Proposed privacy and data protection guidelines that will inform the government’s Identity Assurance Programme, the successor to the failed ID cards scheme, have been revealed the chair of a committee involved in the project.
Described by Cabinet Secretary Francis Maude as "Little Brother", the scheme involves partnering with private sector organisations to identify citizens and authenticate their transactions with government bodies.
The principles, revealed by Jerry Fishenden, chair of the Identity Assurance Programme privacy and consumer group, reflect an ambition to put individual citizens in charge of how their identity credentials are used.
They are as follows:
1. The User Control Principle: Identity assurance activities can only take place if I consent or approve them
2. The Transparency Principle: Identity assurance can only take place in ways I understand and when I am fully informed
3. The Multiplicity Principle: I can use and choose as many different identifiers or identity providers as I want to
4. The Data Minimisation Principle: My request or transaction only uses the minimum data that is necessary to meet my needs
5. The Data Quality Principle: I choose when to update my records
6. The Service-User Access and Portability Principle: I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want
7. The Governance/Certification Principle: I can trust the scheme because all the participants have to be accredited
8. The Problem Resolution Principle: If there is a problem I know there is an independent arbiter who can find a solution
9. The Exceptional Circumstances Principle: Any exception has to be approved by Parliament and is subject to independent scrutiny
These principles are in line with the EU’s proposed updates to its data protection laws, that seek to place more control over data held by organisations in the hands of the data subject. The principle of portability, for example, would fit with the proposed ‘right to be forgotten’, which obliges companies to delete data on request by the subject.
However, the principles would impose new obligations on the private sector "identity service providers", upon whose participation the scheme depends.
According to Patrick Curry, director of non-profit identity federation advisory the British Business Federation Authority, commercial service providers are unlikely to want to bear the cost of updating their ID management infrastructure to support these principles.
Curry said that the government will have to make more concessions to the requirements of businesses if they are to carry the cost of managing and authenticating citizens’ identities. "Until the government comes clean on a business/commercial model that works, it can only realistically expect government organisations to comply with these privacy principles," he said.
"Alternatively, Parliament could enshrine these principles in primary legislation making them mandatory for all business and government activities in UK," Curry added. "That is unlikely to happen as there would be major objections from the business community who would see this as tantamount to a restriction of trade. The principles are extremely difficult to implement even with a strong federated identity and access model, which the UK is nowhere near having. Hence the legislation could be unworkable."
Earlier this month, the Department of Work and Pensions tendered for identity management services in accordance with the identity assurance strategy. The department plans to spend £25 million on ID management services to help secure benefits payments, and is looking for a "multiplicity’ of suppliers to pitch for the business.
The government has yet to reveal which companies have expressed an interest in becoming "identity service providers", although the Post Office revealed its plans last month by tendering for third party assistance in building new ID assurance infrastructure.