Our trust framework sets out the rules digital identity and attribute services should meet. How can we be confident that those rules are being followed? That’s the role of “conformity assessment” – or, more colloquially, certification. Our legislation – the Data (Use and Access) Bill – will require us to operate a process rooted in accredited conformity assessment, with a structure of standards, governance and oversight to help people know which digital identity services are trustworthy and secure.
Assurance built on processes you already trust
We all rely on certification every day, whether we know it or not. The eggs we eat, seatbelts in our cars, locks on our front doors, phones in our pockets, and thousands of other things we use all the time are quality assured through a process of conformity assessment to ensure they are safe to use and work as intended.
We’re applying those same robust processes that keep you safe in every other area of your life – and that we all already implicitly trust – to the digital identity and attribute services market.
Services are evaluated by independent experts
Our certification process is based on “third-party conformity assessment”. That means that a service provider can’t just self-declare its services meet our rules; it has to get an independent third party, with no connections to its service, to attest that it complies with the rules.
Those independent third parties are called Conformity Assessment Bodies: organisations that specialise in objectively evaluating products, services and processes. We currently have 3 organisations that are approved to conduct certification. Each of them employs specialist auditors with specific expertise in the technical areas covered by our trust framework.
Certification based on international best practice
Whilst the trust framework defines ‘what’ is being evaluated, a Conformity Assessment Body needs to know ‘how’ to evaluate it too.
For the UK digital identity and attributes trust framework, we’ve created a ‘certification scheme’ based on the ISO/IEC 17065 standard. The certification scheme is a series of documents that define what Conformity Assessment Bodies have to do in order to evaluate services against the trust framework.
We’ve chosen to base our certification scheme on ISO/IEC 17065 because it sets a clear baseline for how to evaluate products, services and processes, and the minimum quality standards that Conformity Assessment Bodies must follow. Under our certification scheme, services must be evaluated at least annually to check that they continue to meet the rules in the trust framework.
Independent assurance of independent certification
So we have rules in the trust framework for service providers to follow when building and operating their services, and we have rules for Conformity Assessment Bodies to follow when they provide certification.
Who checks the checkers? That’s the role of the United Kingdom Accreditation Service (or ‘UKAS’): the national accreditation body for the United Kingdom, appointed by government to independently assess organisations that provide certification, testing, inspection and calibration services.
UKAS does several things to ensure that this entire certification process we’ve created is sufficiently robust, objective and well-managed.
First, they hold OfDIA (the Office for Digital Identities and Attributes) to account for the quality of the certification scheme that we have developed and against which services are being certified. This is a process called ‘recognition’: a detailed technical process in which UKAS assessors scrutinise the work we’ve done and check that it aligns with international standards and best practice.
The non-statutory UK digital identity and attributes trust framework and its associated certification scheme were first ‘recognised’ by UKAS in April 2024. We’ll continue working with UKAS to ensure the certification process remains of a high quality and maintains recognition going forward, and this will carry on after the Data (Use and Access) Bill comes into force.
Once UKAS ‘recognises’ our certification scheme, UKAS then ‘accredits’ Conformity Assessment Bodies, auditing them to check they’re implementing our certification scheme correctly.
But the checks and balances don’t stop there. UKAS itself is regularly assessed by its peer organisations worldwide, to ensure that it is performing recognition and accreditation activities in line with internationally agreed standards.
Layers of checks and balances that you can trust
We know creating trust in digital identity services requires clear rules and assurance those rules are being followed. Our certification process is rooted in international best practice, and it has robust checks and balances in place.
But you shouldn’t have to understand this level of detail to rely on a digital identity service, whether you’re a member of the public or a business that needs to check someone’s identity. In the same way that the Gas Safe symbol and register make it easy to find a trusted heating engineer, we’re creating a register of providers and, once the Data (Use and Access) Bill comes into force, we will start to issue a government trust mark; we’ll be publishing more on that soon.