The UK government’s identity management plan

The way in which UK government departments treat the identity of citizens is wildly inconsistent, in many cases governed by business processes that were defined decades, if not hundreds of years, ago. Not only do these processes have well-documented holes in how they verify identity, but their different approaches create huge inefficiencies and duplication of effort.

Katherine Courtney hopes to eliminate much of that. As programme director for the Home Office’s National Identity Card scheme, she is leading the nationwide identity management implementation that the government intends to roll out over the next two years.

Speaking at the Effective IT Summit 2006, Courtney highlighted the issue with an example: the experience of someone accused and convicted of a crime. The initial job of establishing the suspect’s identity is carried out by police, using their own ID management systems. When the case moves onto the courts, the criminal justice system, the prison service and the rehabilitation services separately process the person’s identity using their own, case-centric systems and authentication processes.

This repetition, of which there are many parallels in the public and private sectors, requires the same information to be provided, stored, and checked again and again.

“A huge chunk of the information that is being asked for, and a significant part of the business process, is concerned with identifying the person you are actually dealing with,” explained Courtney. “Only after that part of the process is complete do you add value with whatever service you are providing.”

One consequence of the outmoded form of identity management currently employed by the State’s various departments is that it provides plenty of opportunity for individuals to lie – with fraudulent intent. Courtney cited the early 2006 examples in which the UK’s tax credit service was defrauded of millions of pounds after criminals stole data on several thousand employees (in separate incidents involving staff at Network Rail and the Department of Work and Pensions) and used those identities to make fraudulent claims.

To reduce the risk of this – and the burden that inefficient identity management places on departmental resources – a single process of authenticating citizens’ identities and a central repository of identity information is vital, she said. And the government’s ID cards programme (which passed into law in late March) is a central plank in the drive to cut administration costs through ‘Shared Services’.

Under the new legislation, ID information such as home address and date of birth is to be housed in a central National Identity register, along with thirteen biometric identifiers (a facial pattern, scans of both irises and ten finger prints). Starting in 2008, that identifying information is to be gathered when citizens apply for passports, although they can opt out of obtaining an ID card until 2010.

Private identity

Through identity federation technology, other government departments and accredited private sector organisations will be able to use this information to quickly establish or confirm the identity of a citizen with whom they are dealing. With the exception of the emergency services, all access to an individual’s identity information will require that person’s consent, a principle that has informed the proposed design of the infrastructure from its inception.

Partner organisations, – in both the public and private sectors – will have read-only access to information stored in the national identity register, alleviating the need for their own identity investigations. Crucially, although it is a shared information service, no authority other than the National Identity register will have the capability to change records.

“We want to preserve the principle that the identity information in the central repository should be closely guarded,” explained Courtney. “Having multiple routes to changing the information defeats that principle.”

But the services of the National Register will be flexible, said Courtney. Businesses that can prove they have a legitimate need to use the identity data will have a number of ways to access it, depending on the requirements of the situation.

“Not all businesses require six pieces of identification information from their customers,” said Courtney. “Instead, they can make a risk-based decision. If you are hiring an airline pilot, for example, you would want to check that the person standing in front of you is the person they claim to be, and that they have the credentials to fly the plane. But if you are checking proof of age for someone buying alcohol, you just need to be able to look at the picture and the date of birth.”

The technological details of the scheme have yet to be finalised: Although it is currently the plan to make the national register a single, massive database, Courtney said her organisation is still open to alternative suggestions, including a federated database design.

But whatever the eventual specifications of the infrastructure, the success of the project depends more on the trust among citizens in the security of the information, and in the government’s policing of its use. “That has less to do with the technology, and more to do with the people and the processes that we build around it,” she said.

Further reading

The necessary adoption of blockchain by government – Blockchain will evolve from beyond its application in finance and serve its purpose in government for identity, access to services and elections

Pete Swabey

Pete Swabey

Pete was Editor of Information Age and head of technology research for Vitesse Media plc from 2005 to 2013, before moving on to be Senior Editor and then Editorial Director at The Economist Intelligence...

Related Topics

Identity Management