DCMS publishes prototype trust framework on digital identity products and services
What is the potential impact of the trust framework on the provision and use of digital identity services published by the Department for Digital, Culture, Media & Sport (DCMS)?
The key takeaway
The draft “alpha” framework sets out principles, policies, procedures and standards governing the use of digital identity to allow for the sharing of information to check people’s identities or personal details. It also sets out the requirements that organisations will have to meet in order to be certified against the framework once, as is expected, it becomes law.
The draft framework
The publication of the draft framework follows off the back of the call of evidence on digital identify policy in July 2019. It sets out specific future standards and requirements for organisations which provide or use digital identity services, including:
- how organisations should handle and protect people’s data (published through a data management policy)
- what security and encryption standards should be followed
- informing users of changes made to their digital identity and how their accounts are managed
- having account recovery processes and notifying users if organisations suspect a user’s account has been fraudulently accessed
- following guidance on how to choose secure authenticators for their service.
Under the new framework organisations will also have to publish a yearly report explaining which demographics have been, or are likely to have been, excluded from their service and why. Additionally, the framework promotes “vouching” where trusted people within the community such as doctors or teachers “vouch for” or confirm a person’s identity as an alternative to using traditional identification documents (eg passports and driving licences).
Why is this important?
All organisations providing or using digital identity services will need to meet the requirements in order to be certified against the trust framework. It is therefore important to start preparing ahead of the framework becoming law in the future in order to ensure compliance ahead of certification.
Any practical tips?
The deadline for any comments from organisations was 11 March 2021 through an electronic survey. Following comments, the DCMS will incorporate the feedback into the framework and intends to publish a second iteration in short order after March 2021 containing further details relating to the framework and certification.
The publication of the “alpha” framework allows organisations to start planning ahead of the implementation of the framework into law and the introduction of any new requirements. If you’re providing digital identity products and services, now is the time to start studying how the framework may impact your business. Equally, if you rely on third party providers of these services, consider how to start integrating the requirements into your contracts.