A blog by Steve Wood, Deputy Commissioner (Executive Director, Regulatory Strategy)
22 April 2021
Digital identity systems have started to come of age, driven by the opportunities and challenges of the digital economy and public services.
The public need safe and secure ways to establish their identity in light of the reality of how digital services work in their daily lives. Such systems need to recognise the risks of fraud and security that exist at present, such as through the continued reliance on paper records.
Inspiring trust and confidence in the public about how their personal data is used in a digital identity system is paramount, which is why we welcome the opportunity to provide our regulatory advice on how the UK Government’s digital identity and attributes trust framework should address data protection.
We recognise that the framework is currently an alpha ‘working’ version that will continue to be updated as proposals develop, as well as to reflect feedback received by the Department for Digital, Culture, Media and Sport (DCMS).
The ICO acknowledges that a digital identity system with strong governance and effective data protection safeguards can help improve public access to digital services and reduce security risks. We are therefore broadly supportive of the establishment of the framework. We have, however, highlighted that accountability for the way that personal data is processed must be present from the outset.
We also welcome the decentralised approach that the framework proposes, which provides a strong foundation for a ‘data protection by design’ approach that must be embedded across the system.
In a communication also aimed at data protection officers, digital service design teams, monitoring bodies and risk managers, we are supporting Government efforts to get the privacy considerations right, and are recommending that:
- Robust governance and clear accountability are established
- Any system be user-centric and boundaries around who controls personal data and how it is used and gathered be clearly established
- Effective measures are in place to address the data protection risks that relate to data minimisation and purpose limitation
- Organisations operating in the trust framework must have appropriate technical and organisational security measures in place to protect the personal data held in the system
The paper does not focus on COVID-19 status certificates – the Information Commissioner recently issued a separate blog on this issue.