online citizen accounts

The idea of an online government account where we can see everything in one place has been kicking around since the late 1990s and the “” all-in-one portal. Despite several generations of government portals over the last 21 years (GIS, UKonline, Directgov, and now GOV.UK) we still don’t seem to be any closer to fulfilling that original vision.

HMRC’s online self-assessment portal for example looks almost identical to when it launched 14 years ago, in 2001, in that heady, optimistic flurry of early “e-government” services. Online government today still generally presents us with a set of silo transactions that mirror the paper-based processes that went before — despite the original plans to use technology to re-think and redesign government services.


Figure: HMRC’s self-assessment service some 14 years on

In this same time frame, even the high street banks have dragged themselves into the Internet age. They’ve gradually provided significantly improved services, through the use of PCs, smartphones and tablets, the deployment of chip and PIN cards and contactless payments, and quicker ways of transferring money electronically, such as Faster Payments. Partly as a result, total cash payments have been overtaken by non-cash payments.

In the best of the public sector we’ve seen organisations such as TfL (Transport for London) taking strategic advantage of these improvements to streamline and improve their own services, embracing the use of contactless payment for example.

Whilst the banks face similar challenges to government – including their complex brownfield IT estates with creaking mainframes in the back office – they’ve made meaningful progress in transforming their front-end operations. And even though the banks compete with each other, they’ve still managed to collaborate so that we can use our bank cards in any ATM and see our current account overdraft regardless of whether that machine is run by our bank, another bank or a third-party provider.

Making it happen – building on what’s in place

But just how accurate is this somewhat cynical view of how well government is handling technology to transform the way our public services operate? How hard would it be to now provide the type of online citizen tax account that the Chancellor mentioned in his budget? How far are we from realising that long-held vision of a more widely integrated online government account for citizens, and businesses, alike?

There’s been a lot of negative commentary questioning the ability of government to deliver the online tax service the Chancellor outlined. Much of the media commentary has focused on this becoming yet another project ripe for “government IT disaster” headlines. That it’s just a grandiose pipedream and will be far too complex to implement. Yet such understandable cynicism overlooks the infrastructure that the UK already has in place. The move towards the real time information (RTI) tax system implemented by HMRC over the last few years has already demonstrated how government can make much more rapid progress in delivering new services if it’s smart about how it works.

The implementation of RTI means that PAYE (Paye As You Earn) data now flows automatically into government. RTI’s success relies on the way in which it has aimed to integrate reporting obligations alongside the actual payments. For example, when an employer sends information about their employees’ salaries and deductions to government and simultaneously makes the actual salary payments to employees’ bank accounts, they fulfill all their obligations without the need for later reconciliation.

Whilst the interim, and incomplete, solution of RTI currently implemented by HMRC means in the short-term that employers haven’t been able to completely integrate payment and reporting, it does give a promising pointer for the future.

RTI interim

HMRC’s real time information (RTI), simplified view of current (interim) design

As the figure above shows, at present RTI data currently flows through two separate channels. For the 70,000 largest submitters, these two processes are automatically joined up by means of a “BACS hash”. This is a convoluted but workable solution that enables payments made over the BACS system to be verified and matched to employers’ payment declarations. This less than ideal interim solution was adopted largely because of representations from the payroll industry, who expressed concerns about changing both what was sent and the channel it was sent over. It’s intended as a staging post on route to the original fully integrated system.

The full solution for RTI envisages a much more streamlined re-use of the existing banking infrastructure. The UK’s banking network processes around 10 billion transactions each year (about ten times the volume of transactions that HMRC handles), with a combined value of about £5 trillion. It provides the central infrastructure for BACS Direct Debit and Credit payments and the Faster Payments Service, and connects the world’s busiest ATM network of over 69,000 machines.

The UK payments industry has already recognised that this existing central infrastructure easily has the capacity to carry the extra data required to meet government’s requirements (a meagre 18 characters per transaction). It has therefore publicly announced its commitment to work with the UK government to develop a strategic, complete solution that would replace the interim RTI phase — an initiative now nicknamed “Richer Data”.

HMRC richer data

The proposed “Richer Data” approach (the original strategic design for RTI)

The significance of these developments goes well beyond PAYE. Although the above Figure illustrates a payroll payment, the infrastructure would enable any payments and the information associated with them to flow regardless of the type of financial transaction. The architecture will enable not only transactions of interest to government, but will also enable businesses to include relevant data with other forms of payment, helping them rationalise and automate many of their other business processes.

Given these existing developments, the next logical step would be to enable citizens (and potentially businesses too) to login online to see and manage their data for themselves. Over the year we would be able to see in near real-time everything we have been paid as employees and all the taxes deducted. It would help to provide the type of experience we already have grown accustomed to with online banking, where we can keep track of our finances in near real time.

