DBS digital identity verification guidance
Updated 9 December 2022
© Crown copyright 2022
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/dbs-identity-checking-guidelines/dbs-digital-identity-verification-guidance
This is the Disclosure and Barring Service (DBS) digital identity (ID) verification guidance. This guidance sets out how Registered Bodies (RBs) and Responsible Organisations (ROs) can undertake digital identity verification, for the purpose of verifying an individual’s identity, as part of an application for a DBS check. A glossary can be found at the end of this guidance document.
Introduction
1.1. This guidance sets out how RBs and ROs can meet their obligations under the DBS Code of Practice (for RBs), and under the Basic check processing standards (for ROs), when an RB or RO as a Relying Party uses certified identity service providers (IDSPs) for digital ID verification.
1.2. The guidelines outlined within this guidance document and the corresponding operational procedures appendix are equivalent to:
- the ID checking guidelines for Standard/Enhanced DBS check applications from 1 July 2021
- the Basic DBS check ID checking guidelines from 1 July 2021
1.3. This guidance sets out the rules and standards to validate a person’s identity, for processing Basic DBS checks (medium confidence) and Standard, Enhanced, or Enhanced with Barred Lists DBS checks (high confidence). These are the DBS’ identity evidence verification criteria.
1.4. It is a legal requirement and a condition of registration for Registered Persons (or their authorised agents) to apply the identity evidence verification criteria set by DBS. If a Relying Party uses the services of another person (such as an IDSP) to verify identity, the Relying Party must ensure that those other persons are: i) suitable, ii) provide appropriate training and guidance, and iii) the person discharges their duties in accordance with DBS’s identity evidence verification criteria.
1.5. The 2015 update to the DBS code of practice (PDF, 55KB) recognises the role of RBs in ID verification and the associated guidance published on GOV.UK. An extract from the code of practice is as follows:
“Identity verification Registered Bodies must:
- verify the identity of the applicant prior to the submission of an application for a DBS product by following the current guidelines issued by DBS
- ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by DBS
- make sure Lead or Countersignatories do not validate their own applications for any DBS products”
1.6. The Basic check processing standards recognises the role of Responsible Organisations in identity verification and the associated guidance published on GOV.UK. An extract from the processing standards is as follows:
“Identity verification Responsible Organisations must:
- verify the identity of the applicant prior to the submission of an application for a basic check by following the current guidelines issued by DBS.
- ensure that any person undertaking identity verification checks on their behalf follows the current guidelines issued by DBS.”
1.7. This guidance makes extensive reference to the DCMS UK digital identity and attributes trust framework (UKDIATF). The UKDIATF will make provision for IDSPs to be certified as providers of identity verification services.
1.8. The UKDIATF also defines the organisational responsibilities of IDSPs that must be met, in order to be certified, and references the Government Good Practice Guide 45 (GPG45) as the standard that is used to define how identities should be verified. GPG45 defines ‘levels of confidence’ in ID verification and defines ‘identity profiles’ that can meet the levels of confidence. The UKDIATF is currently in draft form and will be refined and amended as we move into the live phase post-legislation. In the interim IDSPs will be certified against the most recent version of the Trust Framework available at the time of certification. This will mean using a certification body which has been accredited by the UK Accreditation Service (UKAS) against the UKDIATF. Once certified IDSPs will be required to undertake annual surveillance audits and biennial recertification against the most recent version of the UKDIATF available at the time.
1.9. DCMS recommend IDSPs monitor and feedback on the UKDIATF as it develops to ensure they can meet any additional requirements which are not part of the DBS Identity Trust Scheme during the UKDIATF’s initial phases.
Trust
Risk assessment
This guidance does not replace the Relying Party’s responsibility to carry out a risk assessment for every transaction. The Relying Party remains liable for undertaking their own due diligence. The ID verification process forms a part of the risk assessment. Certified providers must undertake their own risk assessment during the ID verification process. The use of certified IDSP’s who are providing a verified identity to the required Level of Confidence (LoC) simplifies the risk assessment process. The risk assessment will identify the LoC required and a Relying Party can rely on a verified identity from a certified IDSP as having met the required LoC. A Relying Party does not need to undertake additional due diligence on the IDSP or the verified identity if the LoC meets the required level. The DBS sets the evidence verification criteria for relying parties, and it is for the Relying Party to ensure that third parties comply with those criteria. A Relying Party can show it has met its obligations in respect of identity verification by using a certified IDSP and demonstrating that the LoC asserted meets the risk profile.
