Digital Identities

Design and Uses

A project of the Centre for Internet and Society, India
Supported by Omidyar Network

Mapping Digital Identity Systems: UK

July 10, 2019

Conceptualization by Saumyaa Naidu and Pooja Saxena
Research by Shruti Trikanad and Yesha Tshering Paul
Mapping by Akash Sheshadri, Saumyaa Naidu and Pooja Saxena
Text by Shruti Trikanad and Saumyaa Naidu
Review and editing by Pooja Saxena
With inputs from Amber Sinha and Anubha Sinha

Download as PDF

As part of our global survey of digital identity systems, this series of comprehensive research maps provides a coherent view of digital identity in the United Kingdom. These can be read along with our glossary of core concepts and processes. They illustrate the pervasiveness of digital identity, as well as dissect digital identity systems in a way that brings attention to the actions of key stakeholders, and to kinds of data and how they are shared. Designed as stepping stones to further research, the maps facilitate the identification of points of accountability and intervention.

The digital ID in the United Kingdom is in the form of GOV.UK Verify platform, and systems within the National Health Service (NHS).

GOV.UK Verify was developed by the Government Digital Service (GDS) as an identity verification platform to securely access online government services. The platform is federated, which means that residents can choose from a range of “identity providers” certified by the government. These identity providers verify the identities of residents, and provide login credentials to them to authenticate their identity. The providers are tasked with verifying the information provided by the applicant, and subsequently confirming the ID holder’s identity to the government service each time the ID holder is accessing that service. Currently, there are five identity providers in the UK. These include both private and public sector companies. GOV.UK is used across a range of public-sector services such as to apply for universal credit, file income tax, monitor state pension, apply for jobs, renew drivers license, etc.

The National Health Service (NHS) is the publicly-funded healthcare system of the UK, which uses digital ID to provide services in the form of a patient identifier, the NHS Number, and smartcards for healthcare staff.

Process Maps

The core processes within each digital identity system are being mapped in order to evaluate the existing technological and policy decisions. These process maps bring forward the advantages and barriers in the mechanisms of identification, authentication, and authorisation. These maps follow the Swim Lane Model to capture these processes. The use of this technique helps to read the processes with clarity, and also points out the multiple possibilities at different steps.

The Swim Lane Model represents a process as a sequence of steps, and places the entities in different lanes (or columns) to show who is responsible for taking those steps. Each column shows the action taken by the respective entity. The numbered rows establish the sequence of steps. The arrows connect the end of each step to the beginning of the next one (refer to the key to navigate the process maps). They also indicate multiple routes that can be taken within a step. Additionally, these process maps highlight the data being collected and digital identity artifacts being used in various steps.

1

Identification

1.1

GOV.UK Verify

The United Kingdom government uses the GOV.UK Verify platform for authentication (called “identity assurance” within this system) in order to provide digital services. The platform uses five commercial identity providers to conduct verification — Barclays, Digidentity, Experian, Post Office, and Secure Identity. GOV.UK Verify can be used by residents of the UK. There are nineteen online government services that are connected to the platform. Different identity providers require different data to conduct verification. The following map shows the process of a resident being verified by an identity provider and assigning them a Verify credential with corresponding account and login details.

1.2

National Health Service (NHS)

Healthcare services in the UK are carried out through the National Health Service. Within the NHS, the resident is required to register on the online NHS platform. The NHS verifies information provided by the resident and assigns them an NHS number upon successful verification.

1.3

Smartcard

Under the NHS system, the healthcare staff is provided with smartcards to access health information of residents. Different staff members have varying levels of access which is determined by their role. These smartcards are issued to the staff members by the healthcare providers.

2

Authentication

2.1

GOV.UK Verify

The authentication process includes the resident using the Verify credential to login and access the desired government service. The resident uses either a code sent by the identity provider on their registered mobile or landline number, or an M-PIN to authenticate themselves. The government service provider then locates the user in its own records and determines whether they are entitled to access the service being requested.



2.2

Smartcard

Within the NHS system, the healthcare staff uses the smartcard along with a passcode to log in to the Summary Care Records (SCR). They select their role and search for the specific patient using the NHS number. The staff member is required to take the patient’s permission in order to view the SCR. In cases of emergency, they can override this step.

