It all started just over five years ago (6 July 2011 to be precise) when I received an email from Bill McCluggage, then Director of ICT Strategy and Policy, inviting me to join a new group that would help ensure that the Cabinet Office’s new identity assurance programme would engage effectively with relevant stakeholders and “incorporate issues related to privacy, trust and confidence” throughout the development of its new identity policy. This privacy friendly identity policy is now known as GOV.UK Verify.
The first meeting of the group, now known as the Cabinet Office Privacy and Consumer Advisory Group (PCAG) was held on 2 August 2011. PCAG is one of two advisory groups that steers the work of the Government’s Digital Service (GDS) in the Cabinet Office.
Members of PCAG were initially chosen for their expertise in the privacy and security space around identity systems that focus on user needs and this has enabled PCAG to provide an independent sounding board for the Verify team to discuss developments and proposals that might affect public trust and confidence in the service.
One of the most significant pieces of work undertaken by PCAG has been the development of a set of identity assurance principles for Verify. These high level principles are explicitly presented using the first–person and active voice to reinforce the role of the citizen at the centre of the Verify.
As well as being statements of principle, they were also incorporated in the second procurement framework for certified companies to work with the Verify scheme. A recent privacy review of Verify confirms that the certified companies are complying with the principles.
In parallel, a recent survey of key identity industry organisations reports that there is a high level of awareness of the principles amongst their members, with 78 per cent of respondents feeling that having a set of privacy principles was very important to a cross industry identity approach and a similar proportion feeling that the privacy principles were very relevant to their sector or organisations.
Although the PCAG principles were developed specifically for Verify, they have also helped shape work by the UK’s Digital Catapult on developing the information economy and the development of standards for age verification services.
They have also helped shape recent research on privacy in digital identities and fed into the recent Royal Society review of cybersecurity research.
From the earliest days of Verify, the programme team has engaged with the private sector, on the premise that possessing a Verify’d identity that was “good enough for government” could be transferred to commercial transactions as well and would offer additional benefits to citizens and companies alike.
PCAG members have been helping support experimental alpha and discovery projects that explore the real world business, design and technical challenges that will shape the adoption of digital identity services based on open standards. Example projects include the use of digital identity in the peer to peer economy and in a pension finder service.
Alongside the development of the identity assurance principles, and with the support of the recent Ministers for the Cabinet Office, PCAG has provided support and guidance on a range of public sector activities with implications for privacy and consumer trust. These include the data sharing proposals in the Digital Economy Bill, the potential use of Verify by the Office for National Statistics and plans by HM Passport Office’s (HMPO) for its new passport verification service.
Although Verify is now a “live” service, PCAG’s work continues, as Verify continues to iteratively improve its services, reacting to new needs and demands. Thus, it is reflecting on the principles to ensure they remain applicable to the current situation. For example, with BREXIT, the relationship between Verify and the EU eIDAS regulation on trust services and eID needs to be reviewed.
At a personal level, my role as co–chair of PCAG, coupled with the proximity of the Verify team to LSE, has helped facilitate a strong engagement with practitioners in government and industry and has provided opportunities and insights for my own research activities both nationally and internationally.
- The post gives the views of its author, not the position of LSE Business Review or the London School of Economics.
- Featured image credit: Marcos Tulio, Public Domain Pictures
- Before commenting, please read our Comment Policy
Edgar A. Whitley is an Associate Professor (Reader) in Information Systems in the Department of Management at LSE. Edgar has a BSc (Econ) and PhD in Information Systems, both from the LSE. He is the co-editor of Information Technology and People, Senior Editor for the AIS Transactions of Replication Research and an Associate Editor for the Journal of the AIS. Edgar was the research coordinator of the influential LSE Identity Project on the UK’s proposals to introduce biometric identity cards; proposals that were scrapped following the 2010 General Election. His book with Gus Hosein Global Challenges for Identity Policies was published by Palgrave in 2010. Edgar has also advised governments in Brazil, Chile, Ecuador, India, Jamaica, Japan and Mexico about the political, technological and social challenges of effective identity policies. He has contributed to reports for the World Bank, Omidyar Network and Centre for Global Development.
Edgar, thanks for the name check and it’s hard to believe it’s over 5 years since we kicked off the group that morphed into PCAG. The work of the group has been pivotal in gaining the requisite level of trust and the correct balance between privacy and identity.