Version 4: OfDIA announces the gamma trust framework

Written By

Elizabeth Dunn

Partner
UK

As a partner in Bird & Bird's Commercial team and a member of our Media, Entertainment & Sport Group based in London, my practice focuses on regulatory and commercial matters in gambling and sport.

Callum Granger

Associate
UK

I am an associate in our commercial practice, based in London. I advise clients across the gambling, sports, media and entertainment sectors on regulatory, transactional and commercial matters.

Richard McMorris

Partner
UK

I work across multiple sectors with organisations using data, content and technology. I have particular expertise in the exploitation of content and data in the media and sports industries. Alongside deep technical expertise, I offer clients insight on business and strategic issues, particularly for entrepreneurial, high-growth, internationalising businesses.

The Office for Digital Identities and Attributes (OfDIA) has published a pre-release of the latest iteration of the UK digital identity and attributes trust framework (gamma version). Here we consider what has changed in the gamma version and what entities operating in the digital identity space need to be aware of, following the publication.

Re-cap

The UK digital identity and attributes trust framework (Trust Framework) was first published in 2021. The Trust Framework sets the standards that various categories of service provider operating in the digital identity space must meet to achieve certification against the standards, denoting that the organisation is a secure and trusted provider of digital identity products and services. The gamma version is the fourth iteration of the Trust Framework and will be the successor to the beta version, which was published in June 2022.

Pre-release

From the outset, it is important to note that the gamma version is currently a pre-release. The significance of this is that it is not possible for service providers to achieve certification against the gamma version at this time and the beta version will continue to be the certification standard for now. 

The pre-release has been issued to assist with business readiness. As OfDIA has confirmed that the requirements of the gamma version will not change between now and its final release, service providers should now review and consider the requirements of the gamma version and begin taking steps to prepare to meet the rules which will be applicable once the gamma version comes into force. 

The timeline for the gamma version going live is yet to be announced. However, this will be dictated by the speed with which UKAS is able to prepare the conformity assessment bodies for assessing whether the provisions of the gamma version are being followed by organisations seeking certification. Once the conformity assessment bodies have been accredited, they will begin certifying organisations against the gamma version. This means it is likely that the gamma version will go live next year.

Gamma vs beta

As with each prior iteration, the gamma version has refined the requirements that organisations seeking certification under the Trust Framework must comply with. The key changes introduced by the gamma version are set out below.

Roles

The Trust Framework sets out a number of roles, each with a distinct set of rules that are applicable depending on the type of product or service the organisation seeking certification is providing. The gamma version has introduced two new roles which providers can now achieve certification against: 

  1. Holder service providers (section 7): this covers entities which provide products allowing users to collect, store, view, manage or share identity and attribute information. This will include those providing ‘digital wallet’ services and may be characterised by offering account functionality in the user interface. 
  2. Component service providers (section 9): this covers service providers who design and build specific components of the identity proofing, verification or authentication processes. Identity, attribute or holder service providers will contract with component service providers for specific parts of their services, such as biometric verification or identity fraud services.

Entities fulfilling these roles will have to comply with their own specific rules (in particular Good Practice Guide 44 and Good Practice Guide 45, to the extent such guidance is applicable within the relevant sections of the gamma version) and other rules which are applicable to all entities seeking certification. 

It is notable that, as per the beta version, roles are not mutually exclusive and entities whose product offering covers multiple roles will need to be certified against each role. For example, a holder service provider whose product includes verification processes must also comply with the rules applicable to identity service providers. This is also true of identity or attribute service providers who offer reusable services, who would now also need to be certified as a holder service provider under the gamma version. 

Trust

The gamma version has introduced many amendments which seek to foster increased public trust in digital identity services, aiming to increase uptake and the benefits that progress in this space can bring:

  • Inclusivity: providers are now required to submit more detailed inclusion monitoring reports to OfDIA on an annual basis (section 10.1.2). Specific provisions have also been built into the Trust Framework regarding biometric technologies (section 12.8), requiring performance testing and security testing for these technologies, to ensure that they can be widely used and are, for example, equally effective across different ethnic groups; 
  • Support: providers are now required to implement incident and complaint processes which users are able to access and must also publish contact details to enable users to access support channels; and
  • Identity repair: rules regarding identity repair, applicable once an individual has been the victim of identity theft, have been enhanced in the gamma version. Providers must publish contact details (as above) and implement a documented process to advise users on steps they can take to remedy the issue they have experienced (section 12.5.5). 

