
Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023

Volume 834: debated on Monday 20 November 2023

Considered in Grand Committee

Moved by

That the Grand Committee do consider the Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023

Relevant document: 54th Report from the Secondary Legislation Scrutiny Committee, Session 2022-23.

My Lords, I am glad to see the noble Lord, Lord Stevenson of Balmacara, and others, and I echo what he said about our constructive discussions in 2014-16. I am also pleased to see my noble friend Lord Camrose championing intellectual property, as we all try to do. I am glad to be accompanied by my noble friend Lord Evans of Rainow in his new position as Cabinet Office Whip.

The Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023 are an important part of this Government’s commitment to strengthen the use of data and information across the public sector. We are bringing these forward so we can deliver better and more joined-up services and, in turn, improve outcomes for our citizens.

The regulations aim to allow information sharing between named bodies for the specific purpose of supporting cross-government identity checking when it is needed. Verifying a user’s identity—ensuring that a person is who they say they are—is a key part of delivering many government services. The draft regulations enable this by establishing a new data-sharing objective under Section 35 of the Digital Economy Act 2017 and by setting out which public bodies may use the new objective. This will create a legislative gateway, enabling us to use existing data sets, which public bodies already hold, to help as many people as possible to access the government services that they need online. It is therefore central to the development of more inclusive and accessible systems.

Specifically, the proposed objective would unlock the full benefits of the new cross-government digital system known as GOV.UK One Login. This is now live; users are able to set up an account, log in and prove their identity in order to access an initial set of 24 government services, with more being added all the time. However, at the moment, users must have photographic documentation, such as a passport or driving licence. This will change following the introduction of the new objective, as it will unlock new ways for people without photo ID to prove who they are, opening up the system to more users.

The delivery of One Login is a step change in simple joined-up access to government services online. This, in turn, delivers substantial cost and time savings for the Government and users by reducing duplication and providing enhanced capability to identify and stop fraudsters. In summary, the proposed objective will, first, enable checks against existing government-held information, such as PAYE and benefits data, to build confidence in the user’s identity, which will be particularly key where service users do not have a passport or driving licence. Secondly, it will provide a specific legal framework for checks against documents currently used in identity verification, such as driving licences. Thirdly, it will enable the sharing of the results of identity checks performed by one named body with another, so that users need to prove their identity only once.

The draft regulations set out which of the bodies already listed in Schedule 4 to the Digital Economy Act can use the new identity-verification data-sharing power, such as HM Revenue & Customs and the Department for Work and Pensions. They also add four new public bodies to the schedule that will be able to use the power: the Cabinet Office, the Department for Transport, the Department for Environment, Food and Rural Affairs and the Disclosure and Barring Service.

The public bodies listed in the regulations are either bodies that hold information that could be used in support of proving that someone is whom they say they are or those that own and manage services that people need to access, which they therefore need to receive the results of identity checks. Of course, some public bodies do both.

The territorial extent of the draft regulations is England, Wales and Scotland. The Information Commissioner’s Office and the devolved Administrations support the draft regulations, and indeed the Scottish and Welsh Administrations have requested that certain Scottish and Welsh bodies be included in the draft regulations to enable them to use the new data-sharing power—so it is devolved friendly.

I am sure noble Lords will be pleased to know that these draft regulations have been subject to the standard rigorous processes of internal and external review. In the first instance, the objective has been subject to scrutiny by the Public Service Delivery Review Board, as set out in the underpinning code of practice on public service delivery, debt and fraud of the Digital Economy Act 2017. The board recommended that Ministers take forward these draft regulations since they meet the required criteria of supporting the improvement, or targeting, of public services to individuals in order to enhance their well-being.

Furthermore, the objective has been subject to a public consultation, which received more than 66,000 responses. Some respondents recognised the benefits to individuals of improved and more inclusive services. Some mistakenly expressed concern that this was a back-door route to identity cards. Therefore, in response to the consultation, the Government confirmed that they have no plans to introduce mandatory digital ID or identity cards. We also published additional information on how GOV.UK One Login will operate within these regulations and within the overall data protection framework. We extended the time between the regulations being approved and coming into force, and we amended some of the wording to reflect that of the Act. Of course, the Government understand that people want to protect their personal information and this is central to our approach. The draft regulations relate to using data only for the purpose of identity verification.

Part 5 of the 2017 Act gives the Government powers to share personal information across organisational boundaries to improve public services. It lays down what data can be shared and for which purposes. Data sharing must also have regard to the accompanying statutory code of practice on public service delivery, debt and fraud, which sets out how the power must be operated, including how any data shared must be processed lawfully, securely and proportionately in compliance with data protection legislation and UK GDPR.

