Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023 Debate
Full Debate: Read Full DebateLord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Cabinet Office
(1 year ago)
Grand CommitteeMy Lords, I am glad to see the noble Lord, Lord Stevenson of Balmacara, and others, and I echo what he said about our constructive discussions in 2014-16. I am also pleased to see my noble friend Lord Camrose championing intellectual property, as we try to do, and to see him accompanied by my noble friend Lord Evans of Rainow in his new position as Cabinet Office Whip.
The Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023 are an important part of this Government’s commitment to strengthen the use of data and information across the public sector. We are bringing these forward so we can deliver better and more joined-up services and, in turn, improve outcomes for our citizens.
The regulations aim to allow information sharing between named bodies for the specific purpose of supporting cross-government identity checking when it is needed. Verifying a user’s identity—ensuring that a person is who they say they are—is a key part of delivering many government services. The draft regulations enable this by establishing a new data-sharing objective under Section 35 of the Digital Economy Act 2017 and by setting out which public bodies may use the new objective. This will create a legislative gateway, enabling us to use existing data sets, which public bodies already hold, to help as many people as possible to access the government services that they need online. It is therefore central to the development of more inclusive and accessible systems.
Specifically, the proposed objective would unlock the full benefits of the new cross-government digital system known as GOV.UK One Login. This is now live; users are able to set up an account, log in and prove their identity in order to access an initial set of 24 government services, with more being added all the time. However, at the moment, users must have photographic documentation, such as a passport or driving licence. This will change following the introduction of the new objective, as it will unlock new ways for people without photo ID to prove who they are, opening up the system to more users.
The delivery of One Login is a step change in simple joined-up access to government services online. This, in turn, delivers substantial cost and time savings for the Government and users by reducing duplication and providing enhanced capability to identify and stop fraudsters. In summary, the proposed objective will, first, enable checks against existing government-held information, such as PAYE and benefits data, to build confidence in the user’s identity, which will be particularly key where service users do not have a passport or driving licence. Secondly, it will provide a specific legal framework for checks against documents currently used in identity verification, such as driving licences. Thirdly, it will enable the sharing of the results of identity checks performed by one named body with another, so that users need to prove their identity only once.
The draft regulations set out which of the bodies already listed in Schedule 4 to the Digital Economy Act can use the new identity-verification data-sharing power, such as HM Revenue & Customs and the Department for Work and Pensions. They also add four new public bodies to the schedule that will be able to use the power: the Cabinet Office, the Department for Transport, the Department for Environment, Food and Rural Affairs and the Disclosure and Barring Service.
The public bodies listed in the regulations are either bodies that hold information that could be used in support of proving that someone is whom they say they are or those that own and manage services that people need to access, which they therefore need to receive the results of identity checks. Of course, some public bodies do both.
The territorial extent of the draft regulations is England, Wales and Scotland. The Information Commissioner’s Office and the devolved Administrations support the draft regulations, and indeed the Scottish and Welsh Administrations have requested that certain Scottish and Welsh bodies be included in the draft regulations to enable them to use the new data-sharing power—so it is devolved friendly.
I am sure noble Lords will be pleased to know that these draft regulations have been subject to the standard rigorous processes of internal and external review. In the first instance, the objective has been subject to scrutiny by the Public Service Delivery Review Board, as set out in the underpinning code of practice on public service delivery, debt and fraud of the Digital Economy Act 2017. The board recommended that Ministers take forward these draft regulations since they meet the required criteria of supporting the improvement, or targeting, of public services to individuals in order to enhance their well-being.
Furthermore, the objective has been subject to a public consultation, which received more than 66,000 responses. Some respondents recognised the benefits to individuals of improved and more inclusive services. Some mistakenly expressed concern that this was a back-door route to identity cards. Therefore, in response to the consultation, the Government confirmed that they have no plans to introduce mandatory digital ID or identity cards. We also published additional information on how GOV.UK One Login will operate within these regulations and within the overall data protection framework. We extended the time between the regulations being approved and coming into force, and we amended some of the wording to reflect that of the Act. Of course, the Government understand that people want to protect their personal information and this is central to our approach. The draft regulations relate to using data only for the purpose of identity verification.