Relying Parties must therefore ensure the identity has been verified in accordance with the DBS digital identity verification guidance at the time the identity is asserted.
Trusting an IDSP
The DBS code of practice and Basic check processing standards supports the use of third-party identity providers for ID verification, enabling RBs and ROs to delegate the activity to third parties or customers. This guidance meets this requirement by requiring third-party providers to undertake ID verification following GPG45 and be part of a government or industry trust scheme that requires certification of IDSPs. DBS’ scheme has adopted specific profiles of GPG45 as the basis of its ID verification requirements for IDSPs. This guidance will be compliant with the requirements of the UKDIATF. Therefore, IDSPs that are certified and assessed to meet the terms of the UKDIATF, and whose certification includes those specific profiles, will be able to certify their compliance with this guidance. IDSPs may choose to be certified to reach GPG45 medium confidence and/or GPG45 high confidence.
IDSPs must confirm to the relying party the identity has been verified in accordance with the DBS digital identity verification guidance at the time the identity is asserted.
Certification and audit
RBs and ROs must use the services of a certified IDSP when using digital identity verification. This ensures that trust in the IDSP is founded on compliance with the rules of the scheme. If RBs or ROs undertake digital ID verification using their own processes, they will be required to undergo certification as an IDSP. More information can be found in section 3.
Using a certified IDSP
Certified IDSPs
Certified IDSPs are approved companies responsible for validating the identity of a DBS check applicant on behalf of an RB or RO, known as the Relying Party. Certification will align to the requirements and standards set out in the UKDIATF.
IDSPs carrying out identity verification for DBS checks must demonstrate the following through independent certification:
- meet the requirements set out in the latest version of the UKDIATF available at the time of certification by an independent body
- the above certification must demonstrate the information security requirements in 3.1.1 are met
- the above certification must demonstrate the identity assurance requirements in 3.1.2 are met
- compliant with the requirements listed in section 4
3.1.1 Certified against industry standards for information security
Certified companies must have appropriate information security management systems in place to look after people’s data and keep it secure. They must be certified to confirm that they meet an industry standard for information security management. This involves demonstrating that they have adequate processes in place to look after information securely and safely, and how they set up, maintain, and continuously improve an information security management system (ISMS). The ISMS must meet the requirements of ISO/IEC 27001:2013 or another recognised standard that includes all the requirements of ISO/IEC 27001:2013.
3.1.2 Certified against government standards for identity assurance
Certified companies also have to be certified by an independent certification body to assure that their service meets DBS’ standards for identity assurance. The service auditors are accredited by the United Kingdom Accreditation Service (UKAS) for carrying out service assessments. Certification will confirm the Identity Service Provider meets the requirements set out in thein the UKDIATF and these DBS digital identity guidelines.
Certified IDSPs and associated authorised profiles are published by the independent certification body. A full list of certified IDSPs is published and maintained by DCMS.
3.1.3 Illustrative examples when using a Certified IDSP.
Example 1
A DBS Responsible Organisation (RO) that manages Basic Disclosure checks, has elected to offer its users a digital identity check method, when processing a DBS application.
The RO has chosen to integrate its online system directly with an Identity Service Provider (IDSP).
In doing so the RO has satisfied itself of the following:
- the IDSP is certified to the UK digital identity and attributes Trust Framework and DBS digital identity guidelines;
- the IDSP result confirms the identity check meets DBS requirements;
- the IDSP’s audit certificate confirms they have been approved to conduct an identity check using GPG45 profiles to achieve a medium confidence level as a minimum;
- the IDSP’s output report provides all of the information specified in section 4.5 of the DBS digital identity guidelines;
- the RO must ensure the verified applicant data received from the IDSP is consistent with the data sent to DBS.
The RO will retain the IDSP output report in compliance with Section 4.6 of this document.
The chosen IDSP is also able to offer its users a re-usable digital identity. This allows the verified identity to be used multiple times and for other uses. The re-usable identity must be certified to meet the DBS requirements and its authentication processes are in compliance with Section 4.8 of this guidance document.
