Guidance

Requirements for joining the Document Checking Service pilot

The pilot allows organisations to check whether passports are valid. Organisations need to meet certain requirements to take part.

This guidance was withdrawn on

The Document Checking Service pilot ended on 31 March 2022.

Organisations need to meet certain requirements to take part in the Document Checking Service (DCS) pilot.

This is to make sure that the passport validity check is happening securely and safely and that the pilot objectives can be delivered.

The requirements on this page are not exhaustive. Organisations will receive more information as they progress through the pilot.

How to use the DCS check

Your organisation can only use the passport check:

  • for the purpose of crime prevention
  • in combination with existing or new products and services

Your organisation must:

  • get explicit consent from users for their data to be processed - consent must be valid to the standards set out in data protection legislation
  • understand that the passport data check gives a trusted assertion that the details provided by a user are the same as those held in HM Passport Office (HMPO) records - it does not prove that the document is genuine or guarantee the user’s identity

What the DCS check cannot be used for

Your organisation must not use the DCS check for anything that:

  • is illegal, for example any use that relates to selling or promoting illicit goods or substances, promoting acts of violence or terror, or that breaches any law, including data protection law
  • is derogatory to, or discriminates against, people of a particular race, sex, gender, religion, sexual orientation or disability
  • is misleading or deceptive in any way
  • targets or exploits vulnerable people, for example, any use that relates to promoting gambling to those who have self-excluded, or promoting short term personal loans like ‘payday loans’
  • may damage the reputation, image, goodwill or trust in the DCS, HMPO, the UK government, any government service or any authorised service

If you pass on the trust from the passport check to any third party organisations, they must comply with these conditions too.

GDS may need to change or add to these at any time. Your organisation will be told in advance if this happens.

Minimum organisational requirements

Your organisation needs to have documented information security management practices, policies, approaches to risk management and other recognised controls in place.

This is to make sure that users’ information will be protected and used lawfully and appropriately.

Your organisation will need to show that it:

  • is a private sector or civil society sector organisation
  • processes data for this pilot in the European Economic Area (EEA) or the UK
  • is established and fully operational in the areas that will provide the service
  • meets any legal requirements in connection with operation and delivery of the service, including the types of information that it checks, what information it retains and for how long
  • can assume the risk of liability for damages
  • has the financial resources to take part in the agreed duration of the pilot
  • is responsible for the fulfilment of all commitments and for complying with the pilot rules, where it outsources to another entity

Your organisation will also need an effective termination plan in place that covers:

  • orderly discontinuation of service
  • how it will inform relevant authorities and end users
  • how records will be protected, retained and destroyed

If your organisation is currently certified against standards such as ISO 27001, GDS will not need to recertify it against them. At the written application stage, you should state any relevant kitemarks your organisation holds or certification processes it has gone through.

Information your organisation gives to users

Your organisation will need a published ‘service definition’ that explains what the service connecting to the DCS does. It should include:

  • all applicable terms, conditions, and fees of the service
  • any limitations on how the service can be used
  • a privacy policy

Your organisation will also need appropriate policies and procedures that:

  • allow it to tell service users of any changes to the service definition in a timely and reliable way
  • mean it can give full and correct responses to requests for information

Information security

Your organisation will need an effective information security management system that meets proven standards, so it can control information security risks.

Records

Your organisation will need to:

  • record and maintain relevant information using an effective records management system that takes legislation and good practice into account
  • retain records in accordance with its organisational policy, which must be within the timeframes allowed by law
  • protect records for as long as they are needed for auditing and investigating security breaches
  • securely destroy records once they are no longer needed

Facilities and staff

Your organisation will need to show that it:

  • has policies and procedures that make sure staff and subcontractors are sufficiently trained, qualified and experienced in the skills needed to carry out their roles
  • has sufficient staff and subcontractors to adequately operate and resource the service according to your policies and procedures
  • continuously monitors its facilities for damage that may impact the security of the service
  • protects its facilities against damage that may impact the security of the service
  • makes sure that access to areas holding or processing personal, cryptographic or other sensitive information is limited to authorised staff or subcontractors

Technical controls

Your organisation will need to show that:

  • it has proportionate technical controls to manage the risks posed to the security of the service, protecting the confidentiality, integrity and availability of the information processed
  • all electronic communication channels used to exchange personal or sensitive information are protected against eavesdropping, manipulation and replay
  • it only gives access to sensitive cryptographic material to the roles and applications that strictly require it
  • all media containing personal, cryptographic or other sensitive information are stored, transported and disposed of in a safe and secure manner
  • it protects sensitive cryptographic material from tampering
  • it has procedures to make sure that security is maintained over time
  • it has procedures to make sure it can respond to changes in risk levels, incidents and security breaches

Audit

Your organisation will need to show that it has regular independent audits that cover all parts of the service related to the use of the DCS.

Contact information

Contact the DCS pilot team with any questions at digital-identity-pilot@dcms.gov.uk

Published 1 October 2019