The Data (Use and Access) Bill (DUAB) proposes wide-ranging and significant reforms to the existing legislative framework around data in the UK.
One of the key proposals in the DUAB centres around enhancing digital verification services (DVS) in the UK. The DUAB establishes a comprehensive framework for the provision of DVS, aiming to streamline and secure the process of identity and eligibility verification and enable digital identities and attributes to be used with the same confidence as paper documents. In this post, we take a look at four key points arising from the DVS framework, whether digital identity providers should become registered as DVS providers, and opportunities for businesses to leverage digital identity verification.
For a high-level overview of the DUAB and the new concept of smart data schemes, and the proposed reforms to the UK ICO and the UK’s data protection and ePrivacy regimes, please see our previous blogpost.
Four key points around DVS under the DUAB
1) New register for DVS
The DUAB proposes a legislative structure that provides for the establishment and maintenance of a register of persons who provide DVS. It is only possible to be registered if, among other things, the person holds a certificate from a relevant body stating that the DVS are provided in accordance with the new trust framework (described in point (2) below). By creating a digital register, the UK government aims to enhance the reliability and security of digital identities.
Among the benefits of being included on the register, the UK government proposes that there will be a ‘trust mark’ for use when providing or offering to provide DVS, which may only be used by those persons included on the DVS register, and registered persons will also have access to an information gateway (see point (3) below).
2) New trust framework
The DUAB also proposes a new ‘trust framework’, whereby the Secretary of State must prepare and publish the rules and standards for the provision of DVS. This framework is essential for maintaining high standards of security and trust in digital verification processes. The framework will include supplementary rules for specific use cases.
The current version of the ‘trust framework’ is the ‘UK digital identity and attributes trust framework beta version (0.3)’, last updated in July 2023. On 25 November 2024, the government pre-released the next gamma (0.4) version of the trust framework.
In order to be compliant with the trust framework, DVS providers must adhere to stringent rules on handling data privacy and security, including:
- not ‘profiling’ users for third-party marketing purposes;
- not creating large datasets that could risk revealing sensitive data about users; and
- explicitly confirming that users understand how their data is being shared, whenever this happens.
3) Information gateway
One of the pivotal aspects of the DUAB’s DVS registration regime is enabling public authorities to disclose personal information to registered DVS providers so that DVS providers are able to use this information as part of their verification processes. This reform is designed to improve identity and eligibility verification processes, making them more efficient and secure. Providing DVS providers with access to government-held data would make identity proofing easier, cheaper and more secure, and would enable a trusted digital identity market to develop in the UK.
4) Right to work and right to rent checks
Another significant reform proposed under the DUAB is the provision that allows the government to legislate the use of DVS providers for right to work and right to rent checks. Employers and landlords will be required to use the services of registered DVS providers who are noted in the register as complying with designated supplementary rules for these checks, ensuring that the verification processes are conducted by trusted and certified entities. The use of DVS for right to work checks can significantly reduce the time spent completing these checks. To minimise operational disruption, HR departments and organisations in the real estate sector should ensure they use a ‘registered’ DVS provider.
Should you become a registered DVS provider?
The government’s preferred approach indicates that while it is not mandatory for digital identity companies to be part of this governance framework, only those certified against the trust framework can perform checks against government-held data via the information gateway, or provide right to work and right to rent checks. This certification will ensure that only compliant organisations can become registered and so use the information gateway to access sensitive personal data, which provides a clear incentive for DVS providers to become certified for compliance with the trust framework.
If you are interested in becoming a DVS provider once the new DVS regime becomes applicable, you must first obtain a certificate from an accredited conformity assessment body confirming that your services comply with the trust framework. Once you have this certificate, you can apply to be registered on the government-maintained DVS register, following the process that will be determined by the Secretary of State. It is important to ensure that your services continuously meet the standards of the trust framework to maintain your registration and avoid penalties or removal from the register.
However, DVS providers must review their business model carefully before opting to be certified. For example, under the trust framework, DVS providers must not create aggregate data sets that could reveal sensitive information about users, or ‘profile’ users of any age for marketing purposes.
Opportunities for businesses to leverage DVS
Businesses that require identity verification (eg for age verification or know your customer purposes) may wish to consider opportunities to leverage third-party DVS providers instead of carrying out such functions in-house. In addition to reducing the data protection risks associated with collecting, processing, and storing personal data for identity verification, such third-party providers may increase the speed and efficiency of such processes and reduce risks associated with processing errors.