So the first step towards providing us with online government accounts should not be “a major IT project”, but a programme that enables us to access our existing data based on enhancements to the UK’s core national payments infrastructure — a programme not run as a “government IT project”, but a joint programme in partnership with those who currently own and run it.

HMRC could surface this information via their own portal, where they already provide other HMRC services, elsewhere on the GOV.UK infrastructure, or through other access channels. For logging in to such a government-based service, there’s already the old Government Gateway authentication system, although any new services are likely to use the replacement Verify identity assurance system to enable us to login as securely and easily as possible. Equally, another option would be for us to access this data through our existing secure, trusted and familiar online banking services — via online banking services for example, and to view or print the data at an ATM. It will be interesting to see whether we are given a choice of channels as plans for the citizen account develop.

Making it worthwhile

By making smart use of the UK’s existing payments infrastructure, within a fairly short time period we could have an online service that lets us see everything we earn and everything we have contributed to the government from an employee perspective. This would be a useful first step. We would be able to see in near real time our current year’s contributions and earnings and, over the years, we would begin to build up an historic record of our cumulative contributions and earnings. So far so good.

But this system would not provide a complete picture. Any other earnings, such as from savings, that do not go through PAYE would not appear. And our relationship with the state is not one-sided: wouldn’t it be useful to see any benefits or welfare payments being made to us too? After all, one of the other reasons for the implementation of RTI was to provide up-to-date information about employment and pension income so that the Department for Work and Pensions (DWP) can determine and adjust claimants’ Universal Credit awards.

What we ideally need is not a partial set of data, but an equivalent to our online bank accounts, showing monies in and monies out. It wouldn’t be much use only having part of the picture, of seeing what we pay into the system without the balancing information about how much we benefit too.

Surprisingly, enabling us to access this additional information needn’t be such a big subsequent step. The banks already send to HMRC the taxes deducted from our savings accounts. So this information could also be rolled into our citizen account. On the welfare side, DWP uses a duplicate of the same data gathered by RTI to help inform the calculation and determination processes that decide our entitlement to Universal Credit payments. So this data could be made visible in our online accounts too.

Given that much of the infrastructure and data already exist, in a fairly short space of time we could have an online service that enables us to view all of our earnings, our payments into government and our payments received from government. Over time, this would also build up into a useful lifetime record of our earnings, contributions to the state and receipts from the state. A true citizen account rather than only a partial and incomplete view.

citizen account mockup

A simple mockup of an initial citizen online account

Extending the model

Would this be enough? It would certainly be useful, but in some aspects it would also still be incomplete. What about other taxes, such as indirect taxation like VAT? For most of us, the tax we contribute via indirect taxes such as VAT will also be significant on an annual basis — as are other taxes or duties if we fly, drive, smoke or drink. It would be good to see all of this too, but how feasible would that be?

Not as difficult as you might think.

Part of the way that the “Richer Data” initiative will work is via the use of a financial data standard (likely to be based on an open standard such as ISO 20022). This would enable additional data to be carried alongside financial information – such as the additional payroll data that now flows with RTI.

For example, suppose we pay £12.00 using a credit card in a shop, which is actually £10 + £2 VAT. At the moment, when we receive our credit card bills we don’t see this breakdown, merely the gross amounts including tax and the total amount due: we lose insight into the amount of tax incurred in our daily lives. However, if these transactions used the ISO 20022 standard, both our credit card statements and the online citizen portal could reflect this breakdown, not just the total amount, as at present. It would enable us to keep track automatically of our VAT contributions. Indeed, it could conceivably cover all national or local government payments – council tax, parking and congestion charges, even library fines and prescription charges.

Given that many of these transactions already take place over the banking network, capturing this information could be automated using the same processes and data standards. In the same way, if we pay for an evening out in a pub or fill up our car with petrol or pay for a holiday flight, the data captured and shared back to us could also include other related taxes, such as beer, petrol and air passenger duty.

new payments infrastructure

How payments data could flow from e.g. retail outlets

This approach would enable the much-promised online citizen account to become a rich resource to us in terms of our interactions with the state. Yet a single “citizen portal” should not be the only option. As with the current ATM system, which lets us see our account balance anywhere we choose (even at a competing bank’s ATM) we should also have choice about what channels we can use to see and track our information. It shouldn’t just be accessible from a single government website: that would take us back in time to the sort of top-down design and massive, monolithic “government system” thinking typical of the late 1990s.

But whoah! Hold on a moment – won’t this system I’m describing also enable the state and our financial providers to know far too much about us in terms of where we shop, what we buy, how much we drink and smoke and so on?

