OfDIA announces the Gamma Trust Framework

Written By

Callum Granger

Associate
UK

I am an associate in our commercial practice, based in London. I advise clients across the gambling, sports, media and entertainment sectors on regulatory, transactional and commercial matters.

Elizabeth Dunn

Partner
UK

As a partner in Bird & Bird's Commercial team and a member of our Media, Entertainment & Sport Group based in London, my practice focuses on regulatory and commercial matters in gambling and sport.

The Office for Digital Identities and Attributes (OfDIA) has published a pre-release of the latest iteration of the UK digital identity and attributes trust framework (Trust Framework) (gamma version). This is the fourth iteration of the Trust Framework, which was first published in 2021.

Pre-release

The gamma version is currently a pre-release, meaning it is not possible for service providers to achieve certification against the gamma version at this time. The beta version will continue to be the certification standard for now. However, given that the requirements of the gamma version will not change between now and its final release, service providers should consider the requirements of the gamma version and begin taking steps to prepare to meet the rules which will apply once the gamma version comes into force.

The timeline for the gamma version going live is yet to be announced but will be dictated by the speed with which UKAS is able to accredit conformity assessment bodies to assess whether organisations seeking certification are following the provisions of the gamma version. This means it is likely that the gamma version will go live this year.

Key changes (gamma vs beta)

Roles

The Trust Framework sets out a number of roles, each with a distinct set of rules that are applicable depending on the type of product or service the organisation seeking certification is providing. The gamma version has introduced two new roles which providers can now achieve certification against:

  1. Holder service providers (section 7): entities which provide products allowing users to collect, store, view, manage or share identity and attribute information. This will include those providing ‘digital wallet’ services.
  2. Component service providers (section 9): service providers who design and build specific components of the identity proofing, verification or authentication processes.

Entities fulfilling these roles will have to comply with their own specific rules (in particular Good Practice Guide 44 and Good Practice Guide 45 where applicable) and other rules which are applicable to all entities seeking certification.

As per the beta version, the roles are not mutually exclusive and entities whose product offering covers multiple roles will need to be certified against each role.

Trust

The gamma version has introduced many amendments to build public trust in digital identity:

  • Inclusivity: providers are now required to submit more detailed inclusion monitoring reports to OfDIA on an annual basis (section 10.1.2). Specific provisions have also been built into the Trust Framework regarding performance testing and security measures for biometric technologies (section 12.8);
  • Support: providers must implement incident and complaint processes which users are able to access and must also publish contact details; and
  • Identity repair: rules regarding identity repair following instances of identity theft have been enhanced. Providers must publish contact details (as above) and implement a documented process to advise users on steps they can take to remedy identity theft (section 12.5.5).

Security

The gamma version contains more comprehensive security provisions (sections 12.4.1 and 12.4.2), including:

  • enhanced requirements around fraud audits;
  • obligations to put additional security policies in place in some circumstances, including where an identity has been verified at a low level of confidence; and
  • requirements for providers to cooperate with law enforcement agencies if criminal activity is suspected.

Providers must be aware that the rules set out in the Trust Framework are complementary to any industry specific rules and regulations which they may be subject to regarding fraud prevention, as well as any obligations under UK law.

Privacy

Additional requirements have been added into the gamma version regarding information security management systems:

  • Confidentiality (section 11.6.1): Policies that classify confidential information and describe who can access what level of information must be created, which may follow ISO 27001 standards.
  • Integrity (section 11.6.2): Information security policies must be in place explaining how the provider will protect the integrity of information.
  • Availability (section 11.6.3): The availability requirements have been maintained and additional requirements to avoid single points of failure have been added.

The gamma version reiterates the importance of privacy and data protection at the heart of the Trust Framework. As per the beta version, high standards of data protection compliance are mandated, requiring providers to implement best industry practice on data protection. Further updates have also been introduced (section 12.7) including:

  • enhanced transparency requirements, including providing a clear privacy notice; and
  • for holder service providers, requirements to reconfirm users’ understanding of how their identity will be shared and disclosed at appropriate intervals throughout the customer journey.

The Register

New provisions have been introduced (section 13) regarding the register of certified providers, designed to enhance the integrity of the register as the source of truth regarding trusted providers operating in the digital identity space. The business probity requirements (section 11.1) which have been introduced, including a requirement not to bring the Trust Framework into disrepute, aim to achieve a similar objective.

Schemes and supplementary codes

References to schemes set out in the beta version have been removed. Use case scenarios will be addressed via supplementary codes, prepared through stakeholder engagement (see section 4.4).

Next steps

Part 2 of the Data (Use and Access) Bill (Data Bill), which has now reached the report stage in the House of Lords, sets out the legislative framework for digital verification services in the UK, including obligations for the Secretary of State to create a statutory trust framework which would be kept under annual review.

OfDIA has confirmed that it will be launching the next iteration of the Trust Framework following the passage of the Data Bill. As such, there is limited time until a statutory trust framework will be established. It is highly likely that the provisions of the statutory framework will be based upon the Trust Framework. This means that stakeholder engagement with OfDIA to refine the Trust Framework, to ensure it is fit for purpose and upholds consumer confidence without putting undue pressure and burdens on providers, is now more important than ever.