Example 2
Carmen is a doctor and is moving to a new hospital to work.
As part of her background checks she must prove her eligibility to work in the UK, establish her identity for a DBS check and confirm that she has the relevant qualifications before being able to start work at the hospital.
The hospital has contracted directly with a certified Identity Service Provider (IDSP) to confirm an employee’s Right to Work and prove identity for a DBS check.
The hospital uses a DBS registered Umbrella Body to manage its DBS applications online and receive e-results.
The hospital invites Carmen to prove her identity and Right to Work by providing access to their IDSP to upload her in date British passport. At the same time the IDSP asks Carmen to establish her identity for a DBS Check to a high level of confidence.
The hospital will use the digital identity check for Carmen’s DBS application via the Umbrella Body online system.
The Umbrella Body accepts the identity check once they have satisfied themselves of the following:
- the IDSP is certified to the UK digital identity and attributes Trust Framework;
- the IDSP output report confirms the identity check meets DBS requirements;
- the IDSP’s audit certificate confirms they have been approved to conduct an identity check using the GPG45 profile specified in the output report;
- the IDSP’s output report provides all of the information specified in section 4.5 of the DBS digital identity guidelines;
- the applicant’s current address has been verified 90 days prior to the application being sent to DBS.
The Umbrella Body is able to confirm the above points directly with the IDSP if the information needs to be substantiated, or in the event of a DBS audit / investigation. The Umbrella Body must retain the IDSP output report in compliance with Section 4.6 of this document.
Example 3
A DBS Registered Body (RB) has elected to build its own digital identity service.
The RB acknowledges its identity service will need to fulfil the requirements of a separate audit and certification regime.
Identity Service Providers (IDSP) must be independently certified by one of the UKAS recognised Certification Bodies to the UK digital identity and attributes Trust Framework and DBS digital identity guidelines.
Once the organisation’s digital identity service has successfully completed its audit and is listed by DCMS as a certified IDSP; then the RB may use its digital identity service for DBS checks.
Verifying identities
IDSPs
Verifying an individual’s identity following GPG45 requires IDSPs to follow a process known as ‘identity checking’. This process is made up of 5 parts:
- get evidence of the claimed identity
- check the evidence is genuine or valid
- check the claimed identity has existed over time
- check if the claimed identity is at high risk of identity fraud
- check that the identity belongs to the person who’s claiming it
Each step of the process is scored, and these scores are used to determine what LoC has been achieved.
Identity profiles
There are several ways to combine the scores you get for each part of the identity checking process. These combinations are known as identity profiles. GPG45 has four LoCs. You are required to meet the following:
4.2.1 Basic DBS check – medium confidence
This is the minimum LoC required for a Basic DBS check. ROs may choose to proof individuals to the higher LoC required for a Standard, Enhanced, or Enhanced with Barred Lists DBS check.
4.2.2 Standard, Enhanced, and Enhanced with Barred Lists DBS check – high confidence
This is the minimum LoC required for a Standard, Enhanced, and Enhanced with Barred Lists DBS check. To meet an identity profile, your scores must be the same as, or higher than, the scores needed for each check. Do not add your scores up. You do not need to do an activity history or identity fraud check to meet some identity profiles. DBS recommends an identity fraud check is undertaken on the claimed identity for all profiles, including those where GPG45 profile does not require it.
Right to work
It’s important to note that a DBS check does not provide evidence of a person’s right to work in the UK. You must do a separate check to make sure a job applicant is allowed to work in the UK which also includes roles for voluntary work. IDSPs may also be certified to undertake right to work checks. This means a single check may be used to confirm a person’s right to work eligibility and identity for a DBS check.
Additional attributes
4.4.1. Name verification and previous names
The applicant’s identity must be verified against the claimed identity’s current ‘official name’. The ‘official name’ must be used for the DBS check, and is the name on official documents the applicant may have, such as their passport. The applicant must also declare all previous name changes to the Relying Party.
