Consultation outcome

Additional information: GOV.UK One Login

Updated 26 June 2023

© Crown copyright 2023

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/consultations/draft-legislation-to-help-more-people-prove-their-identity-online/outcome/additional-information-govuk-one-login

How GOV.UK One Login processes personal data to help people prove who they are, to access services online

GDS, together with other government departments, is developing a new system called GOV.UK One Login. GOV.UK One Login allows people to create an account, sign in, and prove who they are so that they can access government services online. GOV.UK One Login is already operational and successfully providing people with access to its first set of government services, which will grow over time.

Proving a person’s identity when using government services is not new. GOV.UK One Login makes it quicker and simpler for people to do this online and, over time, the service will be extended to include those currently excluded from digital channels. This process uses the minimum required amount of  personal data. This data is kept safe and secure.

To support GOV.UK One Login, the Cabinet Office is developing new legislation to enable checks against a wider range of trusted data that is already held by participating public bodies, such as government departments. This supports our aim to help as many people as possible use online routes to access services.

The consultation on the proposed legislation was published earlier this year, seeking views from the public, and the government recently published its response. One of the themes emerging from the consultation was the need for more transparency about how GOV.UK One Login currently operates and the types of data used to help people prove who they are online. This additional information document therefore outlines:

  • the government services currently using GOV.UK One Login
  • our commitment to data protection
  • the data that GOV.UK One Login currently processes to enable you to prove your identity online

Government services currently using GOV.UK One Login

Sign in only (Sign in involves us confirming that you are the same returning user. These services do not require you to prove your identity):

  • Department for Business and Trade: Licensing for International Trade and Enterprise
  • Department for Education: Apply to be an Ofqual Advisor
  • Home Office: Modern Slavery Statement Registry

Sign in and prove your identity (Proving your identity involves confirming you are who you say you are):

  • Driver & Vehicle Standards Agency: Apply for a Vehicle Operator Licence
  • Home Office: Disclosure and Barring Service Basic Check
  • Social Work England: Register to be a Social Worker
  • HM Land Registry: Sign Your Mortgage Deed

Prove your identity via the GOV.UK One Login app

  • HM Revenue and Customs: Government Gateway services

Additional sign in only services

  • GDS: GOV.UK Subscriptions. (Allows GOV.UK One Login users to set up and receive GOV.UK subscriptions and alerts)

Our commitment to data protection

GOV.UK One Login has strict data protection processes in place. All data sharing in GOV.UK One Login is compliant with data protection legislation and guidance published by the Information Commissioner’s Office (ICO). This will remain the case for any and all data sharing subsequent to the proposed legislation.  Furthermore, all data sharing using Digital Economy Act 2017 powers must adhere to the statutory underpinning Codes of Practice which includes penalties for misuse.

Under the Code of Practice’s data sharing principles, public bodies sharing information under the powers are required to minimise the amount of data shared, and ensure this is the minimum required for the purpose of achieving the specified objective, using methods which avoid unnecessarily sharing or copying of large amounts of personal information.

The Government will publish a version of the GOV.UK One Login Data Protection Impact Assessment (DPIA) in due course, on the GOV.UK website, so it is accessible to the general public.

More information on how GOV.UK One Login is using data is available by accessing the GOV.UK One Login Data Ethics Assessment and in the GOV.UK One Login privacy notice.

GOV.UK One Login is also committed to adhering to the key tenets of the UK digital identity and attributes trust framework, which outlines the standards and rules for digital identity systems to follow.

The personal data that GOV.UK One Login currently processes when you’re proving who you are online

This section outlines the data GOV.UK One Login currently processes to enable you to prove who you are online. This includes any data which is collected by GOV.UK One Login and shared with other government services, when you are trying to access that service. Any additional data that will be checked or shared by GOV.UK One Login under the proposed legislation, if and when it is passed, will be summarised in the Digital Economy Act’s Register of Information Sharing Agreements.

1. Email address

Description

User creates a username for their GOV.UK One Login account, which must be a valid email address.

Why should it be collected?

