What is the UK Digital Identity & Attributes Trust Framework?

What is the UK Digital Identities and Attributes Trust Framework

The UK DIATF or UK Digital Identity & Attributes Trust Framework is a UK Government initiative that defines rules, standards and governance oversight for Digital Identity Service Providers (IDSP), Attribute Service Providers (ASP), and Orchestration Service Providers (OSP).

The Department for Digital, Culture, Media and Sport (DCMS) was initially developed the Digital Identity and Attributes Trust Framework which is intended to modernise the UK by introducing the ability for individuals to have reusable certified Digital IDs.

With the rapid adoption of remote biometric identity verification, the UK Government first published the framework in February 2021 before releasing an updated version in June 2022. The aim of the framework is to establish a digital identity ecosystem that is as trusted as using passports or bank statements. To achieve this, the Government introduced a new certification for IDSPs and ASPs that confirms they meet the trust framework’s requirements.

How was the framework developed?

The framework was developed by the UK Government under the stewardship of The Department for Digital, Culture, Media & Sport (DCMS) with input from recognised national bodies such as the Open Identity Exchange (OIX), Age Verification Providers Association (AVPA), UK Finance and The Finance and Leasing Association (FLA).

A new interim Office for Digital Identities and Attributes (ODIA), which sits within DCMS, was created to have ownership and oversight of the trust framework. A permanent home will be established as the framework moves into legislation with some suggesting the ICO take ownership while others have disagreed.

Developmental timeline

July 2019 – The government issued a ‘Digital Identity: Call for Evidence’ which sought views on how government can support the development and secure use of digital identities fit for the UK’s growing digital economy
September 2020 – The government published the outcome of their Digital Identity: Call for Evidence
February 2021 – The government published a policy paper on the UK digital identity and attributes trust framework
March 2021 – Interested parties were asked their submit comments by this date
July 2021 – The government published the digital identity and attributes consultation
March 2021 – The government published the outcome of the digital identity and attributes consultation
August 2021 – The government released alpha version 2 of the framework
June 2022 – The government released the beta version of the framework
January 2013 – The government released an update to the beta version of the framework and appointed the Department for Science, Innovation and Technology as responsible governmental department

What are the key components of the framework?

The aim of the framework is to give the general public assurance that Digital Identities are safe and secure while the companies that form part of the digital identity ecosystem are held accountable under strict governance.

To achieve this the framework sets out clear guidance and principles which include:

Privacy & data security – One of the biggest barriers to the adoption of Digital Identities is the public around privacy and data security which is why it’s a key component of the framework with clear standards for encryption and data management.

Interoperability – Under the framework, products and services should be interoperable with others placing the control of digital identities into the hands of their owner

Certification – IDSPs and ASPs will be required to be certified against the framework to ensure compliance

Accessibility & Inclusivity – In order to minimise the potential impact on vulnerable / minority (or marginalised) groups, providers are required to submit annual reports to identify and resolve any issues

What are the benefits to the public?

For the public, it sets clear standards for how they interact with certified IDSPs like Credas and how their data is used and protected. In addition, the ability to reuse digital identities will make it far easier to confirm one’s identity remotely while minimising who has access to their credentials. A more robust framework for the provision of digital identities will also reduce fraud as fraud management is an integral part of the framework.

What are the benefits for businesses?

Over the last few years, many new IDV providers have entered the market all with different standards and capabilities. Choosing the right IDV provider can be difficult and requires an in-depth knowledge of biometric technology to really grasp the difference between offerings. The new certification system allows businesses to make a more informed choice while being confident that the providers are meeting a high standard of compliance that has been independently assessed and certified.   

How are IDSPs certified?

If an Identity Service Provider wishes to be certified under the UK DIATF they will need to engage an approved certification body and complete a number of assessments. The certification bodies need to be accredited by UKAS in order for the certification to be valid.

The certification process itself will differ depending on the certification body and the type of activity the IDSP conducts. Currently, IDSPs can be certified against the Right to Work and Right to Rent Schemes only, b) the DBS Scheme only, or c) both.

During the certification process, IDSPs will be tested against the framework assessing:

  • how the organisation handles and protects people’s data
  • what security and encryption standards they follow
  • how user accounts are managed
  • how they protect against fraud and misuse
  • how they manage complaints and disputes

Those going through the certification process will be expected to provide substantial evidence to prove they meet the trust framework’s requirements.

In order to gain certification, an IDSP must be assessed by a recognised certification body. UKAS is responsible for accrediting certification bodies. Currently, the following certification bodies have applied for the programme.

  • Age Check Certification Services
  • British Assessment Bureau
  • Kantara
  • NQA
  • BSI

How do I know if an IDSP is certified?

All certified IDSPs like Credas are listed on the gov.uk website which can be found here. In addition to this website, IDSP should be able to provide you with an official certificate from a relevant accredited body.

What’s a scheme?

A scheme is effectively a use case for which the certified identity profiles can be used. Currently, the only schemes on the Framework are the Right to Rent and Right to Work which are managed by the Home Office and DBS. DIST are leading discussions on the creation of additional schemes which will fall under their remit.

In the alpha version of the framework there was an option that organisations could be certified against the trust framework through a Private sector scheme that was licensed by the governing body. In the beta version, this was revoked as they found that the market was not ready for certification through schemes and an effective licensing process has not been developed. The beta version of the trust framework states that providers can only join the trust framework through direct certification by independent certification bodies.

Private sector schemes will also be required to be accredited by UKAS using using a globally recognised standard such as ISO 17021:2012 or ISO/IEC 17065:2012. Schemes owners shouldn’t have a conflict of interest in their relationship with scheme participants and cannot prevent IDSPs from joining more than one scheme.

Do I need to use a certified IDSP for my ID checks?

Currently, the Home Office recommends that landlords, their agents, and/or employers use an identity service provider certified against the Framework for Right to Work and Right to Rent checks.

Money Laundering regulations recommend that when using an Identity Service Provider ‘it is accredited to give identity verification services through a government, industry or trade association process that involves meeting minimum standards.’ HMRC guidance echoes this. (4.104)

The SRA states that firms take into ‘consideration is whether the service has attained any accreditation or certification.’

While legislation and regulators currently only ask firms to take certification into consideration, when this guidance was issued there was no Government trust scheme in place. As the UK DIATF and legislation develops, it is likely that these recommendations will become requirements.

This article was written on 24/06/2022 and the information within is correct at the time of publishing. For official documentation on the UK Digital Identity & Attributes Trust Framework please refer to the links in the Developmental timeline section. Credas is a certified Identity Service Provider and not an accreditation body – a list of UKAS-approved certified bodies can be found here.