4.4.2. Current address and five-year address history
The applicant’s current permanent address must be verified within 90 days of the application being sent to DBS by either:
- an authoritative source through a certified IDSP; or
-
providing documentary evidence to the Relying Party from the list of documents set out in the following DBS ID guidelines (dependent on the level of DBS check being requested):
- ID checking guidelines for Standard/Enhanced DBS check applications from 1 July 2021
- Basic DBS check ID checking guidelines from 1 July 2021
The permanent address will be the applicant’s correspondence address and where DBS will send the DBS certificate. See further guidance on addresses. If the applicant’s current address is verified using documentary evidence as set out in the DBS Identity Guidelines then a record should be retained by the Relying Party for DBS audit purposes; specifying evidence checked by, date of check and the documents used. For DBS checks, the applicant must also declare a minimum of 5 years’ address history to the Relying Party. The applicant must make sure they fill in the address part of the form correctly if they have an unusual address, for example if they live abroad, in student accommodation, or in a hostel.
Required subject information
For each identity verified by the IDSP the following attributes must be provided:
| Field name | Mandatory / Optional | Sent to DBS |
|---|---|---|
| Forename | Mandatory | Y |
| Middlenames | Mandatory if applicable | Y |
| PresentSurname | Mandatory | Y |
| DateOfBirth | Mandatory | Y |
| CurrentAddressVerified (Y/N) | Mandatory | N |
| CurrentAddress | Mandatory if sourced from IDSP <note: must be verified within 90 days prior to application> | Y |
| Date of address check | Mandatory if sourced from IDSP | N |
| IdentityVerified (Y/N) | Mandatory | Y |
| EvidenceCheckedBy | Mandatory <note: IDSP name as certified by certification body> | Y |
| Passport Details | Mandatory if sourced from IDSP | Y |
| Driving Licence Details | Mandatory if sourced from IDSP | Y |
| GPG45 profile | Mandatory | N |
| GPG44 level | Mandatory if applicable | N |
| Subject ID | Mandatory | N |
Relying Parties retain their responsibility to: ‘Ensure that applications for a DBS product are completed accurately and that all data fields determined by DBS as mandatory are completed in full.’ As detailed in the DBS Code of Practice (PDF, 55KB) and Basic Check Processing Standard.
e-Bulk enabled Relying Parties submitting data to DBS will continue to meet the requirements set out in the Business Message Specification (BMS) e-Bulk Interface BMS P3 (PDF, 989KB).
Relying parties submitting Basic Disclosure will continue to meet the requirements set out in the Web Service specification (WSS), INT022 Submit Disclosure Application
4.5.1. Data Structures
The following data ‘Structures’ are referenced in the BMS and provided below for information:
a) Current address date
The ‘Current Address Date Structure’ is used to provide an address and to associate that address with the period during which the applicant has been resident at the address.
| Field name: | Mandatory or optional: | Sent to DBS |
|---|---|---|
| Address | Mandatory | Y |
| ResidentFromGyearMonth | Optional <note: field data must be provided by Relying Party if not available from IDSP> | Y |
b) Passport details
The ‘Passport Structure’ is used to provide details obtained from the applicant’s passport when used.
| Field name: | Mandatory or optional: | Sent to DBS: Std/Enh’d | Sent to DBS: Basic |
|---|---|---|---|
| PassportNumber | Mandatory | Y | Y |
| PassportDob | Mandatory for Std/Enh’d only | Y | N |
| PassportNationality | Mandatory, if applicable | Y | Y |
| PassportIssueDate | Optional <note: field data must be provided by Relying Party for Std/Enh’d checks if not available from IDSP> | Y | N |
c) Driver licence details
The ‘Driver Licence Structure’ is used to provide details obtained from the applicant’s UK driving licence when used.
| Field name: | Mandatory or optional: | Sent to DBS: Std/Enh’d | Sent to DBS: Basic |
|---|---|---|---|
| DriverLicenceNumber | Mandatory | Y | Y |
| DriverLicenceDOB | Mandatory for Std/Enh’d only | Y | N |
| DriverLicenceType | Mandatory for Std/Enh’d only | Y | N |
| DriverLicenceValidFrom | Mandatory for Std/Enh’d only | Y | N |
| DriverLicenceIssueCountry | Mandatory for Std/Enh’d only | Y | N |
Data retention
The Relying Party must maintain an audit trail showing details of each application submitted, including the data from the IDSP, which must be kept for a minimum of 12 months and made available to the DBS if requested.
