Policy paper

Understanding attributes

Updated 2 August 2021

© Crown copyright 2021

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/attributes-in-the-uk-digital-identity-and-attributes-trust-framework/understanding-attributes

Read this guidance if you collect or create attributes and are interested in being an ‘attribute provider’ (also known as an ‘attribute service provider’) in the UK digital identity and attributes trust framework.

Anyone who becomes an attribute provider must follow the rules on how to create and share attributes.

You’ll usually have to meet extra requirements if you want to join a digital identity scheme as an attribute provider. These requirements will vary between schemes.

Attribute providers can choose to:

  • share attributes they hold
  • build and run services that let other people share attributes

What attributes are

Attributes are pieces of information that describe something about a person or organisation. Attributes can help people prove that they are who they say they are, or that they’re eligible or entitled to do something.

Some examples of attributes are:

  • someone’s hair colour
  • someone’s A levels or trade qualifications
  • someone’s bank account number
  • the number of people that work for a company

It’s likely that you already handle attributes in some way. You might call them something else, like ‘data’, ‘claims’ or simply ‘information’.

Recognising attributes

An attribute can be anything that:

  • a person or organisation is
  • a person or organisation has
  • is issued to a person or organisation by another person or organisation

Example Someone’s age is something they are, and their fingerprint is something they have. Their bus pass (which gives them discounted travel) is something that was issued to them by an organisation.

Recognising attribute providers

Anyone or anything that collects or creates attributes could become an attribute provider.

For example, an attribute provider could be:

  • any organisation that keeps information in a database
  • an organisation that runs a personal data store (PDS) app, which an individual can use to keep information about themselves
  • a rail company’s app that stores a customer’s train tickets
  • a handwritten list showing who has reservations at a restaurant
  • an organisation that can give qualifications, like a university or a driving test centre

In the current UK digital identity and attributes trust framework, only organisations can become attribute providers.

Attribute providers do not own the attributes they hold. This means a person or organisation should always have control over their attributes and how they’re used, regardless of how many attribute providers have them.

Attribute qualities

Changes to attributes over time

Some types of attributes will not change over time. For example, someone will not be able to change their natural eye colour, and the date a company was founded will always stay the same.

Other attributes might change over time. For example, someone’s address will change whenever they move. Their passport number will change when they get a new passport.

These attributes can become less valuable if the attribute provider that collects or creates them does not check they’re up to date.

Example A passport number that’s been checked recently is a valuable attribute for some organisations. It can become less valuable over time because the passport might have since expired or been cancelled.

There’s separate guidance on how to check when an attribute was last updated.

Attribute metadata

All the attributes you collect or share should include ‘metadata’ (information about the characteristics of the data).

The metadata describes something about the attribute or its history. For example, it might include:

  • who created the attribute
  • when it was created
  • when it was last checked for updates

Separate guidance on what the metadata could include will be available in the future.

Combining attributes

A single attribute can contain more than one piece of information.

Example Someone’s postcode can be an attribute in itself. It can also be part of an ‘address’ attribute.

Someone’s postcode can tell you if they’re eligible for certain things, such as becoming a patient at a nearby GP. When this happens, a person will be asked to provide either their postcode or their full home address.

Example Someone’s date of birth tells you when they were born, and it can also tell you if they’re over 18.

You can combine attributes yourself. You might do this to increase their value, to help users meet relying parties’ requirements or to save time.

Example Each user on a social media site has an ‘identity’ attribute. This is the name the user gave, which does not have to be their legal name.

The site can create another attribute by checking the person or organisation’s identity. For example, they might use the guidance on how to prove and verify someone’s identity to check they’re satisfied that a person is who they say they are. This could be recorded as ‘verified’ in an attribute called ‘verified status’.

The site could then combine the identity and verified status attributes to get a ‘verified identity’ attribute.

Digital identities

A digital identity is a specific example of how a combination of attributes can be used. For example, most people’s digital identities will include their name and date of birth (along with any other attributes needed to uniquely identify them).

You cannot share digital identities using this guidance. To share digital identities, you need to become an ‘identity service provider’ - there’s an introduction to the role in the UK digital identity and attributes trust framework.

Sharing attributes

When a user wants to do something online, they usually need to give the organisation they’re interacting with some information about themselves.

For example, if someone is disabled, they could get help buying a new car from the Motability Scheme. They must receive a qualifying benefit to apply. They currently need to prove this by taking some documents to a car dealer.

This information might exist as an attribute that was created or verified by an attribute provider, like the Department for Work and Pensions (DWP) or Veterans UK.

If the car dealer can request a digital version of the attribute, the user will not:

  • have to spend time finding the documents they need
  • need to give any documents to the car dealer in person
  • give the car dealer any wrong or incorrect information

The car dealer and attribute provider are responsible for doing certain checks before they share any attributes they hold.

The benefits of sharing attributes

There are several benefits to sharing attributes you hold with other organisations or individuals.

Make it easier for people to do things online

People can find it frustrating when they’re asked to give information about themselves before they do something online, especially if they:

  • have already given the same organisation that information before
  • cannot easily get or find the information they need

They will not need to do this as much if their digital attributes can be shared.

This will reduce the amount of time a user spends entering information about themselves, making it quicker and easier for them to do things online.

Prevent users from giving wrong or incorrect information

There’s a risk that a user could give an organisation wrong information. They might do this:

  • by accident, for example if they spell something incorrectly
  • on purpose, for example if they pretend they’re over 18 to place a bet online

An organisation is more likely to request information from an attribute provider that can supply reliable information. This is because attribute providers have a process for checking the:

  • information is correct
  • attribute belongs to the right person or organisation

This will help reduce the amount of time other organisations spend processing and checking the quality of their data.

Security benefits

Sharing attributes will also mean there are opportunities for data minimisation, using ‘attribute confirmation checks’. This is when information is only shared if it’s needed to give a user access to a service.

Example When buying some age-restricted products, a retailer only needs to check that a user is over 18. They do not need to know their exact date of birth.

Following the attributes guidance will help make sure that attributes are managed and shared securely. This can help to protect people and organisations from identity fraud.

Back to top