UK lays out privacy policy for One Login identity verification

Data collected for Gov.uk One Login will not be used to target advertisements or profile users, and selfie biometrics for remote ID verification will be deleted after 30 days, the UK’s Government Digital Service has announced.

A privacy notice from GDS describes how and why biometric data is collected for liveness and “likeness” checks, and sets out the data storage and sharing policy. The notice outlines Experian’s role in identifying signs of identity theft, knowledge-based verification (KBV) and providing a fraud score.

The process for in-person identity verification at a Post Office with help from its subcontractor Yoti is explained. Data collected for in-person identity checks is deleted after 11 days.

Online identity verification through the Gov.uk ID Check app or Gov.uk One Login app with ID document authenticity, biometric matching and liveness detection checks is handled by iProov and its subcontractors Veriff and Inverid. The selfie video taken during the process is not stored, but the still photo and biometric data generated from it and the driver’s license image are deleted by iProov after 30 days.

GDS says system logs will store extensive information about how One Login is used for a year, accounts will remain active for up to five years after their last use, and audit logs will be kept for seven years for fraud monitoring purposes. The notice also states that information from ID documents shared with One Login can be passed on to HM Revenue and Customs, the Passport Office and Driver and Vehicle Licensing Agencies for Britain and Ireland. Anti-fraud data could also be shared with law enforcement agencies and the Home Office.

One Login is projected to cost 329 million pounds (approximately US$445 million) to deliver, PublicTechnology reports. The project has found itself repeatedly under fire, following an assessment by the National Cyber Security Centre earlier this year that found it was compliant with only 21 of 39 cybersecurity recommendations, and when it temporarily dropped off of the DIATF register. Multiple contracts intended to improve One Login’s security resilience have since been awarded.

Article Topics

data privacy  |  Gov.UK  |  identity verification  |  Inverid  |  iProov  |  One Login  |  selfie biometrics  |  Veriff