Stock of legislation / current regulation on digital ID
Contributor: Katelyn Cioffi
Organization: Center for Human Rights & Global Justice, NYU School of Law
Country: United Kingdom
1.1. Which are the specific laws creating and regulating Digital ID and what is their hierarchy (constitutional, organic laws, regional/sub-state laws, regulations, procedures)?
Several pieces of legislation help to regulate digital ID in the UK. This includes the Online Safety Act 2023;[1] Data Protection Act 2018; UK General Data Protection Regulation (retained EU Law); Equality Act 2010; and Freedom of Information Act 2000. Another key piece of legislation will be the proposed Data Protection and Digital Information (No. 2) Bill which will underpin the proposed digital ID trust framework; as of February 2024, this Bill has passed the House of Commons and is in Committee stage in the House of Lords.
Apart from the current stock of legislation, the UK has a long history of civil registration,[2] and has embarked on several failed to introduce new form of national digital ID. This includes the introduction and repeal of the Identity Cards Act (UK) 2006,[3] and the abandoned Gov.uk Verify federated digital identity system.[4]
The Identity Cards Act of 2006 was part of the National Identity Scheme led by Home Office, which was to include both a national ID card and a biometric registry. However, significant research from the LSE Identity Project, as well as a grassroots campaign called No2ID,[5] eventually led to the abandonment of this scheme and the destruction of the biometric data that had been collected. Another project, Gov.uk Verify, was first initiated by the Cabinet Office in 2011, to serve as a federated identity service for accessing public services online. However, this project was also scrapped after a number of private sector providers decided to leave the scheme and it was found that many seeking to use the service had been excluded from government services, most significantly the UK’s flagship welfare programme, Universal Credit.[6]
The UK government, however, remains committed to digitalisation of public services and the need for a digital ID. It is currently engaged in an “iterative process” to develop a digital ID trust framework[7] that will apple across public and private services, as well as to introduce a single-sign on service (Gov.uk One Login) for accessing online public services.[8]
[1] Online Safety Act 2023, 26 October 2023, https://www.legislation.gov.uk/ukpga/2023/50/enacted
[2] See National Registration Acts of 1915 and 1939.
[3] Identity Cards Act 2006 (repealed), https://www.legislation.gov.uk/ukpga/2006/15/contents; the Identity Cards Act was replaced by the Identity Documents Act 2010, which mainly deals with the destruction of cards and data under the 2006 Act, and to codify offenses related to falsification of identity documents, https://www.legislation.gov.uk/ukpga/2010/40/crossheading/repeal-of-identity-cards-act-2006/enacted.
[4] UK Government Digital Service, Gov.UK Verify Guidance, last updated 26 April 2023, https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify.
[5] Success Story: Dismantling UK’s Biometric ID Database, Electronic Freedom Foundation, https://www.eff.org/pages/success-story-dismantling-uk%E2%80%99s-biometric-id-database; John Harris, Great ID Card Rebellion, Guardian (24 Jan. 2008), https://www.theguardian.com/politics/2008/jan/24/idcards.humanrights.
[6] National Audit Office, Investigation into Verify, 5 March 2019, https://www.nao.org.uk/wp-content/uploads/2019/03/Investigation-into-verify.pdf.
[7] This is guided by a set of principles developed by the interim governance arrangement in the Department for Digital, Culture, Media and Sport the Office for Digital Identities and Attributes (OfDIA). These are:
- Privacy – When personal data is accessed citizens will have confidence that there are measures in place to ensure their confidentiality and privacy. Where possible, citizens select what personal data is shared. Organisations will have privacy standards to uphold and will need to prove their ongoing compliance.
- Transparency – Citizens must be able to understand by who, why and when their identity data is used [when using digital identity products].
- Inclusivity – This means those who want or need a digital identity should be able to obtain one. We will look at how citizens could use different attributes (e.g. name, date of birth etc.) held across government and by other parties to support identity proofing.
- Interoperability – Setting technical and operating standards for use across the UK’s economy to enable international and domestic interoperability.
- Proportionality – User needs and other considerations such as privacy and security will be balanced so digital identity can be used with confidence across the economy.