The Digital Economy Act statutory code of practice on public service delivery, debt and fraud also requires information-sharing agreements to be listed on a public register of information-sharing activity under the powers. The framework for data sharing under the DEA provides a supportive background to help organisations to share data in ways that benefit the public, as confirmed by the Information Commissioner’s Office in its recent review. It includes robust safeguards that ensure that organisations share data responsibly and in alignment with data protection principles, while also safeguarding people’s rights.

I think these regulations are relatively straightforward and important, and I hope that colleagues will join me in supporting them.

My Lords, it is good to see the Minister move seamlessly from intellectual property to digital and data, but both can sometimes create their own questions. Since this is the first time we have debated One Login in the Lords, I hope that the Minister will not mind if she gets a large number of questions about the scheme. As I understand it, the goal of the One Login programme is to create a log-in database owned by the Government and containing the verified names, addresses, dates of birth, phone numbers and email addresses of everyone who uses—eventually—all Government-owned digital services, which is likely to be everyone in the country.

Perhaps unfairly, I have always thought of One Login with some scepticism, as the son or daughter of Verify, and not in a good way. The cost of the failed Verify scheme was over £200 million. It would be very useful as part of this debate to hear the cost of One Login so far and how much more is budgeted to be spent on its rollout. It does seem strange that the Government are having another crack at a single verification system, given the many other trustworthy existing systems that could be adopted.

First, I think it worth mentioning what the Secondary Legislation Scrutiny Committee said in its 55th report in October. I think it was rather baffled and scathing at the same time:

“This is a classic example of an Explanatory Memorandum … with too narrow a focus”.

I think it felt it was being bounced to some extent, without the context in which One Login was going to be designed to work. It said:

“We therefore request that the Cabinet Office revises its”

Explanatory Memorandum

“to include sufficient background information to enable any reader to understand the legislation’s practical effects”.

I suppose I am lucky in that I followed the gory progress of Verify through to One Login and the current date. I have some idea of the purpose behind One Login. As I understand it, the principal effect of these regulations is to allow the Government to share data for the purposes of identification. The SI does not restrict those flows of data; data can flow into the Cabinet Office as envisaged but identity data can also flow from the Cabinet Office to any other listed department. I hope that the Minister will be able to confirm that.

Will the Government allow population databases to be copied, whether openly or not? The revised Explanatory Memorandum is silent on this, and it is unclear if this assurance from the Government’s consultation response will be delivered. The response said:

“In particular, information will set out which departmental services are using identity verification services to support delivery and which will provide data to help departments establish who a person is”.

Will that actually happen? Will there be that level of transparency? There are apparently no safeguards on sharing bulk data if the Government want to share for this purpose across government. What transparency will there be if and when this takes place?

There is then the question of for whose benefit One Login really is. Is this a “better login to government” project, which many people might applaud, or is it a “one identity to government” project? The answer at the moment appears to be the latter. I say this because medConfidential, which I thank for its briefing, reports that a

“meeting held during the consultation was told that the Government’s intent is to actively prevent individuals from having multiple login accounts. A person may be able to have multiple email addresses—indeed, they may already do—but Government would attach them to a single ‘identity’. This regulation allows that database to be shared in bulk”.

Not to put too fine a point on it, that turns One Login into a tool of a centralising state—with implications for the privacy of the citizen—which the Government have previously assured us many times they were not building. I would therefore be extremely grateful if the Minister described the reality of One Login, as well as its purpose and operation.

At a roundtable on the consultation, the Government Digital Service apparently said that the regulation’s “first use is One Login”, which suggests there will be a second use. It is unclear to us to what extent the DWP will embrace One Login for government, for universal credit, for HMRC’s services, or indeed for the MoJ’s digital courts. What commitment from government departments and agencies is there? I can see that they are all listed, but Verify fell down precisely because of the lack of commitment from many government departments. What about the identities, too, of public servants? Will they be able to have multiple identities as both citizen and employee? What is the reality of that?

The SI allows any identity information to be shared from and to almost anywhere across those government departments, and any restrictions appear to depend entirely on current departmental policy, not on legislation or regulation. There is, it seems, no explicit assessment of compliance with the identity assurance principles set out by the Privacy and Consumer Advisory Group in 2015. Do those principles remain government policy, despite that group currently being reconstituted? To summarise, these are an important set of principles, covering user control, transparency, multiplicity, data minimisation, data quality, service user access and portability, certification, dispute resolution and exceptional circumstances. Will all those principles be observed, and do the Government commit to them again? If so, what independent scrutiny will check that they are being observed in the course of the operation of One Login?