Part 5 of the 2017 Act gives the Government powers to share personal information across organisational boundaries to improve public services. It lays down what data can be shared and for which purposes. Data sharing must also have regard to the accompanying statutory code of practice on public service delivery, debt and fraud, which sets out how the power must be operated, including how any data shared must be processed lawfully, securely and proportionately in compliance with data protection legislation and UK GDPR.
The Digital Economy Act statutory code of practice on public service delivery, debt and fraud also requires information-sharing agreements to be listed on a public register of information-sharing activity under the powers. The framework for data sharing under the DEA provides a supportive background to help organisations to share data in ways that benefit the public, as confirmed by the Information Commissioner’s Office in its recent review. It includes robust safeguards that ensure that organisations share data responsibly and in alignment with data protection principles, while also safeguarding people’s rights.
I think these regulations are relatively straightforward and important, and I hope that colleagues will join me in supporting them.
My Lords, it is good to see the Minister move seamlessly from intellectual property to digital and data, but both can sometimes create their own questions. Since this is the first time we have debated One Login in the Lords, I hope that the Minister will not mind if she gets a large number of questions about the scheme. As I understand it, the goal of the One Login programme is to create a log-in database owned by the Government and containing the verified names, addresses, dates of birth, phone numbers and email addresses of everyone who uses—eventually—all Government-owned digital services, which is likely to be everyone in the country.
Perhaps unfairly, I have always thought of One Login with some scepticism, as the son or daughter of Verify, and not in a good way. The cost of the failed Verify scheme was over £200 million. It would be very useful as part of this debate to hear the cost of OneLogin so far and how much more is budgeted to be spent on its rollout. It does seem strange that the Government are having another crack at a single verification system, given the many other trustworthy existing systems that could be adopted.
First, I think it worth mentioning what the Secondary Legislation Scrutiny Committee said in its 55th report in October. I think it was rather baffled and scathing at the same time:
“This is a classic example of an Explanatory Memorandum … with too narrow a focus”.
I think it felt it was being bounced to some extent, without the context in which One Login was going to be designed to work. It said:
“We therefore request that the Cabinet Office revises its”
Explanatory Memorandum
“to include sufficient background information to enable any reader to understand the legislation’s practical effects”.
I suppose I am lucky in that I followed the gory progress of Verify through to One Login and the current date. I have some idea of the purpose behind One Login. As I understand it, the principal effect of these regulations is to allow the Government to share data for the purposes of identification. The SI does not restrict those flows of data; data can flow into the Cabinet Office as envisaged but identity data can also flow from the Cabinet Office to any other listed department. I hope that the Minister will be able to confirm that.
Will the Government allow population databases to be copied, whether openly or not? The revised Explanatory Memorandum is silent on this, and it is unclear if this assurance from the Government’s consultation response will be delivered. The response said:
“In particular, information will set out which departmental services are using identity verification services to support delivery and which will provide data to help departments establish who a person is”.
Will that actually happen? Will there be that level of transparency? There are apparently no safeguards on sharing bulk data if the Government want to share for this purpose across government. What transparency will there be if and when this takes place?
There is then the question of for whose benefit One Login really is. Is this a “better login to government” project, which many people might applaud, or is it a “one identity to government” project? The answer at the moment appears to be the latter. I say this because medConfidential, which I thank for its briefing, reports that a
“meeting held during the consultation was told that the Government’s intent is to actively prevent individuals from having multiple login accounts. A person may be able to have multiple email addresses— indeed, they may already do—but Government would attach them to a single ‘identity’. This regulation allows that database to be shared in bulk”.
Not to put too fine a point on it, that turns One Login into a tool of a centralising state—with implications for the privacy of the citizen—which the Government have previously assured us many times they were not building. I would therefore be extremely grateful if the Minister described the reality of One Login, as well as its purpose and operation.
