The UK digital identity and attributes trust framework underpins our approach to building trust in the digital identity ecosystem. The requirements it contains help build confidence that services certified against it are reliable and secure.
So far, we’ve published three versions of the UK digital identity and attributes trust framework. Today, we're delighted to pre-release the next iteration – the gamma (0.4) publication.
What we mean by a ‘pre-release’
We’re badging this publication as a pre-release because it’s not yet ready to be certified against.
However, pre-releasing gives certainty about the forthcoming standards and allows providers time to prepare for the new rules. Once Conformity Assessment Bodies (CABs) are accredited and ready to begin certifying early next year, we will republish gamma, clearly labelling it as the final publication.
The requirements in the gamma publication won’t change between now and its final release.
Changes for the gamma publication
Testing and iterating the trust framework is core to our approach. We’ve engaged extensively with stakeholders since publishing the June 2022 beta (0.3) version, and building on that evidence we’ve made five main changes for gamma. These mean the new rules:
- Better reflect the current market. We have introduced two new roles that services can certify as – the Holder Service Provider and Component Service Provider. This means increasingly important business models, like digital wallets and facial authentication specialists, will be better accommodated.
- Provide more protection and support for users. We have strengthened a variety of security measures, improved inclusion monitoring processes, and refined mechanisms to help users control how their data will be shared. We have also increased requirements on providers to support users if things go wrong.
- Respond to the increasing prevalence of biometric technologies. New rules – in a dedicated section – will help ensure biometric systems are appropriately tested to be fair and effective, for instance across different demographic groups.
- Strengthen trust across the wider ecosystem. New requirements will govern providers’ presence on the forthcoming register of digital identity and attribute services. We’re also introducing requirements on protecting user data as it moves from certified services to relying parties, and clarifying how services should advertise their certified status to avoid confusing users.
- Are more navigable, usable and auditable. We have restructured the trust framework and introduced a new rule numbering system to make the document easier to use. We have also increased the trust framework’s auditability by removing ambiguous ‘should’ expectations in their entirety.
Overall, I see these changes as more evolutionary than revolutionary. But, taken together, it should be clear that we’re deliberately raising the bar for providers operating within our trusted ecosystem. It’s essential that certification remains a real distinction for the most trustworthy services, and that we suitably safeguard the privileges that it brings.
For more details on the improvements we’ve made, please see the detailed summary of changes in the gamma publication.
What happens next?
As mentioned earlier, while services can start preparing to meet the gamma publication’s rules now, they will not be able to get certified against them just yet. We will announce when CABs are accredited and ready to begin certifications next year.
Once the new Data (Use and Access) Bill passes, OfDIA will have a duty to review the trust framework at least annually. We’ll therefore soon also be launching our next round of stakeholder engagement, to gather feedback on the gamma publication and other guidance that together makes up the trust framework. This will help us develop the next publication, which we plan to release following the Data Bill’s passage.
We’ll share more information about getting involved with engagement in a future blog post. In the meantime, do let me know what you think about this new publication.
Sign up to email alerts to receive an update whenever we publish a new blog post.
Leave a comment