I do not really understand why the Government are proposing that this much identity data should be shareable in bulk to this many government departments with this little oversight. There must be explicit limits so that data may be shared only to the Cabinet Office, with explicit limits on what it may share to others. What is sauce for the goose is sauce for the gander. Not that long ago, the Government set out a framework for identity verification for the private sector, with clear forms of authentication and certification—indeed, many people thought that it was over-elaborate—but I see nothing in the scheme of One Login that means that there is that equivalent form of authentication and certification.

This is an exceptionally broad power with almost no oversight. It is far broader than is remotely acceptable or than those other powers under the DEA. Where do biometrics and genomic data fit? Can they be shared in the same way as the other data? Again, what standards will the system conform to? We need to know about that. One Login will have a great deal of information on users and the government services they use. As drafted, it looks as if that will all be within scope of the sharing powers. Is that correct?

Will the GDS be the accountable agency in providing all the details of a verified identity document to any department? For instance, if it is disclosing that somebody is a former prisoner or the nationality of the passport that they used to validate their identity, to whom are complaints made and where is there redress if that is not done properly?

In summary, there are many questions but three key ones for the Minister to answer. First, what is the real answer to this: has the Government’s One Login moved from a convenient “better log-in to government” project to a “one identity to government” project? Secondly, can the entire database be shared, in bulk, to almost anywhere in government for any purpose? Thirdly, what independent oversight of the One Login system will there be and what standards will it conform to? I heard what the Minister said about the public service delivery board and wonder whether it has something to do with oversight, but maybe not.

My Lords, I am grateful to the Minister for her helpful introductory remarks. This regulation concerns the sharing of information between public authorities to ensure that any information sharing under Section 35 is justified and proportionate. It permits public authorities to share information only for purposes consistent with tightly constrained objectives which are set out in regulations. This measure adds a new objective relating to identity verification.

In future, individuals will be able to create a reusable digital identity, which the Government say would be secure, convenient and efficient. Instinctively, we would be very supportive of this, but it would be helpful, certainly to me, if the Minister could perhaps explain with a practical example exactly how this will work from a citizen’s perspective, imagining perhaps that she is applying for universal credit. What will she be able to do that she cannot do now? How would her interaction with the service provider be enhanced by this new objective? Will there be a benefit to those who do not have a passport or a driving licence and who, on occasions, find it difficult to prove their identity? What future use does the Minister anticipate?

There are some future uses. The noble Lord, Lord Clement-Jones, quite rightly highlighted some of the potential problems with this, but there are potential benefits that I can see. For instance, could digital verification, in time, be helpful at polling stations in enabling individuals without passports or driving licences to vote, without having to obtain a certificate in advance? I do not know if noble Lords have ever seen one of these certificates that people have to get at the moment, but the one I saw recently was just a blurry picture on a piece of A4 paper. These things are meant to last for years. Perhaps the Minister could make inquiries as to whether digital verification at polling stations might be more convenient, perhaps even allowing real-time voter registration. It does matter, and it is vital that digital transformation benefits and enhances citizens’ experience and access to services, as well as making public services more efficient.

A number of respondents to the consultation were concerned—and I think everyone will have anticipated this—about the security of their information, and whether or not this could be the thin end of the wedge as they see it. We are pleased that this amendment would make things, I think, more convenient for individuals. To anticipate what the Minister may say, this is because they will no longer have to prove their identity multiple times, and should have a more seamless experience when accessing public services online.

However, there is concern from some that digital verification may become in some sense compulsory. It is rather like the banks, which have a strong high street presence—then online banking becomes very popular, and suddenly the more traditional methods of accessing the service become less viable and therefore less available, which arguably excludes some individuals. It is important that individuals are able to decline to access services digitally, if they wish, for whatever reason, and are not coerced or nudged into accessing services, which goes against their preference over time. With this in mind, it is important that individuals are provided with the right amount of information, so that they can understand what data is being shared, with whom, and what the benefits to them are in consenting to the data sharing. Can the Minister tell us more about how exactly this will be done and how consent will be obtained?

Having in mind the NAO’s report on digital transformation of government services from earlier this year, there are a number of potential issues that the Minister might also wish to comment on. The NAO found that departments are finding that in current market conditions, they cannot acquire sufficient digital skills and expertise in their teams. Can the Minister tell us what the Cabinet Office are doing to make sure that departments have the skills needed to safely progress with this change and future digital transformation across Government?

