Corporate report

Local authority review: citizen online identity assurance

Published 1 September 2012

This was published under the 2010 to 2015 Conservative and Liberal Democrat coalition government

© Crown copyright 2012

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/local-authority-review-citizen-online-identity-assurance/local-authority-review-citizen-online-identity-assurance

Executive summary

This report provides an overview of the ways in which councils currently address online citizen identity assurance (IdA) and offers an insight into the challenges and barriers councils face in expanding their online services within the context of digital service transformation and citizen IdA. The report also makes recommendations on actions that could be taken to inform and support councils in implementing their strategies and plans for online citizen IdA.

From telephone interviews with council representatives from across the UK some common themes emerged:

  • councils may offer hundreds of online services but many of these are not transactional and do not require any form of citizen IdA
    • in many cases, citizens are nevertheless offered the opportunity to register in order that a ‘single view of the customer’ can be developed and the overall customer experience can be improved
  • IdA for transactional online services is managed in a number of different ways within each council:
    • registration, validation and authorisation may be through a single sign-on to a group of services or multiple sign-on to many different services
    • both in-house developed and third party purchased solutions are in place
    • citizens are often therefore required to register and identify themselves multiple times in different ways to the same organisation
  • levels of assurance for each service are generally determined locally and are either referred to in terms of a number (0-3) or colour (bronze-gold); councils offer online services requiring levels of assurance 0, 1 and 2 (bronze and silver) but no examples of online services requiring assurance level 3 (gold) were identified
  • councils recognise that communicating the concepts of IdA to their citizens, particularly in relation to a federated approach, will be very challenging but it is suggested that establishment of a national approach and branding that can be trusted by the public would help
  • citizen trust may be difficult to achieve and it is suggested that demographic and customer insight studies could help to identify groups that might require digital assistance and the type of identity providers with whom they would be most familiar and therefore trust
  • a number of councils are in the process of investigating or reviewing the market place for an IdA solution and there is a common concern not to adopt a solution that will not align with a future national standardised approach; additionally, councils are considering future requirements for linkages across council borders as well as across public service providers; open standards are therefore felt to be an important principle
  • a number of councils are keen to take up opportunities to share knowledge and experience as well as to collaborate in constructive ways especially with the Government Digital Service (GDS)
  • most frequently identified benefits of implementing a standardised online citizen IdA solution include greater satisfaction, security and convenience for the citizen and improved efficiency and lower costs for the council
  • most frequently identified barriers and issues include organisational silos, cost (although this was not explicitly identified as a resource issue), data matching and quality, citizen trust, ownership (of data and/or service), legal understanding and accessibility and usability of a solution
  • councils are interested to identify whether, how and when their plans may align with a national approach and to minimize any risk of future isolation and/or having to re-engineer their chosen solution

The following recommendations are made:

  1. Provide assistance to councils so that they may align with the IdAP (identity assurance programme) vision: + publish IdAP vision and strategy at earliest opportunity + publish IdAP deliverables roadmap and timeline + enable councils to utilise the HMG (Her Majesty’s Government) procurement framework

  2. Work nationally with all suppliers including council suppliers to: + review the landscape of IdA provision + promote the national perspective

  3. Publish a common set of features and standards for IdA (such as a minimum feature list). These would build on good practice guides such as the Requirements for Secure Delivery of Online Public Services (RSDOPS).

  4. Engage with councils to pilot federated IdA solutions and explore alternative non-federated approaches that have already been taken by some councils such as Harrow to online citizen IdA.

  5. Widen lines of communications to councils through: + knowledge sharing platform + newsletters + social media (eg blogs, tweets)

  6. Develop good practice guidelines for implementing assisted digital for IdA.

  7. Customer insight research is required to: + investigate user attitudes to and perceptions of trust, data sharing and the role of third party identity providers + usability/accessibility studies should be undertaken and good practice for IdA defined and published + develop a communications plan and national campaign to raise citizen awareness and trust

  8. Create a national brand for federated IdA to encourage citizens to trust the new approach.

Introduction

Purpose of this report

This report presents the findings of a review commissioned by the Cabinet Office identity assurance programme’s local government advisory group in July 2012.

Objectives of the review were:

  • to provide an overview of current practices and needs for establishing online citizen identities in local authorities
  • to investigate council challenges and barriers to implementing online citizen identity assurance (IdA)

Review design

The review was designed as a small scale survey of councils.

