… time to set out a few personal thoughts on the independent Privacy and Consumer Advisory Group (PCAG) — and our work overseeing and advising the UK government on various items relating to privacy, identity and security.
PCAG (which I chair) consists of (unpaid) members from a variety of academic, civil society, business, government and consumer groups. They give considerable time and expertise for free, and bring a wealth of experience and expertise from a suitably diverse range of perspectives.
Sometimes we agree, and sometimes we don’t: the purpose is not so much to reach some kind of pointless “group think” consensus as to ensure a robust and sustainable approach to these complex, interwoven topics that will enable the delivery of better public services whilst respecting the need for strong privacy and security. Neither does participation in the group infer any “endorsement” of any specific aspects of government programmes such as the identity assurance scheme from the individuals or the organisations they represent — they are free to dissent or approve of what is happening, in total or in part, as they see fit.
Our focus is on ensuring that the UK government works to provide users (citizens, businesses and the ‘third sector’) with an easy to use, trusted, secure and privacy-compliant way of accessing public services. This will require users to have control of their own personal information; ensure that information is not centralised into a vulnerable single honeypot; and provide a choice of trusted organisations to use for online identity services. (I’m going to ignore here some macro issues, such as recent revelations about the mass interception of private electronic communications by various government agencies …. that’s a whole encyclopaedia worth of blogs and a subject I’ll return to elsewhere).
The group has worked for some time on developing a draft set of identity assurance principles. In June this year, the latest version was put out for consultation. This was our second round of public, transparent consultation (kindly facilitated by the Government Digital Service, GDS) following on from an earlier draft published in April 2012. This open process is intended to help ensure the principles are designed to the highest standard and that all voices have a chance to make themselves heard.
It was also useful that the Scottish Government provided input via their Identity Management and Privacy Principles, which suggest a close alignment between both the objectives and some of the means by which identity can be made to work in a secure and privacy sensitive way. (On a point of transparency, I should point out I may be hopelessly biased on this point since I was also one of the members of the expert group that earlier helped the Scottish Government develop their principles. Yes, yes, I know – I really must get out more.)
As an independent expert group, PCAG has a mandate to challenge and question, as well as to receive detailed explanations of both the policy intent and the technology being used and the systems and the architectures being developed. To be frank, we have no formal power: the group can advise, question, criticise and comment, but the government’s identity assurance programme (IDAP) team and others we engage with are free to take or leave our advice. In practice, however, we have found the IDAP team receptive to our inputs and critiques.
The principles are to a large extent about re-establishing trust — and build on the premise that personal data should be effectively protected from those who would seek to misuse it either by accident or by design. Whilst an updated version of the principles based on recent feedback will be published as a formal “1.0” release once we’ve had a chance to integrate the recent round of feedback, we have always seen them as a living, breathing entity that will continue to evolve in the light of practical experience.
The range of feedback we’ve received during the most recent public consultation period is diverse, so it’s taking time to collate and action. It also spans numerous categories: some feedback provides material, important clarifications and will be incorporated into an updated draft of the principles. Thank you for this — sometimes it takes others to see the wood when you’ve been standing far too close to the trees examining the intricacies of the patterns in the bark. Other feedback has related to the principles’ wider context, and recommended communicating better where and how they fit; whilst other comments highlighted minor grammatical/presentational aspects.
Many other comments provided a mix of alternative views on the progress of the government’s IDAP programme itself and hence fell outside the scope and role of PCAG. For example, some comments were actually questions about progress of the early alpha and beta services using the new approach to ID, or about the identity providers and the nature of their contracts with government, or about departments and their plans for early adopter services. These questions are for the IDAP team and their work with identity providers and departments on development and delivery, not PCAG. Whilst we take an active interest in the physical realisation of the system, it is the definition of, and compliance with, the principles that concern us — from the low level technical and computational level to the policy and regulatory level. We seek assurance that across all of these levels that the principles are being delivered.
Some other respondents appeared to misunderstand the context of the principles, and sought to cover related, but mature and well understood ground, about the nature of identity systems. It’s therefore worth me restating here that the principles are focused on the operation of a user-centric, privacy-compliant identity assurance service. Their purpose is not to cover the many other, well-worn aspects of identity: much of the foundation for the new service is already well understood and covered in the Good Practice Guides. Likewise, some comments about biometrics having been “missed” for example, seemed unaware that this topic is well covered in GPG 44 (Authentication Credentials in Support of HMG Online Services).
Such comments usefully flag again the important issue of how to ensure a better understanding of IDAP, the principles and the way they will enable users to interact in a trusted way with online public services. We have discussed with the IDAP team the need for better, clearer and simpler communication and some less technical documents that convey the purpose and nature of the programme and the principles — something akin to a Ladybird Book or a ‘101 on identity, privacy and security’ for those who would like or need to better understand.
I hope that we’ll be able to publish the revised and improved principles early in the new year — and thank all of you who found the time to respond. It’s much appreciated.