UCD is still new, so not many questions have been asked yet. We need more! Please submit them via the contact form.
In anticipation, we give below answers to some of the questions that may be asked.
You can filter the questions to see only those relevant to your starting point. There are also some definitions to help explain any unfamiliar terms.
The word ‘control’ in UCD implies that the user plays an active part in the process of transferring data from one party to another, and thus can stop the transfer by declining to play that part. For example, an individual controls whether to take a bank note from their wallet and hand it over to a merchant. Similarly, using a PDS, a user will control whether to share data. Control is different to Consent, defined elsewhere.
‘Consent’ means simply that an individual agrees that data can be transferred between parties but plays no other part in the process. In payment systems, for example, an individual consents to a merchant taking payment by direct debit (by completing a direct debit mandate). Consent is best understood by contrast with ‘Control’, defined elsewhere in this FAQ.
No. The costs of running the UCD infrastructure will be paid by the service providers who choose to interact with you via your PDS. And they will be happy to pay in return for a better experience for their customers, lower costs, and easier compliance with data protection legislation.
Yes and no. SSI is a term used by some companies to describe software that enables (i) organisations to issue one or more ‘verified credentials’ to an individual; and (ii) the individual to control who should see such credentials.
Here the term ‘verified credential’ means much the same as what UCDx calls ‘trustworthy personal data’: both refer to personal data which the individual controls, in the sense of deciding who gets to see it, but cannot change. And both terms are general, and can refer to any kind of data, whether legal identity, or a qualification, or simply a statement that someone is over a certain age.
UCD differs from SSI in that it aspires to be a complete proposal, putting forward not just clever software but also an organisational model, business model, funding model, governance model, and application route map, starting in UK education.
An attribute is simply a piece of data about – or belonging to – an individual, such as age, hair colour, legal identity, height, qualifications, vouchers, money, a visa for travel etc.
Attributes can be more or less closely tied to a particular identity. For example, a travel visa is generally tied to an identity, as shown in a passport. But a voucher can be anonymous, ‘belonging’ to whoever happens to have possession of it. And money, pure and simple, is always anonymous.
Attributes can be issued directly by a service provider qualified to do so. Examples include: a qualification issued by a learning provider; a credit score by a credit bureau; a ticket by an airline; and a legal identity by a government. Such attributes can usefully be called ‘authoritative’.
Attributes can also be checked by some other trustworthy party, other than the issuer. In this case, they can usefully be termed ‘verified’ attributes. Americans often use the word ‘claim’ instead of attribute. The word ‘credential’ can also be used.
Although UCD has been developed as a concept largely by PIB-d Ltd, it has long been apparent that – in order to win the necessary trust – the project has to be led by a public-interest body. This realisation led to the creation, in 2020, of UCDx as a community interest company, using funding provided by InnovateUK.
John Harrison, one of the founders of PIB-d Ltd, serves on the board of UCDx and provides necessary expertise. But he has declared his interest in PIB-d to the board, and – should PIB-d ever seek to win work from UCDx – will be recused from the associated decisions.
We may (or may not) join soon.
TrustoverIP (https://trustoverip.org/) is a grouping of organizations formed in 2020 to develop a ‘full-stack’ of standards – not just technology but also governance – for internet-scale digital trust.
UCD, in contrast, is a coherent set of business, technical, organization and governance models, together with a route to scale, for developing infrastructure for User Control of Data (including identity), starting in the UK education and finance sectors.
As such, UCD can be thought of as a defined and focused expedition into new territory, whereas TOIP is a collective agreement between organizations that there is a lot of exploratory work to be done, and that it is better to carry out the work collectively. UCD may well draw upon some of the work carried out by TOIP.
OIX (https://openidentityexchange.org) is a forum in which public and private sector organisations gather to discuss issues related to digital identity and personal data exchange. From time to time OIX members collaborate on new schemes, i.e. new ways to make tangible progress in the field.
UCDx is (or will shortly be) a member of OIX, and the UCD proposal is – in the eyes of OIX – a new scheme.
Ideally, organisations participating in UCD should be able to purchase software components from a deep market of suppliers, all offering standards-compliant code. Evernym is one early supplier in the market, and seems to be committed to interoperability; others are emerging and have a similar commitment to interop. Inrupt and Dataswift are further software developers active in the field, but UCDx knows less about them as yet.
Retail banking has remained much the same for a long time. Even web banking is just a new front-end for traditional back office systems. UCD may be the driver of change.