Email address as a username:

  • To set up a GOV.UK One Login account
  • To enable a user to authenticate and log into a GOV.UK One Login account

Email address as a contact:

  • To notify users about changes to their account, such as password changes or account deletion
  • To support account recovery
  • To provide a means of contact for the support centre
  • To notify users about any unusual sign in behaviour detected, to protect user information

Is it collected in every case?

Yes.

Is it checked against an authoritative data source for the purpose of identity verification?

No.

Will it be shared with other government services?

Yes, only with the service the user is accessing.

2. Password

Description

User creates a password for their GOV.UK One Login account.

Why should it be collected?

  • To secure the GOV.UK One Login account
  • To enable a user to set up a GOV.UK One Login account, and to authenticate and log into it

Is it collected in every case?

Yes.

Is it checked against an authoritative data source for the purpose of identity verification?

No.

Will it be shared with other government services?

No.

3. Phone number

Description

Mobile phone number.

Why should it be collected?

  • To enable a user to set up a GOV.UK One Login account, and to authenticate and log into it
  • To distinguish one person from another
  • To support proof of identity
  • To match the person trying to access the service to existing records held by other government services

Is it collected in every case?

No.

Is it checked against an authoritative data source for the purpose of identity verification?

No.

Will it be shared with other government services?

Yes, where the user is accessing that service.

4. Name

Description

The user’s name(s).

Why should it be collected?

  • To distinguish one person from another
  • To support proof of identity
  • To match the person trying to access the service to existing records held by other government services

Is it collected in every case?

Yes.

Is it checked against an authoritative data source for the purpose of identity verification?

Yes.

Will it be shared with other government services?

Yes, where the user is accessing that service.

5. Date of Birth

Description

The user’s date of birth.

Why should it be collected?

  • To distinguish one person from another
  • To support proof of identity
  • To match the person trying to access the service to existing records held by other government services

Is it collected in every case?

Yes.

Is it checked against an authoritative data source for the purpose of identity verification?

Yes.

Will it be shared with other government services?

Yes, where the user is accessing that service.

6. Address

Description

Current and previous addresses from within the last 3 years.

Why should it be collected?

  • To distinguish one person from another
  • To support proof of identity
  • To match the person trying to access the service to existing records held by other government services
  • To prevent fraud

Is it collected in every case?

No.

Is it checked against an authoritative data source for the purpose of identity verification?

Partially. We check:

  1. Whether it is a valid address.
  2. Whether there are any identity fraud indicators associated with that address.

Will it be shared with other government services?

Yes, where the user is accessing that service.

7. Evidence document data

Description

Data from a document provided by a user to prove their identity.

Currently GOV.UK One Login can accept a Passport, a Driving Licence, and a Biometric Residence Permit.

Why should it be collected?

  • To support proof of identity
  • To prevent fraud

Is it collected in every case?

  • Yes, for services that require proof of identity and when the user follows a route that needs the provision of this information
  • The user does not have to supply information from all these documents; they may decide which ones to use
  • No, for services that only require account sign in

Is it checked against an authoritative data source for the purpose of identity verification?

Yes.

Will it be shared with other government services?

Yes. We do not share this data as default. It is only shared in very limited cases to prevent identity fraud.

8. Knowledge-based evidence

Description

Answers a user gives to questions only they should know, used to prove they are who they say they are - e.g. a question about their finances.

Why should it be collected?

  • To support proof of identity
  • To prevent fraud

Is it collected in every case?

  • Yes, for services that require proof of identity and when the user follows a route that needs knowledge-based questions
  • No for services that only require account sign-in

Is it checked against an authoritative data source for the purpose of identity verification?

Yes.

Will it be shared with other government services?

No.

9. Identity check outcomes

Description

The outcome of any identity checks and the level of verification held by the user against the Good Practice Guide (GPG) 45 framework.

Why should it be collected?

To enable users to access government services.

Is it collected in every case?

  • Yes for services that require proof of identity
  • No for services that just require account sign-in

Is it checked against an authoritative data source for the purpose of identity verification?

N/A - this data are the outputs from checking other data with authoritative sources.

Will it be shared with other government services?

Yes, where the user is accessing that service.

Back to top