The Government has published six Principles that govern the development of its digital identity policy. As most governmental departments and businesses are providing more online services (encouraged by COVID), a citizen’s ability to prove his or her identity digitally is becoming more important (e.g. to facilitate interaction with Government or to authorise electronic payments).
The six digital identity Principles are: “Privacy, Transparency, Inclusivity, Interoperability, Proportionality” and “Good Governance” and can be found in Section 4.2 of a 5,000+ word text which describes Governmental proposals for digital identity (see references). In summary, the Principles are deficient for the reasons explained below; as currently worded their ambiguity offers little in the way of assurance.
DCMS, the responsible Government Department, has also established a Digital Identity Strategy Board (DISB) to provide oversight: the “Board has developed the principles to frame digital identity delivery and policy in the UK”. The Board is consulting on the Strategy; the Principles are reviewed annually.
Privacy Principle
The Privacy Principle reads: “When personal data is accessed citizens will have confidence that there are measures in place to ensure their confidentiality and privacy. Where possible, citizens select what personal data is shared. Organisations will have privacy standards to uphold and will need to prove their ongoing compliance”.
Commentary on Privacy Principle
Consider the sentence: “When personal data is accessed citizens will have confidence that there are measures in place to ensure their confidentiality and privacy”. The phrase “When personal data is accessed…” does not describe “Accessed by whom” or “accessed for what purpose”.
For example, the Principle could easily have read: “When personal data is accessed for ID related purposes…”. The fact that it does not say something like this permits the Principle to remain unbreached even though there are other unspecified processing activities.
The segment “Where possible citizens select what personal data is shared…” creates doubt through the use of the word “possible”; this implies the existence of unspecified circumstances when “citizen” selection might not be possible. The 5,000+ word accompanying text does not explain what these other circumstances could be or indeed whether they exist.
The segment: “Organisations will have privacy standards to uphold and will need to prove their ongoing compliance” makes no reference to “data protection” or “GDPR” or “UK_GDPR” even though the Principle itself refers to “personal data”. The lack of a reference to the current data protection regime raises the question of whether the Privacy Standards of the Principle could be weaker than those established by the GDPR.
Remember DCMS is leading on data protection, and the Prime Minister’s Parliamentary Written Statement (HCWS86; 3 February 2020) confirms that the UK wants to go its own way on Data Protection. In the post-Brexit world, it could be that DCMS is reluctant to affirm that GDPR standards apply to its Digital Identity policy.
Another way of raising this issue is to ask the following question: “What sets the privacy standards if it is not the data protection regime?”. The absence of an explicit reference to data protection will, in my view, cause confusion at best and consternation at worst.
Transparency Principle
The Transparency Principle states that “Citizens must be able to understand by who, why and when their identity data is used [when using digital identity products].” Notice this is much less a commitment to transparency than the right to be informed requirements set out in A.13/A.14 of the GDPR. In general, discussion about the lawful basis for the processing of personal data (i.e. A.6) and the rights of data subjects (A.15-A.22) is absent from the associated 5,000+ word text.
The Principle also opens the door to the prospect that there could be no understanding by the citizen concerning the use of personal data [e.g. “when NOT using digital identity products”] and, given other Principles, is consistent with data sharing of personal data for non-identity related purposes (e.g. by public authorities).
The omission of a reference to the Purpose Limitation Principle (which would limit further processing of digital identity personal data) and the absence of the words “data subject’s consent” is astonishing; both will also serve to reduce confidence in the Digital Identity Principles.
Inclusivity Principle
The Inclusivity Principle states that “This means those who want or need a digital identity should be able to obtain one. We will look at how citizens could use different attributes (e.g. name, date of birth etc.) held across government and by other parties to support identity proofing”.
Commentary on Inclusivity Principle
The fragment (“those who want or need a digital identity should be able to obtain one”) begs the question of whether ONLY one digital identity is available. I hope this is not the case but the Principle is not at all clear. In my view, it would undermine the whole scheme if a single identity were intended; it risks a return to problems that surrounded general public sector access to the National Identity Register which underpinned the ID Card legislation of 2005.
