https://enablingdigitalidentity.blog.gov.uk/2026/04/13/the-information-gateway-enabling-secure-sharing-of-information-held-by-public-authorities-with-trusted-digital-verification-services/

The information gateway: enabling secure sharing of information held by public authorities with trusted digital verification services

Categories: Digital identity

Through the information gateway, registered digital verification service (DVS) providers can ask for information directly from public authorities.

Section 45 of the Data (Use and Access) Act 2025 contains a power that is referred to as the "information gateway", which allows public authorities to share information with digital verification service (DVS) providers, as long as information is only provided:

  • to DVS that are certified against the UK DVS trust framework and registered on the DVS register
  • for the purpose of providing identity or eligibility verification services
  • at the request of the individual to whom the data relates; and
  • in compliance with other relevant existing legislation, including data protection legislation.

This power will help enable more efficient, fully digital processes, allowing people to prove their identity digitally without needing to scan physical documents. The information gateway is a key part of the government’s approach to enabling the widespread use of trustworthy digital verification services, which could generate at least £701 million per year in economic benefits in the UK.

Public authorities receiving requests under section 45 of the Act are encouraged to share information with the registered DVS provider through the information gateway where possible. Requests should be proportionate, and comply with data minimisation rules. In general, requests should not be refused unless doing so is in line with public law principles, for example where there is a reasonable justification for the refusal. In such circumstances, the authority should explain its decision to the provider.

Where public authorities do decide to share information through the information gateway, they can charge fees to registered DVS providers to cover the cost of setting up, implementing and maintaining the necessary systems for sharing information.

OfDIA is working to develop and publish information for different actors in the ecosystem, to help them understand what the information gateway power is, and how different organisations may interact with the information gateway.

The statutory Code of Practice

Section 49 of the Act requires the Secretary of State to prepare and publish a Code of Practice about disclosure of information through the information gateway under section 45. The public authority must have regard to the Code of Practice when sharing information via the information gateway. OfDIA, acting on behalf of the Secretary of State, will prepare the Code of Practice for it to be laid before Parliament.

The information gateway power will be commenced once the Code of Practice has been approved by both Houses of Parliament which, subject to Parliamentary timings, we anticipate will happen later this year. We will publish updates on progress here on our blog.

Public authorities can share information in a variety of ways

The information gateway power does not dictate how information held by public authorities should be shared, and this is something each public authority will decide for themselves. When sharing personal data, as well as having regard to the Code of Practice, public authorities must also comply with data protection legislation.

It is likely that in the majority of cases, public authorities will be able to best and most cheaply fulfil a request for information by securely sharing attributes via APIs. This will minimise the amount of information shared by the public authority.

Some public authorities will make information available by developing a digital credential, like a digital driving licence.

Public authorities can offer both options in parallel – issuing a digital credential into the GOV.UK Wallet does not prevent a public authority also facilitating API checks of data they hold.

To share information, public authorities and registered DVS providers will enter into agreements

Some public authorities might choose to publish information about the information they hold and that is being made available using the information gateway powers, to make it easier for DVS providers to engage with them.

Once a DVS provider has established that a public authority holds information relevant for its service (or planned service) and is making it available using the information gateway powers, the registered DVS provider and public authority would then be expected to enter into a contract and data sharing agreement. These should set out, among other things:

  • the roles and responsibilities for all parties
  • the specific mechanisms and safeguards for data sharing
  • compliance with data protection legislation; and
  • any applicable fees payable by the DVS provider

Once agreed, the registered DVS provider can make information requests on behalf of the individuals using their services. Public authorities will need to consider those requests and decide whether to share information or not. This will include:

  • checking that the service of the DVS provider requesting the information is on the DVS register and that the individual has requested that service
  • considering whether the data is accurate for the relevant purpose
  • considering whether the data is in a format appropriate for sharing; and
  • determining what the public authority will charge the DVS provider.

Checking that a service is on the DVS register

We want information sharing under the information gateway to be as secure and robust as possible. That is why only services operated by providers that are registered on the DVS register can receive information via the information gateway.

To help public authorities check that a provider is genuine when they make a request via the information gateway, this year we will be enabling DVS providers to securely prove they are on the DVS register in real-time, through public key infrastructure. We will publish more information about our plans for this shortly.

Next steps

To drive use of the information gateway by registered DVS providers and public authorities, OfDIA is working to:

  • publish the Code of Practice
  • gather evidence on user needs for the information gateway, including conducting a survey of registered DVS providers to understand the demand for different data
  • develop guidance to help registered DVS providers and public authorities understand how they can use the information gateway
  • provide the new security features of the DVS register

It is our intention that this work makes it easier for registered DVS providers and public authorities to share information via the information gateway, to support our ultimate goal: efficient and authoritative digital verification of attributes across the economy.

Sharing and comments

10 comments

  1. Comment by Richard O posted on

    Thanks for the update. GDS announced in May 2025 that government departments will issue cryptographic verifiable credentials (VCs) (e.g. DVLA + mobile driving licence; HMPO + digital passport) by the end of 2027.

