Identity Assurance and GOV.UK Verify
27 June 2015
An academic paper has been published which explores issues about how federated identity assurance systems like GOV.UK Verify work, and how the privacy of users can best be protected.
GOV.UK Verify have a Blog and in a recent post mentioned that they have been asked to comment on an academic paper- 'Toward mending two nation scale brokered identity systems'. The Blog goes on to say:
GOV.UK Verify offers people a convenient, secure way to prove their identity when accessing digital government services. It does not have any other connection with or ability to monitor people or their data.
GOV.UK Verify protects users' privacy. It has been designed to meet the principles developed by our privacy and consumer advisory group. GOV.UK Verify does not allow for mass surveillance.
Only minimal data passes through the GOV.UK Verify hub. The person’s name, address and date of birth (and gender, if the user has chosen to state it) is sent through the hub to a government department the person is trying to access.
This only happens when the person accesses a service through GOV.UK Verify - the data is sent through the hub for the purposes of matching the person to the record that is already held about them in that department. No data about the person’s interactions or activities within certified companies or government departments passes through the hub.
We are working with the author of the paper to clarify this aspect and provide assurance on the issues raised. We have invited one of the authors, Dr Danezis, to join our privacy and consumer advisory group (and we are pleased he has accepted the invitation), so that we can continue to consult a range of experts and privacy and consumer groups on our approach to these important issues.