Security

The gamma version contains more comprehensive security provisions. OfDIA has indicated that security is a key mechanic to build trust in digital identity services and will, therefore, help encourage their wider adoption and use. New requirements include:

  • enhanced requirements around fraud audits, including an additional obligation to implement a process for establishing, where suspicions of fraud exist, whether additional fraud audits by an independent internal auditor or a third party are required (section 12.4.1.d);
  • obligations to put additional security policies in place where an identity has been verified at a low level of confidence, has been recently repaired or fraud activity associated with that identity has recently been detected (section 12.4.1.e); and
  • requirements for providers to cooperate with law enforcement agencies if criminal activity is suspected and implement processes to prevent further criminal activity where this arises (section 12.4.2.d).

Providers must be aware that the rules set out in the Trust Framework are complementary to any industry-specific rules and regulations on fraud prevention to which they may be subject, as well as to any obligations under UK law.

Privacy

The confidentiality obligations set out in the Trust Framework have been enhanced in the gamma version. Additional requirements have been added regarding information security management systems which comply with the principles of the ‘CIA Triad’, i.e. confidentiality, integrity and availability.

  • Confidentiality (section 11.6.1): Policies that classify confidential information and describe who can access what level of information must be created, which may follow ISO 27001 standards.
  • Integrity (section 11.6.2): Information security policies must be in place explaining how the provider will protect the integrity of information, including audit trails, secure communication protocols and data backups and recovery plans.
  • Availability (section 11.6.3): The availability requirements have been maintained and additional requirements to avoid single points of failure have been added.

The gamma version reiterates the importance of privacy and data protection at the heart of the Trust Framework. As per the beta version, high standards of data protection compliance are mandated, requiring providers to implement best industry practice on data protection. Further updates have also been introduced (section 12.7) including:

  • enhanced transparency requirements, requiring providers to supply data subjects with a clear privacy notice; and
  • for holder service providers, requirements to reconfirm users’ understanding of how their identity will be shared and disclosed at appropriate intervals throughout the customer journey, including re-verification and confirmation where the user’s account has been inactive for 14 months and, where feasible, confirming the user’s understanding whenever there is a request that their data be shared or disclosed to a third party.

The Register

New provisions have been introduced (section 13) regarding the register of certified providers, designed to enhance the integrity of the register as the source of truth regarding trusted providers operating in the digital identity space.

The business probity requirements (section 11.1) which have been introduced in the gamma version are designed to achieve a similar objective. This section includes requirements that providers: 

  • must not bring the Trust Framework into disrepute; 
  • must not misrepresent the certification status of services offered; and
  • must evidence that they are not an entity which presents risk to the wider Trust Framework, for example by being subject to bankruptcy proceedings or prior OfDIA/ICO investigations. 

Schemes and supplementary codes

References to schemes set out in the beta version have been removed and the Trust Framework now confirms that any specific use case scenarios will be addressed via supplementary codes, prepared through stakeholder engagement (see section 4.4).

Significance and next steps

The gamma version comes at a pivotal juncture for the UK’s digital identity regulatory framework. The Data (Use and Access) Bill (Data Bill) was published at the end of October and has now reached the committee stage in the House of Lords. Part 2 of the Data Bill sets out the legislative framework for digital verification services in the UK, including obligations for the Secretary of State to create a statutory trust framework which would be kept under annual review.

OfDIA has confirmed that it will be launching its next round of stakeholder engagement to gather feedback on the gamma version to develop the next iteration of the Trust Framework. It intends to release this iteration following the passage of the Data Bill. As such, there is limited time until a statutory trust framework will be established. It is highly likely that the provisions of the statutory framework will be based upon the Trust Framework. This means that stakeholder engagement with OfDIA to refine the Trust Framework, to ensure it is fit for purpose and upholds consumer confidence without putting undue pressure and burdens on providers, is now more important than ever.