- Good governance – Digital identity standards will be linked to government policy and law. Any future regulation will be clear, coherent and align with the government’s wider strategic approach to digital regulation.
[8] This service is currently being provided by Deloitte, see Chris Burt, Deloitte nets £16m from UK government in latest One Login contract win, Biometric Update (17 Aug. 2023) https://www.biometricupdate.com/202308/deloitte-nets-16m-from-uk-government-in-latest-one-login-contract-win.
1.2. What is the definition of Digital Identity brought by the Law or regulation, if any?
“A digital representation of who a user is. It lets them prove who they are during interactions and transactions. They can use it online or in person.”[1]
[1] Please note that this is a beta version. UK Department for Digital, Culture, Media & Sport & Department for Science, Innovation & Technology, UK digital identity and attributes trust framework beta version (0.3), 20 July 2023, https://www.gov.uk/government/publications/uk-digital-identity-and-attributes-trust-framework-beta-version.
1.3. Which are the corresponding Data Protection laws, if existing?
Data Protection is governed by the UK General Data Protection Regulation (GDPR),[1] which is complemented by the Data Protection Act of 2018.[2] As part of the European Union (Withdrawal) Act 2018, the GDPR became part of “retained EU law,” which means that a snapshot was taken of the end of the Brexit transition period on 31 December 2020. The current iteration of the UK GDPR retains significant similarities to the EU GDPR and has been deemed “adequate” by the European Union.[3]
However, current efforts are pending in the House of Lords to introduce a new Data Protection and Digital Information Bill, which will govern the use of personally identifying information and its use in the delivery of public services. Some advocates have argued that this new bill will weaken data protection in the UK,[4] which may result in a blockage to free flow of data between the EU and the UK if the system is deemed to be considered inadequate.
[1] Information Commissioner’s Office, UK GDPR guidance and resources, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/.
[2] Data Protection Act 2018, https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
[3] Information Commissioner’s Office, Adequacy, https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/adequacy/
[4] Public Law Project, How the new Data Bill Waters down protections: A briefing for the House of Commons report stage of the Data Protection and Digital Information Bill, 28 November 2023, https://publiclawproject.org.uk/resources/how-the-new-data-bill-waters-down-protections/.
1.4. Was public participation ensured when these were drafted and enacted? How?
In 2020, the Cabinet Office and the Department for Digital, Culture, Media & Sport launched a call for evidence on digital identity,[1] and has conducted numerous consultations throughout the development of the trust framework.
[1] Cabinet Office & Deparment for Digital, Culture, Media & Sport, Digital Identity: Call for Evidence Response, 8 September 2020, https://www.gov.uk/government/consultations/digital-identity/outcome/digital-identity-call-for-evidence-response.
1.5. Does the country’s Digital ID framework reflect any particular digital ID model existing elsewhere (e.g., similar/comparable to X country)?
Yes, similar approaches to trust frameworks have been planned in Australia, New Zealand and Canada. Moreover, the UK has taken inspiration from several Nordic countries—including Sweden, Finland and Denmark in introducing elements of federation and interoperability into their digital ID system.[1]
[1] The Information Commissioner’s position paper on the UK Government’s proposal for a trusted digital identity system, 22 April 2021, https://ico.org.uk/media/about-the-ico/documents/2619686/ico-digital-identity-position-paper-20210422.pdf.
1.6. What is the interrelation of these Digital ID laws with existing nationality laws (does Digital ID reflect nationality status, is nationality an eligibility criterion or only legal residence)?)
There is no requirement of nationality to use the digital ID system, but it will be a key data point in the identity verification process. The early beta testing of the identity verification services has focused on right to rent, right to work, and Disclosure and Barring Service checks, a form of criminal background check.
1.7. Court cases: Is there litigation going on? Has there been prior litigation? What are the specifics of those cases (list and summarize)?
There is no requirement of nationality to use the digital ID system, but it will be a key data point in the identity verification process. The early beta testing of the identity verification services has focused on right to rent, right to work, and Disclosure and Barring Service checks, a form of criminal background check.