Choosing an identity profile
GPG45 treats all profiles within a Level of Confidence as being equal. DBS recommends that the strongest piece of evidence available is used, to prove the identity exists such as the Passport, and the strongest method of matching the individual to this evidence.
If the applicant also holds a driving licence and / or a national insurance number, the Relying Party should continue to capture this information to support the DBS matching process.
Reusable identities
IDSPs or attribute service providers that want to create a reusable digital identity or attribute service, must link the digital identity and/or attributes to an authenticator (such as a password, piece of software, or device). You must follow the guidance on using authenticators to protect an online service. This is also known as GPG44 as specified in 13.1 in the UKDIATF.
IDSPs protecting reusable digital identities must meet the requirements specified in GPG44 and include medium quality authenticators as a minimum.
See Section 8.0 for further information.
Glossary
Attribute service provider
An attribute service provider (ASP) is a specialist data provider that may provide ‘attributes’ as part of the ID verification process. The UKDIATF strongly recommends that ASPs are certified under the trust framework. It is likely that IDSPs will use ASPs as part of their verification process, in which case it is likely that the IDSP certification process will include assessment of the accuracy of the attributes, rather than certification of the ASP themselves.
Authoritative source
An authoritative source may verify a particular piece of information about the applicant’s identity and is defined in GPG45.
Basic DBS check/certificate
A Basic DBS certificate is a DBS product that shows unspent convictions and conditional cautions.
Certification
Independent certification builds trust that approved IDSPs will protect a DBS applicant’s privacy and keep their data safe and secure. Certification will be undertaken by an independent certification body to assure their service meets DBS’ standards for identity assurance.
Bodies that have applied for the pilot assessment programme to become accredited to certify against the UK Digital Identity and Attributes Trust Framework are recognised by UK Accreditation Service (UKAS).
Disclosure and Barring Service
The Disclosure and Barring Service (DBS) delivers disclosure and barring functions on behalf of government. This includes DBS checks for England, Wales, Jersey, Guernsey, and the Isle of Man, and barring functions for England, Wales, and Northern Ireland. More information about DBS and how we work to make recruitment safer can be found on the DBS website.
Enhanced DBS check/certificate
An Enhanced DBS certificate is a DBS product that shows spent and unspent convictions, cautions plus any information held by local police that is considered relevant to the role being applied for.
Enhanced with Barred Lists DBS check/certificate
An Enhanced with Barred Lists DBS certificate is a DBS product that shows the same as an Enhanced DBS certificate, alongside whether the applicant is on the Adults’ Barred List, Children’s Barred List, or both.
Good Practice Guide 45
The Good Practice Guide 45 (GPG45) is the government standard for identity verification, against which IDSPs will be certified.
Identity profile
GPG45 has four levels of confidence in terms of proof of identity. These are:
- low confidence
- medium confidence
- high confidence
- very high confidence
This guidance document refers to medium confidence and high confidence only.
There are several ways to combine the scores you get for each part of the identity checking process. These combinations are known as ‘identity profiles’.
Identity service providers
An identity service provider (IDSP) is a provider of ID verification services. In the context of this DBS guidance document, they will be certified to provide ID verification to specific levels of confidence, specified by government standards. IDSPs are sometimes referred to as ‘identity providers’.
Certified IDSPs and associated authorised profiles are published by the independent certification body. A full list of certified IDSPs is published and maintained by DCMS.
Identity verification
Identity verification (IDV) refers to the process of proving that an identity exists and that the individual making the claim (applying for the DBS check) is the owner of the identity.
Level of confidence
Completion of the identity proofing process will result in a proof that has a ‘level of confidence’ (LoC). The higher the LoC, the stronger the evidence required to support that LoC. The evidence needed to achieve an LoC is defined within GPG45.
Operational procedures
An appendix covering operational procedures has been included in this document for clarification on how to implement these guidelines using GPG45. The appendix aims to remove ambiguity and interpretation that exists within GPG45, to allow IDSPs to develop solutions with certainty and provide a simple reference for auditors to certify against.
Orchestration service provider
Orchestration service providers, also known as orchestration providers, enable data to be securely shared between participants in the trust framework, through the provision of their technology infrastructure.
