UK digital identity program stalls, DCMS calls for industry support at OIX
Digital identity products are live in the UK, but industry help is needed for the country to build momentum for its digital identity-powered future, heard the industry at the second OIX (Open Identity Exchange) Conference, Identity Trust 2022, in London. A few days later, the government pauses the Data Protection and Digital Information Bill (DPDI, sometimes referred to by its previous name, the Data Reform Bill) that would make it happen.
‘Are you ready for digital ID?’
‘Yes’ appeared to be the most straightforward answer to the subline of the OIX conference title. From relying parties to identity verifiers to estate agents, everyone in the industry in the UK is ready. ‘Tough’ would be the response from the government a few days later.
“I feel like we have moved on a bit since last year,” Hannah Rutter, Deputy Director for Digital Identity at the Department for Digital, Culture, Media and Sport (DCMS) told the auditorium, as she launched into all the progress.
Four days later, her new boss, Michelle Donelan, secretary of state for DCMS in new Prime Minister Liz Truss’s reshuffled cabinet, announced that the DPDI Bill has been paused. The announcement came not in Parliament, but at the Conservative Party Conference, reports TechCrunch in an excellent run down of the Bill’s fate.
Donelan’s reason for the pause is to create time to come up with a different way to replace UK GDPR. In this way, the Bill’s content for digital identity suffers collateral damage. Donelan was unable to provide any suggestions for a new replacement, but it will be all things to all people ensuring data adequacy while being “truly bespoke” and “British.”
Truss is also to make “tweaks” to the high-profile Online Safety Bill.
Back at the OIX conference, the timeline for the Digital Identity and Attributes Trust Framework and passage of the Data Protection and Digital Information had not been as prominent an issue during the conference as some might have expected. A secretary of state pause had not been foreseen.
The DPDI Bill has had its initial reading in the Houses of Commons and Lords, since when the government has absorbed itself entirely in a crisis of its own making.
The Bill is needed to underpin the trust frameworks and certification process, so that users can know that a service is trustworthy. It would also enable government agencies to make their datasets available to be checked against.
DCMS: progress on AML, live use, industry/government collaboration
A theme that developed throughout the OIX conference was that the technology is there, digital identity exists in the UK and it has ventured onto the streets and into people’s pockets. But these are still specific use cases and pilots. When it comes to mass use, companies are going to have to risk being the first (or second) to adopt the technology.
The industry needs to help them understand why they should and why government departments should. And that someone is going to have to tell the public what it is all about. The latest DCMS announcement has brought more confusion, not less.
There have been other more pro digital identity events on the national calendar. The conference was just two days before new use cases would go live: remote right to work, right to rent and background checks (via the government Disclosure and Barring Service, DBS) would all need to use digital identity (not emailed scans of credentials).
In charge of making sure digital identity can be used across the economy, Rutter explained that 45 companies have passed through self-assessment against the Digital Identity and Attributes Trust Framework, which allowed more insight and data on use and conformity that has helped push it into Beta testing. Five certification bodies got up and running in nine months which have approved 12 products.
AML regulation could be seeing some changes, according to Rutter. “You’ve got to do more on money laundering,” she said, referring to feedback heard about legislation for financial service so far asking to “get things moving.”
“We’ve always said you can use these products to fulfil your anti-money laundering things, but we have heard that we want further clarity on that, that that needs to be clearer, so we’re working really hard with our Treasury colleagues and they have committed to consider amending the anti-money laundering regulations to ensure much greater clarity on this issue and to directly refer to the Trust Framework as a part of that process.”
The framework is being benchmarked against systems in other areas such as the EU and Canada, and perhaps most extensively with Singapore as the two continue to see how far they can go with mutual recognition.
The Governing Body for Digital Identity is still “being incubated” by DCMS on behalf of the government in general “to see what it needs to do and how far it needs to grow to create the trust necessary for this market to flourish,” said Rutter.
Rutter is keen to seek industry collaboration to move the whole sector on, especially relying parties or “[ID] acceptors” as the OIX is keen for them to be known as. “OK, so we’ve done this, what’s the gap, what is it now that needs to happen that you’ll use this stuff? Here in the UK, where’s the gap that I need to fill so that you as relying parties will feel really confident and happy to rely on digital identity products?”
Digital identity is being used in face-to-face settings, such as proof of age in cinemas. There is no blanket mechanism to push retailers to accept digital ID as there is no overall way of doing that for any form of ID, said Rutter, meaning that it will have to be done use case by use case, product by product.
“We need to rely on you at this point to help us make the case,” said Rutter. “We need to sell this well beyond this room. If this stuff is going to get through Parliament, we can’t be talking technicalities of ISO standards or if this bit of GPG 45 [the Government Good Practice Guide on digital identity] is accurate. I don’t know if any of you have had conversations in the [House of] Lords tearoom, but it’s not going to work.”
Conference attendees were, however, far less confident of it clearing the Lords than Commons, precisely because the Lords are in fact much keener on the Bill’s details.
Much of the work of the DCMS digital identity team and Trust Framework culminates in the DPDI Bill’s success. Rutter called on attendees to use the new government’s supposed focus on growth to their advantage: “Tell them how digital identity is going to support growth. Tell them how it’s going to support the rights of individuals and protect them, that we’re not creating ID cards, we’re creating a system where people will be able to have control over their data and be able to use it to make things easier for them while they have control.
“Help us to spread that message because without that, my little team can’t get this through Parliament, and my little team can’t get this to the finish line.”
But a weekend is a very, very long time in UK politics.