The snappily named “Identity Assurance Programme Privacy and Consumer Group” has been busy for some time now, debating and distilling a set of privacy-based principles to underpin the new UK Government identity assurance programme.
As Chair of the group, I thought it’d be a good time to share what this work has accomplished so far. With the important caveat that this is still work in progress and the principles have yet to be formally reviewed, finalised and – most importantly – adopted as an integral part of the programme. But great work has already been done.
So this is where we are right now in terms of a high level summary. I’d welcome all feedback on how these principles are shaping up – particularly anything missed or anything that could be improved.
THE IDENTITY ASSURANCE PRINCIPLE
SUMMARY OF THE CONTROL AFFORDED TO AN INDIVIDUAL
|1. The User Control Principle||Identity assurance activities can only take place if I consent or approve them|
|2. The Transparency Principle||Identity assurance can only take place in ways I understand and when I am fully informed|
|3. The Multiplicity Principle||I can use and choose as many different identifiers or identity providers as I want to|
|4. The Data Minimisation Principle||My request or transaction only uses the minimum data that is necessary to meet my needs|
|5. The Data Quality Principle||I choose when to update my records|
|6. The Service-User Access and Portability Principle||I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want|
|7. The Governance/Certification Principle||I can trust the Scheme because all the participants have to be accredited|
|8. The Problem Resolution Principle||If there is a problem I know there is an independent arbiter who can find a solution|
|9. The Exceptional Circumstances Principle||Any exception has to be approved by Parliament and is subject to independent scrutiny|
The above summary is intentionally designed to have clarity and to be easy to understand. Underpinning it is more precise detail of what these mean and how they are to be observed and implemented. I’d like to acknowledge the commitment, contributions and smart thinking and debate of the Privacy group, as well as the great support we get from the team in the Government Digital Service – it’s a real privilege Chairing, which isn’t something that I can often say about such roles.
I’m happy to share the full details of current thinking behind these principles here as well – but that will make for a long blog. So I’ll leave that for a future post if people would like to get into a much more detailed discussion….