The UK government is making another attempt to impose a common digital identity system across all its online public services and is mandating Whitehall departments to comply, Computer Weekly has learned.
Cabinet Office minister Michael Gove last week wrote to departments about the “development of a single sign-on and identity assurance system”. It is not clear when the system will be available, but Gove said in his letter that “all public-facing central government services should migrate onto it and legacy systems will be phased out”.
The work is being led by the Government Digital Service (GDS) and builds on the recent trials of Gov.uk Accounts, a single sign-on system that was billed as a way to deliver more personalised services for users of the Gov.uk website.
However, according to Gove, the new system will go further by adding identity assurance features and sharing identity data between departments. Gov.uk Accounts was initially understood to be a simple login and password tool. But the government needs to replace the failed Gov.uk Verify ID assurance system, which the Treasury said in 2020 should be phased out by September this year.
It is also unclear whether the new development will re-use existing Verify functions. Gove asked departments to “provide necessary resources over FY [financial year] 2021-22 to work with GDS to enable the design, test and build of the new system”. Gov.uk Accounts was given £32m initial funding in the November spending review.
The sharing of identity data, and data about people’s behaviour as they move around the Gov.uk estate, could prove controversial. In September 2019, when plans for personalisation for users of Gov.uk were first announced, the Cabinet Office was adamant that it was not intended to introduce a means for tracking individual users as they interact with online services.
“There is nothing sinister happening,” said a Cabinet Office spokesperson at the time.
But the latest plan for sharing identity and behavioural data between departments is likely to prompt concerns over privacy and data protection.
The Digital Economy Act 2017 governs the sharing of data between public sector bodies. Departments have to agree and publish a formal data-sharing agreement that outlines what data will be shared and under what conditions. The register of data sharing agreements currently has no such arrangements in place for identity data.
Gove said in his letter that “active participation” from departments is “a precondition for the programme’s success”. More than £200m has been spent on Verify, plus hundreds of millions more on other government digital identity systems, such as HM Revenue & Customs’ (HMRC’s) Government Gateway, the Department for Work and Pensions’ (DWP’s) Confirm Your Identity – which sits at the heart of Universal Credit – and NHS Login.
But Gove said the new system will take precedence. “Departments must expeditiously migrate their services and users to this system and must not progress any work on separate, conflicting solutions for identity and attribute verification or single customer accounts and sign-ins,” he told departments.
This is not the first time the Cabinet Office has attempted to mandate a common digital identity system across Whitehall. A 2016 plan to have 25 million users of Verify by 2020 was predicated on all departments using the system. However, in early 2017, HMRC was the first to break ranks and today, its Government Gateway system has about 16 million users, compared with less than half that number registered with Verify.
The DWP has also allowed Universal Credit applicants to use their Gateway credentials through Confirm Your Identity, as it seeks to move away from Verify.
Given that past reluctance towards a single system, Gove stressed that the new initiative relies on departments not pursuing their own developments.
“Success depends on delivering a shared, jointly-owned solution that meets the needs of citizens and of the range of services that the public expects to access digitally,” he said. “Work that is substantially driven by any single department providing public services will lead to further disappointment.”
The Cabinet Office plan came in the same week that the Department for Digital, Culture, Media and Sport (DCMS) announced the first phase of a trust framework intended to establish a set of national standards, covering public and private sectors, to allow interoperability and re-use of digital identities across the economy.
Private digital ID providers have long campaigned for government to allow access to Whitehall systems for users of their commercially available login tools, but if a single cross-government system is introduced, it could further scupper their hopes.
“The development of a single sign-on and identity assurance system that enables access to all government services is long overdue,” said Gove in a letter co-signed by Steve Barclay, chief secretary to the Treasury.
“We recognise that this work is ambitious and that there are challenging technical, legal, ethical and operational issues to resolve. We must work together across departmental boundaries to establish agreed solutions – and we are confident that, with your support, we will do so.”
Gove added that the benefits of a common system for digital identity will include more citizens being able to access online public services; reduction of fraud and errors; and improved policy making by sharing data to understand citizens’ behaviour.
A governance structure will be put in place to oversee the programme, including the involvement of ministers to provide “strategic direction”, led by Cabinet Office parliamentary secretary Julia Lopez.
Speaking at a conference in London in September 2020, Lopez said there are there are currently too many ways to sign on to different government services.
“Too often, users have to enter the same data again and again. And we know how frustrating that is. Our vision is for members of the public to be able to access any online central government service simply, safely and securely using a single sign-on. When necessary to prove your identity, it should be as easy as possible, without re-entering information,” she said.
A Cabinet Office spokesperson said: “We do not comment on leaked ministerial correspondence.”
Labour’s shadow minister for digital, science & technology, Chi Onwurah, said the latest digital identity plans raise a number of important questions.
“Trust in, control of and access to online identity is one of the most important challenges of this digital age and yet the government’s approach is an unholy mess,” she said.
“Over the last 10 years the government has excluded the private sector from its doomed Verify project, then wasted millions on separate identity verification processes for every department. There are also reports they are going to centralise all identify verification, and track people’s identity and data across the whole of government without any assessment of the privacy, equalities and rights impact.
“What they haven’t managed to do in all that time is produce a comprehensive or even a basic framework for online identity and address the consequences of online anonymity and abuse.”