Also, what oversight are the Government planning? This is vital in establishing public confidence. What will the complaints process be? How are the Government planning to monitor the departmental use of this new objective and assess any inequalities created or made worse by its introduction? Will the Government check whether, in time, the less well off, older people, or people with certain disabilities or certain language issues, for example, are being disadvantaged by the preference of service providers to move to digital access? I look forward to the Minister’s responses to those questions.

My Lords, I thank the Committee—thin though we are—for its time and excellent questions in scrutinising the draft regulations. I think it is right to say that we have learned from Verify. One of the key things is always to learn from errors and learn how to improve things. This is a very different proposition.

The regulations will enable us to harness data more effectively, ensuring that as many people as possible can access the government services that they need online. This is particularly important where citizens and residents lack access to a passport or a driving licence, compelling them to resort to slower and costlier offline alternatives; the noble Baroness, Lady Chapman of Darlington, made that point. Approving the new objective allows us to construct more inclusive and accessible identity verification systems, namely GOV.UK One Login, which will deliver substantial user benefits and savings by minimising duplication and fraud risks.

The noble Lord, Lord Clement-Jones, asked many questions, mostly on the GOV.UK One Login programme, of course. This legislation is relatively narrow and is not about the programme as a whole, but I will try to answer some of his questions. I am sure that we can talk about things on another occasion, because I detect a lot of support for the principle of making it easier for people, particularly more vulnerable people, to access government services.

On the PCAG principle, GOV.UK One Login is being delivered in line with existing privacy principles. GDS has been working closely with members of its advisory groups to ensure this. The principles are a framework that GDS works within; they have never been official government policy. However, the data protection regime certainly gives me quite a lot of reassurance about how this will work. I tried to bring that out in my opening remarks.

On the question of population data, the purpose of GOV.UK One Login is to allow citizens who choose to use the service to prove their identity safely and securely in order to access government services online. It is not new that users need to prove who they are to access certain government services, nor that departments have to store information as a result. Let me assure noble Lords that users can delete their accounts at any time. The service standard requires services to provide a joined-up experience across all channels, so doing so would not lock a user out of all government services.

In response to the questions about benefits to individuals, let me say that the objective on data sharing would enable public bodies to share a wider range of specified data than is currently possible. This will allow GOV.UK One Login to draw on a broader range of government-held data sources when users need to verify their identity. This will benefit individuals and households by improving digital inclusion as people without photographic documentation, such as a passport, will still be able to provide their identity online and access government services by answering questions based on additional datasets. They will not have to provide the same data again and again. This will underpin users’ ability to reuse their verified identity across all government services without needing repeatedly to re-enter the same information each and every time they interact with a new service. Of course, that also brings savings to individuals and to government.

Let me understand this. In effect, data is being shared across departments so it is not simply a way of having a wallet, if you like, within the Cabinet Office that then gives you a clear identity for the purposes of accessing government services across government; it is a question of sharing that identity data across government departments. It is data sharing in bulk across government departments.

It is data sharing for the purposes of digital identity. Ultimately, by April 2025, we hope to have approximately 145 central government services that can be accessed via One Login. It is a mistake to think that this is somehow going to be used in the bulk way that the noble Lord describes. It is about identity checking, not collecting huge amounts of data for use in a Big Brother sort of way; the noble Lord may have misunderstood this. Users can delete their account at any time. I think that the noble Lord’s concern is perhaps misplaced.

While I am on the subject of benefits to the individual, there is an example that I would like to share with the committee; it reflects a question that I asked. Sometimes, married women have two different names. I am in that lucky, or unfortunate, position. We understand that some users will need or want to use multiple accounts, so users can already set up multiple accounts on One Login using different email addresses that can relate to different names. From next year, we plan to allow users to link accounts under the same verified identity. The noble Baroness, Lady Chapman, asked us to look through the eyes of the individual. This is one of the things we have been trying to do in this programme, learning from the past.

I am on my third surname as I have had two marriages, but that is not really where I was going. I was looking at it from the perspective of somebody trying to access a service. I cannot imagine that many people would be that interested in how you could link your different accounts, although I can see that it might be important at certain stages in someone’s life. In accessing a service, what will I be asked for or not asked for? It is about the practicality of it. If I am turning up at the benefits office, what is the difference?

The difference is that, at the moment, you tend to have to provide a passport. It is difficult to log in to some of these services without a passport or a driving licence. In future, as I made clear in my introductory remarks, it will be possible to use different sorts of identity data and to have a system within government that allows us to do that. That will have the effect of making it easier for more people who are finding establishing their identity difficult without encouraging a lot of identity fraud, which is obviously another concern that one has to take account of in putting these systems together.