    GDS has also stated that the VCs will be hosted in the GOV.UK Wallet and DVS providers may only create 'derived credentials'. Unlike a VC, a derived credential will not bear the digital signature of the issuer. A derived credential is therefore legally and cryptographically inferior to a VC.

    The Cabinet Office consultation paper on digital ID (March 2026) has subsequently told us that the GOV.UK Wallet will be certified against the DVS Trust Framework.

    Please therefore confirm that ALL certified DVS providers will have equal access to VCs via the Information Gateway. Many thanks.

    • Replies to Richard O

      Comment by Eleanor Curry posted on

      Under the information gateway powers, any registered digital verification service is equally entitled to request information from public authorities. And as a matter of public law, requests to exercise the power should not be refused unless there is a reasonable justification for doing so. That said, requests should be proportionate and relevant for their service, to comply with data minimisation rules. For example, it is unlikely to be appropriate or necessary to share an entire credential for the check of a single attribute.

      In practice, we expect DVS will reach out to public authorities to discuss data sharing needs ahead of time, and that a Data Sharing Agreement (and other terms as necessary) will be established to manage individual requests. We'll be blogging more about this, and publishing guidance for all parties, ahead of commencement.

  2. Comment by David Moss posted on

    Request for clarification

    We read in the blog post above that "only services operated by providers that are registered on the DVS register can receive information via the information gateway".

    Does that mean that the provider has to be registered but it doesn't matter if their service isn't?

    Take the example of DSIT, who are on the register as the provider of GOV.UK One Login.

    The blog post says that: "Public authorities can offer both options in parallel – issuing a digital credential into the GOV.UK Wallet does not prevent a public authority also facilitating API checks of data they hold".

    But GOV.UK Wallet does not appear on the DVS register.

    DSIT is registered, Wallet isn't, can Wallet be used in the information gateway or can't it? Does "DVS" denote the service or the service provider or both, it can be confusing?

    • Replies to David Moss

      Comment by Eleanor Curry posted on

      Both the provider and the service will need to be registered. It's important to note that public authorities do not need to be listed on the DVS register to be able to provide information they hold via the information gateway to registered DVS. For example, DVLA won't need to be on the register to facilitate API checks of driver data for DVS purposes.

      Similarly, neither the Government Digital Service nor the GOV.UK Wallet need to be on the register to provide data to registered DVS via the gateway – although DSIT's intent is for GDS and the GOV.UK Wallet to be registered anyway to increase trust and confidence. And given GDS is a public authority they don't need to be on the register to receive this data from other public authorities either (they can rely on Digital Economy Act powers for this).

  3. Comment by MarkK posted on

    This is permissive; it is not clear why any authority would spend the sums needed to update/renegotiate and reassess their existing systems with a secure opening when it is not on their list of functions for which they get funds and are accountable. It would be a liability with no benefit to them.
    A public authority in the UK is an organization or body that exercises functions of a public nature, performs governmental duties, or is publicly funded, including central/local government, the NHS, police, and schools.
    How many of these are expected to partake, and at what level?

    • Replies to MarkK

      Comment by Eleanor Curry posted on

      Section 45 of the Data Act allows public authorities to charge the DVS fees to recover the costs of any information sharing with them, which should mitigate the financial risk for public authorities. And given the power exists, requests should not be refused unless there is a reasonable justification for doing so (which could include unmet costs).

      There are a large number of public authorities in the UK, and OfDIA is working to better understand the potential barriers to public authorities sharing data, how these can be mitigated, and what initial uptake is likely to be. We'll continue to blog about data sharing activity happening via the information gateway.

  4. Comment by alan chaplin posted on

    Thanks for the blog. Is it only identity data that can/should be shared? For example could an organisation on the DVS register request tax information from HMRC? I’m in pensions so something like checking the protected pension allowances an individual has from HMRC would be much more efficient than the current process of asking for certificates.

    • Replies to alan chaplin

      Comment by Eleanor Curry posted on

      Yes. Information can be shared under Section 45 for identity or eligibility verification purposes. This means checking something like protected pension allowances would be in scope.

  5. Comment by Mike posted on

    So let's say a DVS wanted access to the national pupil database (from the DforE which contains all pupils from 2002 onwards) which would help in areas like age verification, thin file consumers and in creating new challenge and response questions. That's applicable because you have the data subject consent to access the data being held about them? (Obviously subject to APIs being built etc)

    How are the public sector authorities ensuring that they are protecting the data so that we can be sure that data pertaining only to the data subject is released?

    • Replies to Mike

      Comment by Eleanor Curry posted on

      Under the Data Act and data protection legislation, public authorities must have safeguards in place when sharing data via the information gateway power.

      Public authorities will need to enter into a Data Sharing Agreement with digital verification services (DVS) requesting information, and we'd expect Data Protection Officers from both parties would input. This process will include setting out what information the public authority needs from the DVS to be confident that the request has come from the individual the data relates to.

      In future, OfDIA will publish information on security considerations, and we will shortly blog about our work to provide a secure DVS register.