The findings in this report should not be taken as a definitive representation of all authorities in the UK[footnote 1], however it is emphasised that they do provide a solid evidence based illustration of the current status and plans for the future of many authorities.

Review approach

Council representation

A small sample of councils was selected for participation in a review of current local IdA practices and intentions for the future.

In order to explore whether functional differences would result in any dissimilarity in provision or needs, both 1 and 2 tier authorities were included. Geographic location, size and type were also considered so that representation from metropolitan, city, county, district and borough councils across the country was also sought. Appendix A provides a summary list of participants and authorities.

Methodology

Senior council figures were engaged to take part in phone based interviews during the month of August 2012. In total 16 interviews were held with senior officers from both business and ICT departments.

Thirteen of the semi-structured interviews were based around a series of topics designed to explore online services being offered to citizens and requirements for IdA in relation to those services. Three additional interviews were undertaken to gain further opinions on anticipated citizen attitudes towards federated online IdA provision.

Telephone interviews generally took between 30 and 60 minutes and were recorded to ensure accurate analysis of content.

Current digital environment

Types of online services

Individual councils may be required to deliver over 700 different services[footnote 2] although not all of these are available online. Depending on the size and type of council, and the extent of channel shift already achieved, the number of online services offered by the councils participating in this review generally ranged between 50 and 200.

Many of these online services consist of simple web interactions such as finding out about bin collection day or downloading pdf documents which do not require any level of personal identification. Around half of online services offered are considered to be transactional and carry greater necessity for citizen IdA.

Transactional processes can vary in that some may be completed immediately (eg paying council tax, reporting that a bin has not been collected), some may be saved and returned to over a period of time (eg completing a 38 page form for housing benefit/council tax benefit), and others may involve an initial submission that initiates a process which includes offline steps (eg posting proof of car ownership for resident parking permit).

Single sign-on as an enabler for improved customer experience

The majority of authorities are either currently offering (in part) or are developing their ideas on a holistic approach to citizen identity. For example through the concepts of a single customer account, a virtual service centre, a single view of the citizen or establishment of the ‘golden record’[footnote 3]. A number of authorities also spoke of wanting to be able to offer their citizens an Amazon-style experience where information and services can be targeted to individuals based upon their history of interactions and/or profile characteristics. The common feature of these is an easy to use customer experience built around a single sign-on and access to a range of products and services.

No full and comprehensive example where a single sign-on IdA mechanism enables delivery of this improved customer experience was identified in this review. Common aims though are around improving the customer experience, for example by being able to save form-entry data for later completion, sign up for alerts, review history and track progress of transactions, pre-populate personal information such as address, date of birth, phone numbers etc. and importantly to remove the need for citizens to repeatedly register, authenticate themselves and enter the same data many times.

Assisted digital for identity assurance

Authorities are driving forward the channel shift from analogue to digital interactions to reduce the volumes of face-to-face and telephone interactions, making citizens more able to help themselves.

Whilst ‘digital by default’ has become a commonly accepted aspiration which extends to the inclusion of mobile devices and telephony technology (such as interactive voice response) and is generally associated with a culture of self-service, it is also recognised that there is still a need to maintain alternative access routes for some citizens.

Tracy Dodds, Insight and Design Manager, Bristol City Council said:

A major thrust for the programme is identifying who our universal customers are, providing a fit for purpose self-serve digitally enabled proposition but not at the exclusion of those target customer groups that may need something different. That something different might be digitally enabled because we might be able to provide that in a mediated way; it may be that the targeted groups are isolated individuals that digital services can really enhance their access to council services and other life experiences.

Thus through mediated access, digital technology may still provide enhanced services for those unable to self-serve online but this will need to apply equally to the provision of any online IdA service.

Identity assurance and multi-channel transactions

It is understood that for some transactions, face-to-face or telephony will continue to be the optimal channels. This may be as much to do with the nature of the transaction as with citizens’ abilities to self-serve. As previously mentioned, some transactions may not only consist of multiple steps but may also be conducted over multiple channels (eg use smartphone to access and set up a transaction, continue the transaction on home computer, engage with some advisers via telephone/face-to-face for assistance as part of that same transaction). A key consideration therefore for citizen IdA lies around managing transactions to the same level of assurance throughout the process. Channels and modes of interaction mentioned in this context include:

  • face to face
    • council offices/one stop shops
    • in-home visits
  • post
  • telephone
    • interactive voice response
    • mediated telephone
  • digital
    • devices: fixed device (pc/laptop), mobile device (smartphone, tablet), digital television, kiosks
    • technologies: internet, digital interactive television, apps, email, SMS

Current identity assurance processes

Overview

Each council manages a number of different ways in which to register, authorise and authenticate online service users.

