On 17 June 2013 the UK Government published a consultation (“Consultation”) on the issue of Identity Assurance Principles (“IAP”). The IAP are principles which would govern a proposed Identity Assurance Service (“IAS”), this service being designed to provide users with a secure electronic identity that could be used to conduct online transactions across a number of service providers. The IAS is being developed as a way of protecting the privacy of individuals online while also allowing them control over their own electronic identities.
The principles within the IAP are as follows:
- User control – data subjects must be able to control whether to disclose IAS data. This will also facilitate the Data Protection Act 1998 requirement that data be processed with the subject’s consent.
- Transparency – each service provider must justify the requirement for data and properly inform the subject.
- Multiplicity – data subjects who use the IAS can establish as many identifiers as desired, and can cease or switch between service providers.
- Data Minimisation – transactions use only the minimum data necessary. Any aggregation, correlation or corroboration of data must be transient, and IAS data should not be centralised.
- Data Quality – data subjects must be able to update data easily and free of charge when they choose.
- Service-User Access and Portability – subjects should be able to access data on request and without conditions, and move/delete it at will.
- Governance/Certification – the IAS and participating service providers should all be properly accredited.
- Problem Resolution – a complaint resolution procedure should be in place and if this fails there should be an independent Ombudsman to resolve disputes.
- Exceptions only in exceptional circumstances – any exceptions to the IAP should be approved by Parliament and independently scrutinised.
The Consultation explains that the IAP go beyond the issue of privacy and data protection, and that they are supposed to provide full control to the identity holder as to how their identity is used, albeit with exceptions in exceptional circumstances (e.g. law enforcement).
As the Consultation only relates to the principles upon which the proposed service will be based, the IAS proposals are still at a very early stage. The IAP were developed by the Identity Assurance Privacy and Consumer Advisory Group and first published last year; they have since been updated, and the UK Government now publishes the latest draft to obtain further comment. The Consultation is open until 12 September 2013 and submissions can be made by email.