Jon Pocock, Senior Product Owner for identity, provides an update on the identity service, which will verify that pension dashboard users really are who they say they are.
My last update included details of the steps we were taking to gather insight on the identity service. Our October 2020 market engagement exercise helped understand the shape of the identity market and test some proposals that were likely to form the background to our requirements. This blog takes you through some of the results of that exercise, plus our latest Call for Input.
We asked identity providers to comment on our initial proposals by the end of November 2020. Subsequently, we have assessed the responses and incorporated findings into our analysis.
We asked the following:
- do you agree that our proposal on the use of government guidelines on identity is appropriate
- do you agree that the standard of identity proof that we propose is appropriate
- can you provide identity proofing and authentication at the level we have proposed
- additionally we validated respondents ability to support our proposals
There was a high level of agreement that our proposals were appropriate and supportable, as we detail below.
October 2020 market engagement outcomes
The market engagement looked to build on the principle defined in the Government Response to the Consultation on Pensions Dashboards:
“To enable a sufficient level of trust in the service, the department expects a standard level of identity assurance for all users (individuals and delegates) that satisfies the National Cyber Security Centre’s Good Practice Guide 45 on ‘Identity Proofing and Verification of an Individual”.
90% confirmed that they could provide identity in line with Good Practice Guide (GPG) 45
Of those that could not support our proposal, some used different approaches to identity or would look to engage a partner to assist with them with verification.
While we are including different approaches in our research, there is enough evidence for us to proceed in line with the principle in the consultation response. We therefore expect to base our standards on GPG 45, as the principle requires.
71% agreed that the GPG 45 medium level of confidence for identity proofing was the correct approach for the Pensions Dashboards Programme (PDP)
There were differing views on whether a medium level of confidence was appropriate. Several respondents felt that high, or very high, confidence levels were more appropriate, but this related more to respondents’ capability, rather than reservations about the medium level itself. We will factor any reservations into our research.
Other respondents indicated that a low level would be sufficient. Again, we are factoring those views into our research.
That said, the broad consensus has given us sufficient confidence to continue with our approach and seek clarity from pension providers.
76% confirmed that they could provide identities to a low level of confidence
86% confirmed that they could provide identities to a medium level of confidence
By way of validating capability, we wanted to see if respondents could support differing levels of confidence, in the event that we move away from the proposed level of medium.
Interestingly, there is a difference in ability to satisfy the two different levels. But this is largely based on interpretation, with some respondents unable to support low but capable of providing a medium level of confidence. The reality being, if we choose a low level of confidence as our standard, those providing a medium level would still qualify, however the evidence required would be stronger and therefore more difficult to achieve.
As in the previous answer, some respondents could only support higher levels and therefore cannot support the lower levels.
Again, we are factoring the different responses into our research, however we are confident in our proposals and comfortable that it is possible to support different options.
86% would be able to support a level of confidence between low and medium if appropriate
In the event that neither low nor medium levels of confidence were deemed appropriate, we wanted to understand whether there was the ability for identity providers to support a level between low and high.
Ignoring the fact that this would require the creation of a new policy, it is positive that the majority of respondents could support such a level.
81% confirmed that they could support a medium level of authentication in line with GPG 44
In addition to the level of confidence in identity verification, we need to factor in the different possible levels of authenticating users, which are included in a separate good practice guide.
We asked respondents whether they could support a defined medium level, within the definition of the good practice guide, and we were pleased that the majority confirmed that it was in the scope of their services.
Some respondents cited alternative approaches that did not directly follow the guidelines. We will incorporate their feedback into our research, however we are confident that there was enough evidence for us to continue developing our approach based on our proposal.
Call for Input on the PDP approach
We are very grateful to all the individuals and organisations that took part in this market engagement exercise. Every part of creating pensions dashboards is an exercise in collaboration and this input was invaluable in further shaping the identity service.
As a result of the positive response, we now have the confidence to engage pension providers with our proposals. We want to clarify any questions that pension providers may have around how we intend to support identity and provide verified personal information so they can find users’ pension holdings.
We have launched a Call for Input on our approach, targeting pension providers, schemes, trustees and software suppliers. We aim to gain feedback and views and seek broad acceptance from those parties that are responsible for providing data to dashboards, which we refer to as data providers.
The Call for Input will run for four weeks until 2 April and I encourage anyone interested to respond.