This is in large part due to IdA processes having been developed as individual service needs have arisen. More recent trends though are towards rationalizing the number of times a citizen is asked to register/sign-on by developing a service grouping approach.

Many of the online services can be accessed anonymously (or pseudonymously) and do not require citizens to be authenticated. However many of these also offer the opportunity for citizens to register by providing an email address and setting up a password in order that they can track progress of, for example a fault repair, or be notified with updates.

Some authorities also offer a federated option of signing up for updates (assurance level 0) using existing Yahoo, Google or Facebook logins.

The majority of transactional services require no or low levels of assurance and simply need a mechanism to communicate with an individual whose real identity does not need to be established. There are of course some transactions (such as making applications, renewing library books, requesting a service) that demand higher levels of confidence in someone’s identity and therefore ask for further evidence either electronically, by post or in person.

Councils reported that between 10 and 100 services require some level of assurance but exact details on which services require which level of assurance within each council were not available for this review. The range is due to differences in council size, responsibilities, level of advancement in digital delivery of services and differing views of which services require which level of assurance.

Levels of assurance

Levels of assurance were generally referred to in 1 of 2 ways, either numerically (levels 0 – 3) or by colour (bronze, silver, gold).

In relation to online services, no service requiring assurance above level 2 was identified. The newly developing online services for personal budgets and associated e-Marketplace for social service needs and health and social care support may fall into this category but although it is currently being considered and assessed, within the scope of this review no definitive standards or procedures for assurance were identified.

Identity assurance procedures

Although there are some differences in when and how IdA is stipulated, in general requirements and procedures for assurance follow a similar pattern.

Assurance level 0

Services such as looking for support and advice online, reporting a fault or in some cases paying a bill/fine requiring no level of assurance (level 0) can be accessed without the need to register (some authorities expressed the view that as long as a bill/fine was paid there was no need to identify the individual making the payment). To add value to the service however (such as enable tracking of a repair or emailing progress) citizens may be invited to register remotely and may be asked to provide all or some of the following:

  • name
  • address
  • email address
  • username/user ID
  • password
  • challenge/response information

The citizen may choose whether to authenticate to the service by input of identifying credentials such as:

  • username/user ID
  • password
  • email address

Assurance level 1 and bronze

Services such as requesting social care help or paying a bill/fine requiring second level of assurance (level 1 or bronze) require citizens to identify themselves so that there is a degree of confidence that they are who they say they are. Citizens may still register remotely and are generally required to provide information such as:

  • name
  • address
  • date of birth
  • email address
  • username/user ID
  • password
  • challenge/response information

Authentication to the service may then require input of identifying credentials such as:

  • username/user ID
  • password
  • email address

Assurance level 2 and silver

Citizens may still register remotely but access to services requiring a third level of assurance (level 2 or silver) requires further validation. This additional validation may be undertaken remotely and/or in person, depending upon the service and the policy of the authority or service owner. For example school admissions, library membership, resident’s parking permit, housing and council tax benefit applications. In addition to online registration of the kind of information listed above, there may be additional information required such as:

  • tender
  • unique identifier that has been sent to the home address
  • National Insurance number

Citizens may also be required to:

  • respond to an email to confirm email address
  • respond to an email to activate an account using an emailed code

There may also be further steps to validate identity requiring the presentation (via post, scanning or face-to-face) of documents such as:

  • driving licence
  • proof of car ownership
  • proof of residency
  • Council Tax bills
  • utility bills
  • payslips
  • tenancy agreements

Authentication to the service may then require input of identifying credentials such as:

  • user ID/username
  • password
  • email address
  • unique identifier
  • membership number and pin

Assurance level 3 and gold

Although no online service requiring the highest level of assurance (i.e. requiring registration and validation through in-person appearance along with appropriate documentation) was identified, housing/Council Tax Benefit may for other pragmatic reasons (eg better efficiency through guaranteed quality of data) be processed face-to-face.

