government departments

UCD cannot be built by government, since HMG has no remit to create systems for individual-individual and individual-private-sector relationships. But the proposal is of such scale that it cannot easily be built without cooperation from relevant government departments. Unfortunately, they are all somewhat slow in offering help towards, or at least recognition of, what UCDx is trying to do. Details follow, and are accurate as of May 2024:

DfE has been aware of UCD for at least five years, as a result of various meetings with civil servants, and letters to politicians. Notably, in 2019, there was a top-level meeting arranged at the instigation of HMG’s then Chief Scientific Adviser (CSA) for National Security and attended by the DfE’s own CSA and its chief data officer. But rather than work with UCDx to create open multi-application wallet infrastructure, DfE has chosen – under their Project Titan – to focus on a single wallet application, the transition from secondary to FE, using a DfE branded digital wallet, and taking data from the centralised Learning Record Service, rather than directly from learning providers. DfE has not shown any evidence of long-term thinking about organization, business, funding or governance models for wallet infrastructure.

DSIT is charged with the development and implementation of the UK Digital Identity & Attributes Trust Framework (UKDIATF) which, so far, only really set outs the requirements for single-use identity proofing providers, and ancillary organisations.

The staff in DSIT’s digital identity team have yet to focus on the need for a managed market of digital wallets as a way to give individuals control of legal identity AND many other types trustworthy personal data.They do not seem to realise that:

  • if the UK only has digital identity proofing providers, then an individual’s digital ID could be treated like a national identity number, enabling all other personal data (i.e. attributes) to be discovered by back-office data sharing, often with (but also possibly without) user consent.
  • a UCD-style digital wallet will treat official identity as simply the (set of) attributes by which an individual is known to central government, rather than as the key for back-office data lookup; a wallet enables an individual to gather attributes from any counterparty (including central government, or an IdP working as its proxy) and show any selection of them to any other counterparty;
  • UCD is necessary to deliver – elegantly – some of the functionality deemed desirable for UKDIATF, particularly selective disclosure, authority management, and compliance with the spirit (and not just the letter) of data protection legislation; and
  • UCD is not a commercial ‘product’, rather than a public-interest ‘proposal’, and so not capable of being endorsed by government.

DSIT’s slowness is – probably – the result of a remit  that has been constrained by agreement with other government departments. UCDx continues to lobby for change.

Following the failure of Verify, Cabinet Office is charged with the development of OneLogin, a combined single-sign-on and back-office identity-provider (IdP) for use by individuals seeking access to central government services. As yet, there is no clarity from Cabinet Office / GDS on a number of points:

  • whether individuals will be allowed to use a UCD-style “empty” wallet as a means to authenticate to OneLogin
  • whether, in time, Cabinet Office will issue an official identity attribute from their back- office IdP to an individual’s wallet – which the individual can then show to whomsoever they wish.,
  • whether an individual using a UCD-style wallet, which a commercial identity provider has provisioned with an official identity credential (at a suitable level of confidence), will be able to use that credential to identify themselves to central government, rather than having to repeat the identity-proofing process using the Cabinet Office’s back-office IdP

These three points were raised informally with Cabinet Office civil servants in the course of 2022, and generally met with a response of the kind “We don’t know; we will get back to you”. It may soon be time to raise the points more formally.