Checks and balances: Westminster’s verification challenge

The government is aiming to make it easier for citizens to access a range of key public services, but it has a delicate path to tread with its new system
Istock 521074823

Expensive, intrusive and unjustified – these are just some of the words that civil liberties groups and other critics have used to describe the UK’s government’s plans to introduce digital identity systems in the recent past. It’s hoping to avoid such a response after its replacement of the troubled Verify online ID verification platform with a system called One Login. Dozens of departments are expected to migrate to it. 

The Government Digital Service (GDS) claims that the incoming tech will provide “a fast and simple way for people to access government services, while maintaining stringent safeguards on user data and protecting against fraud”. 

In a world that’s becoming ever more connected, digital IDs make sense. Research published by McKinsey estimates that their use in the UK could unlock economic value equating to 3% of GDP in 2030.

Plenty is riding on the success of One Login too. If large numbers of people were to have trouble accessing the key services beyond this new gateway, there would be serious ramifications, notes Dan Prince, professor in security and protection science at Lancaster University.

“This wouldn’t be as simple as being unable to log into your social media account and view your favourite celebrity’s posts,” he says. “In this case, you might not be able to receive your benefits, say, or renew your passport.”

He suggests that, although the system should run smoothly for most users, merging government service log-ins will introduce a single point of failure. If anything were to go wrong, the GDS would need to throw resources at getting the problem fixed quickly. 

“Failures in a digital ID system, along with a poor, slow response, increase the likelihood that the system will become untrusted,” Prince warns. “That could damage public trust in the government and wider digital services.” 

Failures in a digital ID system, along with a poor, slow response, increase the likelihood that the system will become untrusted

People seem largely receptive to the idea of a digital ID system. Research published in March by the Entrust Cybersecurity Institute revealed that 70% of the 1,450 consumers it had surveyed would ­probably “use an electronic form of government-issued ID if one were available”. Their most cited perceived benefit of doing so was an increase in convenience. These respondents deemed sharing their personal data to be an acceptable trade-off for such a gain. 

Westminster does seem to be taking concerns about data privacy seriously. At the start of this year, the Cabinet Office held a two-month public consultation to determine whether departments can improve how they use the data they hold to help people prove their identities online. At the time of writing, the government still hasn’t finished analysing the responses.

The GDS has stressed that it will continue to comply with the data protection legislation and guidance provided by the Information Commissioner’s Office. In particular, it will uphold the principle of data minimisation, as set out in the Data Protection Act 2018. This requires data controllers to limit the collection of personal information to the smallest amount required to verify a person’s identity. 

Dr Felipe Romero-Moreno, prin­cipal lecturer at Hertfordshire Law School, applauds “the government’s decision to take a ‘data protection by design and default’ approach”. In effect, this means that it is “considering privacy issues and safeguarding individual rights up front”, but there are caveats. 

He explains: “The government must lay down clear responsibilities for verification organisations and differentiate between data controllers and data processors. People must always be able to know who is processing their data, when they’re doing it and why.” 

Romero-Moreno adds that, if One Login is to prove fit for purpose, the government must ensure that the many British citizens who can’t or won’t access digital ID systems are not put at a serious disadvantage. 

Prince agrees, noting that “the key thing to remember is that identity shouldn’t be a digital-only concept. The use of digital technologies reduces friction between systems and makes things more efficient, but the ID system needs to embody a process that can be run without ­digital technology.”

The government must lay down clear responsibilities for verification organisations and differentiate between data controllers and data processors

Research published by Ofcom in 2021 estimated that between 1.3 million and 1.8 million UK households did not have home internet access. Older people are particularly likely to be digitally excluded. It’s vital that the government makes it easier for these “non-digital natives to use physical processes to identify themselves in physical locations”, Prince argues. While this might not be as efficient as online verification, it should provide fair and equal access to government services and ensure that the UK’s digital transformation is inclusive. 

The government at least acknow­ledges the need to retain alternative gateways to essential public services. The GDS has stressed that One Login “is not about replacing existing offline and face-to-face routes, which we know some users need”.

The government has also made it clear that One Login is not “about the creation of an ID card”. 

The idea of storing individual public records on personal devices was talked up recently by Sir Tony Blair and his old opponent across the despatch box, Lord Hague. In a report published in February, the pair argued that it was “illogical” not to make such records as easily accessible as airline tickets, banking details and vaccine statuses. Number 10 rejected their calls.

Regardless of whether the UK eventually adopts digital ID cards, the government must remember that any such system has to put ­citizens first, says Romero-Moreno.

“The right to personal identity is a human right enshrined in international law. It’s closely connected with personality rights (the right to one’s voice, name, image and so on) and the right to life, privacy and freedom of expression,” he says. “It is therefore crucial that the government refrains from adopting a narrow meaning of personal identity and implements its verification system in a human rights-compliant way.”