Thursday, November 06, 2014

Protecting privacy in the GOV.UK Verify scheme

For the last two years I've been working with colleagues in the Cabinet Office's Privacy and Consumer Advisory Group to develop privacy principles for the government's online identity assurance programme. This is now close to launch, and got some front-page attention in The Times on Monday. Here is the just-published letter we sent to the newspaper with more details. The Government Digital Service has also published a response.


Today’s Times (4/11/2014) front-page story contains an error: “Virtual ID for everyone” should read “Virtual IDs for everyone”. It is a vital part of the scheme that we may all have plural identities.

For the last two years, we, as members of the Privacy and Consumer Advisory Group, have been working with the dedicated Cabinet Office team to define nine Identity Assurance Principles that, if implemented across government, would protect against the Verify scheme becoming a shadow identity card system.

Control by the citizen is at the heart of these principles. You choose (and can discard) your own virtual identities. They are not imposed on you by the state. You can read more on the principles at

Obviously a citizen using a public service (online or otherwise) needs to be identifiable to that service to some degree. But this does not mean a service provider should have access to any unnecessary information about the citizen. That is what the Verify scheme was conceived, laudably, to achieve. 

Our Identity Assurance Principles are intended to ensure it does achieve that in practice. We have recommended that all existing powers of data access or disclosure should be re-approved by Parliament as these powers have themselves been transformed by modern technology. We also call for effective forms of redress, and for an effective regulatory and judicial oversight over the use of such powers.

Public support for virtual identity will depend on trust and understanding. Our Nine Principles are designed to build that, but will only do so if members of the public know what they are, and that the authorities will obey them. That is why we have asked that, after the testing phase, the principles are written into law to ensure their general application.

Yours faithfully,
Guy Herbert, General Secretary, NO2ID
Louise Bennett, BCS Policy Board Member
Dave Birch, Consult Hyperion
Ian Brown, Professor of Information Security and Privacy, Oxford Internet Institute
Emma Carr, Director, Big Brother Watch
Dr Gus Hosein, Director, Privacy International
Dr Chris Pounder, Amberhawk
Dr Edgar Whitley, London School of Economics

No comments: