Digital identity and trust
Latest developments
June 2022 – the beta version of the UK digital identity and attributes trust framework was published, superseding version 2 of the alpha framework.
June 2023 – government publishes its response to the consultation on draft legislation to support digital identity verification.
July 2023 – the most recent update to the beta version of the UK digital identity and attributes trust framework, relating to rules on using expired documents as identity evidence, was published.
March 2024 – government consultation on using digital IDs for age verification in relation to alcohol purchases closes. The response to the consultation is awaited.
May 2024 – the Data Protection and Digital Information Bill fails to become law during the ‘wash-up’ prior to the UK general election.
Summary
The UK Government has been developing the UK digital identity and attributes trust framework (“UK DIATF”) since February 2021. UK DIATF will let people use and reuse their digital identities, without the need for National IDs. It will also give people a way to share their attributes with other people and organisations more easily. It sets out the rules and standards that providers of digital identity verification products need to adhere to achieve certification as a trusted provider. The rules an organisation must comply with is determined by the type of service it provides (identity service providers, attribute service providers and orchestration service providers).
Any organisation that wants to participate in UK DIATF must undergo certification by one of the approved certification bodies. Despite testing of UK DIATF being ongoing, organisations can already obtain certification against UK DIATF.
UK DIATF is being developed alongside legislation to support the delivery of digital identity verification services. The Data Protection and Digital Information Bill (DPDI Bill) had been going through the legislative process and reached the committee stage of the House of Lords. The DPDI Bill would have enabled the Secretary of State to produce a statutory version of the trust framework, whereby compliant organisations would be issued trust marks and permitted to use the Government information gateway to verify identities where the individual had consented to this.
However, the DPDI Bill was not passed into law during the parliamentary wash-up in May 2024 so its progress has halted. For now, the beta version of UK DIATF will continue to apply. Any new bill introduced by an incoming government which seeks to put in place a statutory basis for UK DIATF will now need to start the legislative process afresh.
How could it be relevant for you?
The DIAT Framework is directly relevant for those operating as identity service providers, attribute service providers and orchestration service providers who will need to comply with the rules to achieve certification as a trusted provider under the framework. The rules are also relevant to parties who rely on these services, such as airlines, banks, retailers and gambling operators.
Next steps
Although testing of the beta version of UK DIATF was ongoing, focusing on areas which were updated as part of the beta publication such as user agreement, biometric technologies and flow down terms for relying parties, the upcoming election means that it is now unknown whether, and in what form, the previous government’s plans for UK DIATF will continue. The intention was to move towards publishing a live trust framework with statutory status, at which point trust marks will be issued to organisations which adhere to the applicable rules under the trust framework.
It is unclear whether, and in what form, the DPDI Bill will be revisited following the general election. As such, the timeline for establishing a statutory regime in the UK for a digital identity framework remains very uncertain.
Written by Elizabeth Dunn and Callum Granger
*Information is accurate up to 3 June 2024
