Policy paper

UK digital identity and attributes trust framework - delegated authority guidance

Updated 26 January 2023

Check if someone has permission to access services on behalf of another person or organisation

1.0.1 You might need to check if a person is a ‘representative’ of someone else (also known as a ‘subject’) before you give them access to your service. Being a representative gives them permission (or the ‘authority’) to do things on behalf of the subject.

Example

Simone gives her niece Letitia permission to deal with her gas and electricity supplier. Simone tells her supplier to contact Letitia about anything relating to her account, such as giving meter readings or arranging payments.

1.0.2 A subject can also be an organisation.

Example

Greta works for an art gallery that needs funding to put on a new exhibition. The owner of the gallery gives Greta permission to apply for a grant from an arts council on behalf of the gallery.

1.0.3 Once a representative has an authority, they could also do things on behalf of others the organisation works with. This could be another person or organisation. The representative might become accountable for things they do on behalf of someone else.

Example

Shirley works for an accountancy firm. A shop hires the firm she works for to look after their accounts.

Shirley is chosen to be the accountant from the firm who will file the shop’s annual accounts and tax returns. This makes Shirley a representative of both the shop and the firm she works for.

1.0.4 Someone will only have authority if they have permission to make decisions and complete tasks on behalf of the other person or organisation. They do not have authority if they’re helping someone do something, for example:

• a user helping a friend who’s not confident using a computer to fill in an online form

• anyone who offers ‘assisted digital support’ to users of a product or service

2.0 Different types of authority

2.0.1 There are 3 different types of authority a representative can have over a subject.

2.1 Delegated authority

2.1.1 The most common type of authority is ‘Delegated authority’ . This is when a subject nominates a representative to do things for them.

Example

Making a lasting power of attorney (LPA) is one way authority can be given (or ‘delegated’) to a representative. Bryan makes a LPA and chooses his son Pete to look after his property and finances. Pete now has permission to sell Bryan’s house and buy a new flat in his name.

2.2 Asserted authority

2.2.1 In some situations, a representative will be able to declare (or ‘assert’) that they have the authority to act on behalf of a subject. This is known as ‘asserted authority’.

Example

Bev wants to open a Junior Individual Savings Account (ISA) for her son Todd. Because she’s Todd’s mother, she can say that she has permission to open the account in his name. She does not need Todd’s agreement to be able to do this.

2.3 Appointed authority

2.3.1 A representative can be given permission to act on behalf of a subject by a third party. A third party must have the legal power to be able to give authority to a representative. This is known as ‘appointed authority’.

Example

The shareholders of a company that’s in debt decide to appoint an administrator.

They must make an application for an administrator in court. If the court agrees, an administrator will be appointed and given permission to look after the company and anything it owns (its ‘assets’). The shareholders do not need agreement from the company’s board of directors to be able to do this.

3.0 How to check if someone has authority

3.0.1 You might need to check that someone using your service has the authority to access your service on behalf of a subject. Depending on what your service does, you might choose to only allow people with certain types of authority to access it.

Example

Jaini has been given the authority to make payments on behalf of the company she works for. She registers for online banking to do this.

As this will give Jaini access to the company’s money, the bank needs to be sure that she has the authority to access the account. Asking Jaini to assert that she has this authority would not be enough. The bank must have evidence that the authority to do this has been appointed or delegated to her.

3.0.2 In some cases, you’ll always need to let someone access your service on behalf of a subject. For example, if the subject is a vulnerable adult, you must allow a representative to access your service on their behalf.

3.0.3 You’ll usually need some evidence that someone has authority to be the representative of a subject. You can either:

• ask the person or subject to provide evidence

• create the authority within your service

3.0.4 How confident you’ll be that someone has authority to do something on behalf of the subject will depend on the evidence you find. You can collect:

• physical evidence of the authority

• digital evidence of the authority

3.0.5 You can ask the person to provide the evidence of authority or you can find it yourself, for example by checking a database. If you want to find the evidence yourself, you’ll need enough information about the authority, subject and representative to be able to match it to the right records.

3.0.6 This will prove that the authority exists, but it does not prove that the user is either the subject or representative. If you need to know that [check if the person is the presentative]{.ul}.

3.1 Check the strength of the evidence of authority

3.1.0.. The evidence of authority must:

• identify the subject

• identify the representative

• explain what permissions the representative has been given

• explain when the permissions were given

3.1.0.2 The evidence must also identify any third parties that might have been involved in appointing the representative.

