arturas kerdokas - Fotolia
Government publishes second version of digital identity trust framework
The second iteration of the framework, still in alpha version, sets out how organisations can become certified digital identity service providers
The government has published the second iteration of its digital identity and attributes trust framework, setting out how digital identity providers can become certified.
The framework, which is still in alpha version, will eventually be brought into law, with the aim of making it easier for people to use digital identity services in the knowledge that it is safe to do so.
It comes after the first version of the framework was published in February 2021, followed by a consultation launched in July.
The government plans to appoint the UK Accreditation Service (UKAS) to accredit certification bodies that will manage the process.
It is also looking at the potential of introducing a “trust mark” for companies to demonstrate their conformance with the framework.
The framework document said that the majority of organisations involved in the consultation were supportive of having a “trust mark”.
“When questioned whether one consistent trust mark or variations to show the role, scheme or level of assurance relevant to that organisation would be preferable, there was a strong consensus that a single trust mark would be most useful in building user trust and recognition,” the document said.
“Understanding the target audience for the trust mark, whether that be organisations or members of the public, was also highlighted as important. We plan for the trust mark to serve a dual purpose across both those groups.”
The framework highlighted other considerations for going forward with the trust mark, especially around the risk of “fraudulent use by criminal groups”.
“While there is already legislation in place to deter such activities, it is recognised that it may be difficult to identify and take down scams quickly. One planned action is to ensure a published list of trust-marked organisations is available publicly for transparency. We will explore additional protections as we move closer to implementation,” the framework document said.
Accreditation by the governing body will not be mandatory for digital identity providers, but firms will not be given access to government datasets unless they take part. Possible homes for the governance function include the Information Commissioner’s Office and the Competition and Markets Authority.
Organisations wanting to be certified can participate in the trust framework in several ways, either by themselves as a single organisation, by setting up a scheme for multiple organisations, or in joining an existing scheme set up by another organisation.
“A scheme is made up of different organisations which agree to follow a specific set of rules around the use of digital identities and attributes. These organisations might work in the same sector, industry or region, which means they will build products and services for similar types of users,” the framework document said.
All identity providers also have to use the guidance set out on how to provide and verify someone’s identity. The government wants the approach to be flexible, allowing organisations to continue to develop and iterate new services to meet user needs.
“This will help to enable interoperability and assure relying parties that providers are meeting the level of confidence they require. The guidance will remain as best practice and will be iterated as required during the testing of the trust framework,” the document said.
Digital infrastructure minister Matt Warman said the government was creating the digital identity framework “so people can confidently verify themselves using modern technology and organisations have the clarity they need to provide these services”.
“This will make life easier and safer for people right across the country and lay the building blocks of our future digital economy,” he said.
Organisations interested in taking part in the next stage of the alpha testing are invited to express their interest.
“Once the cycle of alpha testing is complete next year, we will move to the more dynamic beta phase – facilitating the secure checking of data in real-world scenarios through sandbox-style testing. The details of this testing will be shared at the earliest opportunity,” the framework said.
“The full trust framework will go ‘live’ once the legislative and governance measures are implemented. In the interim, we will support the proliferation of digital identity services to enable them to transition smoothly to the national framework.”
Read more about the government and digital identity
- DCMS wants stakeholders to offer their views on proposals for a new governance regime and expanding access to government-held datasets for identity verification.
- DCMS meets with suppliers to discuss plans for a trust framework to show ‘what good looks like’ as it ploughs ahead with digital identity plans.
- Draft digital identity framework published by the UK government highlights the importance of learning from the private sector and existing standards to accelerate deployment and citizen adoption.