Making it private and secure

Whilst a data rich online citizen account could be enabled relatively simply, and in an incremental fashion that avoids the “big bang” chaos of some previous government programmes, clearly there are significant privacy and security concerns that must be addressed.

Would we be happy for all of this information to be gathered and stored in a single place? It would be incredibly valuable data in the wrong hands, providing rich insight into many aspects of our private lives, where we spend and on what, and how dependent we are on the state. Inappropriately accessed and used, it would be a potentially toxic resource and effectively function as a confessional self-reporting system on where and how we live our daily private lives.

If we are to have a useful online citizen account, security and privacy need to be built into the system by design. It should aspire to comply with the sort of principles Kim Cameron set out in his “Laws of Identity”. The system must avoid the inadequate technical design of earlier government initiatives, such as the national identity register and its associated identity cards which based themselves on a simplistic model from the 1930s. Such systems demonstrated poor systems design and engineering, neglecting to use modern technologies that provide stronger data protection and hence enhanced levels of security and privacy.

It’s been possible, for example, to conduct a transaction such as confirming someone is a higher rate taxpayer or in receipt of child benefit without revealing anything else about them since at least the early 2000s [1]. Such techniques need to become commonplace rather than the sloppy “data sharing” approaches which assume personal data needs to be copied and shared everywhere, with the inevitable leaks and abuses reported so frequently by the media. Newer technology options, such as homomorphic encryption [2], blockchain [3],  certificate transparency [4] and ‘Guardtime’ [5] should also be robustly evaluated to see what potential role they could play in a secure, privacy aware and citizen-centric service.

If government applies good privacy and security engineering to an online citizen account, it would also have beneficial impacts on the wider financial system. It would raise the bar for example on the security used within banking and retail operations, which remains relatively leaky today. They too could move to take advantage of the more secure technologies that an online citizen account will require.

Such a system would also need to give us control over our personal data (in line with government policy).

government policy

Government policy on citizens’ personal data (source: Government Service Design Manual)

Better than that, it must also be engineered so that it is impossible for the system to hold inappropriate detail or enable anyone to reverse engineer our interactions without our explicit consent (or under due process of law). That is why ensuring the right technologies are engineered into the design before it is developed is essential. This would enable transactions to be verified and authenticated, and for data to answer questions such as “Is this person entitled to a tax credit?” but without any intrusive “panoptic” central authority holding all the details.

Such a system must also enable citizens to continue to use cash where they wish, but to obtain a point of sale receipt that enables them to manually enter records if they want to keep track of all interactions, including those that don’t use digital technology. (For insight into the potential dubious consequences of moving to a completely cashless society, this article is worth a read).

Many of us already interact with what is regarded as a generally safe, secure and ubiquitous financial system that we feed data into. After all, using online payments we’re becoming accustomed to services that let us transfer our hard-earned cash out of our own accounts and to a sequence of numbers that we trust to be the account of our intended beneficiary. We must be able to trust this system to protect our data and use it for the purposes we designate if we are going to increase our dependency upon it even further.

So all the components and technologies are in place, or in near-development, to make this vision a reality. A step-by-step approach can build on what is already there. It now requires a clear political commitment to ensure the whole design remains secure and privacy-friendly. The design of such a system must be done in the open, so that the UK’s expertise in privacy and security engineering can contribute, helping to review and improve the design. Building on the Cabinet Office sponsored private/public open collaboration on identity, represented by the OIX open forum, we also need a payment equivalent where payments standards and interoperability can be developed to meet these requirements, but with sufficient commercial incentives to maintain a competitive and innovative drive.

Where some of the necessary security and privacy technology is not quite ready for prime-time, government should play an essential catalysing role in encouraging further research and development – another good reason for working on this in the open. Not only will the citizen account then become an exemplar of how to create modern, secure and private citizen services – but it will also provide a unique competitive advantage to the UK, helping researchers, public services, and commercial and financial businesses to develop world-leading secure online computing and personal data models, technologies and products that will be in high global demand.

Wider benefits

There should be many other beneficial and far-reaching side effects to engineering the online citizen account well. For example, it would become simpler in real time to see other data, such as which major businesses are being subsidised by government – where employees are in receipt of tax credits to top up their low wages for example. Such information should also be easily accessible in the public domain.

insight into business data

Visibility of which businesses receive taxpayer subsidies

Such transparency would help inform the debate about the extent to which taxpayers subsidise apparently profitable businesses and enable better modelling of things like whether increasing the minimum wage to the living wage would produce a better outcome for all than business subsidies made via tax credits. Equally, it might be appropriate for government to consider reclaiming such taxpayer subsidies from a business’s annual profits. Without accurate and complete data, many such policy considerations are little more than a stab in the dark at the moment – but the moves towards a well designed system, with the right policy and engineering safeguards built in, would provide far wider benefits than just the immediate citizen account itself.

