Challenge 9.7

Why does this Challenge need to be solved?

At present, Identity Verification in the public sector is done in a piecemeal, siloed way, with many different organisations carrying out their own checks in different ways using different documentation to meet different standards with limited real understanding of what constitutes good practice.

But what if we could create a single approach, appropriate for all the multiple organisations and use cases across the public sector?

The work being done in the Digital Directorate on ScotAccount seeks to redress that by introducing central standardised processes based on the UK governments Good Practice Guides (GPG) 44 and 45. GPG 45 sets out how to carry out Identity Verification checks using biometric checks against official documentation and/or knowledge-based questions based on an individual's credit file.

A recent Experian report, however stated that, “More than one million (1.2) consumers in the UK, with ‘thin file’ credit reports, have few options when it comes to accessing finance, according to Experian research.

Thin file credit reports are when consumers have a limited credit history which can make it difficult for them to get credit or be approved for a loan.”

This difficulty is also felt when those individuals try to prove their identity using knowledge-based questions and answers.

Reliance on possession of documentation to allow a biometric comparison to be carried out fares even worse. A parliamentary report into voter ID recently found,

“Limiting acceptable ID to passports and photographic driving licences would see potentially 11m electors, or 24% of the electorate, without acceptable ID”. This leaves a significant proportion of UK residents with difficulties in accessing services online which rely on either of the standards-based methods for identity verification.

Vouching is described as, “confirm that someone is who they say they are or that they are of good character”.

To vouch for someone, requires a level of trust to exist already. The extent of this trust is used as part of a process to establish a verified identity. The idea has always existed and is fundamental to human exchange and communities however the capability to “vouch” for another person to establish a digital identity is less developed.

Vouching has the potential to make use of existing relationships to help people that aren’t already able to access government systems to do so. This supports greater access to public services and strives to include people that are easily ignored by existing service capabilities.

Dignity and human rights are improved by making use of trusted relationships outside of existing digital services and systems for instance those related to cultural, community and placed-based relationships a person may hold.

How will we know the Challenge has been solved?

A previous UK government ID scheme GOV.UK/Verify’s success rate for identity verification is disputed but generally accepted to have been around 50% but may have been as low as 38% for some Universal Credit applications. If we can introduce a standardised, secure and trusted way for vouching to be introduced, we will enable previously excluded parts of society to have easy access to online information and applications, significantly contributing to the reduction of poverty; the respectful treatment of service users regardless of their backgrounds; the establishment of empowered and resilient communities; and many other contributions to the National Outcomes contained within the National Performance Framework.

Who are the end users likely to be?

The aim of the service is set out in Scotland’s Digital Strategy.

As described by the Open Identity Exchange : Digital Vouch with Photo - an OIX Proposal – 12 July 2022 - General area - OIX (openidentityexchange.org), there are many circumstances where users cannot readily prove who they are in order to obtain a Digital ID.

For example, where:

• there is no comprehensive central government record for all citizens,

• the enrolment process for Digital ID is through digitisation of pseudo ID documents, such as passports or driving licences, which not all citizens have.

• evidence of an individual’s existence in databases, such as credit databases, is relied upon as part of the proofing process

• the possession of a bank account is a key factor in ID enrolment.

The OIX ID Inclusion & Data Sets Project Report - September 2021 - General area - OIX (openidentityexchange.org) also includes within this group, those who cannot get a digital ID due to digital accessibility. Individuals without such information are described by OIX as being “ID Challenged”. OIX has identified that in the UK around 11% of the adult population are ID Challenged.

In other counties with lower passport and driving licence holding rates, and no “positive’ credit databases, this may be much higher.

Vouching is a process to bring the ID Challenged into the Digital ID Ecosystem. This process involves a person who is already trusted legally, vouching for another individual they have known for some time.

In the UK for example, the Digital Identity and Attribute Trust Framework supports the use of vouching. The use of vouching is currently limited to two parts of the proofing process:

• Evidence gathered from disclosure to accept a vouch as evidence of someone’s identity;

• Activity history, a check that the claimed identity has existed over time.

Has the Challenge Sponsor attempted to solve this problem before?

At this time we are not aware of anything in the existing marketplace.

Are there any interdependencies or blockers?

GPG45 Standards

Currently, guidance around vouching restricts its use to certain elements of the identification process as set out here

How to accept a vouch as evidence of someone’s identity - GOV.UK (www.gov.uk),

and restricts those who can vouch for others to defined occupations as set out here -

Who can vouch for someone’s identity - GOV.UK (www.gov.uk)

We want to understand how technology could not only enable these defined interactions to take place and form evidence towards the creation of a digital identity but also whether those trusted community relationships could extend the list of those able to vouch and/or the extent to which vouching could be used for other elements of the identity process, such as verification.

Will a solution need to integrate with any existing systems / equipment?

The solution will need to integrate with the existing ScotAccount solution. Our design philosophy has been to create and utilise discrete components that can be ‘plugged’ together creating an IDV service.

We anticipate that any proposed solutions would need to access systems/services that would ensure the individual vouching is able to do so.

Is this part of an existing service?

Yes. This will need to integrate to ScotAccount.

Any technologies or features the Challenge Sponsor wishes to explore or avoid?

No, however many of the reasons why people struggle to access services relate to digital skills or lack of access to modern devices, reliable connections or quality home broadband.

What is the commercial opportunity beyond a CivTech contract?

The difficulties individuals face in accessing services is not restricted to those in the public sector and vouching could be a means of helping individuals open a basic bank account as an example.

Who are the stakeholders?

• Digital Identity team

• Those involved in use cases for instance Health Digital Front Door or Social Security Scotland

• Third party commercial services

As well as

• Government Digital Service (GDS)

• Partners from technical architecture teams to the Scottish Government

Who’s in the Challenge Sponsor team?

Digital Identity Service, Scottish Government

What is the policy background to the Challenge?

What is the policy background to the Challenge?

• The Scottish Government Digital Strategy (2021) commits to introducing a digital identity service, providing users with a safe and secure way to prove their identity when applying to public services, while reducing time and cost for the public sector. 

• The first live trial version (private beta) of the new digital identity service, called ScotAccount, was launched at end February, in partnership with Disclosure Scotland.  Users are creating their secure ScotAccount and verifying their identity, in order to access the results of their Protection of Vulnerable Groups (PVG) checks. 

• A digital identity service, accessible and designed around the needs of users, is a priority common platform for high quality public services in Scotland. 

• ScotAccount adopts a best practice standards-based approach, embeds the Scottish Approach to Service Design, applies extensive user testing and draws on the outputs from deliberative public engagement.  This also applies core principles of privacy protection, transparency, and trust.

This aims to deliver benefits of consistency across multiple providers; reduce identity theft and fraud; apply best practice standards for privacy protection under users’ control; is more convenient and more efficient; and reuse means users don’t need to repeat the same processes across multiple services, and public services don’t need to build from scratch or repeat checks done elsewhere.