Identity service: a summary of the call for input responses

Jon Pocock, Senior Product Owner for identity, reflects on responses received from pension providers to our call for input and how the workstream is taking those findings on board.

In February, I provided a summary of the feedback we received from the identity market, following our request for information on our high level proposal for our identity service. We took that information on board and have developed our approach further. 

We wanted to see if pensions providers understood our proposal and how we could further tailor our thinking to develop a final proposition. So, we issued a call for input, which asked similar questions to the earlier request for information and ran for six weeks, between late February and early April. 

I would like to thank all of those individuals and organisations that took the time to provide their views. We are reflecting all of these views in our ongoing work; to deliver a cohesive identity solution that supports all participants whether consumer, dashboard provider, pension provider or the supplier of the central architecture.

In principle we asked:

• do you agree that a central identity services support Good Practice Guide 45 is the correct approach to managing identity
• do you agree that a medium level of confidence of identity under GPG45 is appropriate
• do you agree that medium protection via authenticators under GPG44 is appropriate
• what additional factor does the programme need to consider

This blog provides a flavour of the responses received and highlights the key actions that we have identified as a result.

Spring 2021 feedback and themes

Similar to the request for information (market engagement), we looked to establish the principle defined in the Government Response to the Consultation on Pensions Dashboards as the underlying premise for the identity service:

“To enable a sufficient level of trust in the service, the department expects a standard level of identity assurance for all users (individuals and delegates) that satisfies the National Cyber Security Centre’s Good Practice Guide 45 on ‘Identity Proofing and Verification of an Individual’.”

The responses that we received were varied and displayed different levels of understanding of the provision of identity and the way in which the Good Practice Guides work.

A number of responses seemed either to be incomplete or provided no context to support the feedback provided.  Some respondents also appear to have provided more than one response with contradictory outcomes.

So, in analysing the outcomes, we have obviously had to take some of these idiosyncrasies into consideration.

85% respondents agreed that there should be a central identity service asserting identity in accordance with GPG45.

This is a reassuring validation of the principle that we are working to, however the confidence in this response is tempered slightly as it was clear that the identity proposition and the interaction with the core architecture is not as well understood as it could be. Varying responses displayed different interpretations of the programmes intention

On the specific question of whether we had proposed the correct level of confidence in identity and the level of protection under authentication, feedback was divided. 40% of respondents felt that was the correct level, while 38% felt something different was needed.

The primary view of those suggesting an alternative to a medium level of confidence, is that this was not high enough to given the sensitive nature of pension information. As such the majority requested a high level of confidence, instead of medium. Amongst the rationale provided was, the fact that the impact of the incorrect disclosure of an individual’s combined pension holdings was greater than any of the individual’s holdings on their own. 

Contrary to those suggesting high was the correct level of confidence, there were three responses suggesting that low was sufficient on the understanding that transactional capability would be added to the dashboard scope.

Where we asked for alternatives to the default levels of assurance under GPG45 and 44, 54% of the responses failed to include any feedback. Only four of the 57 responses provided a suggestion.

Within those that provided a view on alternatives, the principle appears to be that the programme should take a lead from government and utilise proven standards that already exist.

These options included engagement with the UK Digital Identity and Attributes Trust Framework and the use of GPGs45 and 44 (which is the principle we are following). The Trust Framework is something that we see as critical to the overall success of the identity service in the longer term and the programme is fully behind the activities to define the controls required and structure of the governance approach.

One question that did raise some interesting response, related to the experience that respondents had with internal identity proofing standards and processes.

Of the replies, 18 provided details of the current methodology and two indicated future plans. Just 10 firms suggested that they currently use a similar approach to that proposed.

A repeated theme from a further seven respondents advocated the use of biometrics (including, in three cases, photo ID). Of these, one recommended the introduction of biometrics, two briefly outlined their plans to start using biometrics later in 2021 and four already use biometrics as part of their ID verification process.

Three answers expressed the view that security for the proposed ID service should be tighter than their own current levels of security: where theirs is currently medium, they wish to see high for the central ID service.

Within the responses received, there were a number of themes that are driving ongoing actions from the programme:

• a number of comments suggested that the structure and nature of the core architecture is not well known
• some responses indicated that the principles underlying the identity solution are not clear
• there were calls for greater clarity on the rationale behind PDP’s proposals
• some respondents expressed concerns about the alignment of legislation, DPA responsibilities and liability – specific mention was made of the view of the ICO on the approach being taken

In response, we are undertaking the following actions.

To address understanding of the architecture and help fill in the gaps that providers may have, we have created the data providers hub on our website. This resource provides an overview of the architecture and the elements that data providers (ie pension providers and schemes) need to understand in preparation for connection.

Within the data providers hub is the link to the first version of the data standards being applied, which will answer some questions raised on the approach to matching users to records within providers’ systems.

Over the course of the next few weeks, we will provide more context for our approach to identity and the logic behind our decision making. This will go some way to addressing the specific questions that have been raised.

By the end of the summer, we will publish details of our work on liability and how that is reflected across the architecture as a whole, including the identity service.

We will continue to work with key partners in government, regulators and beyond, to ensure the appropriateness of the proposals we make and how they will impact the overall solution. We are committed to publishing our workings, once we know how they will affect the ongoing approach.