UK digital ID providers fear govt plans conflict with data protection act aims

The mechanism within the UK’s Data (Use and Access) Act that allows businesses certified under the government’s Digital Identity and Attributes Trust Framework (DIATF) to collect data from public authorities has become the latest grounds for dispute between parties in the country’s spasming identity sector. Most the data protection rules remaining under the Act, also known as the DUAA, meanwhile, came into force Thursday.

For digital identity and biometrics providers, also still outstanding is clarity on their role in the country’s digital identity system, and whether it is commercially viable.

Earlier in the week, the Department for Science, Innovation and Technology (DSIT) and Government Digital Service updated the status of the Information Gateway mandated by Section 45 of the DUAA in a joint webinar on the UK’s digital ID landscape. Digital Verification Service providers will be able to request and gather information from public authorities via the Information Gateway.

DSIT says a “Code of Practice” for these information disclosures is coming, and is expected to be approved by Parliament this summer, according to a LinkedIn post by legal and digital identity consultant Richard Oliphant. A lively discussion has followed in replies to the post.

“This is a necessary precursor to establishing the Information Gateway and it will boost the use of DVS in the UK private sector,” Oliphant says.

However, he also identifies two major problems ahead.

One is that DSIT has said there are no plans to allow DVS providers to host government-issued verifiable credentials, like a UK mobile driving license (mDL). These will be stored in the GOV.UK Wallet, giving it an unfair advantage over DIATF firms, which will only be able share derived credentials that do not bear the digital signatures contained in the VC, and therefore have minimal value.

Authorities will also have the option to deny DVS provider requests, DSIT says. But if public authorities can deny data such requests, Oliphant argues, rights such as data portability granted by UK data privacy law.

Both issues could pit DVS providers against the government plan, Oliphant says, and conflict with the DUA’s statutory aims.

In the meantime, all of the DUAA has now commenced, except a complaints procedure requirement that takes force midway through 2026 and some pending ICO governance provisions.

The Information Commissioner’s Office (ICO) has published updates to its guidance for businesses, particularly for “children’s higher protection matters” mandated under the DUAA.

Article Topics

Data (Use and Access) Bill (DUA)  |  Department for Science Innovation and Technology (DSIT)  |  Digital Identity and Attributes Trust Framework (DIATF)  |  digital verification service (DVS)  |  UK digital ID