Identity anarchy in the UK

It’s good to see the UK government moving on digital identity again, following many years of drift and uncertainty.

It became clear several years back that the previous strategy for England and Wales, heavily centred on the GOV.UK Verify service developed by GDS, was effectively dead. It’s a shame that so much time was lost. My friend Frank Joshi has written eloquently about the enduring frustration and disappointment of the tech industry.

But there’s more energy and appetite now in government to tackle digital ID than I’ve seen for many years. Perhaps that’s not saying much, but nevertheless let’s hope this moment won’t be wasted.

Digital ID is a fundamental pillar of the digital economy, which relies utterly on trust. We must establish a functioning ecosystem if we don’t want to risk the UK’s economic recovery from Covid and Brexit shocks.

Even more importantly, to my mind, are the increasing issues of digital exclusion affecting citizens who don’t have the paper credentials that digital services rely on to identify them – passports, driving licenses and so on – so called “thin-file” citizens.

Often these are citizens who are vulnerable in other ways: think homeless, elderly and isolated, irregular immigration status. Things can go very badly wrong for socially excluded people when they’re not able to prove their credentials, as we learnt from the Windrush scandal.

This is a particular challenge for local government to address (I wrote about some of those issues in my report for Think Digital Partners.) But DWP, the Home Office and other central government departments also have a special responsibility to these citizens.

The debate about digital ID has always been politically difficult across the UK. There have been long-standing fears about privacy and possible government over-reach. Remembering the strong historic opposition to ID cards, that has translated into a push-back against centralised digital ID schemes based on a single citizen database.

This is why governments over the past decade have consistently tried to implement a so-called federated approach to ID, which allows citizens to be identified without relying on a database that consolidates lots of data about them in one place.

Whilst GOV.UK Verify took that approach, it was ultimately not flexible enough to cater for all the digital services offered by government, let alone the wider public sector or the private sector.

Instead, the UK government is now developing a trust framework which will set standards and rules for digital identity across the UK. Any organisation will be able to use this to develop digital ID verification services, based on credentials that most people have, such as passports, driving licenses, and beyond. We’re expecting the first draft of that framework soon.

Changes to the legal framework are also expected to make it easier for people to use digital credentials in secure transactions, where today you might have to go in person to sign physical documents.

Government has published further principles for the trust framework based on privacy, public trust and confidence, transparency and so on. The minister Matt Warman referred to these as “British values”, which suggests a certain level of political sensitivity about the international dimension.

Ultimately, the standards we end up adopting in the UK will need to work across international borders and – given the facts of our geography – interoperability with the EU’s EIDAS regulations is an obvious necessity. Or should we expect that project to be scuppered by anti-EU parliamentarians who view interoperability as an encroachment on sovereignty?

Maintaining regulatory oversight of the digital ID landscape within the UK itself may be difficult.

The federated path we’ve chosen, for better or worse, is more complex than a highly centralised system as you have in countries like Estonia. The user experience will be more fragmented. There will inevitably be dependencies between public and private sector bodies which might not always be clear, creating additional risk. And even here we are assuming that the differing approaches and schemes in England and Wales, Scotland and Northern Ireland will play nicely alongside each other.

This complexity slows adoption of digital ID. And pace is another challenge.

We know that some within government believe that not having a centralised ID scheme was a mistake. The pandemic has reminded us that, at times of crisis, citizens expect government to have the levers of control necessary to move quickly in keeping their populations safe.

Because of that, I wonder whether we might see something looking more like a centralised scheme covering the NHS emerging over time. After all, the NHS number which nearly everyone in England, Wales, Scotland and Northern Ireland has is probably the closest we have to a universal citizen ID in the UK.

In fact the NHS Central Register in Scotland is already used by Scottish local authorities for citizen ID purposes, and there was an (unsuccessful) attempt in 2017 to extend its use to the whole of the Scottish public sector. And Northern Ireland has just announced plans for a single digital ID covering health and social care, based on citizens’ Health and Care Number records.

In the wake of Covid, there might be public appetite for something simple and universal to support more joined-up care. Or even Covid passports. The general public can be surprisingly relaxed about sharing personal data online with private companies – and trust in the NHS is very high. Perhaps government will seize the moment. We will see.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s