Single sign-on approaches

A number of authorities encourage their citizens to register once for a range of services or to provide a more personalised experience. Typically this will capture limited personal information that will enable the citizen to access a group of services or to customise their web visits without having to re-enter their name, address etc. Examples of this are:

Account Facilities included
My Newham Reporting problems, requesting services, making payments, checking Council Tax
Me@WCC Fast form completion, saving forms for later completion, tracking correspondence
Myeastriding Managing customer service calls, email alerts and Council Tax
My Hantsweb Personal homepage, displaying location relevant information, presenting topics of interest
My Account (Bristol) Paying Council Tax and Business Rates, applying for benefits, landlord’s services
Citizen’s Account (Rushmoor) Viewing Council Tax, benefits payments and landlord’s payments

Registration and validation for single sign-on is remote and typically requires a citizen to enter details such as:

  • name
  • address
  • email address
  • telephone number
  • mobile number
  • user name
  • password
  • 2-3 challenge/response details

A single sign-on may not automatically authenticate an individual to a service however, in some cases (eg My Account in Bristol and Citizen’s Account in Rushmoor), initial registration is then followed by service enrolment which may require additional validating data including:

  • account/reference number
  • date of birth
  • National Insurance number

Identity assurance interfaces

The anonymous, pseudonymous and single sign-ons are in addition to services requiring higher levels of authentication such as housing benefit applications, library book renewals and reservations and online school admissions. This has resulted in a number of different types of interfaces such as:

  • in-house developed interface for single sign-on to a group of services (eg Me@WCC)
  • in-house developed interface for each service (eg some school admissions systems); interface may appear similar or dissimilar depending upon whether a corporate or service by service strategy is in place
  • individual application supplier interface (eg Hera by Halarose for electoral registration); interfaces are likely to be different for each service
  • generic interface for multiple services (eg CitizenSafe, Gandlake)

For the citizen, this can result in a poor usability experience; not only are they faced with entering the same identity information numerous times but there is no consistent look and feel of the registration validation and authorization process.

Citizen attitude to identity assurance

Customer concerns

Although many authorities do have citizen panels and hold regular forums, the subject of IdA and/or related procedures has not yet been raised as a topic of discussion. However some feedback has been received which illustrates concerns about data privacy and loss and the apparent inability of councils to share across departments.

Some level of irritation has been reported around the need to register and log in to undertake simple transactions but this has been addressed in at least one case by changing the registration from being mandatory to optional.

Impact of identity assurance process on take-up

However none of this has been shown to have an impact on take-up of a digital service.

Process design issues can of course affect take-up. The online voting pilot run in Rushmoor District in 2007 was highlighted as an example of this. In the intervening years between the 2003 and 2007 pilots, the authentication process was changed to include the need for a ‘wet signature’[footnote 4] and a citizen selected username being entered into a database on behalf of the citizen by council staff. This did not in and of itself cause an issue. A negative impact however may have resulted from incorrect entry of data by council staff as well as from the electors forgetting the username they had sent in to the council,[footnote 5] In 2007, only 57% of those registering to vote online successfully did so.

Some indications that procedures need not present a barrier to channel shift however come from an online housing benefit application and a parking permit renewal service, both of which require presentation of additional validation evidence such as recent payslips, tenancy agreement, recent bank statements or evidence of National Insurance number. Online take-up in both cases is in excess of 70%.

Moving to a federated approach - citizen trust

When considering the implications of a federated provider approach it was felt that citizens would need to feel able to trust the identity providers, and organisations such as the Post Office or credit unions might be more readily accepted within localities where citizens are used to interacting with them on a regular basis (use of demographic analyses could help to identify which providers would be most accepted by a community). Another question it was suggested that citizens might raise was around why third parties have to be involved at all and how citizen information might be used.

It was therefore felt important that:

  • there should be clear communication of the benefits and the rationale behind why third parties rather than government should provide online identities when government holds a lot of this data already
  • identity providers are clearly seen to be certified by government
  • a national brand that can be trusted by citizens is developed or associated to the identity provision
  • there should be citizen consultations around trust and data sharing and the role of third party identity providers
  • there should be clear communications around what provision of an identity from a third party will and will not achieve.

Communication is seen as key and it was suggested that a national campaign run by trusted organisations (eg Citizen’s Advice Bureau and other voluntary organisations) would be helpful.