We envisage that banks will soon begin to offer PDS accounts, integrated into web banking applications, and allowing individuals to control the flow of personal data from the same interface that they use to control the flow of money. The first attributes will be proof of qualifications, and proof of identity. Use by the education sector should provide a route to scale.
The key to the involvement of the banks is – of course – the business and funding models. We have clear ideas about these, and are working to develop them further. Please contact us to discuss.
The ‘Identity and Attribute Exchange (IAX)’ scheme is being designed by the Government Digital Service as a successor to gov.uk Verify.
While full details have yet to emerge, it is thought that IAX will adopt similar principles to gov.uk Verify, but government itself will not be involved in delivery, i.e. there will be no equivalent to the ‘hub’ (similar to a Service Provider Acquirer in UCD) operated by GDS for Verify; and thus all component parts will be provided by the private sector.
UCD is, in principle, compatible with IAX, since it can be seen as an intermediary commissioned by the individual to enable the sharing of attributes between parties. It is (almost) immaterial whether these attributes are related to ‘legal identity’ and shared between an IAX identity provider and a government department, or whether they are qualifications for sharing between a learning provider and an employer. The functionality is the same in both cases. Provided it reaches critical mass, UCD should offer lower costs, since it will serve as a (distributed) platform for many attribute-sharing applications.
No. See answer to ‘Will my PDS provider (or others) have access to my data?’ above.
No. Government departments like to maintain large databases of personal data, in part at least to enable statistical research as to what policy measures prove effective. Examples include – in education – the National Pupil Data Base (NPDB) and the Learning Records Service.
But these databases are assembled without really asking the individuals involved whether they agree. Further, they are often incomplete. For example, LRS mainly contains qualification data from secondary and further education in England: many universities do not contribute data, and the approach is not used at all in Scotland. (We are not sure about the situation in Wales or Northern Ireland.)
UCD will enable individuals to pull down data from LRS and combine it with qualification data from other sources. Then, if they are asked nicely, they may well agree to let an external party view their data for research purposes, provided their anonymity is protected. An explicit link to a research agency could even be installed by default, provided that the individual has the right to delete it.
In summary then, UCD will not prevent statistical research, since databases – such as LRS – will likely remain in place. Rather UCD has the potential to enhance such research by actually asking the individual, digitally, for permission to access all data relevant to a given enquiry, not just the sub-set captured in a centralized database.
UCD aims to be ubiquitous, a bit like a payment system, and so used by individuals to maintain online relationships with organisations across the public and private sectors, and with other individuals.
Thus, even though UCD is clearly infrastructure, design and implementation cannot be led by government. Why? Because government’s remit is limited to online relationships between individuals and the public sector: it does not extend to online relationships between individuals and between individuals and private sector organisations.
And yet, UCD cannot be built without support from government, because it is government, in one guise or another, that controls significant chunks of our personal data (e.g. qualification records), and so offers a route to critical mass.
UCDx is working to secure the UK government’s support.
UCD can only be developed as a collaboration between the UK’s public and private sectors. It’s for this reason that the original development company, PIB-d Ltd, was set up as a joint-venture, half owned by (parts of) the education sector and half privately. But PIB-d was premature.
Now UCDx has been set up – as a community interest company – to make the case for UCD and act as a future governance body. But the fact remains that creating the infrastructure still requires collaboration and support from across the UK’s public and private sectors. The stronger the support from the public sector, initially education, the easier it will be for the private sector to raise the necessary finance.
gov.uk Verify was a scheme to enable individuals to prove their legal identity online to government. Government could easily have chosen to award a single large contract to just one identity provider, and then presented the result under the gov.uk brand. However, it chose instead to award contracts to several Identity Providers (IdPs, initially seven), and allow individuals to choose between them, based on brand strength and other factors.
The fact that individuals could choose an IdP from a managed market was a step towards the idea that it was the individual commissioning the IdP to act as their agent. But this was never really the case: the IdPs were always commissioned, and paid for, by government. And it is government which has decided to end the Verify scheme (probably sometime in 2022) and so terminate the provision of services by IdPs to individuals.