I entirely appreciate the Minister taking the trouble to talk us through this. The question is: for whose benefit is this? Is this so that government departments can identify somebody right across the board, so that you can have only one identity in government and so that the Home Office will share data with universal credit and every other department that interfaces with an individual? Is that the idea of this One Login? Or is it possible to have more than one digital identity?

As I said, it will be possible. You are not confined to one. It is very much coming at the problem from the user, not simply from the government department, which I think was one of the problems with Verify.

I am still not quite sure that I get this. Let us say that I am going to the benefits office; I do not have a passport or a driving licence, and I am asked for other information instead to verify who I am. How will this benefit me in the future, assuming I have never had a driving licence or a passport? What difference will I experience? I am not trying to pick at this; I just want to see the benefit.

One obvious benefit is that more and more government departments are using digital. The technology is transforming our lives, after all. Once you have this single digital identity, you will then be able to use it to access services and opportunities from other government departments as well. That is the point: the digital identity will be used across the board. That is helpful to individuals. I should add that a document is published on GOV.UK outlining what data is being used by One Login. I think it is worth noble Lords looking at that.

The noble Lord, Lord Clement-Jones, rightly asked a question about cost—something we always used to ask about in our previous debates. The One Login programme’s total budget for 2022-23 to 2024-25 is £305.4 million. Of this, the programme forecasts expenditure of £132.7 million on the development and rollout of the system by the end of the current financial year.

The noble Lord mentioned the Explanatory Memorandum. We did indeed make some changes, as he acknowledged, to the Explanatory Memorandum, which was made available to the SLSC, to provide a clearer explanation of which part of the law the instrument is changing and why. He mentioned that the revised Explanatory Memorandum was laid on 2 November, and provided more contextual information. In particular, it explained that the SI provides the statutory basis for specified public bodies to share data in order to verify an individual’s identity in a safe and secure way so that they can access public services online, and that duplicative systems are being replaced with a single account. This is an obvious benefit.

The SI will also enable the GOV.UK One Login to draw on a broader range of government-held data sources when users need to verify their identity. That is an important point, because it is difficult for people who do not have a passport or a driving licence under the current system.

We are committed to being open and transparent by making information about data shared under the Digital Economy Act easily available for all to find and understand in the public register of data-sharing agreements. That was one of the safeguards laid down in that Act, so we have obviously taken that on board. That is an important point of transparency.

This is also underpinned by a robust code of practice—I have read it—which was created by Section 43 of the DEA. That sets out how the power must be operated, and includes setting out how any data shared under this power must be processed lawfully, securely and proportionately, in line with data protection legislation. We therefore have the DEA and data protection legislation coming together to allow us to implement this, hopefully life-changing, bit of technology in a way that protects the citizen. Obviously, the Cabinet Office is responsible for maintaining that register, and the Public Service Delivery Review Board is overseeing strategic consistency.

We have not seen that many regulations made under this Act—I think there was one on social care before—but we can see the value of the Act and the safeguards that Parliament added to it coming through.

On voter registration, the noble Baroness, Lady Chapman, raised a very good point, to my mind. I will have to follow up in writing. Fundamentally, as she said, these regulations will enhance the user experience. Despite many improvements over the last few years, today’s experience of interacting with government is too fragmented. We have multiple logins, and we are repeatedly asked the same information, which sometimes one has recorded on the phone—and sometimes recorded wrongly, as I know from my own experience. This is the same for everyone trying to access government. One Login will replace this with one system; we are used to this on our phones and so on, and there is a lot to be said for this new arrangement. We will have better data sharing to help those people without traditional forms of ID to access the services online that they need.

I hope noble Lords, having heard the benefits of the regulation—

My Lords, I am sorry to interrupt the Minister as she comes to the final furlong, but the question of oversight raised by the noble Baroness, Lady Chapman, and by me, and the standards that will apply to this system, are extremely important.

Given the time, I will take that away, along with the voting point, if I may. I drew attention to the code of practice and the parent Act; we have every intention of following the principles, but the point about review and oversight is well made by the noble Lord, as always. I will come back to him on that point.

I am sorry that I have not been able to answer every question on the login area. I can introduce noble Lords to my honourable friend in the other place, Alex Burghart, who has spent a great deal of time developing these regulations. The point is that these narrow regulations before us today are a necessary enabler for this major change for the citizen. I hope that noble Lords, having heard the benefits, will join me in supporting the draft regulations. I commend them to the Committee.

Motion agreed.

Committee adjourned at 6.26 pm.