Identity and privacy principles
As with most of our releases and work at the Government Digital Service, we release our work early for review and comment. Recently the Identity Assurance Programme Privacy and Consumer Advisory Group, a working group of the main board, issued the following principles for discussion. Although not yet ratified by the full board, these principles clearly set out the main thrusts of user control and transparency which underpin the entire programme.
These principles have been continually discussed and reviewed with over a dozen privacy and consumer groups since autumn 2011, including No2id, Privacy International, Which?, London School of Economics, Oxford Internet Institute and Big Brother Watch. We will continue to work with these groups to ensure that user needs are put first as we re-create a digital relationship between users and Government services.
We would love your feedback via comments, or to Nick.Kalisperas@digital.cabinet-office.gov.uk
1. The User Control Principle
Identity assurance activities can only take place if I consent or approve them.
An Identity Assurance Provider or Service Provider must ensure any collection, use or disclosure of IA data in, or from, an Identity Assurance Service is approved by each particular Service-User who is connected with the IA data.
Identity Assurance Providers or Service Providers cannot use or disclose IA data without the Service-User’s knowledge and agreement (i.e. consent). Service-Users must be able to control / choose whether or not to use or disclose their IA data. Any exemption from the User Control Principle should be specified via the Exceptional Circumstances Principle. The Data Minimisation Principle also applies to any collection, use and disclosure.
The requirement that processing is legitimised either by the consent of the data subject or because it is “necessary for a contract with the data subject …” (Schedule 2, paras 1 and 2 of the DPA), unless exceptional circumstances apply. Consent takes the meaning in the Data Protection Directive (or any successor regulation). Also covers some “fair processing” requirements.
2. The Transparency Principle
Identity assurance can only take place in ways I understand and when I am fully informed.
Each Identity Assurance Provider or Service Provider must be able to justify to Service-Users why their IA data are processed. Each Service-User, prior to using an Identity Assurance Provider or a Service Provider for the first time, must be provided with a clear description about the processing of IA data in advance of any processing. The information provided includes a clear explanation of why any specific information has to be provided by the Service-User (e.g. in order that a particular level of identity assurance can be obtained) and identifies any obligation on the part of the Service-User (e.g. in relation to the User’s role in securing his / her own identity information).
Any subsequent and significant change to the processing arrangements that have been previously described to a Service-User needs the prior consent or approval of that Service-User before it comes into effect.
Organisations should engender trust by being open about all aspects of the processing of IA data (Processing means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, aggregating, accessing” and anything else). Such information does not need to be provided at every transaction, if the Service-User has been previously informed. Where changes occur, any Provider would have to anticipate the fact that consent or approval might not be forthcoming. Any exemption from the Transparency Principle should be specified via the Exceptional Circumstances Principle.
First Data Protection Principle: the requirement that the processing of personal data is fair.
3. The Multiplicity Principle
I can use and choose as many different identifiers or identity providers as I want to.
A Service-User is free to use any number of identifiers that each uniquely identifies the individual or business concerned. A Service-User can use any of his identities established with an Identity Assurance Provider with any Service Provider. A Service-User can choose any number of Identity Assurance Providers or Service Providers in order to meet his or her diverse needs. A Service-User shall not be obliged to use any Identity Assurance Provider or Service Provider not chosen by that Service-User; however, a Service Provider can require the Service-User to provide a specific level of Identity Assurance, appropriate to the Service-User’s request to a Service Provider. A Service-User can terminate, suspend or change Identity Assurance Providers or Service Providers at any time. A Service Provider does not know the identity of the Identity Assurance Provider used by a Service-User to verify an identity in relation to a specific service.
These first three need no explanation. Where Service Providers are a monopoly or near monopoly, they should not be able to require a particular Identity Assurance Provider to be used. However, a Service Provider must be able to insist on a particular (and not unreasonable) level of identity assurance before delivering a service. Any exemption from the Multiplicity Principle should be specified via the use of the Exceptional Circumstances Principle. It should not be possible to link a Service-User’s activities in different contexts.
4. The Data Minimisation Principle
My request or transaction only uses the minimum data that is necessary to meet my needs.
All data processed by an Identity Assurance Provider or a Service Provider to facilitate a request of a Service-User must be the minimum necessary in order to fulfil that request in a secure and auditable manner.
Note: it is useful to remind the reader that this Principle has a wide reach because of the definitions of IA data and Processing:
“IA data” includes “Personal data”, “Audit data”, “Attribute data”, “Identity data”, “Relationship data”, “Transactional data” and other “General data”.
