UK digital identity and attributes trust framework
What is a trust framework?
A trust framework is a set of rules and standards that organisations agree to follow. If an organisation is part of the trust framework, it can be relied upon to follow the agreed requirements.
The trust framework sets out requirements so that organisations know what ‘good’ identity verification looks like.
Specific rules will be defined to ensure that:
- products and services are inclusive
- privacy and data protection are ensured
- fraud management is central
- security follows recognised standards
One of the key aims of the framework is to enable people to create, use and reuse their digital identities. It should also provide them with a way to share their personal attributes securely with other people and organisations more easily.
Why can’t PDP use an existing government identity service?
There are two government identity services currently in use and we’re often asked why we can’t simply use one of:
- Government Gateway
- GOV.UK Verify
While this might seem like an attractive option, these identity services are open only to government services. The Pensions Dashboards Programme (PDP) is a part of the Money and Pensions Service (MaPS), which is an arm's-length body. However, other dashboard providers will be commercial organisations, as will data providers (ie pension providers and schemes), so these services are not available to us.
The involvement of commercial organisations with pensions dashboards also rules out using further government identity initiatives, such as GDS GOV.UK Accounts (Single sign on) or DWP Dynamic Trust Hub that are planned in coming years.
The UK digital identity and attributes trust framework and pensions dashboards
PDP has identified the forthcoming UK digital identity and attributes trust framework as a key building block to the delivery of an efficient and interoperable digital identity market in the UK. As such, it will provide an appropriate identity solution for the future of the pensions dashboards service. Consequently the programme’s intention is to deliver an identity service under the governance and controls regime that the trust framework provides.
However, the trust framework is in its early stages and will not be available to the programme during our testing phases. As a result, PDP will procure a single identity supplier via G-Cloud 12, during October 2021, for a two-year period. We anticipate that the trust framework will be operational ahead of initial dashboard availability.
Key features of the UK digital identity and attributes trust framework for PDP
The central governing body will set rules for the whole of the framework.
These rules will ultimately enable certainty on interoperability at participant and scheme level.
By being part of the trust framework, the onus of setting rules and managing the certification of identity providers can be deferred to the governing body. This is a massive reduction in overhead for the programme.
The trust framework, under the auspices of the governing body, will oversee the certification of participants. This function is likely to be managed through the United Kingdom Accreditation Service (UKAS).
Through the accreditation and certification process, participants will be awarded a Trust Mark.
Trust marks will provide the consumer, and participants within the framework, with the confidence that the organisation has been accredited within the framework.
The certification process within the framework counters the need for the programme to manage any audit or validation of identity providers. This removes an overhead and negates the need for an additional relationship with an accreditation service.
Rules to be followed by participants have clear definition.
The programme can be certain that all participants are operating to the same minimum standards.
The programme has options for how it participates:
- as a member of a third party scheme
- creating and operating a ‘pensions’ scheme
- as a single firm
Roles and responsibilities
Roles within the trust framework are clearly defined:
- an identity service provider (IDP)
- an attribute service provider (ASP)
- an orchestration service provider (OSP)
- a relying party (RP)
In the structure of the framework, PDP is a relying party.
The trust framework mandates that identity providers and attribute service providers follow accessibility regulations. The suggested standards are:
- Web Content Accessibility Guidelines (WCAG)
- European Telecommunication Standards Institute (ETSI) standard on accessibility requirements suitable for public procurement of ICT products and services in Europe
The second of these does not appear to be appropriate for the programme’s service; however, WCAG is incorporated within our expectations.
While not incorporated yet, the framework will recommend technical specifications that will encourage interoperability.
These recommendations will include the range of data that can be shared and how it will be shared.
Interoperability is key to the programme’s future plans: the ability to source identities created through other services reduces the impact on identity providers incorporated in our service.
Complaints and disputes
The trust framework mandates that all participants operate a process for managing complaints and disputes. This aligns with the programme’s requirements.
All participants must follow industry standards and best practice. They could (and probably should) be following the National Institute of Standards and Technology (NIST) standards:
- FIPS 140-3
- SP 800-175B
- SP 800-67
They are also guided to follow National Cyber Security Centre (NCSC) guidance on:
- using IPsec to protect data
- using TLS to protect data
These requirements from the trust framework are closely aligned with the programme’s requirements for the identity service.
Participants will require a quality management system following a recognised standard such as ISO 9001:2015. A quality management standard documents the organisation’s objectives and how they will be achieved.
While not necessarily a prerequisite for a procured service, it would be beneficial for the programme for the service to support a recognised quality management standard.
Aligned with other standards, participants are required to have an information management system (IMS) that follows an industry standard. The suggested standard is ISO/IEC 27001:2017.
An information management system is a collection of documents covering:
- why an organisation needs to keep information it keeps
- how an organisation creates, organises and stores information
- who has access to the information
- how they share information (including why it’s shared, who it’s shared with, how often it’s shared, what format it’s in and how it’s protected)
- how they archive information
The programme has defined requirements for information management across the whole of the digital architecture, which the trust framework standard satisfies.
The information management system also relates to information security, which is of primary importance to the programme.
Controls documented in the information management system for the trust framework adequately support the requirements of the programme.
The trust framework includes a provision for participants to have a risk management framework following industry standards. The suggested standards are:
- ISO/IEC 27005:2018
- ISO 31000:2018
These standards align with those that we would expect to include in the programme.
All participants of the trust framework must follow best practice guidance on fraud management. The recommended guidance is:
- from the Chartered Institute of Public Finance and Accountancy (CIPFA)
- Government Functional Standard GovS 013: Counter fraud
- Government Internal Audit Agency’s standards
In addition to following best practice on fraud management there are five specific requirements to meet relating to:
- fraud monitoring
- legal, policies and procedures
- fraud reporting
- intelligence and fraud analysis
- sharing of threat indicators
Again these requirements reflect those that we would anticipate as a minimum for the programme.
In line with our expectation and logical business sense, the trust framework ensures that participants have documented processes for responding to incidents, whether they be fraud, service delivery or data breach related.
Privacy and Data Protection
All participants will be required to follow data protection legislation when handling personal data. The Information Commissioner’s Office (ICO) has a guide to data protection that details the requirements.
The Data Protection Act 2018, which will be the minimum requirement for the programme, falls within this scope.
Should PDP use an identity scheme?
An identity scheme is made up of different organisations, which agree to follow a specific set of rules around the use of digital identities and attributes. These organisations might work in the same sector or region, which means they provide services for similar types of users.
In the instance of PDP’s identity service, a scheme would be likely to include multiple identity providers, a hub provider, the ecosystem and dashboard providers. This would have the following benefits:
- flexibility for the user
- giving no one party total control of identity provision
- increased scope for inclusion
The programme’s preference is for a service including a hub / broker in line with the diagram below.
Identity scheme operator
To achieve this, the programme is proposing that the service joins an identity scheme under the structure of the UK digital identity and attributes trust framework.
In the event that the trust framework is not available in an appropriate time frame, the programme will look to implement an identity scheme specifically for pensions dashboards, with the acceptance of the overhead required.
The UK digital identity and trust framework defines a set of rules that show what good identities look like.
One of the key tenets of the framework is the establishment of a governance and oversight function to own the rules and development of proposals to remove legislation and regulatory restrictions to the use of secure digital identities with safeguards for the individual.