified independent auditor approved by tScheme inspects the certified company’s service and ensures it is compliant with these high standards.
It’s worth noting that all of our certified companies are certified by tScheme, but not necessarily separately. This is because when a certified company uses the same system as another company that is already tScheme certified, then there is no need for a second certification of the same system. However, if the certified company introduces anything different to the system for verifying identities, then they need to obtain their own separate certification.
If a certified company is unable to follow these policies and meet Verify’s high standards, then GOV.UK Verify has the right to suspend them.
Finally, government services that want to use GOV.UK Verify also go through a robust onboarding process. The process includes a privacy review so we can have confidence that the connecting service is in line with the privacy principles.
Principle 8: Dispute resolution
If I have a dispute, I can go to an independent third party for a resolution.
All certified companies must offer users a way for them to make a complaint or request for help if they need to. Prior to connecting to Verify, we review all certified companies’ complaints processes as part of the onboarding process. If a user wants to raise a complaint, then they can do so through the certified company’s user support.
However, if the user is not satisfied with the result, then they can get in touch with the GOV.UK Verify user support team. They can look into the user’s problem to help offer a solution, and they can also raise the complaint with Verify’s Privacy Officer. The team would gauge whether or not the certified company is still adhering to its contract with government, and take appropriate action if necessary.
Whilst Principle 8 states the user can go to an ‘independent third party’ if a dispute arises, the Privacy and Consumer Advisory Group (PCAG) behind the Principles has confirmed that this requirement is currently fulfilled by the GOV.UK Verify user support team. For example, user support has the ability to share anonymised and statistical outcomes with the independent PCAG for further investigation, if required.
However, if the volume or severity of complaints meet a threshold where a further dispute resolution process is required, then we will take the necessary steps to meet this need.
Principle 9: Exceptional circumstances
Any exception has to be approved by Parliament and is subject to independent scrutiny.
An exceptional circumstance within the privacy principles is defined as a situation where it’s agreed that the privacy principles we’ve just covered are not followed. We apply this principle by ensuring that user data is only used lawfully, and we take this responsibility very seriously.
GOV.UK Verify operates within current UK law, including the Data Protection Act 1998 and Human Rights Act 1998. No specific legislation exists to cover GOV.UK Verify or the certified companies that are contracted through the programme.
Principles that support the growth of GOV.UK Verify
These principles are not simply a checklist of privacy requirements for us to meet: they have shaped how we have built GOV.UK Verify and will continue to help shape its ongoing development. They help us and our certified companies to continue putting user needs first, and protect their privacy.
This finalises our overview of the Privacy and Consumer Advisory Group’s 9 Identity Assurance Principles. What’s your view? Could we be doing more? Let us know in the comments below.