Communications to build citizen trust and highlight the benefits such as a reduction in bureaucracy for both citizens and the council, are seen as key. Once a proven nationally recognised approach is in place with a recognised and trusted branding, it is suggested that the branding could then be integrated into council websites. Councils would then feel more confident about communicating the concept at the local level. Through a variety of channels awareness raising could be undertaken. Suggested approaches include citizen training in libraries and other venues with high citizen footfall, contact through third sector and voluntary organisations, articles in free newspapers and council magazines, promotions through the housing advice bus visits and web promotion.

Another important step for councils is to gain a sound understanding through customer research on how the idea of federated IdA might be received by different sectors of the population[footnote 6]. Usability and accessibility are also a key concern to ensure that processes are not over-complicated – it may be more appealing to undertake repeated simple registrations and sign-ons than one complicated procedure especially when the goal is to undertake a simple transaction.

Identity assurance status local authority

Drivers for online identity assurance

While there is some mention of a national agenda, the most common drivers for online citizen IdA are cited as corporate strategy, service needs, cost reduction and efficiencies. Although there has been no explicit demand from citizens (other than around privacy concerns), improvement of the customer experience also appears to be a motivating factor.

In response to these drivers authorities have strategies either in place or in development to take forward service transformation, channel shift and/or improved customer service. Key principles of these strategies include digital by default (or at least by citizen preference), escalation of a self-service culture allowing greater focus on the more vulnerable, multiple channel access, and device independence.

IdA is not always discretely identified within these strategies although a number of authorities articulated its importance in terms of being an architectural building block and an enabler. Business cases do not tend to be written for IdA but rather it is included as an element within business cases for channel shift/service improvement programmes (eg individual electoral registration programme). So whilst it may not be explicitly referenced, there was general consensus that IdA is an important part of the infrastructure and is an integral part of channel shift which will allow a more coherent approach to the citizen.

The developing theme of single sign-on and a standardized approach to IdA is however juxtaposed with emerging imperatives. The advent of adult social care budgeting, and new government policies on troubled families is likely to drive councils to seek further single service solutions to add to the mix.

Lee Hemsworth, Chief Officer (Intelligence and Improvement) at Leeds City Council said:

because of the need to respond to welfare reform the view was that we can’t wait so we’ll do it and then fix it, federate it later”.

Approaches to ‘requirements’ definitions

Different approaches have been taken to assess assurance requirements. Formal approaches using standard methods such as privacy impact assessments, risk assessments, risk management and accreditation documentation set have been taken but other less formal approaches have also been followed.

A number of councils are now in the process of investigating or reviewing the market place for a more generic IdA solution whilst others are still at early stages of working through their requirements. For most however, there is a concern not to adopt a solution that will not meet future needs and could result in having to re-engineer the solution at some later date.

Ian Litton, Information and Innovation Manager, Warwickshire County Council said:

We would have loved to move off our proprietary authentication solution years ago but identifying how we could do that in a way that wasn’t going to take us down another blind alley was very difficult to do.

Stuart Campbell, Assistant Director Performance & Improvement , Hertfordshire County Council said:

We need the benefit of common standards and shared solutions rather than local authorities and other government agencies continuing to reinvent wheels.

Kevin Woodcock, ICT Programme Manager, East Riding of Yorkshire Council said:

We don’t want to be in the position where we go down the road of doing the work and we’re not compliant with other things.

David McIlroy, Head of Business Change and ICT,Trafford Council said:

There’s a danger that in the absence of anything authoritative people may interpret in a hundred different ways and arguably I’d rather comply with an agreed national framework of best practice than conceive one however well intentioned on my own, so not reinventing the wheel in this day and age sounds very sensible to me.

Collaboration and pilot work

Council collaborative work around online citizen IdA appears to be mainly within the context of the Microsoft Shared Learning Group and the data matching pilots for the electoral registration transformation programme (ERTP).

However IdA is a topic of ongoing dialogue between councils and with organisations such as Socitm and the Association of Greater Manchester authorities (AGMA).

Consideration of a local approach to online citizen IdA however has generally been informed through research of IdA mechanisms available on the market or working with a business partner. Some authorities are aware of the IdA Programme and are therefore expecting to include information from that programme in their deliberations. Most authorities however are still in the process of investigating/assessing an optimal solution.

