As part of performing an identity check, digital verification services (DVS) need to verify information that represents the attributes of the person being checked. Often, this is done with reference to an “authoritative source”. Digital verification services sometimes want to use “data brokers” for this purpose and we’ve been asked how they should be treated.
What we mean by data broker
A data broker is an intermediary that aggregates data from multiple sources, often including public records, commercial databases, and online activity. In the context of digital identity, data brokers may be used to verify attributes about individuals – like their name, address, or financial history – by providing access to datasets that support identity checks.
Credit reference agencies, identity and fraud analytics companies, and digital verification services themselves are some of the types of companies that can act as data brokers.
Data brokers must, of course, comply with UK data protection legislation and so must DVS providers when using them.
A data broker can be used an authoritative source
Whilst lots of organisations could act as a data broker, not all data brokers are authoritative sources.
Good Practice Guide (GPG) 45 – which describes how to prove and verify someone's identity – defines what an authoritative source is. It says:
To be authoritative for a particular piece of information, the source must make sure:
- the integrity of the information is protected
- the information is up to date
The source must also do one of the following:
- issue evidence, for example the Driver and Vehicle Licensing Agency (DVLA) issues evidence such as driving licences
- get information from an organisation that issues evidence, for example credit reference agencies can have authoritative information about bank accounts
- get information from another authoritative source, for example from another identity scheme
There is nothing in GPG 45 – or in the trust framework – that prohibits the use of data brokers as an authoritative source. If a data broker meets the requirements set out in GPG 45, it can be used as an authoritative source.
A single data broker can verify multiple pieces of evidence
Data brokers can usually provide data from multiple places and so a single data broker can act as multiple authoritative sources.
For example, a credit reference agency will often have an ability to connect to multiple banks and building societies. If a user had a mortgage with one bank and a credit card with another, and the broker can access that data in a manner that ensures its accuracy and recency, there is no reason why that single broker can’t be used to verify both pieces of information.
Additionally, there is no need to make two separate requests of the broker for it to count as multiple authoritative sources. As long as the information is distinct and able to be verified, a broker can provide one, two or dozens of pieces of evidence as part of a single request from an identity service.
Whilst data brokers can provide all sorts of data, it’s important for service providers to ensure that only data that is within the scope of GPG 45 is being used for identity checks within a certified service. For example, data brokers can often provide profiling about people based on their internet browsing history; that data can’t be scored as part of GPG 45, so it mustn’t be used for an identity check.
Prepare to justify your approach
When conformity assessment bodies audit services against the UK digital identity and attributes trust framework, they will ask service providers to justify how their service achieves the outcomes it purports to be able to achieve. If they use a data broker, service providers must justify that approach and why they think it’s right. In particular, they’ll need to demonstrate that the information the broker can provide is both accurate and up-to-date.
Leave a comment