government departments

UCD cannot be built by government, since HMG has no remit to create systems for individual-individual and individual-private-sector relationships. However, the proposal is of such scale that it cannot easily be built without cooperation from the relevant government departments. So far, they have all been somewhat slow in offering help towards, or at least recognition of, what UCDx is trying to do. Details follow:

DfE has been aware of UCD for at least five years, as a result of various meetings with civil servants, and letters to politicians. Notably, in 2019, there was a top-level meeting arranged at the instigation of HMG’s then Chief Scientific Adviser (CSA) for National Security and attended by the DfE’s own CSA and its chief data officer. But rather than work with UCDx to create open multi-application infrastructure, DfE has chosen – under its Project Titan – to focus on a single application, the transition from secondary to FE, using a DfE-branded digital wallet: it has neglected any long-term thinking about organization, business, funding or governance models.

The current situation is summarized in a letter to the Rt Hon Gillian Keegan, secretary of state for education, dated 31 Oct 2022, and kindly forwarded by UCDx’s local MP, Matt Rodda. The letter, and Mrs Keegan’s reply, can be downloaded from the ‘docs’ page.

DCMS is charged with the development and implementation of the UK Digital Identity & Attributes Trust Framework (UKDIATF).

The staff in DCMS’s digital identity team have yet to focus on the need for a managed market of Personal Data Services (i.e. enhanced digital wallets) as an extra layer on top of an industry of regulated digital identity providers. They do not seem to realise that:

  • if the UK only has digital identity providers, then an individual’s digital ID could be treated like a national identity number, enabling all other personal data (i.e. attributes) to be discovered by back-office data sharing, usually with (but also possibly without) user consent.
  • the extra layer of PDSs (i.e. enhanced digital wallets) treats official identity as simply the (set of) attributes by which an individual is known to central government, rather than as the key for back-office data lookup. A PDS enables an individual to gather attributes from any counterparty (including central government, or an IdP working as its proxy) and show any selection of them to any other counterparty.

Strangely, DCMS does not seem to recognize that UCD is necessary to deliver – elegantly – some of the functionality deemed necessary for UKDIATF, particularly selective disclosure, authority management, and compliance with the spirit (and not just the letter) of data protection legislation. They also consider UCD to be a fully commercial ‘product’, rather than a public-interest ‘proposal’, and so not capable of being endorsed by government.

The current situation is summarized in (i) a letter to Julia Lopez, Minister of State for Media, Data and Digital Infrastructure, dated 17 October 22, as kindly forwarded by UCDx’s local MP, Matt Rodda; and in (ii) Ms Lopez’s reply, dated 8 December. See the docs page for downloadable copies. A further letter to Ms Lopez is overdue.

Following the failure of Verify, Cabinet Office is charged with the development of OneLogin, a combined single-sign-on and back-office identity-provider (IdP) for use by individuals seeking access to central government services. As yet, there is no clarity from Cabinet Office / GDS on a number of points:

  • whether individuals will be allowed to use a UCD-style “empty” PDS as a means to authenticate to OneLogin
  • whether, in time, Cabinet Office will issue an official identity attribute from their back-office IdP to an individual’s PDS – which the individual can then show to whomsoever they wish
  • whether an individual using a UCD-style PDS, which a commercial identity provider has provisioned with an official identity credential (at a suitable level of confidence), will be able to use that credential to identify themselves to central government, rather than having to repeat the identity-proofing process using the Cabinet Office’s back-office IdP

These three points were raised informally with Cabinet Office civil servants in the course of 2022, and generally met with a response of the kind “We don’t know; we will get back to you”. It may soon be time to raise the points more formally.