Updated Identity Assurance Principles for the UK Government

We’ve been making good progress at the Privacy and Consumer Advisory Group (PCAG) on reviewing the work of various government departments — everything from the Identity Assurance Programme (IDAP), to the “big data” work of the Office of National Statistics, to the “data sharing” proposals, to electoral transformation and other programmes.

I’d like to acknowledge the very open way that most of the government teams have engaged with PCAG — and that even where discussions may have become “full and frank” they have always remained constructive. The Minister for the Cabinet Office, Francis Maude, has also been very supportive of our work, part of the reason its scope has expanded considerably from our earlier focus on identity assurance.

Of course, as an independent advisory group we don’t have any “power” in the sense of a veto over the work of the various government departments — but in general most people we’ve engaged with have understood the sense in applying best privacy and security principles to their work, rather than leaving it full of holes or subject to large-scale public suspicion. It helps that the government’s Technology Code of Practice has as part of its Point 6 the requirement that “Users should have access to, and control over, their own personal data.” Indeed, some programmes — such as the NHS care.data programme — might have avoided some of their problems if they’d observed this policy in the first place…

We’ve just formally submitted our updated Identity Assurance Principles (.pdf) to the UK Government’s IDAP team. They will provide their public response in due course once they’ve had time to consider them and their impact on their work. These updated Principles follow on from PCAG’s earlier work, and our subsequent open consultation.


2 comments

  1. It is important for Identity Assurance Services to avoid facing Service Users with the same problem that faces users of Chip&Pin cards when they are blamed for apparent use of their cards actually carried out by criminals.

    So if an Identity Provider erroneously informs a Service Provider that someone who impersonates me is in fact me, I should carry no risk (or burden of proof). The principles seem to make no provision to deal with this problem, and appear to assume it cannot occur.

    (And please replace “infers” with “implies” on page 6!)