UCD is different. An individual will choose a PDS from a managed market, probably at the invitation of a learning provider, just as individuals chose a Verify IdP at the invitation of government. But, in contrast to Verify:
UCD can – over time – provide a range of online applications which government needs, and will do so in a privacy enhancing and secure way. These include enabling an individual to
The first two of these applications – identity and proof of age – are acknowledged as necessary by DCMS and are the subject of current or recent work; the third – i.e. the achievement record – was acknowledged as a good idea in 2019 by the then Secretary of State for Education, and has been listed as a candidate for future work in a recent report (July 2020) from the Centre for Data Ethics & Innovation (as hosted by DCMS).
The technology required for UCD is now mostly in place, and can be regarded as a variant of recent work on “self-sovereign identity”, led by companies such as Evernym. The Trust Over IP Foundation is now working – in a necessarily general way – on matters of governance etc.
What UCD contributes are coherent business, funding, and governance models – together with a credible route to scale – required for the implementation of these technologies at scale in the UK.
No. At the moment, when an awarding body (such as a university, or an exam board, or a trade body) issues a paper qualification to an individual, say ABC, they are stating only that the individual known to them as ABC has earned a particular qualification.
Even though awarding bodies may ask for proof of ABC’s identity at the time of registration, it is not their role to vouch for that identity to others, and they would not carry liability insurance for doing so.
Rather, vouching for an individual’s identity to others is the role of a specialist service provider, an ‘identity provider’ or IdP. Such organisations look at many factors to determine whether a claimed identity is genuine: evidence of interaction with an awarding body may be one such factor, but is far from sufficient.
Since UCD providers will be private sector companies, all competing for custom from individuals, there is a possibility that one or more could either fail commercially, or simply decide to exit the PDS market.
Should this happen, the company in question will be obliged – under its contractual agreements with UCDx – to allow all its customers to port their accounts to a different UCD provider of their own choosing, or in the final resort, transfer any remaining customers to a default provider selected by UCDx.
No. UCD can be piloted within a single secondary school, FE college and university. In each case, the institution will invite learners to choose a PDS provider from a managed market (i.e. at least two providers), and then use their new account to interact with both the institution and with fellow learners. Assuming these pilots prove successful, other learning providers will follow; and the new approach will grow to ubiquity, eventually being used for transitions between institutions as well as internally.
Eventually. In UCD terms, UCAS is almost a Decision Support Service (see page re organizational model), helping learners choose between, and apply to, universities. If the UCD pilots succeed, setting the infrastructure en route to scale, it will make sense – at some point – for UCAS to consider integration. The task will be complex, but it will be a sign of success, and so a good problem to have.
Yes, it will be. LRS serves, principally, as a back-office store of qualification data from secondary and Further Education in England. This data is provided by the awarding bodies – such as OCR, City & Guilds – who serve secondary and FE learning providers.
We expect that learners will – using a PDS – set up an online relationship with LRS at the same time as they register with a relevant learning provider, and so be able to pull down qualification data as it becomes available. Later on, they will use the same PDS to pull down qualification data directly from learning providers – such as universities and professional/trade bodies – that act as their own awarding bodies.
LRS is run by the Skills Funding Agency on behalf of the (Westminster) Department for Education. We are seeking DfE’s support.
Yes, it will be. UKAMF enables an individual to use a single username and password, provided by their home institution (say a university or college), to gain access to online resources provided by many others, typically a publisher. The publisher will grant or deny access based on information – attributes – released by the home institution. More info can be found at https://www.ukfederation.org.uk
UCD goes a big step further, enabling an individual to choose a PDS provider as their personal agent, i.e. as an intermediary in (potentially) all their online relationships, including that with their home institution.
Thus an individual will keep the same PDS account – possibly porting it from one PDS provider to another – throughout their educational career, and will be able to use it to share attributes from any party to any other. So UCD will be able to offer not just the functionality provided by UKAMF, but much more, starting with a portable personal achievement record, proof-of-student status, low value payment, proof of identity etc.
Conditionally. UCDx has been set up as a public-interest entity to govern the proposed UCD infrastructure, using funding provided by InnovateUK in response to a grant application submitted by PIB-d Ltd.
Jisc is a shareholder in PIB-d Ltd (www.pib-d.net), a commercial company created – as far back as 2011 – to develop UCD type infrastructure. While UCDx and PIB-d Ltd are independent of each other, PIB-d may in time bid to UCDx for a concession contract to run UCD pilots.
Jisc has indicated that (i) it believes that UCD type infrastructure is necessary; but that (ii) a UCD development project is only feasible if there is general support throughout the education sector, led by the relevant parts of government (in Westminster, Edinburgh, Cardiff and Belfast).