“Processing” in the context of IA data means “collecting, using, disclosing, retaining, transmitting, copying, comparing, corroborating, aggregating, accessing” etc.
So for the absence of doubt, any aggregation, correlation or corroboration of IA data from diverse Identity Assurance Providers or Service Providers is subject to all the Identity Assurance Principles. All IA data processed has to be the minimum necessary in the context of service delivery or identity verification. Note that a Service-User can, for his own convenience, request a Provider to hold information beyond the minimum necessary. Subject to any audit or legal requirement, the Minimisation Principle requires any aggregation, correlation or corroboration to be of a transient nature. Any decision that requires a risk assessment of the Service-User, and therefore the correlation of data from possibly a number of sources, will also be subject to the Data Minimisation Principle. Note that the User Control or Transparency Principle should ensure the Service-User can provide informed consent / approval. There should be no centralisation of IA data. Any exemption from the Data Minimisation Principle should be specified via the Exceptional Circumstances Principle.
Third and Fifth Data Protection Principles (“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed” and “kept no longer than is necessary”). Also Privacy by Design objectives likely to appear in a future data protection regulation.
5. The Data Quality Principle
I choose when to update my records.
Service-Users should be able to update their own personal data, at a time at their choosing, free of charge, and in a simple and easy manner. Identity Assurance Providers and Service Providers must take account of the appropriate level of identity assurance required before allowing any updating of personal data.
Unnecessary retention and excessive data collection would breach the Data Minimisation Principle. If a Service-User fails to keep his information up to date, then his transactions could fail; this, we believe, is the incentive for Users to keep information up to date. The Identity Assurance Provider / Service Provider has to be able to decide the level of identity assurance before accepting a change to a Service-User’s data. Any exemption from the Data Quality Principle should be specified via the Exceptional Circumstances Principle.
Accuracy requirements of DPA (4th Principle)
6. The Service-User Access and Portability Principle
I have to be provided with copies of all of my data on request; I can move/remove my data whenever I want.
Each Identity Assurance Provider or Service Provider must allow, promptly, on request and free of charge, each Service-User access to any IA data that relates to that Service-User. It shall be unlawful to make it a condition of doing anything in relation to a Service-User to request or require that Service-User to request IA data.
The Service-User shall have the right to require an Identity Assurance Provider to transmit his personal data to a second Identity Assurance Provider in a standard electronic format, free of charge and without impediment or delay.
The Service-User’s right to data portability shall also apply between Service Providers.
For the absence of doubt, such access includes access to logs of Service-User activity, disclosure logs of any Service-User data, and any audit data relating to that Service-User’s activity but excludes any anonymised data that can no longer be linked or associated with a particular Service-User. The prohibition is needed as there is a practice in the UK of requiring data subjects to use their subject access rights to criminal records and medical records and show the product of their access request to an employer or insurer. The prohibition stops unscrupulous use of the access right. The text is based on the prohibition in the ID Card Act 2005. This is the right to data portability. Any exemption from the Service-User Access and Portability Principle should be specified via the Exceptional Circumstances Principle.
Subject access under the DPA. Privacy by Design should include a user access functionality. Stopping enforced subject access. (Data Portability is envisaged in the Data Protection Regulation.)
7. The Governance/Certification Principle
I can trust the Scheme because all the participants have to be accredited.
As a baseline control, all Identity Assurance Providers and Service Providers shall be certified. There shall be a certification procedure subject to an effective independent audit regime which ensures that all relevant, recognised identity assurance and technical standards, data protection or other legal requirements are maintained by Identity Assurance Providers and Service Providers. In the context of personal data, certification procedures include the use of Privacy Impact Assessments and Privacy by Design concepts. All Identity Assurance Providers and Service Providers shall take all reasonable steps to ensure that a Third Party cannot capture IA data that confirms (or infers) the existence of a relationship between any Participants. Certification can be revoked if there is significant non-compliance with any Identity Assurance Principle.
The architecture of an Identity Assurance Service must be based on open standards.
This Principle mandates the use of all relevant standards as the baseline for all information assurance / security / integrity controls used. The “reasonable steps” requirement tries to ensure that web-based services cannot capture details of a relationship between Service-Users and any Identity Assurance Provider or Service Provider used by them, even though the Service-User might have unwittingly allowed it. (Note: this is why relationship data includes in its definition relevant cookies and programs that collect such data.) Any exemption can be specified via use of the Exceptional Circumstances Principle.
