With the new Government Transformation Strategy aiming to have 25m users of its ID assurance platform by 2020, could healthcare and local government help achieve this?
With the government committed to expanding use of its GOV.UK Verify platform to 25 million people - a 2,400% rise - over the next three years, healthcare and local government adoption are among possible areas being considered to support this aim.
However, as Whitehall commits to build take up of its in-house ID assurance platform, questions remain how this may be achieved and the exact potential to extend use in the public sector. It is understood that potential ambitions to implement the technology for health and social care are not suited to the specific needs of the NHS due to an inability to support a unique identification number.
Part of Whitehall's strategy to build common platforms that can be used by different departments, GOV.UK Verify aims to allow users to select one of several pre-chosen companies to perform a check on their identity in order to access online services at a level of assurance (LOA) 2 security standard. This equates to a level of assurance for identity services that would stand up in a civil court.
Ongoing work between the Government Digital Service (GDS) and certain local authorities is expected to see the launch of pilot programmes this year that will adopt Verify to access select functions such as applying for disabled parking permits.
From next month, Warwickshire County Council will begin trialling a service built around Verify that can ascertain eligibility for Blue Badge renewal online as part of a private beta for 750 users that will last three months.
In expanding Verify beyond the 12 central government services it currently supports, GDS has also committed to look at functions that require lower proof of identity, such as planning application submissions, in order to try and curb the complexity and amount of documents needed for Verify. These services would be classed as LOA 1.
Another potential focus could include using Verify as a means to age check individuals wishing to access online pornographic material under provisions to be introduced in the proposed Digital Economy Bill that is currently undergoing scrutiny in parliament.
In 2015, representatives for the UK adult entertainment industry played down using or adopting Verify for age checks over fears it was not developed enough to meet industry needs compared to already existing commercial solutions.
Health and social care
The potential to use Verify accounts as a means to access health and social care also remains uncertain, despite GDS aspirations to commence work in the area.
NHS Digital says it is yet to take a decision on a preferred means of providing secure access to its online services either via existing government solutions such as Verify and Government Gateway, or via something more bespoke or commercially available.
"We are exploring a number of options that could meet health and care identity needs including GOV.UK Verify," the organisation said in a statement.
The need for a system that can potentially create an identity around the personal NHS number, as well as comply with incoming EU regulations, may be incompatible with the key design features of Verify that attempts to remove the need for a single government database.
It is understood that this difference in needs between healthcare providers wishing to have a system built on unique patient identifiers and GDS' privacy aims, may be delaying a clear plan for ID assurance in the NHS.
Critics of Verify have argued that common identifiers were an important issue for public service delivery, particularly for local authorities, with some councils using health numbers, or a stripped down variation of them, as the basis for a system to identify users.
The lack of a central unique identifier that can be held and uses to pool together information on an individual is a central part of why Verify was designed, partly as an indirect response to concerns around previous government ambitions to implement a national identity card.
A further challenge is seen within the components of the incoming EU regulation on Electronic Identity, Authentication and Signatures Regulation (eIDAS), which requires interoperability with other member states systems.
Under the electronic identification component of the regulation, sources working in the data protection sector argue that interoperability in Europe will require a consistent identifier, whether this might be the UK-specific National Insurance (NI) number or another similar concept.
North of the border
In the case of accessing devolved systems, the Scottish Government launched its own 'myaccount' service in 2014, which works to verify identity by checking an individual's name, date of birth and gender against publicly available information held by the National Records of Scotland (NRS) body.
Authorities argue there is a preference in Scotland for a public sector-managed ID service. On the other hand, Verify, which supports secure online access to individual users of a growing number of UK government online services, is intended to remove the need for a single Whitehall database to ascertain identity.
From a GDS perspective, Verify is the organisation's preferred solution to support individuals in accessing key online functions. This will include a new digital service that is intended to be in place by 2021 to deliver Whitehall's flagship welfare reform, Universal Credit.
Last year, the DWP said it was "evaluating" its identity assurance needs to access Universal Credit online to decide whether Verify may be suitable.
The ID assurance platform was raised by the Public Accounts Committee (PAC) in 2016 as a potential area of concern with regard to challenges facing Universal Credit, especially when considering previous programmes that were impacted by efforts to implement Verify. Questions were raised about the platform's previous readiness to support the Rural Payments Agency's (RPA's) IT systems underpinning the Common Agricultural Policy (CAP) delivery programme.
The RPA chose to be an early adopter of Verify for use with the programme's technology, which was withdrawn shortly after launching in 2014 over technical difficulties that limited access to the service, leading to the RPA returning to using pen and paper systems at the time due to having no alternative ID system.
"HM Treasury has asked the department for contingencies if there are delays with systems which Universal Credit depends upon, such as the GOV.UK Verify service. Given the problems we recently heard about regarding the Common Agricultural Policy (CAP) delivery programme's use of GOV.UK Verify, it is reassuring to hear that these risks are being considered," said the PAC in a progress report from last year.
Verify functions as one of two identity solutions presently in use by Whitehall departments. The other technology, a legacy system known as the Government Gateway that was introduced in 2001 to allow businesses and agents to identify themselves for access to Whitehall services, is presently in the process of being redeveloped by HM Revenue and Customs (HMRC).
The department, which took over management of decommissioning the existing system from the Department for Work and Pensions (DWP), has said a replacement gateway technology will support business, agency and individual users from 2018.
At first, HMRC noted that other departments would continue to have to use Verify to ascertain the identities of individual users at the behest of the Cabinet Office, with the gateway handling their businesses and agency needs.
Yet the department has now explicitly backed using the GDS ID platform too, saying it viewed Verify as the "single identification service for individuals".
"The authentication service that HMRC is developing to replace the Government Gateway will complement the existing Verify service for business representatives," said the department.