Systems Maps

As part of the systems thinking approach, sectoral use cases have been mapped to understand how the digital identity system in the UK has been conceptualised and implemented. Studying these sectors allows a closer look at the various purposes of the digital identity, and how the residents, and state and private actors interact with it. The ERAF technique of systems mapping has been used for these maps to give a holistic view of the system and connections within it. It is an analytical tool rather than a representational tool. The ERAF model helps to place the various constituents involved in the system and divides them into entities, relationships, attributes, and flows. This technique of mapping reveals missing connections and flows in a system, and leads to the identification of specific leverage points where a small shift can produce a big impact on the system.

In the ERAF model, entities are the key components. These could be individuals, institutions, laws, places, etc. Relationships describe the way in which different entities are connected to each other. Attributes are characteristics that describe the entities. These could be duration, dimensions, costs, etc. The Flows show the direction of action between entities. This includes transaction of data and resources. Data and its flow within the system, and digital identity artifacts have been highlighted in these maps.

1

Employment

In the UK employment sector, digital ID is used primarily by job seekers to complete their disclosure and barring checks (DBS) — a process required by most employers — while applying for jobs. Through GOV.UK, an ID holder can authenticate their identity and submit the DBS application, without having to disclose unrelated information or provide documents.

2

Finance

ID holders in the UK can access services such as universal credit and rural payments online, and track or manage their applications for them, by authenticating their identity through GOV.UK. This circumvents an otherwise tedious process of submitting a physical application and accompanying documents.

3

Healthcare

The National Health Service (NHS) has its own digital ID, in the form of an NHS number. Through this number, patient data is stored and shared with other healthcare providers, and patients can access prescriptions and referrals electronically. This system was created to ensure accurate communication between the different healthcare providers a patient may seek services from, and to ensure a careful dispersal of medicine.

Stakeholders


GOV.UK Verify

GOV.UK Verify is an identity assurance system developed by the United Kingdom Government Digital Service (GDS). Verify allows the UK residents to log in and access the digital services provided by the government.


Government Digital Service (GDS)

The Government Digital Service (GDS), which aims at the digital transformation of government, is part of the Cabinet Office of the Government of the United Kingdom. It runs the GOV.UK website, and works with different government departments to build platforms, standards, and digital services.


Document Checking Service

Built by the GDS, the Document Checking Service is used by certified providers to check details of driver’s licences or passports of residents to make sure they are valid during the process of verifying their identity.


Identity Providers

Identity providers or certified companies are a set of companies approved by the UK government for verifying the residents’ identity. Presently, identity providers are Barclays, Digidentity, Experian, Post Office, and SecureIdentity.


Disclosure and Barring Service (DBS)

The Disclosure and Barring Service processes and issues DBS checks to residents. A DBS check allows employers to check the criminal record of a person applying for a job. The service is aimed at safeguarding and preventing unsuitable people from working with vulnerable groups. It conducts four levels of check; basic check, standard check, enhanced check, and enhanced check with barred list(s).


Responsible Organisations (RO)

Responsible Organisations are registered with the DBS. Through them, residents can apply for basic criminal checks about themselves via a web service. An RO captures the details of a basic check application in their system, before transferring it to DBS. The DBS then issues a certificate which shows unspent convictions and conditional cautions for the resident.


ACRO Criminal Records Office (ACRO)

ACRO Criminal Records Office is a national police unit that focuses on the management of criminal records information in the UK.


Universal Credit

Universal Credit is a monthly payment to help residents with their living costs. It is meant for residents who are on a low income or out of work. There is an option of receiving it twice a month for people in Scotland.


Rural Payments Agency

The Rural Payments Agency (RPA) is an executive agency of the UK Department for Environment, Food, and Rural Affairs (Defra). It makes payments to farmers, traders and land owners. It also makes payments on behalf of Natural England, and manages over forty schemes to help ensure a healthy rural economy and strong rural communities.


Rural Payments Service

The Rural Payments Service is managed by the Rural Payments Agency. It is the online service on which the residents are required to register to avail of the payments.


