This Government has made a commitment to improve the way that data and information is shared and used across the public sector to deliver better, joined up services and exceptional outcomes for our citizens. People often access government services in times of great need, and services must provide the best possible experience for users, while maintaining privacy, trust and building confidence.
The Digital Economy Act was designed and passed in 2017 to give us flexibility to introduce new data sharing gateways to support the delivery of key services, as the need arises, by secondary legislation and with a pre-consultation stage. This consultation sets out proposed data sharing legislation that would make it easier for citizens to prove who they are online when accessing government services.
The proposed legislation will also unlock the full benefits of a new government identity verification system, known as GOV.UK One Login. As part of the Cabinet Office, the Government Digital Service (GDS) is developing GOV.UK One Login, through close collaboration with other government departments.
Inclusion is at the heart of GOV.UK One Login. The proposed data-sharing legislation will ensure that more people than ever before will be able to prove their identity online and access government services, so that anybody who wants to use online services is able to. Furthermore, the government is committed to realising the benefits of digital identity technologies without creating ID cards.
GOV.UK One Login and the proposed legislation will ensure the government continues to drive inclusive digital transformation, to level up opportunities across all corners of the UK, and deliver brilliant public services. To drive this inclusive digital transformation even further, this Government is separately legislating to enable the use of trusted digital identities in the UK under Part 2 of the Data Protection and Digital Information Bill. This policy initiative is owned by DCMS and will enable citizens to prove things about themselves in a secure and trusted way to access commercial products and services online. DCMS is doing this in a way that maintains people’s choice, security and control of their data, and supports growth and technical innovation across the economy.
I welcome responses from anyone with an interest or views on identity verification services to respond to this consultation.
Executive summary
This consultation sets out the Cabinet Office’s proposal to enable data sharing between specified public authorities to support delivery of identity verification services to individuals and households.
Introduction
The Public Service Delivery (‘PSD’) power (Chapter 1 of Part 5 of the Digital Economy Act 2017) allows specified public authorities to share personal information for objectives which are set out in regulations. This information sharing power is aimed at improving or targeting public services to individuals or households in order to improve their well-being. It also includes safeguards to make sure that the privacy of citizens’ data is protected when shared by public authorities.
New objectives can be created providing they meet the criteria in Section 35 of the Digital Economy Act 2017 and secure parliamentary approval. The criteria are as follows:
- condition 1: the purpose is the improvement or targeting of a public service provided to individuals or households, or the facilitation of the provision of a benefit (whether or not financial) to individuals or households;
- condition 2: the purpose is the improvement of the well-being of individuals or households; and
- condition 3: the purpose is the supporting of the delivery of a specified person’s functions, or the administration, monitoring or enforcement of a specified person’s functions
In order to exercise the PSD power, the government must, via regulations, set specific objectives for which data may be shared and identify the specific public authorities to which they apply. The Code of Practice for the PSD power provides the principles and guidance on using the power and on ensuring compliance with data protection legislation.
This consultation paper sets out:
- a proposed objective to support identity verification services and the draft Digital Government (Disclosure of Information)(Identity Verification Services) Regulations 2023 which would enact it;
- a proposal for 4 new public authorities to be added to the schedule of authorities able to use objectives under the public service delivery data sharing powers, subject to this public consultation and parliamentary approval;
- a proposal for those 4 new specified public authorities to be able to use the new objective to support identity verification services specifically; and,
- a proposed list of public authorities already in Schedule 4 of the Digital Economy Act 2017 to be able to use the new objective to support verification services specifically.
This consultation is aimed at the general public, UK public authorities and other government departments, arm’s length bodies, non-departmental public bodies or other organisations who may consider they could be affected by the draft regulations. It may also be relevant to other bodies that have an interest in identity verification services.
Government has completed a number of impact assessments against the proposed secondary legislation to ensure that all intended and unintended effects have been considered and mitigations established where appropriate. We have published a summary of the Public Sector Equality Duty assessment with this consultation.
Responses are welcome from anyone with an interest in or views on the subject covered by this consultation.
The proposal
The Government Digital Service (GDS), part of the Cabinet Office, is developing, in collaboration with other government departments, a digital identity verification service which will allow people to create and reuse digital identities to access public services. Known as GOV.UK One Login, this will make it easier for people to find and access government services, allows users to prove their identity online, protects the privacy of users and reduces identity fraud and theft. The proposed legislation will allow more people than ever before to successfully prove their identity online and access government services.