Registered Body
A Registered Body (RB) is an organisation registered with DBS to submit Standard, Enhanced, and Enhanced with Barred Lists DBS checks.
Relying Party
The role of Relying Party is defined in the UKDIATF. A Relying Party is an organisation that receives, interprets, and, depending on the use case, stores information received from other trust framework organisations.
Relying parties do not themselves need to be certified against the trust framework, but if a Relying Party uses the services of another person (such as an IDSP) to verify identity, the relying party is required to ensure that those other persons are: i) suitable, ii) provide appropriate training and guidance, and iii) the person discharges their duties in accordance with DBS’s identity evidence verification criteria. Using a certified IDSP is part of ensuring compliance with these criteria, as explained in sections 2 and 3 above.
The RB or RO, as appropriate, is the Relying Party when a DBS check is applied for.
Responsible Organisation
A Responsible Organisation (RO) is an organisation or person registered with DBS to submit Basic DBS checks.
Standard DBS check/certificate
A Standard DBS certificate is a product of DBS that shows spent and unspent convictions, cautions.
UK digital identity and attributes trust framework
The UK digital identity and attributes trust framework (UKDIATF) is being implemented by the Department for Digital, Culture, Media, and Sport, and will be backed by legislation to enable the legal development of digital ID services. This guidance is being created in line with the UKDIATF.
Appendix 1: Operational Procedures related to implementing these guidelines.
Verifying identities
This section should be read with reference to section 4 of the DBS digital ID verification guidance.
Choosing an identity profile
GPG45 treats all profiles within a Level of Confidence as being equal. DBS recommends that the strongest piece of evidence available is used, to prove the identity exists such as the Passport, and the strongest method of matching the individual to this evidence.
If the applicant holds a driving licence and / or a national insurance number, the Relying Party is requested to capture this information to support the DBS matching process. The IDSP may offer to support the Relying Party to capture these additional attributes.
6.2.1. Medium level of confidence for Basic DBS checks
To achieve a ‘medium’ level of confidence, the following profiles can be used. A single document is acceptable using digital means, as long as it meets the strength, validity, and verification scores detailed below.
| Score | |||||
|---|---|---|---|---|---|
| Profile | Strength | Genuine / Valid | Activity history | Identity fraud | Verification |
| M1A | 4 | 2 | N/A | 1 | 2 |
| M1B | 3 | 2 | 1 | 1 | 2 |
| M1C | 3 | 3 | N/A | N/A | 3 |
| M1D | 2 | 2 | 2 | 1 | 3 |
| M2B | 3 | 2 | 1 | 2 | 2 |
| M2B | 2 | 2 | |||
| M2A | 2 | 2 | 3 | 2 | 2 |
| M2A | 2 | 2 | |||
| M2C | 3 | 2 | N/A | 1 | 3 |
| M2C | 2 | 2 | |||
| M3A | 2 | 2 | 2 | 2 | 2 |
| M3A | 2 | 2 | 2 | ||
| M3A | 2 |
Profiles marked as ‘M1’ only require a single high-strength document. Profiles marked as ‘M2’ require two documents - the second document is only checked for ‘Strength’ and ‘Genuine / Valid’. Profiles marked ‘M3A’ require three documents.
6.2.2. High level of confidence for Standard, Enhanced, and Enhanced with Barred Lists DBS checks
To achieve a ‘high’ level of confidence, the following profiles can be used. A single document is acceptable using digital means as long as it meets the strength, validity, and verification scores detailed below.
Score
| Profile | Strength | Genuine / Valid | Activity history | Identity fraud | Verification |
|---|---|---|---|---|---|
| H1A | 4 | 3 | N/A | 1 | 3 |
| H1B | 3 | 3 | 2 | 1 | 3 |
| H1C | 4 | 3 | N/A | N/A | 4 |
| H2A | 2 | 2 | 3 | 2 | 3 |
| H2A | 2 | 2 | |||
| H2B | 4 | 2 | N/A | 2 | 3 |
| H2B | 3 | 2 | |||
| H2C | 3 | 3 | 1 | 1 | 3 |
| H2C | 2 | 2 | |||
| H2D | 3 | 3 | N/A | 1 | 3 |
| H2D | 2 | 2 | |||
| H2E | 4 | 3 | N/A | N/A | 3 |
| H2E | 3 | 3 | |||
| H3A | 2 | 2 | 2 | 2 | 3 |
| H3A | 2 | 2 | |||
| H3A | 2 | 2 |
Profiles marked as ‘H1’ only require a single high strength document. Profiles marked as ‘H2’ require 2 documents, the second document is only checked for strength and Genuine / Valid. Profile ‘H3A’ requires 3 documents.