The Accountability Principle expected in the forthcoming data protection regulation; also obligations in the Seventh Data Protection Principle and the HMG Security Framework or ISO27000. Privacy Impact Assessments and Privacy by Design concepts are part of the Data Protection Regulation currently under discussion. Consideration needs to be given as to whether it should be made unlawful for such details to be captured (even overriding any User’s explicit consent). We are very concerned that many Users do not know what permissions they have given, nor do they read the privacy policies of organisations based outside the EEA. There is a need to take away the defence of a Third Party that it has the permission of the User to capture details from an Identity Assurance Service.
8. The Problem Resolution Principle
If there is a problem I know there is an independent arbiter who can find a solution.
A Service-User who, after a reasonable time, cannot or is unable to resolve a complaint or problem directly with an Identity Assurance Provider or Service Provider can call upon an independent Identity Ombudsman to seek independent resolution of the issue. As part of the certification process, Identity Assurance Providers and Service Providers are obliged:
- to co-operate with the Identity Ombudsman and accept his impartial determination and
- to ensure that contractual arrangements:
  - reinforce the application of the Identity Assurance Principles, and
  - contain a reference to the Identity Ombudsman as a mechanism for problem resolution.
The Identity Ombudsman can resolve the same or similar complaints affecting a group of Service-Users.
The Identity Ombudsman can co-operate with other Regulators in order to resolve problems and can raise relevant issues of importance concerning an Identity Assurance Service.
An adjudication / recommendation of the Identity Ombudsman shall be published.
There can be more than one Identity Ombudsman.
The Identity Ombudsman can recommend changes to standards or certification procedures or that an Identity Assurance Provider or Service Provider should lose their certification.
The central problem is that many different Regulators (e.g. Information Commissioner, FSA, OFCOM) could be involved and that an individual has to be able to complain to a central point of contact in order to resolve an issue. Without an Ombudsman / Advocate, there is a risk that the Service-User will be passed from pillar to post. One assumes, however, that a Service-User will resolve a complaint in the usual way. However, it is possible that complaints will not be resolved satisfactorily. We expect that any determination made by an Identity Ombudsman can be appealed to the Courts by any party to the dispute. Any exemption from the Problem Resolution Principle can be specified via use of the Exceptional Circumstances Principle (but we can’t see the need for any exemption, as explained below). Take an extreme example, and suppose there was an exemption needed for, say, “national security”; then the Regulator who has the responsibility for the national security function could be designated as the “ombudsman” for that purpose. This would maintain the integrity of this Principle and the secrecy required of the national security function.
9. The Exceptional Circumstances Principle
Any exception has to be approved by Parliament and is subject to independent scrutiny.
Any exemption from the application of any of the above Principles to IA data shall only be lawful if it is specified in the statutory framework established by the general legislation needed to legitimise all Identity Assurance Services. Any exemption from the application of any of the above Principles that relates to the processing of personal data must also be necessary and justifiable in terms of one of the criteria in Article 8(2) of the European Convention on Human Rights: namely in the interests of national security; public safety or the economic well-being of the country; for the prevention of disorder or crime; for the protection of health or morals; or for the protection of the rights and freedoms of others. Any subsequent processing of personal data by any Third Party who has obtained such data in exceptional circumstances (as identified by Article 8(2) above) must be the minimum necessary to achieve that (or another) exceptional circumstance. Any exceptional circumstance involving the processing of personal data must be subject to a Privacy Impact Assessment by all relevant “data controllers” (where “data controller” takes its meaning from the Data Protection Act). Any exemption from the application of any of the above Principles in relation to IA data shall remain subject to the Problem Resolution Principle.
There are a myriad of data sharing laws, each with different standards and rules. To engender trust in the identity assurance programme and to improve Parliamentary scrutiny, it is proposed that ONLY statutory gateways created by the legislation needed to establish the programme are valid. There might be a phasing-in period. The special interests identified in Article 8(2) are expressly put into this Principle. However, the linkage to individual human rights means that the link can only relate to personal data (i.e. an identifiable living individual). This is why we need the definition of “personal data”. This allows for limited onward data sharing, so long as it is consistent with Article 8 of the HRA. There is a real issue as to whether the current level of privacy protection is adequate for some public bodies (e.g. is the protection in RIPA adequate? Is the regulatory regime for the Security Service, GCHQ or the Police OK?). This construction avoids opening up what would be an everlasting debate; however, the last paragraph of this Principle is the necessary “quid pro quo” for this position. (See comments at the bottom of Principle 8 re Governance on national security.)
It is expected that any exemption will be limited, and expressed in terms of particular subsets of IA data (e.g. “personal data”, “audit data”, “relationship data”) necessary for the application of any exemption.