In order to successfully deliver this service, participating public authorities will need to be able to check and share several types of government-held personal data with the identity verification service to allow users to prove they are who they say they are.
To support identity verification services, the UK Government is proposing to create a new objective under Chapter 1 of Part 5 of the Digital Economy Act 2017. The proposed objective will enable data sharing by specified public authorities currently included in Schedule 4 of the Act to deliver digital identity verification services to citizens. The proposal also includes 4 new public bodies to be added to Schedule 4 and for them to be able to share data for the purposes of identity verification services.
As required by the Code of Practice, the proposed new objective has been approved by the Public Service Delivery Review Board.
What is the new data sharing objective?
The Digital Government (Disclosure of Information)(Identity Verification Services) Regulations 2023 will create a new PSD objective to allow sharing personal information in order to deliver identity verification services to individuals and households. It would enable data sharing between the public authorities specified in Annex 4 of this consultation. The data sharing would provide those specified public authorities with the ability to share data for the purposes of identity verification for the benefit of individuals and households.
The data sharing objective would enable public bodies to share a wider range of specified data than is currently possible. This benefits individuals and households by improving digital inclusion, reducing the burden on individuals of providing the same information to different public authorities many times, and makes access to services easier.
Who may process data and why?
Only the public authorities shown in Annex 4 may process data to support identity verification services under the proposed power. The public authorities listed in Annex 4 hold personal data about individuals in the course of their normal operations. This includes organisations which hold documents which are typically used in identity verification, such as the Home Office holding passport information, and organisations holding information which can be used to support identity verification, such as HMRC holding personal data for tax purposes. Alternatively, some of the public authorities listed may deliver the identity verification service, for example the Cabinet Office, and will therefore need to process personal data.
Health and adult social care bodies are not currently included in the scope of the Digital Economy Act 2017 for data sharing purposes.
What data will be processed?
Public authorities will process the minimum number of data items, known as attributes, necessary for verifying the identity of an individual. Examples of attributes include:
- user’s full name;
- date of birth;
- home address;
- email address;
- photographic images;
- various identifiers such as passport number or driving licence number;
- attributes held by government departments necessary for verifying the identity of an individual;
- the outcome of identity checks previously performed on a user; and
- transactional data, for example, income
Other data items may be processed as identity verification services develop. This may include special category data and processing will only take place in line with the relevant guidance (see paragraph below). However, any additional information to be shared will comply with the ‘data minimisation’ principles so that only the minimum amount of data is disclosed as is necessary for any identity check. At this time the service will not be aimed at children under the age of 13.
Special consideration will also be given to the handling of all personal data belonging to individuals who cannot consent to the service for whatever reason and may have a third party acting on their behalf.
How will the data be shared?
Different government services have unique identity verification criteria depending on the level of confidence required in an identity. An individual using the identity verification service to access a government service would present data to be validated against data already held by specified public authorities. This should confirm that the information submitted by the individual matches that information held by a public authority and increases the confidence that the individual is the claimed identity. Only the minimum necessary amount of data will be requested from the individual to validate the match.
The data returned to the government service that initiated the identity verification check on the individual will include the result of the identity check, and a minimum set of attributes required to identify the individual whose identity was checked. For example, this might include the individual’s name, date of birth, and any additional data attributes that the government service requested were collected from the individual, such as the individual’s address.
In line with the Code of Practice and prior to sharing any data, all parties to the data share will complete an agreed business case, information sharing agreement, data protection impact assessment and security plan which will specify the data items to be shared. Data sharing will take place in accordance with data protection legislation, UK GDPR, the Commissioners for Revenue and Customs Act 2005, the Information Commissioner’s Office Data Sharing Code of Practice and all other relevant statutory guidance and codes of practice.
All public authorities who are parties to the data sharing will continue to ensure that data is held securely, to the appropriate security and information management standards, maintained to the appropriate quality, used only for the specified purpose of identity verification services, kept as long as required for the specified purpose of identity verification services, and then securely deleted.
Any and all data shares under the proposed objective will be included in the Register of information sharing agreements established under the Digital Economy Act 2017.
As part of the verification process provided by GOV.UK One Login, checks will be made to assure a user’s identity and ensure that the identity is not fraudulent or being misused. This protects the individual, ensuring that their identity is not used to access services on their behalf without their permission.
If the outcome of these checks is that GOV.UK One Login suspects the user is not the identity they claim to be, the service will alert the relevant service or government department. GOV.UK One Login will not take punitive action. It will protect against fraud by making identity theft more difficult by including many more digital checks than under the current system and protecting access at the gateway to government services.