The Cabinet Office has announced plans to update legislation so as to allow departments to more easily share a greater range of citizens’ personal data – potentially including the most highly sensitive details.
The legal tweaks are intended to support the delivery of One Login – the new system for accessing public services that will be rolled out across government over the next two years.
The proposals, unveiled this week, would see 2017’s Digital Economy Act amended to add “identity verification” as a specified “objective” for which departments would be legally allowed to share personal information. The law would also be updated to “enable public bodies to share a wider range of specified data than is currently possible”.
The amended legislation would include four named agencies that the government intends “will either hold data to verify an individual’s identity and/or help to deliver the identity verification service”.
This includes the Cabinet Office itself – home of the Government Digital Service, which is delivering One Login – as well as the Department for Environment, Food and Rural Affairs, which “manages a number of services which will offer the identity verification service to individuals so they may access their services”.
The Disclosure and Barring Service – which carries out checks of citizens’ criminal records – will also be green-lit to share personal data under the updated legislation, as will the Department of Transport, chiefly through its executive agency the Driver and Vehicle Licensing Agency.
The personal data that will be shared by agencies as part of the expanded sharing regime could include: full names; dates of birth; details of income; photographs; driving licence and passport information, and any other government-held data; home addresses and other contact information; and of details on previous identity checks and login attempts.
“Other data items may be processed as identity verification services develop,” the proposals said. “This may include special category data.”
So-called "special category data" includes information which could reveal an individual's race, ethnicity, political or religious beliefs, as well as genetic and biometric data, information on trade-union membership, and details of a person’s sex life and sexual orientation.
Public authorities will, however, “process the minimum number of data items… necessary for verifying the identity of an individual”, according to the government.
The Cabinet Office has launched a public consultation on the intended legal changes, with responses open until 1 March.
In the consultation’s foreword, Alex Burghart – the latest minister to hold responsibility for the digital government brief – said that the expansion of data-sharing powers “would make it easier for citizens to prove who they are online when accessing government services”.
“Inclusion is at the heart of GOV.UK One Login,” he said. “The proposed data-sharing legislation will ensure that more people than ever before will be able to prove their identity online and access government services, so that anybody who wants to use online services is able to.
"Furthermore, the government is committed to realising the benefits of digital identity technologies without creating ID cards. GOV.UK One Login and the proposed legislation will ensure the government continues to drive inclusive digital transformation, to level up opportunities across all corners of the UK, and deliver brilliant public services.”
The knowledge
The referencing of data held by organisation to confirm a user’s identity is an example of so-called knowledge-based authentication – which can be used as a secondary layer of login security, or as an alternative route when a user forgets their credentials, or if they do not possess a form of identification that might otherwise be used for verification.
Newly published commercial documents reveal that, on 25 November, GDS signed a deal with Experian for the “provision of a cloud software solution to facilitate knowledge-based verification questions to users and validated responses to GDS”.
The deal is expected to be worth £7m to the credit-reference agency over the course of its initial two-year term – which can be extended by two further 12-month periods.
The text of the contract reveals that, in June 2022, GDS and Experian had signed a temporary “bridge contract” for the delivery of knowledge-based verification services; this deal has now been terminated and replaced by the two-year engagement that began in November.
Experian is also contracted to provide the One Login system with an “email and phone validation service” and “identity fraud checks”, under the terms of two other contracts awarded to the firm by GDS in July. These deals each run for an initial two-year team, with a cumulative worth of about £11m.
An initial tranche of five government services adopted One Login on a pilot basis in September. All departments are expected to finalise a “roadmap” for adopting the new system by March of this year – with the target of ubiquitous uptake by 2025.
In providing a single, unified means of accessing all government-delivered services, the platform is intended to replace a total of 191 separate accounts currently in use across departments – incorporating 44 discrete login methods.
Sam Trendall is editor of CSW's sister title PublicTechnology, where this story first appeared