Considerations mentioned for citizen IdA include:

  • an identity service solution should be open standards based (eg OpenID)
  • the council or some other partner may undertake the role of Issuing Authority
  • future integration of social care self-directed support (personal budgets) will involve a high level of assurance
  • linking with personal data stores
  • linking across borders with other councils (district, borough, county etc)
  • joining up with other public sector services (eg DWP, NHS)
  • transferability of identity(eg moving in from another borough)
  • linking with Facebook, Hotmail accounts etc. for authentication
  • multiple device assurance processes (PC/laptop, mobile devices, telephony etc)

Council awareness and readiness

Those who participated in the interviews are naturally informed about the topic of online IdA for citizens however this awareness and understanding does not permeate uniformly throughout organisations.

Whilst security and risk may be something that is at the forefront of the minds of those working in councils (especially at times of newsworthy data losses), awareness and understanding of citizen IdA is described as ‘partial’ or ‘mixed’. In general awareness and understanding of the impact (eg process change implications) may exist at some higher levels such as cabinet members, especially those who are portfolio holders, and senior managers. Awareness in other areas may be high where IdA is an essential principle (eg ICT, health and children related services).

This is a work in progress and some councils are in the process of discussing IdA needs with business managers. In the past, online IdA mechanisms and processes may have been viewed as a technical issue. This has resulted in the knowledge around the processes of citizen IdA being an emerging intelligence, especially in relation to the association of a single customer view that is supported by internal data such as a master customer index.

Despite an incomplete level of awareness and understanding there were no concerns reported around capacity, capability or resources that would be needed to progress with online citizen IdA. It was felt that these were either already in place or that they would be addressed as a matter of course eg as part of agreeing a business case.

Councils are embarking on different facets of online citizen IdA at different paces and it is therefore difficult to generalise about a state of readiness to move towards adoption of a standardised approach. When asked for their opinions, around one third reported that they felt their organisations are ready to move towards implementing comprehensive online IdA whilst others felt that they still have ‘a way to go’. The kind of work undertaken by councils to date includes (but is not limited to):

  • strategic positions clarified
  • high level planning underway
  • review of consumer market for identity provision and solutions identified
  • implementation of online IdA to level 0/1 for Highways services
  • operational use of authentication servers capable of handling SAML assertions (i.e. federation capability in place)
  • module development for online benefits service
  • mobile technology framework in place forming part of information security policy
  • data matching pilots

Examples of the kind of work that some of the councils plan to undertake over the next 3 months include:

  • development of specification for overarching IdA system
  • review of online services and specification of levels of assurance
  • review of consumer market for identity provision and procurement of a solution
  • development of a system to test integration with Google login authentication
  • trialling and evaluation of IdA software
  • business case development of a Client Index taking account of and collaborating with the IdA programme

Examples of the kind of work that some of the councils plan to undertake over the next 12 months include:

  • implementation of IdA systems for personalised budgets
  • implementation of IdA system linking at least 2 services with mechanism in place to link others and replacement of current authentication
  • implementation of personalised delivery of services
  • consumption of GDS products enabling acceptance of greater levels of trust

Potential for experience-sharing

There are some examples of fundamental processes being put in place to align with a more all embracing approach to online citizen IdA (eg in Newham an identifier is automatically printed on documentation that is posted to home addresses, thereby providing one of the factors needed for online authentication), and some of the approaches taken in grouping service access have demonstrated the effectiveness of a single sign-on.

None of the councils participating in this review was at a stage of having implemented a standardised solution for online citizen IdA. It is worth noting however that although not part of this review, The London Borough of Harrow does provide a mechanism using the Gandlake Citizen’s Account software to access a number of online services (council tax, business rates, rents, libraries) that will allow citizens to eventually access over 80 of their online services using a single sign-on.

There are nevertheless some useful materials and products that can be shared now and in the coming months that could help support other authorities as they progress with their IdA plans and provision of a platform to accommodate sharing of knowledge and understanding could be a catalyst for accelerating nationwide progress in citizen online IdA.

Perceived benefits

Benefits expected to be realised from implementing online IdA were identified for both citizens and for councils.

Figure 1: Benefits perceived for citizens by councils

Benefit n
Greater satisfaction 8
Security 8
Convenience 6
Single/unified sign on 5
Ease of use 4
Choice 3
Greater confidence 3
Privacy 3
More joined up response to needs 3
More personalised services 3

Figure 2: Benefits perceived for councils by councils

Benefit n
Improved efficiency 6
Lower costs 5
Demonstration of innovation 2
Connectivity potential 1
Standard authentication methods 1
Supporting citizen trust 1
Providing integrity 1
Cross-selling of digital services 1

Benefits were generally qualitative in nature although efficiency improvements and cost reductions should both be quantifiably measurable beneficial outcomes.

