Register of digital identity and attribute services: privacy notice
Updated 7 April 2026
This notice sets out your rights and how we will process your personal data. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).
The Office for Digital Identities and Attributes (OfDIA) in the Department for Science, Innovation and Technology (DSIT) is responsible for maintaining the UK digital identity and attributes trust framework (UK DIATF) conformity assessment scheme, and for managing applications to join the register of digital identity and attribute services. This notice sets out how we will process your personal data that is submitted to the Digital Verification Services (DVS) Register Service as part of your application.
For the purposes of processing your personal data, DSIT is the data controller.
1. Your Data
1.1 We will process the following personal data:
- Primary and secondary contact details for each digital verification service provider, including full name, job title, work email address and contact number.
- Details of shareholding of the digital verification service provider and parent company (if applicable); this may include full names of minority shareholders, shareholders with significant ownership, the nationality of individuals, their percentage of ownership, the shareholders with voting rights and details of their voting rights.
- Details of the Board of Directors of the digital verification service provider and their parent company (if applicable); this includes their individual name, date of birth, position held, and whether they are classified as a politically exposed person (PEP).
We also collect public open-source data that is necessary for us to exercise our functions as the team in DSIT responsible for carrying out functions set out in the Data (Use and Access) Act 2025, and to comply with UK national security laws. This can include opinions and news reports that include a broad range of categories of personal data.
1.2 We may process the following criminal conviction category data:
- data on criminal convictions, offences and adverse media, where that is considered relevant in exercising our functions as the team in DSIT responsible for carrying out functions in the Data (Use and Access) Act 2025 and/or conducting Public Interest Checks on a digital verification service provider.
1.3 How your personal information is collected:
Where personal data is not collected directly from you, DSIT will source your personal data as described below.
The personal data we collect directly from Conformity Assessment Bodies (CABs):
- Primary and secondary contact details for each digital verification service provider - this information will be collected from providers by their CAB as part of certification activities. This information will be shared by your CAB with DSIT as part of your application to join the register.
- CABs are also required to share with DSIT information about the digital verification service providers they have certified, including either a Companies House registration number, a Charities Commission registration number or a Dun and Bradstreet (DUNs) number. DSIT will use this information to assess personal information concerning shareholders and directors.
1.4 We may also receive personal information indirectly from the following third parties and/or in the following scenarios:
- Public authorities, including other government departments, regulators or law enforcement bodies.
- Publicly available sources, including Companies House.
- Public authorities, regulators or law enforcement in other jurisdictions.
- Where you have made your contact information available on your organisation’s website and we use this to contact you and your organisation in our role as certification scheme owner.
In exercising its responsibilities as certification scheme owner, DSIT may observe, monitor, record, retain and share within government and with your CAB, internet data which is publicly available.
2. Purpose
2.1 The purposes for which we are processing your personal data are to:
- form part of your provider profile on the DVS Register Service
- process your application to join the register of digital identity and attribute services
- get in contact with you regarding your application
- notify you of updates to your application
- engage with your organisation, including about the development of the register and about OfDIA’s policy objectives for digital verification services
- communicate information about the certification scheme or the UK digital identity and attributes trust framework
- conduct a Public Interest Check on your company
2.2 Public Interest Check
As a certification scheme owner, DSIT is responsible for maintaining the digital identity scheme. Before you join the register, DSIT will conduct security checks on your organisation, your organisation’s parent company (if applicable), person(s) with significant control of your company, and company directors to ensure they do not pose a risk to the UK’s national security and are fit and proper persons to uphold the rules of the UK DIATF.
This involves checking that these individuals:
- are legitimate natural persons;
- are qualified to take up post as a director;
- do not pose a risk to the UK’s national security, for example appearing on a sanctions list; and
- do not pose a risk in bringing the rules of the trust framework into disrepute.
3. Legal basis of processing
The legal basis for processing your personal data under Article 6 of the UK GDPR is:
- 1(e) Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is the exercise of DSIT’s functions as certification scheme owner for the UK DIATF conformity assessment scheme and to ensure individuals and businesses engaging in the UK digital identity market are safeguarded from fraud and security threats.
DSIT will also be processing social media clips and other media pieces produced by media outlets, and whilst we may come across special category data during this processing, we will not be using or storing or retaining this data.
The processing of personal data relating to criminal convictions and offences or related security measures is done under Schedule 1 Part 3 paragraph 36 of the DPA 2018 with reliance on the substantial public interest condition in Schedule 1 Part 2 paragraph 6 Statutory etc and government purposes.
An Appropriate Policy Document (APD) is in place to address this processing.
4. Recipients
Your personal data will be shared by us with:
- Microsoft and Amazon Web Services - as part of our IT infrastructure, your personal data will be stored on systems provided by our data processors, Microsoft and Amazon Web Services. This does not mean we actively share your personal data with these entities; rather, they are technical service providers who host infrastructure supporting our IT systems.
- Microsoft Forms - your data will be processed by, but not actively shared with, our survey platform provider Microsoft Forms.
- Your Conformity Assessment Body (CAB) - where it is necessary in discharging their responsibilities under the scheme.
- Other government departments or agencies, or law enforcement bodies - where it is necessary to do so for the prevention, investigation, detection or prosecution of criminal offences.
- Regulatory authorities - when it is necessary for the purposes of their regulatory functions.
5. Retention
5.1 If your provider profile is active
We will keep your personal data while your provider profile is active. Your profile is active if you have any open or in progress applications, or if you have a service published on the register. Whilst your profile is active, you or your CAB is required to inform DSIT by email of any changes to your primary and secondary contact details.
5.2 If your provider profile becomes inactive
Your profile becomes inactive if you have no applications open or in progress, and no services presently published on the register.
5.3 Your personal data will be deleted within 24 hours:
- If you or your CAB notify us that your primary and secondary contact details have changed and DSIT updates this information on the system (you or your CAB will need to provide new contact details to replace the out-of-date contact details).
- If your application has been inactive for longer than 3 years and 60 days.
6. Solely Automated decision making
Your personal data will not be subject to any solely automated decision making where such a decision has a legal or similarly significant effect on you.
7. International transfers
Your personal data will be processed in the UK.
8. Your rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
To exercise your rights please contact the Data Protection Officer using the contact details below.
9. Contact Details
The data controller for your personal data is the Department for Science, Innovation and Technology (DSIT). You can contact the DSIT Data Protection Officer at:
DSIT Data Protection Officer
Department for Science, Innovation & Technology
22-26 Whitehall
London
SW1A 2EG
Email: dataprotection@DSIT.gov.uk
If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.
10. Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent UK regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: Make a complaint
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
11. Updates to this notice
If this privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing this page ensures you are always aware of what information we collect, how we use it, and under what circumstances we will share it with other parties. The ‘last updated’ date at the bottom of this page will also change.
If these changes affect how your personal data is processed, we will take reasonable steps to let you know.
Last update: 7 April 2026