Public Services > Central Government

Manzoni calls in McKinsey to conduct review of online identities for public services

David Bicknell Published 03 October 2017

Work likely to consider Verify ‘next steps’ including commercial model and governance as well as how to deliver on Transformation Strategy goal of having 25m Verify users by 2020


The government is understood to have called in management consultancy McKinsey to do a ‘Next Steps’ review of how Whitehall can make online identity assurance for public services work.

The review, which is expected to include the future of the Government Digital Service’s (GDS) GOV.UK Verify identity assurance scheme is believed to have been instituted by Civil Service chief executive and Cabinet Office permanent secretary John Manzoni.

The work is expected to provide important work as the government moves towards publication of a commercial model for Verify. A proposal for a commercial model is due to be presented at an OIX members meeting on the economics of identity in November.

The identity review is also likely to have to discuss governance issues around Verify, including how to deal with verification disputes as the government tries to roll out Verify to wider usage.

The government has not given any indication of a timescale for the review, though it is likely to have been underway since the General Election. That may explain the lack of any recent public detail of what is happening with Verify.

Identity assurance specialists have noted  there have been no Verify-related blogs written since the end of March, though some of that time was taken up by the General Election campaign and accompanying purdah.

One of the last Verify-related blogs was one written by a digital team leader at Northumberland County Council who discussed working with GDS on  two pilot projects  to transform older people’s concessionary travel and residential parking permit services using Verify. 

It is likely that the review will pay close attention to whether it is possible for the government to deliver on a priority outlined in the Government’s Transformation Strategy of “making better use of GOV.UK Verify by working towards 25 million users by 2020 and exploring options for delivery of identity services for businesses and intermediaries.”

The review’s remit is understood not to have been a review of the role of GDS itself. Some whispers had indicated this was the case, but these have been denied.

A spokesperson for Cabinet Office said: '"As is the case in many large scale programmes such as Verify, the government draws on a wide range of advice to ensure we deliver the best possible service for users and value for taxpayers. Details of specific contracts awarded are published regularly on Contracts Finder."

McKinsey told Government Computing it never comments on its relationships with clients or potential clients.

GDS has recently been investigating the international interoperability of Verify and the potential to enable UK citizens to use their Verify accounts internationally.

According to a document on the Digital Outcomes and Specialists (DOS) marketplace, GDS is looking for a partner to support building the capability of the UK's digital identity scheme to enable UK citizens to use a Verify identity to access services abroad.

The scheme of work is to scope the feasibility of potentially connecting Verify to the eIDAS framework and provide sizings and estimates for the next phase.

The news that the Cabinet Office appears to be having a closer look at identity services and the future development of Verify follows a call earlier this year for a rethink from noted privacy and data specialist Jerry Fishenden.

Fishenden, who until earlier this year was co-chair of the Cabinet Office’s independent Privacy and Consumer Advisory Group, has argued there is an urgent  need to step back and review how best to make online identity for public services work.

Fishenden has previously pointed out that proving someone is online and letting them access their personal data – such as their tax, welfare, pension or medical records – often get lumped together as a single problem.

He said in a blog called The Identity/Data Divide , “Prove who someone is and, Voila!, access to their data happens automatically.

“If only reality were that simple. Reliably matching someone to their data often turns out to be a bigger problem than identifying who they are. As ever, the devil is in the detail.”

Fishenden added, “….while a trusted framework for proof of identity would help improve some aspects of our online lives, it won’t provide a magic bullet. One trumpeting pink elephant in the room remains the significant problem of matching a proven identity to data held by different organisations – often referred to either as “identity matching” or “data matching”.

“Even a so-called “gold standard” of identity, involving both the biometric and biographic data – and the central register(s) – proposed by ID card enthusiasts, wouldn’t magically solve this difficult issue of matching an identity to existing personal data records maintained across multiple systems and organisations.

“The reason for this matching problem is that there’s no such thing as a single universal “identity” for most people. Even where a trusted third party identity provider such as a bank is prepared to vouch that someone online is say “Joan Smith” it doesn’t solve the problem of providing “Joan Smith” with automatic access to the right services and personal data.”

Identity specialists have pointed out that although its identity remit is wider than simply Verify, it is likely to have to cover off criticism that Verify is “the wrong hammer for the wrong nail” and that Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists.

Another key area likely to be considered by the review is how to create the right open, commercially robust environment for private sector identity and hub service providers. Identity specialists have already signalled that this area requires significant commercial work around governance and dispute resolution. There are some fears that the working landscape in the face of the incoming General Data Protection Regulation (GDPR) could become an identity minefield. One solution to this, some argue, is by having an open market for digital identity based on an exchange model.

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.