Digital identities washed up or kicked out?

In the wake of the wash-up that followed the announcement of the general election on 22 May 2024, plans for development of the UK’s digital identities regime have been delayed. However, the King’s Speech indicates new law to support digital identity verification remains on the Labour Government’s agenda.

A snap general election

Following Rishi Sunak’s call for a snap general election, a wash-up occurred where the UK government set about passing any pending bills seen as a priority before Parliament dissolved for the general election. Any legislation not passed during this two-day window would not progress any further through the legislative process and would be halted in its tracks.

One of the bills that did not make it through this wash-up period was the Data Protection and Digital Information Bill (the DPDI Bill).  The DPDI Bill, among other things, promised to establish the basis in law for a UK Digital Identity and Attributes Trust Framework to provide a clear structure for using and sharing digital identities.

How has the election impacted the proposed changes to digital identity verification?

The DPDI Bill had been progressing through Parliament before the general election was called and had reached the committee stage of the House of Lords. The DPDI Bill included reform of UK data protection legislation, particularly the UK GDPR. We have previously discussed the DPDI Bill in the context of digital identity verification in "Trust in Digital Identities" (Mills & Reeve, mills-reeve.com). Specifically, we commented on the fact that the DPDI Bill covered:

  • A new UK Digital Identity & Attributes Trust Framework (Trust Framework)
  • The creation and maintenance of a digital verification services (DVS) register for providers conforming to certain accreditation requirements
  • An information gateway to allow identity and eligibility checks to be made against data held by public authorities
  • Designation of a trust mark that can be used by accredited DVS providers registered on the DVS register

The collapse of the DPDI Bill was frustrating for those invested in its progress. However, the King’s Speech on 17 July 2024 announced the intention to introduce a new Digital Information and Smart Data Bill. The briefing notes provided by the Government confirm this will cover DVS, which “will help people and businesses to make the most of identity-checking technologies with confidence and peace of mind”.

It seems likely that the previous developments in the digital identity regime will be built upon rather than discarded. For example, we already have a beta version of the Trust Framework published. One of the things the beta version of the Trust Framework does not do is explain what governance arrangements are needed to make sure the Trust Framework is ready for use in the economy.  Instead, the question of governance has been the subject of consultation previously, the conclusions of which appear to be:

  • An interim governance function, named the Office for Digital Identities and Attributes (OfDIA), will be established.
  • The OfDIA will run the Trust Framework, and update its requirements to ensure they remain fit for purpose as technology evolves. It will work with the UK Accreditation Service and certifying bodies to own the list of trust-marked organisations and it will defer to existing regulators where a breach is covered by existing legislation, meaning, for example, that the OfDIA will signpost complaints and defer enforcement action relating to data breaches to the Information Commissioner's Office.
  • The OfDIA’s potential to bite will arise if a breach of the Trust Framework is not covered by existing law.  In serious cases the OfDIA may remove the non-compliant entity from the DVS register and retract its right to use the trust mark. The OfDIA is not expected to have powers to issue monetary fines or enforce compensation payments to affected consumers.

Much seemed to have been made of the fact that the Trust Framework was not mandatory under the DPDI Bill, meaning some care was felt to be needed to avoid disincentivising participation in the Trust Framework.

It is hoped that when the Government’s Digital Information and Smart Data Bill is introduced in Parliament, the Government’s plans in relation to DVS, the Trust Framework and the OfDIA will become clearer, particularly whether the Trust Framework will be mandatory.

Written by Alice Powell and Paul Knight
