Trust in Digital Identities
The issue of digital identities is a hot topic within the UK technology sector and the government has introduced proposed legislation to tackle some of the issues digital identities present.
What do we mean by Digital Identity?
A digital identity is a digital representation of your identity, like your name and age, which can be used as an alternative to physical ID such as passports or bank statements. Digital identities can also include biometric information, such as your fingerprint or face scan.
The case has been made by the likes of techUK that digital identity safeguards are key to unlocking the full potential inherent in a thriving UK digital economy. This is because online fraud has a detrimental impact on people’s willingness to engage with digital innovation, but adoption of secure, regulated, digital identity solutions can play an important part in reducing online fraud.
New legislation
In March 2023, the Data Protection and Digital Information (No.2) Bill (DPDI Bill No 2) had its first reading in Parliament and the previous Data Protection and Digital Information Bill (DPDI Bill No 1) was withdrawn. Much of the focus on these Bills has been on reform of the data protection legislation, particularly the UK GDPR. However, the DPDI Bill No 2 also sets the legislative basis for:
- a new UK Digital Identity & Attributes Trust Framework (Trust Framework)
- creation and maintenance of a digital verification services (DVS) register for providers conforming to certain accreditation requirements
- an information gateway to allow identity and eligibility checks to be made against data held by public authorities
- designation of a trust mark that can be used by accredited DVS providers registered on the DVS register
The DPDI Bill No.2 is expected to come into force at some point in 2023.
Some benefits and challenges
We’ve been working on a major procurement of a digital credentials solution recently. Digital credentials are awarded to prove someone’s qualification or achievement. In the absence of an established Trust Framework, we’ve found some provider resistance to make commitments about the interoperability of their digital credentials solution with other systems. Establishing a set of rules that must be met to join the DVS register and to enable organisations to use the trust mark should encourage more interoperability within the digital identity market, including in the context of digital credentials.
The digital identities ecosystem is comparatively complex, with a variety of different types of organisations involved. Examples include:
- identity service providers
- attribute service providers
- orchestration service providers
- relying parties
- scheme owners and users
Explaining to users how their data will be used, and by who, in a manner that is easily understood will require skill. It will be important this is done effectively, both to comply with data protection legislation and to ensure public confidence in the new Trust Framework and the trust mark.
A new Office for Digital Identities and Attributes is expected to oversee security and privacy for digital identities and the Trust Framework – tech businesses wanting to participate in the digital identities ecosystem are advised to look out for further developments on this.
Written by Paul Knight and Alexandra Ranaghan