Guidance

Enabling the use of digital identities in the UK

We’re working to help people securely prove who they are without having to rely on physical documents.

From:
Department for Science, Innovation and Technology
Published
13 February 2023
Last updated
22 March 2023 — See all updates

Overview

In the Department for Science, Innovation and Technology (DSIT), we’re working to help people securely prove things about themselves, such as who they are or what their age is, without having to repeatedly present physical documents.

The government is not making digital identities mandatory. This is not a step towards ID cards. Instead, we’re setting robust standards to make sure innovative private-sector solutions protect privacy, boost security, and enable greater accessibility, all while growing the economy by saving people and businesses time and money.

To maintain trust in digital identity products and services as uptake increases and technology develops, we are setting up a governance structure, underpinned by legislation, to ensure standards are being followed and to keep them up to date.

This page collects digital identity guidance published to date and is primarily aimed at 4 groups:

What is a digital identity?

If you’ve scanned your driving licence to open a bank account, used your passport at an automated border gate, or used your face to unlock your phone, you’re already familiar with the sorts of technologies used in digital identity products.

A digital identity is a digital representation of your identity information, like your name and age. At your request, it can also contain other information about you, like your address, or biometric information, like a fingerprint or face scan.

It enables you to prove who you are during interactions and transactions without presenting physical documents.

Just like when a physical document (such as a passport) is checked, someone checking your digital identity must have a way to know that it is genuine and that it belongs to you.

For example, some banks will check your identity digitally when you want to open an account. A typical process is:

  • You take a photo of a document (e.g. a passport or driving licence)
  • It is checked digitally to confirm it is genuine
  • You take a photo or video of yourself which is matched to the one on the document

Unlike with a physical document, you are able to limit the amount of information you share to only what is really necessary. For example, if you are asked to prove you are over 18, you could provide a simple yes/no response and avoid sharing any other personal details.

Currently, you have to go through an identity checking process each time you need to prove your identity, and many places don’t accept digital identity products, online or in real life. You also don’t currently have an external assurance that this process is optimally secure and privacy-preserving.

The common, robust standards in the UK digital identity and attributes trust framework will change this by enabling digital identities to be reused while providing assurance of privacy and security.

Story so far

  1. In September 2020, we published our response to a call for evidence gathering views on how government can support the development of secure digital identities in the UK

  2. In February 2021, we published the first version of the UK digital identity and attributes trust framework, which has been in development since

  3. In March 2022, we published a response to a public consultation on our proposed approach to enabling secure digital identities in the UK economy

  4. In April 2022, employers and landlords became able to use providers with certified services for pre-employment, rental eligibility and criminal record checks

  5. In June 2022, we published the current ‘beta’ version of the trust framework and started our beta testing programme

  6. In March 2023, the Data Protection and Digital Information (No.2) Bill had its first reading in Parliament. The Bill will underpin the trust framework and its governance and allow identity and eligibility checks to be made against trusted, government-held data

Useful information for providers

There are three types of providers that fall directly under the scope of the rules found in the UK digital identity and attributes trust framework:

The rules applying to each can be found in sections 11 to 15 of the trust framework.

Providers looking to become certified against the trust framework are already able to do so with government-approved certifying bodies who are undergoing accreditation with the UK’s national accreditation body, UKAS, who has a list of approved certification bodies.

Organisations interested in getting certified should read the guidance on becoming certified against the trust framework.

There are live use cases with pre-employment, rent eligibility and criminal record checks. The government has also published guidance on how to become certified to perform these checks, which require additional rules to be followed. Home Office requirements for these checks can be found at the guidance pages for right to work, right to rent and Disclosure and Barring Service (DBS) checks.

The certification process for the trust framework and any other digital identity overlay schemes is modular: you can certify your services against the trust framework and other overlay scheme guidance which builds on it for particular use cases (such as the right to work, right to rent and DBS schemes).

You do not need to recertify against the trust framework every time you seek certification against an additional overlay scheme.

Useful information for certifying bodies

The UK digital identity and attributes trust framework is now in its beta version. Guidance for providers on becoming certified against the trust framework has been published for those wishing to participate.

The trust framework draws on government guidance for proving and verifying someone’s identity (GPG 45) and for using authenticators to protect an online service (GPG 44).

There are further rules, standards, guidance and legislation in the trust framework, which a provider’s services must or should follow to become certified.

As the certification process for the trust framework is modular, a provider’s services can be certified against other standards on top of the trust framework as part of an overlay scheme.

There are currently public-sector overlay schemes open for right to work, right to rent and DBS checks. Additional Home Office requirements for these checks can be found at the guidance pages for right to work, right to rent and DBS checks. The government has published guidance on how to become certified to perform these checks.

If you want to know which providers have already been certified to carry out right to work, right to rent and DBS checks, you can refer to the list of providers with certified services.

Useful information about overlay schemes

The UK digital identity and attributes trust framework provides a baseline standard for the secure use of digital identities, and is not use case specific.

Some use cases may have additional requirements, for example for providers running pre-employment, rent eligibility and criminal record checks.

These additional requirements may be codified by an organisation or group of organisations as part of an overlay scheme. The overlay scheme can then use the trust framework certification process to certify against these extra requirements.

An overlay scheme is any organisation or group of organisations that:

  • Creates additional rules on top of those in the trust framework that reflect the requirements in a particular use case
  • Wants participating providers to be certified against those rules.

The certification process for the trust framework is modular, meaning providers can ‘top up’ trust framework certification with certification against the rules of one or more overlay schemes.

If you’re interested in learning more about setting up an overlay scheme, please send an email to digitalidentity-certification@dcms.gov.uk.

Useful information for employers, businesses, and other bodies

Employers, businesses or other bodies, who are often referred to as relying parties in the digital identity market, are already able to contract with providers who have undergone certification to conduct digital pre-employment, rent eligibility and criminal record checks using digital identity technologies.

Digital Disclosure and Barring Service (DBS) identity checks can be undertaken by providers whose services have been certified, as can digital right to work and right to rent checks for British and Irish passport-holders.

If you are looking to use certified services to carry out digital right to work, right to rent and DBS checks, you should refer to the list of providers with certified services.

Home Office requirements for certification to carry out these checks can be found at the guidance pages for right to work, right to rent and DBS checks.

Latest news

28 November 2022: The robust certification process underpinning digital identity services

10 March 2022: New legislation set to make digital identities more trustworthy and secure

19 January 2022: New digital identity checking for landlords and employers to tackle immigration abuse

Contact us

Stakeholders across the private sector, civil society sector and academia have been involved in developing every step of our work, with over 250 organisations giving us direct feedback through monthly sessions over the last three years.

If you are a provider, scheme, academic or business interested in joining our stakeholder sessions, please email digitalidentity-engagement@dcms.gov.uk.

If you have questions about the certification process not answered by the trust framework certification guidance, please send an email to digitalidentity-certification@dcms.gov.uk.

Published 13 February 2023
Last updated 22 March 2023 + show all updates

  1. The Data Protection and Digital Information (No.2) Bill reintroduced to Parliament.

  2. First published.

Contents