There are also likely to be considerable knock-on benefits to government’s own operations. It would make it possible, for example, to decide whether to continue to maintain two separate organisations with many duplicated functions, one which takes money from us (HMRC) and another which gives it back (DWP), with all the costs and friction (and citizen inconvenience and personal hardship) this artificial split can currently create. Given the type of data that RTI already collects and the type of data that would be available in a citizen account, it would be much simpler in future to have a single set of calculations that offset both deductions (taxes) and allowances (welfare). Doing so could improve the services we receive, cut their operational costs and inconvenience, and reduce the levels of fraud in the system.

The result is that government will progressively be able to streamline its own processes and organisation to better meet the needs of citizens and businesses, providing the type of digital transformation centred on improved public service design that we discuss in our book “Digitizing Government”. For the majority of citizens and businesses the administrative burden and frictional and human costs would reduce and government could better focus its efforts on those whose need more support and a helping hand — as well as homing in on those who intentionally fail to comply and contribute to our society.

Such a system should be incrementally developed, proven and improved over time rather than trying to do too much all at once. For example, we receive many other benefits from the state that are harder to quantify – from education to healthcare, policing to defence, and from road building to public transport. Working out how to determine the shared benefits we take from these will remain a much more complex challenge. But the route for the journey ahead is clear to see.

What we need now is a much better informed public debate about how such a system can be made to work in the best possible interests of us all. After all, this is not just about delivering another “government technology project”, but about addressing wider societal and policy issues too.


[1] See for example some of the techniques developed by Stefan Brands and his former company Credentica here.

[2] Homomorphic encryption

Homomorphic encryption is a form of encryption that allows calculations to be carried out on encrypted data. It generates a result that is the same as if the data had not been encrypted. This means, for example, that it is possible to perform calculations on financial data that has been encrypted without revealing the actual data. These characteristics make it useful for deployment in a system where a considerable amount of personal data is collected in one place – such as the proposed citizen online portal. It would potentially enable data to be encrypted and hence inaccessible to anyone except the owner (i.e. the citizen) but would still enable e.g. HMRC or banks to perform calculations on that data. As with blockchain technology (see below), it is not yet fully mature – but another area where government can play an important role in helping drive its development and adoption. You can read a bit more about it in this “American Scientist” article.

[3] Blockchain

A blockchain is a public ledger of all transactions that have ever been executed. It provides proof of all the transactions on a network and a full history of transactions. Transactions are entered chronologically in a blockchain and the blockchain database is shared by all nodes participating in a system so that no single node can ever be in the position of falsifying or tampering with it. The full copy of the blockchain has records of every transaction ever executed. It could be used to ensure that our transactions have happened and cannot be tampered with, yet it can also potentially retain a degree of anonymity – which is why it has provoked such interest with Bitcoin, the digital currency, since it enables secure financial transactions to take place without necessarily revealing who is involved in those transactions.

Within a system using blockchain technology, users can be identified only by their public keys. The mapping of a user to their public keys is held on that user’s node only and each user can generate as many public keys as they want, using each in a different context (such as a transaction with a particular retailer), and potentially also using one-time public keys to further reduce the risk of anonymity being compromised. These characteristics – proof that a transaction, such as a purchase or payment of tax, has happened, combined with potential anonymity – make it a candidate technology to be considered for use in a twenty-first century system. However, the ability to maintain anonymity may require better design than that currently used in the Bitcoin network, as this paper (PDF) points out, and its vulnerability to concerted manipulation by an adversary with sufficient computational power remain a concern. This piece is also interesting about its current limitations and (possible) future direction. Also it’s unclear how it can be much value outside the limited domain of natively digital assets such as Bitcoin. There’s no way to establish an immutable relationship between a physical asset (such as a property, food product or artwork for example): someone tampers with the physical asset (such as replacing it with an inferior food) and what does the blockchain tell you? Na-da. It’s become the pet project of those who don’t understand its limitations, and neglect to mention it does nothing to solve the hard real-world problems of trust, networks versus hierarchies, socioeconomic issues and social justice and a whole host of related issues on which we can better and more productively focus our attention.

[4] Certificate Transparency

This technology is centred on a public, verifiable, append-only log — see Ben Laurie’s 2014 post here.

[5] Guardtime

This technology provides real time detection and mitigation of integrity loss in network infrastructure. It aims to combat cyberattack and data breaches through the use of a blockchain-based digital signature system for real time validation of electronic data. See this PC Advisor article and this Wikipedia entry.

One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.