Millions of transactions are conducted at a distance every day, and the use of digital identity verification technologies have emerged as a means of combatting the risk of fraud associated with these transactions and allowing people to access certain good and services by proving their age and identity. Here we examine the progress of digital identities in the UK to date and consider what regulatory milestones lie ahead.
Digital identities provide a method of asserting one’s identity digitally, without the need for traditional paper-based documents. This allows individuals and representatives of organisations to prove who they are in both online and offline contexts, proving their eligibility to complete a transaction as a result of possessing certain attributes, such as their name or being over 18.
Interest in how digital identities could be applied increased significantly following the COVID pandemic, where people were no longer able to prove their identity physically. The UK Government is now giving more attention to these technologies to streamline identity verification processes, which in turn can simplify and secure key processes, save businesses time and money, and unlock economic growth.
In the UK, physical identity documents such as passports and driving licences are not centrally issued identity cards and instead operate as proxies. In fact, the UK Government has not issued centralised forms of identification since 2011, when identity cards were scrapped following widespread opposition to their existence. Digital identities are not, therefore, a new way to assert identity but a way to assert identity based upon existing documentation. This adds layers of complexity to the development of digital identities in the UK as compared to Europe, where centrally issued identity cards exist.
Whilst the UK lags behind Europe, steps are being taken to enable a market for digital identities to develop. Key to this development is the creation of trust in digital identities, and at the heart of this is a market framework which will be based upon the following features:
(i) Trust Framework: in 2021, the first iteration of the UK digital identity and attributes trust framework was published. The trust framework sets the standards that various categories of service providers (identity service providers, attribute service providers and orchestration service providers) must meet to provide a trusted digital identity product. The trust framework has been subject to continued enhancement and change and is mapped against international frameworks. The most recent version is the beta version, which published in June 2022.The trust framework also complements other connected frameworks, such as data protection regulation, rather than existing as a standalone system. The trust framework has been already used as a benchmark for the application of digital identities in right to work, rent and criminal record checks.
(ii) Certification: trust framework compliance is not mandated but is incentivised through certification. The certification process allows providers to demonstrate the requirements of the trust framework have been met, following a UKAS certification process operating independently from the UK Government. Ultimately this gives users, businesses and regulators comfort that the provider meets the standards required by the trust framework.
(iii) Public Registers and Trust Marks: certified providers will receive a trust mark. This will enable them to appear on the Government register and access Government held data that can be used to verify identities. Displaying the trust marks allows consumers and relying parties to use the product with more confidence and trust. A public register of certified providers means it is easy to identity who is a trusted provider without having to use more complex or time consuming channels.
(iv) Information Gateway: legislation allows the Government to give certified providers the right to check data in the Government information gateway, provided the individual has consented to this. This ultimately enables the functioning of the digital identity product.
The market framework is being developed alongside supporting legislation. Of particular note in this area is the Data Protection and Digital Information Bill (the Bill), which is currently being considered in the House of Lords and is anticipated to come into force in spring 2024 (though this timeline could be subject to significant alteration, particularly if there is delay and any impact by a prospective change of government).
The explanatory notes to the Bill identify a gap in the UK with respect to digital identities, in that there is no existing legislation governing how private organisations provide digital identities. The Bill looks to address this by building trust in this space to enable the market to develop. To do this, the Bill proposes to impose obligations on the Secretary of State and grant certain powers, which it will exercise through the Office of Digital Identities and Attributes. Examples include:
Whilst legislation is being developed alongside the regulatory framework, a number of use cases have emerged for using digital identities. Examples include:
The next steps in the UK will be further development of the regulatory framework and roll-out of digital identity use cases. The ultimate aim will be to see organisations (including regulators, service providers, suppliers and customers) across industry buying into the use of digital identities so that adoption can become more widespread. However, as this area develops it is vital that the framework and those operating in this space are able to tailor their products to mitigate the risks that widespread application of digital identities may bring:
Combatting these risks will require service providers to conduct adequate internal due diligence on their processes as the regulatory system develops in tangent. Ensuring an adequate understanding of the trust framework will not only be essential to achieve certification as a trusted provider, but will be key to developing appropriate systems and protections which can allow the benefits of digital identities to be realised without these risks emerging.
The next steps for digital identities in the UK are likely to be:
1) further progression of the Bill through the House of Lords and its entering into law, subject to any delays which may be caused by a change to government;
2) testing of the beta version of the trust framework and continued iterative changes which will take place as the system grows and more providers are certified; and
3) more applications of digital identity technologies to broader industries, expanding on the multiple use cases identified above. In particular, providers will be keen to attract buy-in from specific industry regulators.
We will continue to update on further changes as and when information becomes available.