Public Services > Central Government

UK can take global ID assurance standards lead during "messy" 2016

Neil Merrett Published 12 January 2016

Open Identity Exchange chairman says GOV.UK Verify launch will bring issue of permission to re-use data for ID assurance into the light


US and EU governments are expected to closely scrutinise Whitehall's work around building identity assurance standards based on the GOV.UK Verify platform during 2016 as a means to potentially set out their own best practice for ID management to access public and commercial services online.

Looking ahead at what he anticipates will be a "messy and interesting" year for ID assurance, Don Thibeau, chairman of the Open Identity Exchange (OIX) not-for-profit organisation, said the anticipated launch of Verify in April was expected to open up debate around identity and data use.

Citing similar challenges facing both public and private sectors worldwide around supporting secure online access, Thibeau said there was significant interest around whether the UK can develop standards capable of balancing a need to ensure privacy with innovative service delivery.

GOV.UK Verify is being developed by the Cabinet Office as a platform to allow users to select one of several pre-chosen companies to perform a check on their identity in order to securely access its online services - rather than relying on a single government database.

At present, there are four companies - Post Office, Experian, Digidentity and Verizon - accredited to support the identity assurance platform. Nine ID providers in total are expected to be accredited to support the service when it goes live from April.

As part of this development, Thibeau said that the development of standards on how personal data can be used - regarded as a "boring" aspect of ID assurance - was the vital plumbing underpinning secure ID services for government agencies as well as private operators.

He noted that "permissible re-use" relating to how individuals allow their personal information to be provided and shared potentially between different government departments or organisations was a key part of these standards.

Thibeau said there were no wider rules of the road in the UK about sharing information for the purpose of securely gaining access to services.

"For example, is it permissible to do this with my data? In the UK there is an opportunity for this in the form of permissions for GOV.UK Verify," he said. "Partnership is needed here between government and the private sector as the whole marketplace needs rules."

Thibeau accepted that the issue of standards was hugely complex in a market where individuals are often happy to give personal details to acquire goods or fast food through convenient online services, but sceptical around the issue of giving permission for public service providers to handle their information.

However, with GOV.UK Verify set to become a live service this year, he argued the planned launch was likely to bring the complex issues of data use to the forefront of public consciousness, notably around standards for the re-use of information and how permission can be obtained.

"When, for example, can HM Revenue & Customs (HMRC) have access to data I gave permission to another department to use to access services and in what situations can this be re-used? These are the key questions that need to be answered," he said.

Thibeau added that OIX itself had lots of work to do around facilitating discussions on how the emergence of ID assurance standards may allow for interoperability between organisations like local councils and health services to ensure secure access to services.

With the European Court of Justice (ECJ) last year invalidating the longstanding 'Safe Harbour' data agreement declaring the US was able to provide adequate levels of protection for personal data transferred under the arrangement, OIX expects some impacts on its work from a wider European perspective. The organisation expects it will need to take a much more localised remit even between separate member states on sharing and data re-use.

Thibeau argued that in the global and increasingly online economy, traditional means of market controls such as national regulation may not always hold scrutiny of a more dynamic worldwide ecosystem for online service providers.

To ensure user and market confidence nationally and globally for identity assurance, clear standards are seen as a complex, but vital requirement to ensure innovation.

Related articles:

GDS expects to define local ID assurance plans from April

Government rejects ID assurance study's security fears

London boroughs back common standards-led data approach

Barclays and PayPal to support GOV.UK Verify

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.