Although this is an aspect about which thoughts are still developing, some suggestions for measuring the benefits of online citizen IdA include monitoring the take-up of services that fall within the umbrella of the IdA mechanism and monitoring customer satisfaction levels.

Responsibility for managing benefits has largely still to be defined but it was generally felt to lie within the remit of the service owner, the customer services group or the CIO group.

Perceived barriers and issues

A number of commonly perceived barriers and issues were identified as putting at risk the achievement of the full visions for online IdA.

Figure 3: Barriers and issues perceived by councils

Barriers/issues n
Organisational silos 6
Cost 6
Data matching 6
Data quality 6
Trust 5
Ownership 5
Legal 5
Accessibility, usability 5
Culture 4
Suppliers 3
Risk 2
Partners 2
Awareness 2
Scepticism 1
Technical 1
Digital exclusion 1
Security 1

Gaining consensus across the organisation (council) and understanding of purpose, councils’ financial constraints, lack of consistent data (eg in one authority over 15,000 duplicate records have been detected) and lack of data accuracy (council staff inputting data do not always recognise the importance of completeness and accuracy) are cited as the most common challenges.

Trust has a number of facets including residual fears for citizens that this may be ID cards by another name, that citizens may not trust government or third parties with their data and that IdA procedures are appropriate to the service being accessed. Ownership was a concern in terms of identifying who owns particular information and in terms of service vs corporate ownership. Although there was no specific legal question cited, it was felt that there could be issues around council legal teams being familiar enough with the concepts of federation and with social care considerations: there could be a tendency to hide behind the data protection act when understanding is limited. Accessibility and usability of the process are seen as important aspects to get right for citizens.

Both organisational and societal culture, and embedded service suppliers’ reluctance to embrace any other solution than that developed by themselves, were cited by some as potentially creating difficulties.

Other barriers were mentioned but not by as many participants.

What would local authorities like?

When asked what would be most helpful to their organisations in progressing with online citizen IdA, the following wishes were expressed:

  • clarity on vision/strategy:
    • clarity about the GDS Vision, the strategy for going forward and a roadmap with timeline
    • a coherent vision which addresses not just HMG departmental requirements for citizen authentication but also council needs
    • clarity around the relationships and sequence between all the identity projects that are underway eg Universal Credit, passport office
  • alignment:
    • to be able to align with HMG solutions and standardise from the HMG approach
  • clarity on technology:
    • to be given advice on technology – how do we go about this
  • standards and framework:
    • to be provided with a clear set of common standards and accredited processes so that it is clear what providers are delivering in terms of trust and authenticated individuals
    • to have a common set of standards and a common approach that apply across councils and the whole public sector
    • a framework identifying how it could work nationally with certified trusted third parties even if only for specific types of transactions
  • to be able to make use of any HMG solution such as the federated ecosystem
  • opportunities for collaboration
  • communication for councils:
    • a framework and a programme for dispersing knowledge in whatever form; the GDS or HMG to take a role in this
    • community of Practice or similar for councils for knowledge sharing
  • communication for general public:
    • HMG to help to make people aware and help the brand to become trusted
  • brokerage:
    • HMG to provide a useful brokerage service to help councils to procure IdA solutions in such a way as to be more cost effective
    • ability to procure quickly and efficiently and know that we’re getting the right thing so anything that helps steer councils in the right direction and speeds up the process.

Recommendations

There is a strong sense of enthusiasm for securing wider understanding of HMG’s plans around citizen IdA. Councils are keen to identify whether, how and when their plans may be aligned to a national approach and to minimise any risk of future isolation. Additionally, an excellent potential opportunity for effective re-use of centrally developed standards and technology is recognised.

To help councils in moving forward, the following recommendations are made:

Recommendation 1 - provide assistance to councils so that they may align with the IdAP vision

This involves:

  • publishing IdAP vision and strategy at earliest opportunity
  • publishing IdAP deliverables roadmap and timeline
  • enabling councils to utilise HMG procurement framework

Publishing and effectively disseminating the vision and strategy along with the deliverables roadmap will provide councils with clarity on GDS technology and approach and aid them in formulating their own plans.

Whilst council procurement frameworks exist for a number of software application solutions, there does not appear to be any such framework that would apply to procurement of IdA services.

