Skip to main content

Draft Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023

Debated on Wednesday 13 December 2023

The Committee consisted of the following Members:

Chair: Sir Gary Streeter

† Anderson, Lee (Ashfield) (Con)

† Ashworth, Jonathan (Leicester South) (Lab/Co-op)

† Blackman, Kirsty (Aberdeen North) (SNP)

† Buck, Ms Karen (Westminster North) (Lab)

† Burghart, Alex (Parliamentary Secretary, Cabinet Office)

† Crouch, Tracey (Chatham and Aylesford) (Con)

† Djanogly, Mr Jonathan (Huntingdon) (Con)

† Fletcher, Katherine (South Ribble) (Con)

† Fletcher, Mark (Bolsover) (Con)

† Glindon, Mary (North Tyneside) (Lab)

Mather, Keir (Selby and Ainsty) (Lab)

† Morrissey, Joy (Lord Commissioner of His Majesty's Treasury)

Owen, Sarah (Luton North) (Lab)

† Scully, Paul (Sutton and Cheam) (Con)

† Strathern, Alistair (Mid Bedfordshire) (Lab)

† Thomas, Derek (St Ives) (Con)

† Tolhurst, Kelly (Rochester and Strood) (Con)

George James, Committee Clerk

† attended the Committee

Fifth Delegated Legislation Committee

Wednesday 13 December 2023

[Sir Gary Streeter in the Chair]

Draft Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023

I beg to move,

That the Committee has considered the draft Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023.

It is a pleasure to serve under your chairmanship, Sir Gary.

The draft regulations are an important part of the Government’s commitment to strengthen the use of data and information across the public sector, so that we can deliver better and more joined-up services and, in turn, improve outcomes for our citizens. The aim is to allow information sharing between named bodies for the specific purpose of supporting cross-government identity checking when it is needed.

Verifying a user’s identity—ensuring that a person is who they say they are—is a key part of delivering many government services. The draft regulations enable this by establishing a new data-sharing objective under section 35 of the Digital Economy Act 2017 and by setting out which public bodies may use the new objective. That will create a legislative gateway, enabling us to use existing data sets that public bodies already hold to help as many people as possible to access the government services they need online. It is therefore central to the development of more inclusive and accessible systems.

Specifically, the proposed objective would unlock the full benefits of the new cross-government digital system known as GOV.UK One Login. This is now live. Users are able to set up an account, log in and prove their identity in order to access an initial set of 27 government services, with more being added all the time. That is a step change in the provision of simple and joined-up access to government services online. It is delivering substantial cost and time savings for the Government and for users by reducing duplication and providing enhanced capability to identify and stop fraudsters.

At the moment, however, users of One Login must have photographic documentation such as a passport or driving licence. That will change following the introduction of the new objective, as it will unlock new ways for people without photo ID to prove who they are, opening up the system to more users. In summary, the proposed objective will: enable checks against existing government-held information such as PAYE and benefits data to build confidence in a user’s identity; provide a specific legal framework for checks against documents currently used in identity verification such as driving licences; and provide a specific legal framework for sharing the results of identity checks performed by one named body with another, so that users only need to prove their identity once to access all the services they need.

The draft regulations apply to the relevant bodies already listed in schedule 4 to the Digital Economy Act, such as His Majesty’s Revenue and Customs and the Department for Work and Pensions. They also add four new public bodies to the schedule: the Cabinet Office; the Department for Transport; the Department for Environment, Food and Rural Affairs; and the Disclosure and Barring Service. The public bodies listed in the regulations either hold information that could be used in support of proving that someone is who they say they are, or own and manage services that people need to access and therefore need to receive the results of identity checks. Some public bodies do both.

The territorial extent of the draft regulations is England, Wales and Scotland. The Information Commissioner’s Office and the devolved Administrations support the regulations. Indeed, the Scottish and Welsh Administrations have requested that certain devolved bodies already listed in schedule 4 be able to use the new power.

I am sure hon. Members will be pleased to know that the draft regulations have been subject to the standard rigorous processes of internal and external review. In the first instance, the objective has been subject to scrutiny by the Public Service Delivery Review Board, as set out in the underpinning code of practice on public service delivery, debt and fraud under the Digital Economy Act. The board recommended that Ministers proceed with the draft regulations since they meet the required criteria of supporting the improvement, or targeting of, public services to individuals in order to enhance their wellbeing.

Furthermore, the objective has been subject to a public consultation, which received many responses. Some respondents recognised the benefits to individuals of improved and more inclusive services. Some, however, expressed concern that it was a back-door route to identity cards. That concern was mistaken. In response to the consultation, the Government confirmed that they have no plans to introduce mandatory digital identity or identity cards.

We also published additional information on how GOV.UK One Login will operate within the draft regulations and within the overall data protection framework. We extended the time between the regulations being approved and coming into force, and we amended some of the wording to reflect that of the Act.

The Government of course understand that people want to protect their personal information. I want to emphasise that that is central to our approach in developing both the draft regulations and the One Login system. Bodies that use this legislation will be required to do so with a robust set of controls that are designed to ensure that the data sharing is limited and to protect the individual.

The draft regulations relate only to using data for the purposes of identity verification. Part 5 of the Digital Economy Act 2017 gives Government powers to share personal information across organisational boundaries to improve public services. It lays down what data can be shared and for which purposes. Data sharing must also have regard to the accompanying statutory code of practice on public service delivery, debt and fraud, which sets out how the power must be operated including how any data shared must be processed lawfully, securely and proportionately in compliance with data protection legislation and UK GDPR.

The Digital Economy Act code of practice on public service delivery, debt and fraud also requires that information-sharing agreements be listed in a public register of information-sharing activity under the powers. The framework for data sharing under the DEA provides a supportive background to help organisations share data in ways that benefit the public, as confirmed by the Information Commissioner’s Office in its recent review. It includes robust safeguards that ensure organisations share data responsibly and in alignment with data protection principles, while also safeguarding people’s rights. I hope that colleagues will join me in supporting the draft regulations.

It is a pleasure to serve under your chairmanship this morning, Sir Gary. I will indicate at the start that I do not intend to divide the Committee nor to detain it for very long, because the Opposition support the principle of using data to improve public services, to improve Government services for citizens and our constituents, and to drive public sector productivity. We therefore support these measures.

I just have a few questions that I hope the Minister can briefly answer for us this morning. He rightly mentioned the controversies and those who will be concerned that this is a move to some form of ID card. I do not agree with that objection but none the less, as I am sure he and many members of the Committee will be aware, the issue can arouse strong feelings in some parts of the country. Will he reassure us about what processes will be in place for complaints from individuals about how their personal data is used? How will Departments obtain consent from users when they are sharing data between public bodies? How will Ministers monitor that?

I believe that the changes are key to unlocking productivity gains across the public sector and Government services. Have the Government scored any productivity improvements? Over what timeline does the Minister think that we could be reaping benefits from the changes?

I totally endorse the Government’s objective to move to the One Login system. I think they have promised that 150 public services will be using the GOV.UK One Login system by 2025. I would be grateful for an update on to what extent we are on track to hit that target. How many have already moved? As I say, if the Minister does not have the detailed answers, I would be very happy for him to write to me, but we support his endeavours today.

The right hon. Member for Leicester South asked me to be brief, so I will be. The whole notion of consent is wrapped up in how the regulations have been put together. That is to say, the DEA provides the framework for consent. On complaints, I refer him to One Login’s privacy notice. I am pleased to tell him that we are on track to deliver One Login on time and in the near future.

Question put and agreed to.

Committee rose.