3.1.0.3 The subject, representative and third party can be identified in the evidence by using one or more of the following:

• a unique identifier

• their identity

• an authenticator

3.1.0.4 Sometimes an authority might have come with conditions. For example, it might only be for a given period of time or up to a certain value. This should also be included in the evidence of authority.

Example

Beydaan has been given the authority to agree contracts with external suppliers on behalf of her employer whilst a colleague is on leave.

As this is not her usual job her employer limits her permission to only the time her colleague is away and sets a maximum contract cost she is allowed to agree to.

3.1.1 Low strength

3.1.1.1. The evidence will have low strength if it’s an email, PDF or letter with no security features. This means they can be easy to forge or counterfeit.

3.1.2 Medium strength

3.1.2.1 The evidence will have medium strength if it includes information that’s unique to the evidence, such as a reference number.

3.1.2.2 If the evidence includes the identity of the subject or representative, it must show their full name instead of any pseudonyms, aliases or nicknames.

3.1.2.3 If the subject or representative is an organisation, the evidence must include its official name, for example their registered name or trading name.

3.1.2.4 If the evidence of authority is a physical document, it must be protected by physical security features. These features will stop it from being reproduced or altered without specialist knowledge or information.

3.1.2.4 If the evidence of authority includes digital information, it must either :

• be protected by cryptographic security features that can be used to check the digital information has not been altered

• is on a list that’s maintained by a government department, agency or another public body who have processes that make sure only authorised people can create or update it

3.1.3 High strength

3.1.3.1 The evidence will have high strength if it meets all the criteria for medium strength evidence and also:

• includes information that uniquely identifies both the subject and the representative

• uses official names instead of initials or synonyms

• has physical security features that stop it from being reproduced without specialist equipment (if the evidence is a physical document)

3.1.3.2 If it’s digital information the evidence must also have cryptographic security features that can be used to identify:

• the subject that delegated the authority to the representative

• the third party authority that appointed the representative

• the representative that asserted the authority

3.1.4 Very high strength

3.1.4.1 The evidence will have very high strength if it meets all the criteria for high strength and contains digital information that’s protected by cryptographic security features.

3.1.4.2 It must also either:

• include biometric information that can be used to identify the subject and the representative

• use cryptographic security features that can be used to identify the representative and either the subject or third party authority that gave the permission

Example

Delena wants to employ John as an au pair. They agree to a contract and both digitally sign it using their qualified electronic signature. This means the contract cannot be altered and both Delena and John can be uniquely identified by their digital signatures.

3.2 Check the evidence of authority is genuine or valid

3.2.0.1 If you want to prove that a representative has authority using physical or digital evidence, you must check it’s genuine.

3.2.0.2 If you’re using digital evidence, you might also be able to check cryptographic security features.

3.2.0.3 You can also check that the evidence is valid. This means you can find records that also show the authority has been given.

3.2.0.4 You can check the evidence in person or remotely. How confident you’ll be that the evidence is genuine or valid will depend on how well you’ve done the check.

3.2.1 Weak check

3.2.1.1 You will have done a weak check of the evidence if it appears to be genuine but you didn’t check any security features.

3.2.1.2 The person checking the evidence must be able to confirm:

• they’re checking an original, certified copy or scan of the evidence

• there are no errors on the evidence, like wrong paper type, spelling mistakes, irregular use of fonts or missing pages

• the details, layout or alignment of the evidence look the way they should

• any logos look the way they should

• any references to information are the same across the evidence (for example if the body text of a letter references an address, this should match the address shown at the top of the letter)

3.2.2 Good check

3.2.2.0.1 You will have done a good check if you can confirm any of the following:

• the visible security features are genuine (these are security features that can be seen without using specialist light sources)

• the ultraviolet (UV) or infrared (IR) security features are genuine

3.2.2.1 Confirm the visible security features are genuine

3.2.2.1.1 If the evidence is a physical document being checked in person, whoever is doing the check must make sure:

• they check the original evidence - not scans, photos, or photocopies of the evidence (this is because it can be difficult to tell if these have been forged or counterfeit)

• any shadows or glare do not stop the security features on the evidence from being examined

3.2.2.1.2 The evidence must always be shared in a way that protects it from being tampered with. For example, it could be sent by secure delivery if it’s being checked in person.

3.2.2.1.3 If the check is being done remotely, the image or video of the evidence must be clear enough for the system to examine its security features.

3.2.2.1.4 The image or video must be taken at the same time the check is being done. The user cannot upload an image or video of the evidence that they’ve taken before.

3.2.2.1.5 They should check the evidence using non-specialist light sources such as natural sunlight, indoor lights or desk lamps.

