I’ve had many requests for updates on progress with the status of the identity assurance principles intended to underpin the new UK government identity assurance scheme. So I thought I’d post a brief interim update on how things are going with the excitingly named Identity Assurance Programme Privacy and Consumer Stakeholder and Communications Group (a group of independent experts in all things identity, privacy and security related, spanning their legal, technology and citizen implications), which is providing advice to the Cabinet Office.
Mike Bracken, Executive Director of Digital in the Cabinet Office, posted a draft version of our work in March of 2012, as part of the open and transparent process of sharing progress and soliciting feedback on improvements. I also posted them here, although perhaps not in the most readable of formats.
Since that time, the group has been active on looking at feedback, inviting in various government departments and others to review their work, and generally trying to improve the principles to ensure they are pragmatic, useful and consistent, but most of all to ensure they will help build trust based on privacy, security and identity best practice.
We’re at the stage now where I hope the principles will soon be formally republished in their latest form — watch this space. There are no major changes, mainly just clarifications in an endeavour to ensure they are understandable even when discussing some of the arcane complexities that emerge in this space. The intention is that the principles will be applied to the IDA scheme: that all suppliers on the framework for Identity Assurance and all government organisations will conform with the IDA Principles (as they are equally required to comply with government security and other best practice guidance).
In any case, the principles are never likely to be ‘final’ and carved into stone never to be changed again. They will need to be a living and breathing thing, able to deliver their core intent over time, but equally able to flex and adapt based on real life feedback and the ever-changing nature of the interplay between privacy, security and identity — and trust.
On a related note, the Government Digital Service (GDS) recently published the “Good Practice Guide (GPG) 45 – Identity Proofing and Verification of an Individual” which is also worth a read. So is the earlier GDS overview of what they are working towards, together with some of the embedded links.
In the meantime, the principles as set out in March of last year are still a good steer — and as soon as it is agreed, the updated version will appear here and in a variety of more ‘official’ places too.
Transparency disclosure: I am the Chair of the above-mentioned Identity Assurance Programme Privacy and Consumer Stakeholder and Communications Group and writing this in a personal capacity that reflects no formal views of either the group or the Cabinet Office.