The accompanying 5,000+ word text is also silent on other important issues. For example: “If a citizen does not have a digital ID can they be excluded?” (e.g. wait longer for benefits or a service). “Will a digital ID be required prior to booking a video consultation with a GP?” (i.e. no digital ID, no booking etc).
Could the absence of a digital identity imply an individual has no right to remain in the UK, if that individual is picked up by the Border Agency? Finally: “Can the obtaining of at least one Digital ID become compulsory?” (the elephant in the room).
All these types of issues should have been dismissed by the text of the Principles; leaving them hanging in poorly drafted Principles will allow suspicions to develop about the motives underpinning the digital identity proposals.
The text of this Principle strongly suggests that this identity scheme is primarily for Government Departments and for identity issues mandated by Government or Regulators (e.g. Know Your Customer; employee vetting).
This view is reinforced by the use of the words “We will look at how ….” in relation to other identity related issues. The “looking at” is an aspiration; it is not a particularly strong commitment, and it relegates non-mandatory identity proofing by the private sector to a secondary concern.
Interoperability Principle
The Interoperability Principle states: “Setting technical and operating standards for use across the UK’s economy to enable international and domestic interoperability”.
Notice that this implies the development of data sharing (e.g. of digital identity personal data) on an international basis.
Proportionality Principle
The Proportionality Principle has nothing to do with A.8 ECHR; it states that: “User needs and other considerations such as privacy and security will be balanced so digital identity can be used with confidence across the economy”.
It is not clear what is being “balanced”; the use of the words “such as” permits the balancing of other unspecified considerations that are different to security or privacy. In addition the wording “can be used” begs the question “used by whom?”. Finally, does security mean security of personal data or security in the sense of public safety, crime prevention or national security? Who knows?
Good Governance Principle
The Principle states “Digital identity standards will be linked to government policy and law. Any future regulation will be clear, coherent and align with the government’s wider strategic approach to digital regulation.”
Commentary on the Governance Principle
The fragment “The Digital identity standards will be linked to government policy and law” is open ended. If the government policy is, for example, the Government’s data sharing policy, then the chances are data sharing will not require permission of the citizen (as it could be authorised by law) via the text of the “Privacy Principle”.
This is reinforced by the Governance Principle’s reference to “and law” as this could include “existing law”. In other words, legislation which did not consider the Government’s Digital ID initiative, could permit access to personal data and be consistent with the Privacy Principle.
I give two classic examples of such data sharing from history: the Taxes Management Act 1970 was used to facilitate disclosure of personal data to HMRC even though computing in 1970 predated the DPA 1984 by 14 years, and Regulations under the Telecoms Act 1984 allowed the national security agencies lawful access to bulk personal data before 2016. The common thread: old legislation contained powers which were used by the authorities decades later.
The reference to “Any future regulation” ignores the status of existing legislation, thus reinforcing the fact that existing law could be used to justify data sharing – as described in the previous paragraph. The reference to “regulation” implies the Secretary of State will be given wide ranging powers over the Digital Identity. Such powers are not usually subject to detailed Parliamentary scrutiny and could be used to modify the Digital ID law to meet Governmental requirements (in theory, in a way which can be detrimental to the citizen’s concerns).
Concluding comment
As a reference point, I attach in the references the document on the Identity Assurance Principles produced by the PCAG Group for Verify.Gov; if you look at the document you will see the detail we went into to produce Principles that contain none of the problems identified above.
The PCAG Principles had an emphasis on user consent, the data protection regime, a reference to data quality and to data minimisation, the ability to use multiple identities, an independent ombudsperson in case of error and a procedure for exceptions (e.g. when the authorities gain access to identity personal data). All these are missing from the DCMS Identity Principles.
The current DCMS Principles are so vague that I for one will not volunteer for a voluntary ID; urgent revision needed.
References
The Nine Identity Principles produced by PCAG from Verify.Gov for comparison; you can see what is missing immediately (document: IDA Principles workshop v3, as published April 2014).
The 6 ID Principles are in the 5,000+ word text at: https://www.gov.uk/government/consultations/digital-identity/outcome/digital-identity-call-for-evidence-response