3 minutes read

Digital identities washed up or kicked out?

In the wake of the wash-up that followed the announcement of the general election on 22 May 2024, plans for development of the UK’s digital identities regime have been delayed. However, the King’s Speech indicates new law to support digital identity verification remains on the Labour Government’s agenda.

A snap general election

Following Rishi Sunak’s call for a snap general election, a wash-up occurred where the UK government set about passing any pending bills seen as a priority before Parliament dissolved for the general election. Any legislation not passed during this two day window, wouldn't then progress any further through the legislative process and would be halted in its tracks.  

One of the bills that didn't make it through this wash-up period was the Data Protection and Digital Information Bill (the DPDI Bill). The DPDI Bill, among other things, promised to establish the basis in law for a UK Digital Identity and Attributes Trust Framework to provide a clear structure for using and sharing digital identities.

How has the election impacted the proposed changes to digital identity verification?

The DPDI Bill had been progressing through Parliament before the general election was called and had reached the committee stage of the House of Lords. The DPDI Bill included reform of UK data protection legislation, particularly the UK GDPR. We have previously discussed the DPDI Bill in the context of digital identity verification Trust in Digital Identities - Mills & Reeve (mills-reeve.com). Specifically, we commented on the fact that the DPDI Bill was covering:

  • A new UK Digital Identity & Attributes Trust Framework (Trust Framework)
  • The creation and maintenance of a digital verification services (DVS) register for providers conforming to certain accreditation requirements
  • An information gateway to allow identity and eligibility checks to be made against data held by public authorities
  • Designation of a trust mark that can be used by accredited DVS providers registered on the DVS register

The collapse of the DPDI Bill was frustrating for those invested in its progress. However, the King’s Speech on 17 July 2024 announced the intention to introduce a new Digital Information and Smart Data Bill. The briefing notes provided by the Government confirm this will cover DVS, which “will help people and businesses to make the most of identity-checking technologies with confidence and peace of mind”.

It seems likely that the previous developments in the digital identity regime will be built upon rather than discarded. For example, we already have a beta version of the Trust Framework published. One of the things the beta version of the Trust Framework does not do is explain what governance arrangements are needed to make sure the Trust Framework is ready for use in the economy. Instead, the question of governance has been the subject of consultation previously, the conclusions of which appear to be:

  • An interim governance function, named the Office for Digital Identities and Attributes (OfDIA), will be established.
  • The OfDIA will run the Trust Framework, and update its requirements to ensure they remain fit for purpose as technology evolves. It will work with the UK Accreditation Service and certifying bodies to own the list of trust-marked organisations and it will defer to existing regulators where a breach is covered by existing legislation. Meaning, for example, the OfDIA will signpost complaints and defer enforcement action relating to data breaches to the Information Commissioner's Office. 
  • The OfDIA’s potential to bite will arise if a breach of the Trust Framework is not covered by existing law.  In serious cases the OfDIA may remove the non-compliant entity from the DVS register and retract its right to use the trust mark. The OfDIA is not expected to have powers to issue monetary fines or enforce compensation payments to affected consumers.

Much seemed to have been made of the fact that the Trust Framework was not mandatory under the DPDI Bill, meaning some care was felt needed to avoid disincentivising participation in the Trust Framework. 

It is hoped that when the Government’s Digital Information and Smart Data Bill is introduced in Parliament, the Government’s plans in relation to DVS, the Trust Framework and the OfDIA will become clearer. Particularly whether the Trust Framework will be mandatory.

Written by Alice Powell and Paul Knight

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Contact

Paul Knight

+441612348702

How we can help you

Contact us