3.2.2.1.6 The person or system will need to use reference templates to check any of the following features on the evidence look the way they should:

• background printing

• fonts and alignment

• holograms and positioning

• the way it’s been laminated

• designs printed with optical variable ink (and check they look the way they should at certain angles)

• the format of any identifiers

• the position of any photographs on the evidence (they should not have been replaced or edited)

3.2.2.1.7 If the evidence is being checked by a person, they must:

• be trained in how to detect false documents by a specialist trainer, such as the Home Office, National Document Fraud Unit or Centre for the Protection of National Infrastructure (CPNI)

• refresh their training at least every 3 years

3.2.2.1.8 If the evidence is being checked by a system, it must:

• have been built following good practice, such as the Home Office’s guidance on identification document validation technology

• update the templates it checks the evidence against at least every 3 years

3.2.2.2 Confirm the UV or IR security features are genuine

3.2.2.2.1 The person or system doing a check of a physical document will need to use a UV or IR light to make sure:

• the paper the evidence is printed on looks the way it should

• the alignment of the evidence looks the way it should

• any fluorescent features (such as fluorescent inks or fibres) look the way they should

• the evidence has not been tampered with (for example a UV light will show where UV features have been covered by glue if something has been stuck on the evidence)

3.2.2.2.2 The person or system will need to use reference templates to check any of the following features on the evidence look the way they should:

• background printing

• fonts and alignment

• holograms and positioning

• the way it’s been laminated

• designs printed with optical variable ink (and check they look the way they should at certain angles)

• the format of any ‘identifiers’

• the position of any photographs on the evidence (they should not have been replaced or edited)

3.2.2.2.3 If the evidence is being checked by a person, they must:

• be trained in how to detect false documents by a specialist trainer, such as the Home Office, National Document Fraud Unit or CPNI

• refresh their training in how to detect false documents every year

3.2.2.2.4 If the evidence is being checked by a system, it must:

• have been built following good practice, such as the Home Office’s guidance on identification document validation technology

• update the templates it checks the evidence against at least every year

3.2.3 Strong check

3.2.3.0.1 You will have done a strong check if you do any of the following:

• confirm the evidence is valid with an authoritative source

• check the cryptographic security features to make sure they are genuine

3.2.3.1 Confirm the cryptographic security features are genuine

3.2.3.1.1 To make sure the cryptographic security features are genuine, the system that checks the evidence will need to:

• read the cryptographically protected information

• provide any required cryptographic keys

• check the digital signature is correct

3.2.3.1.2 It will also need to check the signing key:

• belongs to the person that it claims signed it

• has not been revoked

3.3 Check if the person is the representative

3.3.0.1 Before you can let a person act on behalf of someone else you must be confident that the user is the representative that is identified in the evidence.

3.3.0.2 How confident you’ll be will depend on how well you check that the user and the representative are the same person.

3.3.0.3 To check this you can:

• match the identity of the person or organisation claiming to be the representative to the one described in the evidence of authority

• use an authenticator

• use a code or reference number

3.3.1 Low assurance

3.3.1.1 You will have low assurance that the user is the representative if you have done any of the following:

• linked them to the evidence by using a unique reference number

• linked to them by an authentication process that has low protection

• low confidence in their identity

3.3.1.2 Low assurance means it would be reasonably easy for someone to link themselves to the evidence even if it does not relate to them.

Example

Atzi books a holiday on a travel booking website. She wants her travel companion Bao to also be able to manage the booking. The website gives her a 4 digit code to give to Bao.

Bao goes to the same website and enters the code. This allows him to see and make changes to the booking. The travel booking website will have low confidence that Bao is the representative because someone else could pretend to be them if they knew, or guessed, the code.

3.3.2 Medium assurance

3.3.2.1 You will have medium assurance that the user is the representative if you have either:

• linked to them by an authentication process that has medium protection

• medium confidence in their identity

3.3.2.2 You will also have medium assurance if you have all of the following:

• linked to them by using a unique reference number

• linked to them by an authentication process that has low protection

• low confidence in their identity

3.3.3 High assurance

3.3.3.1 You will have high assurance that the user is the representative if you have either:

• linked to them by an authentication process that has high protection

• high confidence in their identity

3.3.3.2 You will also have high assurance if you have all of the following:

• linked to them by using a unique reference number

• linked to them by an authentication process that has medium protection

• medium confidence in their identity

3.3.4 Very high assurance

3.3.4.1 You will have very high assurance that the user is the representative if you have either:

• linked to them by an authentication process that has very high protection

• very high confidence in their identity