In consequence, it seems fair to say that Jisc’s support for UCD is conditional on winning support from government.
There is already one PDS provider in the UK, Mydex CIC. It seems to be active mainly in the health sector.
But the new approach can only become infrastructure, and reach national scale, if users are given a choice between different PDS providers, and are assured of interoperability and account portability between them.
When this need for choice between providers is accepted, and a route to national scale is set out, we expect that the retail banks will begin to offer PDSs. The service can be seen as complementary to the provision of banking services, akin to safety-deposit boxes in the physical world.
It’s also possible that the mobile network operators will offer PDSs. And Big-Tech (i.e. Google, Microsoft, Facebook, Apple) may decide to participate, but would have to accept external regulation, something they have long been unwilling to consider.
Yes. Just as an individual can choose to destroy a real-world wallet, and everything within it, so an individual will be able to delete their own PDS account and associated data.
If they do so, they will have to re-establish online relationships with every service provider by some other means. This will be difficult, but the right to delete a UCD account is fundamental.
Not in normal use. A PDS provider does not have the right to look inside an individual’s Personal Data Service (e-wallet) or make any use of the data therein.
However, occasions may arise where a PDS provider, probably working on behalf of others (such as the State or a relative) needs to gain access to such data. In the case of the state, there would likely be a need for a warrant, akin to that used to obtain physical access to an individual’s home. A relative might need a power of attorney, or similar.
This area is controversial. In our view, the debate should not be about whether access of this kind should be technically possible, but rather about the safeguards – legal and technical – that should be put in place to ensure that any such third party access only happens in extreme situations, and is never abused.
No. UCD will be designed to avoid – at the infrastructure level – any unique identifiers for individuals, making it more difficult for counterparties to exchange personal data between their back offices without involvement of the individual. Instead, they will need to ask the individual, via their PDS account, to disclose the data.
Note, however, that some parties will require an individual to disclose personal data capable of being used as a unique personal identifier (such as the triad of name, date-of-birth and postcode; or an email address; or a phone number) at the point they sign-up. In this case, the individual can either comply or choose to walk away.
As many as you like. But – just as too many bank accounts or wallets become a nuisance – so most people will find that it’s easier to have just one or two PDS accounts. Otherwise, they may find that the data that they need to share via one account can only be accessed by a different one.
No. Just like signing up for a conventional account on any website, the only thing that an individual must prove to open a PDS account is that they are human (probably by solving a captcha).
Later, when using a PDS account to set up an online relationship with a service provider, it’s the service provider which determines what information the individual needs to disclose and to what degree such information needs to be trustworthy.
In some cases, the service provider – say a Further Education college or a family doctor – may request online proof of an individual’s legal identity not because such proof is necessary for the delivery of their services, but rather to help link the individual to any existing offline records that they may maintain. (Or they could make the linkage by face-to-face contact instead: a teacher can recognise a student, just as a doctor can recognise one of their patients.)
There is a purist approach to UCD in which individuals don’t need a UCD provider, and rely instead only on software installed on their own device. While it might be possible to make this work technically, there are two main reasons why we think there is a need to involve UCD providers.
The first is that software is never intrinsically trustworthy, secure or privacy-enhancing. Rather all these good things are the result of work by people and organisations, are communicated by some form of brand or trademark, and need to be paid for. Put otherwise, there is a need for infrastructure to have a coherent business model; and the best one (that we can find, anyway) relies upon service providers paying UCD providers small periodic relationship fees.
Second, humans are fallible: they forget passwords, and they forget to make backups. For most people, it makes sense to have a PDS provider help them ensure that they never lose their data, or access to it.
UCDx will maintain and enforce open standards to ensure interoperability between the software components used by all the participants in UCD infrastructure. Whether any components are made available open-source is a secondary issue, to which the answer is not yet clear. It may be that software components are made available free issue to any organisation that has signed-up as part of the infrastructure, but this is not quite the same as Open Source.
In time. The main idea behind UCD is to give individuals control over their own data. Once they have such control, they may well choose to give an AI access, seeking advice or guidance. And if they don’t like the results, they can switch to a different AI, or turn the thing off entirely.
Not necessarily. UCD can be built without block-chain – which is just one technical option and in no way a panacea. If used at all, the most likely application is for the exchange of public keys between parties.
It won’t change your life. But doing stuff online will gradually become better: