19 May 2021
ID please! What does the digital identity framework mean for data protection and for organisations?
By Faye Cheung, Researcher
The digital identity and attributes trust framework
In February 2021 the UK Government published its draft policy paper on a digital identity and attributes trust framework. The trust framework provides rules and standards for organisations that create, provide or use digital identity services. Therefore, the framework will be relevant to a large number of organisations from a wide range of sectors. These could include libraries, universities, shops selling alcohol or products with legal restrictions, banks, solicitors, and any organisation that wants to carry out pre-employment screenings before hiring someone new.
A digital identity is a ‘digital representation of who you are’, which you can use to prove your identity during interactions and transactions. These are not ID cards and the government is not mandating how the market develops these digital identities. Instead, the government’s framework only asks that they are safe and secure. In addition to digital identities the framework also provides for digital attributes, which can apply to individuals and organisations. For example, a Companies House company number or the number of employees in a company might be the type of attributes that an organisation may want to prove or demonstrate using a digital attributes service provider.
Pros and cons for data protection
Whilst digital identity and digital attributes systems can provide a more efficient solution to paper-based identity checks for both organisations and the public, they also raise issues about inclusivity and, of course, data protection and privacy.
The UK’s information rights regulator, the Information Commissioner’s Office (ICO), recently published a detailed response to the Government’s draft trust framework. The response, set out in a 20 page document, fundamentally supports the introduction of a digital identity and attribute framework because of the economic and privacy benefits it can bring in comparison to a system that relies on paper identity records.
Some of the privacy benefits might be seen with regards to purpose limitation and data minimisation. These are two key principles of the UK GDPR. Together they seek to ensure that only relevant data is processed and only with consent from the data subject. An example of how digital ID systems will support purpose limitation, as provided by the Department for Digital, Culture, Media and Sport (DCMS), is someone trying to prove their age in order to enter a bar. That person may need to show their passport or driving licence to do this, which entails that person divulging their name, date of birth and address to a member of staff. A digital system might allow the bar to scan a QR code from that customer’s phone to receive confirmation that the person is over 18 years old, without that person needing to show any irrelevant data.
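The bar scenario above, as an added illustration that is not part of the original post or of the DCMS framework: the provider reduces a full identity record to a single signed "over 18" assertion that could be placed in a QR code, and the bar's verifier accepts it only if it is genuine, unexpired and carries nothing beyond that one attribute. The shared key, field names and HMAC stand-in for a real signature scheme are assumptions, not anything the framework specifies.

```python
import base64
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone
# Constructed demo key shared by the provider and the bar. A real scheme would use a
# public-key signature so the verifier cannot mint assertions; HMAC is a stand-in.
PROVIDER_KEY = b"demo-provider-key-not-for-production"
ALLOWED_FIELDS = {"attribute", "value", "issued_at", "expires_at", "purpose"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_payload(payload: dict, key: bytes = PROVIDER_KEY) -> str:
    """Serialise a payload and append its MAC as '<payload>.<tag>' (QR-code ready)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{_b64(hmac.new(key, body, hashlib.sha256).digest())}"

def issue_age_assertion(dob_iso: str, today_iso: str, ttl_minutes: int = 5) -> str:
    """Provider side: emit only the predicate the bar needs; DOB, name and address stay put."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    issued = datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc)
    return sign_payload({
        "attribute": "over_18",
        "value": age >= 18,
        "issued_at": issued.isoformat(),
        "expires_at": (issued + timedelta(minutes=ttl_minutes)).isoformat(),
        "purpose": "age_check",
    })

def verify_age_assertion(token: str, now_iso: str, key: bytes = PROVIDER_KEY):
    """Bar side: True/False for over-18, or None if forged, expired or over-sharing."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = _unb64(body_b64)
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), _unb64(tag_b64)):
            return None
        payload = json.loads(body)
    except (ValueError, TypeError):
        return None
    # Purpose limitation: reject assertions carrying anything beyond the agreed fields.
    if (not isinstance(payload, dict) or set(payload) != ALLOWED_FIELDS
            or payload["attribute"] != "over_18" or payload["purpose"] != "age_check"):
        return None
    if datetime.fromisoformat(now_iso) >= datetime.fromisoformat(payload["expires_at"]):
        return None
    return bool(payload["value"])
```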
However, the ICO’s response expresses concern over whether organisations including public bodies and the government will draw a clear dividing line between the processing of data for digital identity verification purposes and all other purposes such as marketing or profiling. Not doing so would be a breach of the UK GDPR, but in addition to its regulatory work, the ICO is calling for the framework’s governing body to have a significant role in ensuring data used in digital identity is limited for this purpose in practice.
The ICO also emphasise the importance of ensuring that the UK GDPR accountability principle is embedded throughout any such digital identity schemes from the start. In particular the ICO highlight their expectations around undertaking Data Protection Impact Assessments (DPIAs) and argue that the Government themselves should be conducting these during this policy development stage. DPIAs may not apply to Government when acting in a policy-making capacity if they are not a data controller, but ‘given the scale and scope of the trusted digital identity system’, the ICO have stressed the benefits of the Government implementing an overarching assessment of privacy risks linked to the framework.
What should organisations know?
A key takeaway from the Government paper for organisations to consider is the introduction of the ‘trust mark’. The trust mark will be something that the public or businesses look out for in other organisations to demonstrate that they have been checked and certified against the standards set out in the trust framework. The trust mark system will be governed by a regulatory body that will be established by the Government. The trust mark is not just for organisations that are identity service providers but for organisations that use services or products from these providers. For example, if a library uses a service from a digital identity service provider, the library should want to obtain a trust mark in order to reassure its users that it is compliant with the trust framework, which requires compliance with data protection legislation.
This trust framework is in its alpha stage and there are issues that need clarification and development. DCMS will consult with privacy groups, industry and stakeholders and then incorporate feedback and publish an updated version of the trust framework. Testing will then begin with various sectors and organisations.
© Naomi Korn Associates, 2021. Some Rights Reserved. The text is licensed for use under a Creative Commons Attribution Share Alike Licence (CC BY SA)
Disclaimer: The contents of this blog post are based on the assessment of Naomi Korn Associates Ltd at the time in which the resource was created (May 2021). The contents should not be considered legal advice. If such legal advice is required, the opinion of a suitably qualified legal professional should be sought.