Recommendation 2 - work nationally with all suppliers including council suppliers

This involves:

  • reviewing the landscape of IdA provision
  • promoting the national perspective

A review of council service providers for example to clarify which suppliers will only offer their own proprietary service for IdA, which are open standards based and may therefore present no interoperability issues, whether individual suppliers are offering a consistent product/service across their customer base, would provide information to enable useful engagement with those suppliers.

Engaging service providers will also help influence negotiations and reduce the risk of councils being ‘boxed in’ by embedded suppliers (i.e. those suppliers from whom software systems such as online council tax are purchased).

Recommendation 3 - publish a common set of features and standards for IdA such as a minimum feature list

Build on good practice guides such as the ‘requirements for secure delivery of online public services’.

A common set of features would also help to clarify relationships between levels of assurance (0-3, bronze, silver, gold etc), factor authentication, and generally develop a common language that will minimise misunderstandings.

Recommendation 4 - engage with councils to pilot federated IdA solutions and further explore current non-federated approaches

Many councils are keen to collaborate to help develop and test federated solutions in their local environment. It would also be instructive to explore alternative non-federated approaches that have already been taken by some councils such as Harrow to online citizen IdA.

Recommendation 5 - widen lines of communications to councils

Do this through:

  • a knowledge sharing platform
  • newsletters
  • social media (eg blogs, tweets)

There is a sharp appetite to share, learn, collaborate, inform and be informed. Additionally awareness-raising across the public sector would help address some of the barriers and issues facing authorities in relation to increasing understanding of the concerns within councils and partner organisations, help to clarify thinking around potential solutions and increase efficiencies through avoidance of ‘re-inventing the wheel’.

Recommendation 6 - develop good practice guidelines for implementing assisted digital for IdA

Recommendation 7 - customer insight research is required

This will help:

  • investigate user attitudes to and perceptions of trust, data sharing and the role of third party identity providers
  • usability/accessibility studies should be undertaken and good practice for IdA defined and published
  • develop a communications plan and national campaign to raise citizen awareness and trust

Recommendation 8 - develop a national brand for federated IdA to encourage citizens to trust the new approach

Annex 1 Authorities and Participants

Authority Name Title
Bristol City Council Tracey Dodds Insight and Design Manager
Bristol City Council Keith Billingsley Information Architect
East Riding of Yorkshire Council Kevin Woodcock ICT Programme Manager
Hampshire County Council Jos Creese CIO and Head of IT
Hertfordshire County Council Stuart Campbell Assistant Director Performance and Improvement
Hertfordshire County Council Michael Francis Head of Customer Service
Leeds City Council Lee Hemsworth Chief Officer (Intelligence and Improvement)
London Borough of Newham Council Geoff Connell Divisional Director ICT Newham
London Borough of Southwark Council Karen Michael Service Development Team Leader
London Borough of Wandsworth Council David Tidey Head of IT and Business Communications
Lothian Valuation Joint Board Graham Strachan Deputy Assessor and Electoral Registration Officer
Rushmoor District Council Andrew Colver Head of Democratic Services
Sunderland City Council Conn Crawford Strategic Projects Officer, Sunderland ICT Unit
Surrey City Council Simon Pollock Head of Customer Service
Trafford Metropolitan Borough Council David McIlroy Corporate Director, Environment, Transport and Operations
Trafford Metropolitan Borough Council Jayne Stephenson Head of Partnerships and Performance
Warwickshire County Council Ian Litton Information and Innovation Manager

Footnotes

  1. Since there are over four hundred councils in the UK, this would require a large scale survey. 

  2. Socitm Insight, Potential for channel shift in local government (England) (2012). 

  3. The ‘single truth’ or ‘single customer view’ which is the most correct and complete customer record, usually created by extracting and cleansing data from duplicate customer records from different systems.Practical Approach for Master Data Management, World of Computer Science and Information Technology Journal (WCSIT), Vol. 1, No. 5, 213-216, 2011. 

  4. An original signature, not one faxed or sent electronically. 

  5. Electoral Commission Report, Electoral pilot scheme evaluation Rushmoor Borough Council August 2007. 

  6. Relevant studies include Group Identity Assurance – User tests results from the Happy Use Case, UCL Department of Computer Science Information Security Research and UC IDA claimant testing Findings, DWP Insight Team. 

Back to top