DCMS provides latest update on digital identity trust framework

DCMS provides key principles behind the trust framework and its priorities for further policy development during testing

Posted 23 June 2022 by Christine Horton

DCMS has provided an update on its current work on the proposed digital identity and attributes trust framework.

It follows DCMS’ rollout of a beta version of the trust framework last week.

“At DCMS, we’re convinced that safe digital identities will bring significant benefits for businesses and the public,” said George Muscat, digital identity & attributes trust framework lead at DCMS.

Muscat, who was speaking at the hybrid Think Digital Identity for Government event, outlined the key principles behind DCMS’ approach to developing the trust framework.

“Firstly, we are outcome-oriented,” he said. “Wherever possible, we focus on supporting services to achieve a desired outcome, as opposed to being evangelical about the best process for achieving it.”

Muscat said that DCMS was aware of the work already done on digital identity and digital identity standards. He said, “We want to build on that, we don’t want to start things from scratch.”

He added that DCMS has been working in partnership with its stakeholders, through rolling engagement and testing, to develop the trust framework iteratively with them.

Another objective is to facilitate interoperability of digital identity products, he said. For example, the data schema DCMS published alongside the beta version of the trust framework will provide a common language for organisations to describe the checks they make. This will make it easier for trust framework participants to share information with each other, he said.

Further policy development

Muscat highlighted four areas that DCMS is prioritising for further policy development during testing.

“Our key objectives for beta testing are twofold. Firstly, we’ll be testing whether the trust framework is fit for purpose. And we’ll also be looking to build market confidence in the framework,” he said.

The first is the end-user agreement. Trust framework participants will have to follow those rules in addition to their other existing data protection obligations like GDPR. Muscat said DCMS is also keen to test how much friction is added to the user experience, if any, and if the user agreement is transparent to users.

“We also want to understand whether users value the requirements on top of existing legislation. We want to understand whether the users feel that the requirements enhance their control over their data,” he said.

“Secondly, the trust framework doesn’t require organisations who consume the services of organisations who are certified to themselves be certified. But it does include requirements for certified services to have processes to ensure their relying parties meet key high-level principles that underpin the trust framework.

“In the trust framework beta version, we define these as flow down terms. During beta testing, we plan to test how monitoring and enforcement of these flow down terms works best practically. And also map whether behaviours we want to incentivise through these flow down terms are already captured by existing regulations.”

The third key area, he said, is around the fact that the trust framework allows certified providers to work with other services that are not certified, for example in their supply chain.

“We will assess the risk posed to the trusted ecosystem by uncertified providers and consider our options for mitigating this,” he said.

Finally, the trust framework beta also includes new requirements on fraud management across a number of areas, including fraud monitoring, intelligence and analysis. During beta testing, DCMS will look at how effective this new guidance is in practice, he said.

“The trust framework is about enabling consistency,” said Muscat. “Consistency in how organisations conduct identity checks and share identities and attributes and consistency in the standards that they follow. This consistency enables trust; a citizen that opens an account with a trustmarked service will be able to trust that their digital identity is stored securely and that their privacy will be protected.

“Organisations that consume the products of trustmarked organisations will be able to trust that potential users are who they say they are. And organisations that use the trust framework will be able to trust each other and this is really important as well.”

Another key objective, he said, is to create consistency in the trust required for reusable digital identities, including giving users the power to choose when and how they use their digital identity.
