Digital Identities in the UK

What are digital identities?

Digital identities provide a method of asserting one’s identity digitally, without the need for traditional paper-based documents. This allows individuals and representatives of organisations to prove who they are in both online and offline contexts, proving their eligibility to complete a transaction as a result of possessing certain attributes, such as their name or being over 18.

Interest in how digital identities could be applied increased significantly following the COVID pandemic, where people were no longer able to prove their identity physically. The UK Government is now giving more attention to these technologies to streamline identity verification processes, which in turn can simplify and secure key processes, save businesses time and money, and unlock economic growth.

In the UK, physical identity documents such as passports and driving licences are not centrally issued identity cards and instead operate as proxies. In fact, the UK Government has not issued centralised forms of identification since 2011, when identity cards were scrapped following widespread opposition to their existence. Digital identities are not, therefore, a new way to assert identity but a way to assert identity based upon existing documentation. This adds layers of complexity to the development of digital identities in the UK as compared to Europe, where centrally issued identity cards exist.

Regulatory Developments

Whilst the UK lags behind Europe, steps are being taken to enable a market for digital identities to develop. Key to this development is the creation of trust in digital identities, and at the heart of this is a market framework which will be based upon the following features:

(i) Trust Framework: in 2021, the first iteration of the UK digital identity and attributes trust framework was published. The trust framework sets the standards that various categories of service providers (identity service providers, attribute service providers and orchestration service providers) must meet to provide a trusted digital identity product. The trust framework has been subject to continued enhancement and change and is mapped against international frameworks. The most recent version is the beta version, which published in June 2022.The trust framework also complements other connected frameworks, such as data protection regulation, rather than existing as a standalone system. The trust framework has been already used as a benchmark for the application of digital identities in right to work, rent and criminal record checks.
(ii) Certification: trust framework compliance is not mandated but is incentivised through certification. The certification process allows providers to demonstrate the requirements of the trust framework have been met, following a UKAS certification process operating independently from the UK Government. Ultimately this gives users, businesses and regulators comfort that the provider meets the standards required by the trust framework.
(iii) Public Registers and Trust Marks: certified providers will receive a trust mark. This will enable them to appear on the Government register and access Government held data that can be used to verify identities. Displaying the trust marks allows consumers and relying parties to use the product with more confidence and trust. A public register of certified providers means it is easy to identity who is a trusted provider without having to use more complex or time consuming channels.
(iv) Information Gateway: legislation allows the Government to give certified providers the right to check data in the Government information gateway, provided the individual has consented to this. This ultimately enables the functioning of the digital identity product.

Regulatory Updates

The market framework is being developed alongside supporting legislation. Of particular note in this area is the Data Protection and Digital Information Bill (the Bill), which is currently being considered in the House of Lords and is anticipated to come into force in spring 2024 (though this timeline could be subject to significant alteration, particularly if there is delay and any impact by a prospective change of government).

The explanatory notes to the Bill identify a gap in the UK with respect to digital identities, in that there is no existing legislation governing how private organisations provide digital identities. The Bill looks to address this by building trust in this space to enable the market to develop. To do this, the Bill proposes to impose obligations on the Secretary of State and grant certain powers, which it will exercise through the Office of Digital Identities and Attributes. Examples include:

• a requirement for the Secretary of State to publish a trust framework, which must be reviewed and updated every 12 months following consultation with appropriate parties to ensure it remains effective (section 53);
• a requirement for the Secretary of State to maintain a list of certified organisations providing digital identity verification services (section 63);
• a power for the Secretary of State to designate trust marks to organisations registered to provide digital verification services i.e. those who have complied with the trust framework (section 79);
• a power enabling public authorities to share information relation to an individual with an organisation registered in the DVS register, provided the individual has made a request to provide the information (section 74); and
• a requirement for the Secretary of State to publish a code of practice regarding disclosing information, consistent with the data sharing code prepared and issued under the Data Protection Act 2018 (section 78).

Applications and risks

Whilst legislation is being developed alongside the regulatory framework, a number of use cases have emerged for using digital identities. Examples include:

• digital identity certification for right to work, right to rent and criminal record checks;
• Government consultation on whether digital identities can be used for age verification for alcohol sales;
• FATF consultation on the application of digital identities in customer due diligence, to help prevent against money laundering; and
• cinemas using digital identities as a means of age verification, through a partnership between the UK Cinema Association and a digital identity service provider.

The next steps in the UK will be further development of the regulatory framework and roll-out of digital identity use cases. The ultimate aim will be to see organisations (including regulators, service providers, suppliers and customers) across industry buying into the use of digital identities so that adoption can become more widespread. However, as this area develops it is vital that the framework and those operating in this space are able to tailor their products to mitigate the risks that widespread application of digital identities may bring:

• Privacy: it is vital that privacy is protected to enable the growth of trust in the use of digital identities. Whilst producing innovative applications for digital identities will lead to greater interest in using such products, failing to protect privacy rights will undermine trust in the framework and discourage use of the products. The powers granted to public authorities under section 74 (as referenced above) are driving these concerns, as there is a risk that sharing information could increase privacy risks. To mitigate this, there must be trust in the framework. Those operating in this space must commit to privacy and data security considerations and achieve this using tools such as Data Protection Impact Assessments. It is notable that data protection issues will continue to be regulated by the ICO, so it is pivotal that regulators are able to work cohesively to enhance privacy protection and build trust in the application of digital identities.
• Inclusiveness: the digital identities system must develop in a way which does not exacerbate pre-existing inequalities. It is vital that the digital identities system is a complementary way of proving identity and not an exclusive means of doing so which could prejudice marginalised groups, such as those who are less computer literate or possess language barriers. Messaging to this effect must be communicated to maintain trust in the system.
• Security: as with any digital system, there needs to be sufficient security processes in place to ensure that the system is not vulnerable to security breaches which could undermine the efficacy of the systems and lead to significant reputational damage for the affected providers, and therefore undermine trust in the system.

Combatting these risks will require service providers to conduct adequate internal due diligence on their processes as the regulatory system develops in tangent. Ensuring an adequate understanding of the trust framework will not only be essential to achieve certification as a trusted provider, but will be key to developing appropriate systems and protections which can allow the benefits of digital identities to be realised without these risks emerging.

Next Steps

The next steps for digital identities in the UK are likely to be:

1) further progression of the Bill through the House of Lords and its entering into law, subject to any delays which may be caused by a change to government;
2) testing of the beta version of the trust framework and continued iterative changes which will take place as the system grows and more providers are certified; and
3) more applications of digital identity technologies to broader industries, expanding on the multiple use cases identified above. In particular, providers will be keen to attract buy-in from specific industry regulators.

We will continue to update on further changes as and when information becomes available.