4th Industrial Revolution 4 mins read

DCMS guest blog – building trust in digital identities

My team in the Department for Digital, Culture, Media and Sport (DCMS) is working to enable the use of trusted digital identity products across the UK economy. This means ensuring there are secure digital ways to prove people are who they say they are, or are entitled to do particular things, without repeatedly having to present a mish-mash of documents and bills.

Right from the start, we have been asking people what they want from these products. We heard time and time again that people want to be able to trust the services they use. People have to input personal data about themselves and they don’t want to have to wade through pages of incomprehensible terms and conditions to assure themselves it is safe to do so. They want to know rules are in place, that they’re being followed and that there is a way to complain if things go wrong.

The use of digital identities can unlock huge economic wins – more than £800 million a year if we get it right – but we need to be sure that we’re not opening up new risks too. How can we be sure fraud, privacy and cyber security are preserved? And how can we ensure that the UK gets a range of digital identity products and services so that everyone who wants to prove their identity digitally can do so, not just people with a smartphone?

In answer to these questions, we developed and tested a set of standards and rules, the UK Digital Identity and Attributes Trust Framework. The framework places rigorous fraud management, privacy, cyber security and inclusion requirements on organisations, based on robust international standards. It’s been developed in conjunction with the National Cyber Security Centre, as well as other expert stakeholders such as the ICO.

Our work in this area became reality when we collaborated with the Home Office and Disclosure and Barring Service to allow digital identity services to be used for right to work, right to rent and DBS checks.

The right rules are important, but only helpful if we know they’re being followed. We needed a way of making sure providers met the robust standards of the trust framework and knew certification could be used to do this.

We all rely on certification processes to give us peace of mind. Knowing the person fitting your new boiler has a ‘Gas Safe’ certificate means you know they have the knowledge, skills and processes in place to enter your home and install a potentially dangerous appliance. Knowing that your digital identity product has been certified under the trust framework provides similar reassurance. You don’t need to understand every detail of the standards in place, but you can be sure that an expert has asked all the right questions, and that these experts are subject to checks too.

We’ve worked with the UK’s national accreditation body, UKAS, to make sure all identity service providers included in our Digital Verification Services register, which will list  organisations with trusted digital identity services, will be formally assessed against the UK Digital Identity and Attributes Trust Framework by Certification Bodies who are all currently undergoing accreditation with UKAS. They can then be checked again, at any time, through spot audits, fraud audits, exception or surveillance audits, including when any risks are identified in the system.

The Certification Bodies doing the audits have undergone DCMS certification and assurance and will be regularly assessed in the future as part of UKAS’s normal processes to ensure they are upholding the standards we have set out in the trust framework. UKAS itself is also subject to an internationally-recognised set of checks and balances to ensure it is upholding the highest standards in conducting its work. This international certification and accreditation ecosystem is robust and already underpins almost everything we buy and use in our daily lives.

People can be confident these checks and balances will deliver secure digital identity products that people and businesses can trust and use to make their lives easier. The well-established system of accreditation and certification, to which UKAS is so central, will underpin this trust, ensuring that the digital identity products we use comply with the standards we’ve created to be as secure as can be.