The snappily named “Identity Assurance Programme Privacy and Consumer Group” has been busy for some time now, debating and distilling a set of privacy-based principles to underpin the new UK Government identity assurance programme.
As Chair of the group, I thought it would be a good time to share what this work has accomplished so far, with the important caveat that this is still work in progress and that the principles have yet to be formally reviewed, finalised and, most importantly, adopted as an integral part of the programme. But great work has already been done.
So this is where we are right now, as a high-level summary. I would welcome all feedback on how these principles are shaping up, particularly anything missed or anything that could be improved.
| THE IDENTITY ASSURANCE PRINCIPLE | SUMMARY OF THE CONTROL AFFORDED TO AN INDIVIDUAL |
|---|---|
| 1. The User Control Principle | Identity assurance activities can only take place if I consent to or approve them |
| 2. The Transparency Principle | Identity assurance can only take place in ways I understand and when I am fully informed |
| 3. The Multiplicity Principle | I can use and choose as many different identifiers or identity providers as I want to |
| 4. The Data Minimisation Principle | My request or transaction only uses the minimum data that is necessary to meet my needs |
| 5. The Data Quality Principle | I choose when to update my records |
| 6. The Service-User Access and Portability Principle | I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want |
| 7. The Governance/Certification Principle | I can trust the Scheme because all the participants have to be accredited |
| 8. The Problem Resolution Principle | If there is a problem I know there is an independent arbiter who can find a solution |
| 9. The Exceptional Circumstances Principle | Any exception has to be approved by Parliament and is subject to independent scrutiny |
The above summary is intentionally designed to be clear and easy to understand. Underpinning it is more precise detail of what these principles mean and how they are to be observed and implemented. I would like to acknowledge the commitment, contributions, smart thinking and debate of the Privacy group, as well as the great support we get from the team in the Government Digital Service. It is a real privilege chairing this group, which is not something I can often say about such roles.
I am happy to share the full details of the current thinking behind these principles here as well, but that would make for a long blog post :-). So I will leave that for a future post if people would like to get into a much more detailed discussion.
Great start and good to see the principles in place before the technology solution.
Some thoughts, not omissions, but more thoughts on how to remove ambiguity in practice. My thoughts are on how to close current gaps and loopholes that providers exploit.
1) Prin5 – this allows data to be provided by post, on paper and in a form that may be unreadable or not show how the data is being used. Can this be clarified so that data is not only available, but viewable at any time? What about, ‘I can see my data at any time’? I can see who is using my data at any time.
2) Prin5: Needs to show not just data, but also data use with relationships also being shown?
For example, if I share data with DVLA, I want to know if they share this with clamping companies and be able to delete not the data from DVLA, but the relationship and access to the data from the clamper.
3) Prin8: Arbitration requires timely resolution.
4) Prin6: What about being able to delete not just my data, but my identity from a provider? There needs to be a cost for misuse, so if trust is fundamentally broken, the organisation cannot carry on without consequences. If a bank compromises my identity, I want to not just stop using the bank, but completely sever relationships.
5) Prin6: Add ‘easily’ or ‘simply’ to move/remove my data. No point having this, if you cannot apply it due to complex, slow, expensive processes.
6) ‘I choose when to update’ – could be clearer. Should this be something on ownership, or primacy of data sources?
7) Is there anything about security, governance or responsibility – or is this embedded?
8) Who owns the identity?
It would be good to see some thoughts on use cases and how the principles would work – in particular how they learn from/improve on current problems. Can we take a number of recent identity problems and apply the principles above and see what would be different?
“By their enemies shall ye know them”.
These principles get in the way of the business models of major players whose operations are hosted off-shore and who pay little or no tax in the UK.
Are they therefore the basis for making the UK the most trusted global location for operations to serve high-worth individuals around the world – leaving those based on selling our personal data to whoever pays best to lesser nations?
Hi Gerry:
It’s good that you are busy with this, and that there is now a willingness in government to sort out the principles before spending mega-bucks. I, for one, would like to see the detail behind the principles, and also know more about how your working group is constituted and operates.
One general comment to begin with. The Cabinet Office seems to be fixated by the term ‘identity assurance’ despite the fact that – when the necessary architectures are thought through – it becomes apparent that legal identity is just one of many attributes over which the individual can usefully be given better control. Others include: proof-of-age, licences, qualifications, memberships, tickets, access rights, certificates, etc. While acknowledging the risk of scope creep, would it be possible to modify the wording of the principles to encompass this fact? Because only when a problem is seen and described properly can it be addressed.
I also have some detailed comments about the principles, but step by step.
Principle 7 is badly worded, since trust is a multi-dimensional concept, is subjective, and depends upon more than mere accreditation. People might trust the scheme because their friends use it. They might not trust the scheme because they don’t trust the accreditation authority. Principle 7 might be better worded by removing the word trust. How about “All the participants have to be accredited, so that gives me more confidence that they will behave professionally”.
Principle 5 is not complete, since it depends upon both the subject and the controller agreeing to the updates. It might be better worded as “I choose when to update my records, accepting that the identity provider will validate the data first before committing to the update”.
Useful inputs, many thanks. Aiming for clarity at the high level, while removing ambiguity, is a challenge. And much relies on the scope and precision of underlying definitions: there are many semantic interpretations and re-interpretations in the world of identity, most of which have been chinwagged over endlessly for more years than I care to recall… The scheme will have definitions with precise scope – but overall the term “Information Assurance data (IA data)” means any recorded information that is connected with a “Service-User”, so includes “Personal data”, “Audit data”, “Relationship data”, “Attribute data”, “Identity data”, “Transactional data”, etc.
More of the background detail here soon(ish)…
Excellent first draft, clear and concise. In addition to the points made above I would add:
A. An individual should be able to act as their own Identity provider if they are equipped with the required data attributes and proofs of claim from the attribute providers
B. An individual must be the owner of their identity. Therefore other participants that provide a level of assurance concerning aspects of their proofs of claim surely must be an identity assurance service provider. It may be semantics, but I think over time giving precise definitions to the roles of participants in the scheme being envisaged will be critical.
C. We are in essence seeking to provide a trust framework built on evidence relating to many aspects of a person’s life, not just identity. As John states, proofs of claim regarding education, age and specific rights someone holds are all important data points that, when combined with irrefutable evidence that a person transacting digitally is the same person acting physically, form an important goal these principles need to underpin. We are in essence wanting to make it possible for an individual to acquire and prove a digital and physical identity that is under their control and verified for use in whatever context they choose to, or choose not to.
The individual therefore has to be a participant in the scheme being developed not just the subject of it.
Well done