Scoring identity evidence
7.1 GPG45 provides a detailed explanation of how identity evidence is scored. This document details specific requirements applicable to DBS requirements. DBS requirements may restrict how evidence is scored or may provide specific guidance where it is considered that GPG45 does not provide sufficient clarity to enable IDSPs to operate as DBS intends.
7.2 IDSPs will be certified against the current published version of UKDIATF and GPG45 in full and must therefore refer to the published versions of both UKDIATF and GPG45.
7.3 IDSPs will be required to undergo a specific audit and certification considering this OP appendix.
7.4 IDSPs must be certified by an independent certification body to assure that their service meets DBS’ standards for identity assurance. The service auditors are accredited by the United Kingdom Accreditation Service (UKAS) for carrying out service assessments. Certification will confirm the IDSP meets the requirements set out in the DBS OP appendix.
7.5 The following information provides additional clarity to enable IDSPs to operate as DBS intends. Please note, headings correlate to headings within GPG45.
7.5.1. Get evidence of the claimed identity:
No amended or supplementary requirements to GPG45.
7.5.2. If the user has changed their name:
No amended or supplementary requirements to GPG45.
7.5.3. Scoring evidence of the claimed identity:
Score 1
Evidence that only score 1 are not acceptable.
Score 2
No amended or supplementary requirements to GPG45.
Score 3
No amended or supplementary requirements to GPG45.
Score 4
A UK biometric residence permit cannot be used to achieve a score of 4, as the cryptographic keys cannot currently be validated.
7.5.4. Check the evidence is genuine or valid:
DBS allow expired UK passports to be used for ID checking purposes, if within 6 months of their expiry date. The applicant must be in possession of their expired passport, to use it as an identity document.
Score 1
Evidence that only score 1 are not acceptable.
Score 2
If the evidence is being checked by a person, they must:
- be trained in how to detect false documents by a specialist trainer; evidence of the trainer’s specialist capability will be required to be presented to the certification auditor
- refresh their training at least every 3 years
All other requirements are as documented in GPG45.
Score 3
The requirement to confirm any physical security features are genuine and assess UV or IR security features is for physical, in person checks only. Any evidence protected by cryptographic security features will have a score of 3 if you make sure these security features are genuine. Therefore, for a mobile based automated process you must use mobile chip checking capability to obtain a score of 3. All requirements are as documented in GPG45.
Score 4
All requirements are as documented in GPG45.
Document validation technology:
Please refer to Home Office Identification Document Validation Technology guidance.
7.5.5. Check the claimed identity has existed over time – activity history
No amended or supplementary requirements to GPG45.
7.5.6. Check if the claimed identity is at higher risk of identity fraud
DBS recommends an identity fraud check is undertaken on the claimed identity for all profiles, including those where GPG45 profile does not require it.
Score 2
PEP data does not need to be used as part of the fraud checks. Authoritative counter-fraud data sources can be used from the public and private sector.
7.5.7. Check that the identity belongs to the person who’s claiming
DBS recommends that the highest-strength identity document available is used to prove the identity belongs to the individual claiming it. All other requirements are as documented in GPG45.
Reusable identities
IDSPs or attribute service providers who want to create a reusable digital identity or attribute service, must link the digital identity and/or attributes to an authenticator (such as a password, piece of software, or device).
You must follow the guidance on using authenticators to protect an online service. This is also known as GPG44.
IDSPs protecting reusable digital identities must meet the requirements specified in GPG44 and include medium quality authenticators as a minimum.
Where an IDSP is asserting an identity that is held as a reusable digital identity it is the IDSP’s responsibility to ensure that the asserted identity, at the time the identity is asserted, both: (a) meets the requirements specified in GPG44 and include medium quality authenticators as a minimum; and (b) has been verified to the required Level of Confidence under GPG45. The IDSP must ensure that a reusable digital identity is protected.