
It’s important that those who want to use a digital identity service know which ones are following the UK government’s rules and can be relied on. But you shouldn’t have to know the ins and outs of the UK digital identity and attribute trust framework or its certification processes to have this confidence.
That’s why we have created a register of digital identity and attribute services that’s published on GOV.UK.
The Data (Use and Access) Bill (‘the Data Bill’) places the register on a statutory footing and describes how OfDIA should maintain the register when the legislation comes into force. We are operating the register today in much the same way as the Bill will eventually require us to once it has passed through Parliament.
Maintaining an accurate register is important to us
It’s our responsibility – here in OfDIA – to ensure the register is accurate and up-to-date, and only includes services that have been assessed as meeting our rules.
That’s important for relying parties, like employers and landlords, so they can safely buy in the services they want to use to speed up their business processes.
It’s important to the service providers too. They’ve told us that the register influences their customers’ purchasing decisions, and that they want peace of mind that their services only appear alongside other services assessed as meeting the government’s high standards.
It’s important to government departments and agencies that need assurance that their regulatory needs are being satisfied.
And it will also become increasingly important to members of the public, as the register will provide a way to check that the service they are about to use is genuine.
Bad actors shouldn’t get through the front door
To be on the register, a service provider must apply to appear on the register and to have its service (or services) listed after an approved conformity assessment body has certified the service(s) as meeting our rules.
Conformity assessment bodies conduct technical evaluation and background checks on the companies running digital identity and attributes services. These checks mean a rogue operator shouldn’t be able to get through the certification process. But, if they do, new powers proposed in the Data Bill will also allow the government to refuse applications to be listed on the register in certain circumstances, for example where there are national security concerns.
Being certified is the first step for service providers wanting to be listed on the register. The certification process is designed to stop bad actors from getting through the front door.
Maintaining high standards through independent third-party certification
After a service is on the register, we lean heavily on independent third-party certification to ensure ongoing compliance with the trust framework rules.
Every service certified against the trust framework is re-evaluated at least annually by their conformity assessment body, an independent third party, to ensure they are still meeting the trust framework rules.
If anything significant changes with a service – like a change of critical suppliers or a brand new part of a service coming online – then the service provider must tell their conformity assessment body, which might require an extra evaluation of those changes.
In addition, OfDIA can also request that a conformity assessment body undertakes a ‘spot audit’ of individual services if necessary.
If a conformity assessment body finds that a service isn’t following our rules, it will report back to the service provider that it has a ‘non-conformity’.
Conformity assessment bodies – as independent third parties – are exclusively responsible for deciding how to deal with a non-conformity. In most cases, service providers will be given time to fix the non-conformity. In the most serious of cases a certificate will be withdrawn. If a conformity assessment body and a service provider disagree, then the certification process provides for dispute resolution. Under our certification scheme, conformity assessment bodies must have complaints processes in place to handle these kinds of issues.
If a service is no longer certified because of a decision by a conformity assessment body, then it is no longer eligible to be listed on our register. The Data Bill will impose a duty on the Secretary of State to remove services in these circumstances. Because it’s a duty, and because we want the register to accurately reflect the certified status of a service, we will take steps to act on it immediately.
The same duty applies if a certificate expires. We’ll have a duty to act and will immediately take steps to remove services that no longer have certification.
When government will step in
In limited circumstances, the government might decide to remove services from the register, independent of the certification process. When the provisions in the Data Bill come into force, the Secretary of State will have the power to do that even if a service still has a certificate. The power is a backstop, to be used only in extreme circumstances when the certification process can’t address compliance issues.
We can choose to exercise this power to remove service providers and their services from the register when:
- there is clear evidence the service no longer meets the requirements of the trust framework or supplementary code rules,
- a service provider has failed to comply with a request made under information gathering powers set out in the Bill, or
- it is necessary to do so in the interests of national security.
Whenever we intend to use these powers, we must follow the process set out in the legislation. Providers will be given at least 21 days’ notice that we intend to remove them and their services. During that time, and before they are removed, they will be able to present evidence to the Secretary of State to dispute this, which must be considered before a final decision is made.
We don’t expect these powers to be used very often, because most of the compliance requirements needed to keep the ecosystem safe can be baked directly into the certification process. If an issue can be dealt with through the certification process, we will usually refer that issue to a conformity assessment body to investigate; this is something we already do and will continue to do in the future.
Prompt. Proportionate. Effective.
Taken together, we believe that these processes and powers allow us to maintain a digital identity and attribute services register which is secure and can be relied on by the public.
The certification process gives us a prompt and proportionate way to respond to emerging threats to public trust in the digital identity ecosystem, and this will be strengthened even further through the backstop powers in the Data Bill.