National Health Service

The National Health Service (NHS) is the publicly funded healthcare system of the UK. It provides primary care services, mental health, ambulance, social care and hospital services.

 

Bibliography


Identification

Janet Hughes, “How Does a Certified Company Establish That It's Really You?,” GOV.UK Verify, last accessed August 27, 2019, https://identityassurance.blog.gov.uk/2014/11/21/how-does-a-certified-company-establish-that-its-really-you/.

Government Digital Service, “Guidance: How to prove and verify someone's identity,” GOV.UK, last updated March 19, 2020, https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual/identity-proofing-and-verification-of-an-individual.

Government Digital Service, “GOV.UK Verify overview,” GOV.UK Verify, last updated August 07, 2019, https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify.

National Audit Office, Investigation into Verify, Comptroller and Auditor General, HC 1926, London, 2019. https://www.nao.org.uk/wp-content/uploads/2019/03/Investigation-into-verify.pdf (accessed August 27, 2019).

Niko Tsakalakis et al, “Identity Assurance in the UK: technical implementation and legal implications under eIDAS,” The Journal of Web Science, 3, no. 3 (2017), https://eprints.soton.ac.uk/413943/1/WebSciJournal.pdf (last accessed August 27, 2019).

Edgar Whitley, “Trusted digital identity provision: GOV.UK Verify’s federated approach,” LSE Research Online (2018), http://eprints.lse.ac.uk/90577/1/Whitley_Trusted%20digital%20ID_2018.pdf (last accessed August 27, 2019).


Authentication

Niko Tsakalakis et al, “Identity Assurance in the UK: technical implementation and legal implications under eIDAS”, The Journal of Web Science, 3, no. 3 (2017), https://eprints.soton.ac.uk/413943/1/WebSciJournal.pdf (last accessed August 27, 2019).

Edgar Whitley, “Trusted digital identity provision: GOV.UK Verify’s federated approach,” LSE Research Online (2018), http://eprints.lse.ac.uk/90577/1/Whitley_Trusted%20digital%20ID_2018.pdf (last accessed August 27, 2019).


Healthcare

“About NHS Digital”, NHS Digital, last updated June 20, 2019, https://digital.nhs.uk/about-nhs-digital.

“The NHS digital , data and technology standards”, About NHS Digital, NHS Digital, last updated 21 December, 2018, https://digital.nhs.uk/about-nhs-digital/our-work/nhs-digital-data-and-technology-standards/framework#the-nhs-digital-data-and-technology-standards.

“Registration authorities and smartcards”, Systems and Services, NHS Digital, last updated 24 June, 2019, https://digital.nhs.uk/services/registration-authorities-and-smartcards.

NHS, The Care Record Guarantee: Our Guarantee for NHS Care Records in England, January 2011, https://digital.nhs.uk/binaries/content/assets/legacy/pdf/1/8/care_record_guarantee.pdf.

“Getting Started with SCR from 1 April 2017”, Summary Care Records, NHS Digital, last updated October 5, 2018, https://digital.nhs.uk/services/summary-care-records-scr/summary-care-record-scr-in-community-pharmacy/getting-started-with-scr-from-1-april-2017.


Financial

Rural Payments Scheme

“Rural Payments: registering and updating your details”, Gov.UK, last updated August 19, 2019, https://www.gov.uk/government/publications/rural-payments-registering-and-updating-your-details/rural-payments-registering-and-updating-your-details.

Universal Credit

“Universal Credit”, Gov.UK, last accessed August 25, 2019, https://www.gov.uk/universal-credit/how-to-claim?step-by-step-nav=7c08bbbf-a1ca-4cf5-850d-d9f2c796c750.


Employment

DBS Check

“Disclosure and Barring Service”, Gov.UK, last accessed August 25, 2019, https://www.gov.uk/government/organisations/disclosure-and-barring-service/about.

“Request a basic DBS check”, Working, Jobs and Pension, Gov.UK, last accessed August 26, 2019, https://www.gov.uk/request-copy-criminal-record.

“DBS Checks: Detailed Guidance”. Criminal Record Disclosure, Gov.UK, last accessed August 26, 2019, https://www.gov.uk/government/collections/dbs-checking-service-guidance--2.