At a roundtable on the consultation, the Government Digital Service apparently said that the regulation’s “first use is One Login”, which suggests there will be a second use. It is unclear to us to what extent the DWP will embrace One Login for government, for universal credit, for HMRC’s services, or indeed for the MoJ’s digital courts. What commitment from government departments and agencies is there? I can see that they are all listed, but Verify fell down precisely because of the lack of commitment from many government departments. What about the identities, too, of public servants? Will they be able to have multiple identities as both citizen and employee? What is the reality of that?
Let me understand this. In effect, data is being shared across departments so it is not simply a way of having a wallet, if you like, within the Cabinet Office that then gives you a clear identity for the purposes of accessing government services across government; it is a question of sharing that identity data across government departments. It is data sharing in bulk across government departments.
It is data sharing for the purposes of digital identity. Ultimately, by April 2025, we hope to have approximately 145 central government services that can be accessed via One Login. It is a mistake to think that this is somehow going to be used in the bulk way that the noble Lord describes. It is about identity checking, not collecting huge amounts of data for use in a Big Brother sort of way; the noble Lord may have misunderstood this. Users can delete their account at any time. I think that the noble Lord’s concern is perhaps misplaced.
While I am on the subject of benefits to the individual, there is an example that I would like to share with the committee; it reflects a question that I asked. Sometimes, married women have two different names. I am in that lucky, or unfortunate, position. We understand that some users will need or want to use multiple accounts, so users can already set up multiple accounts on One Login using different email addresses that can relate to different names. From next year, we plan to allow users to link accounts under the same verified identity. The noble Baroness, Lady Chapman, asked us to look through the eyes of the individual. This is one of the things we have been trying to do in this programme, learning from the past.
The difference is that, at the moment, you tend to have to provide a passport. It is difficult to log in to some of these services without a passport or a driving licence. In future, as I made clear in my introductory remarks, it will be possible to use different sorts of identity data and to have a system within government that allows us to do that. That will have the effect of making it easier for more people who are finding establishing their identity difficult without encouraging a lot of identity fraud, which is obviously another concern that one has to take account of in putting these systems together.
I entirely appreciate the Minister taking the trouble to talk us through this. The question is: for whose benefit is this? Is this so that government departments can identify somebody right across the board, so that you can have only one identity in government and so that the Home Office will share data with universal credit and every other department that interfaces with an individual? Is that the idea of this One Login? Or is it possible to have more than one digital identity?
One obvious benefit is that more and more government departments are using digital. The technology is transforming our lives, after all. Once you have this single digital identity, you will then be able to use it to access services and opportunities from other government departments as well. That is the point: the digital identity will be used across the board. That is helpful to individuals. I should add that a document is published on GOV.UK outlining what data is being used by One Login. I think it is worth noble Lords looking at that.
The noble Lord, Lord Clement-Jones, rightly asked a question about cost—something we always used to ask about in our previous debates. The One Login programme’s total budget for 2022-23 to 2024-25 is £305.4 million. Of this, the programme forecasts expenditure of £132.7 million on the development and rollout of the system by the end of the current financial year.
The noble Lord mentioned the Explanatory Memorandum. We did indeed make some changes, as he acknowledged, to the Explanatory Memorandum, which was made available to the SLSC, to provide a clearer explanation of which part of the law the instrument is changing and why. He mentioned that the revised Explanatory Memorandum was laid on 2 November, and provided more contextual information. In particular, it explained that the SI provides the statutory basis for specified public bodies to share data in order to verify an individual’s identity in a safe and secure way so that they can access public services online, and that duplicative systems are being replaced with a single account. This is an obvious benefit.
The SI will also enable the GOV.UK One Login to draw on a broader range of government-held data sources when users need to verify their identity. That is an important point, because it is difficult for people who do not have a passport or a driving licence under the current system.
We are committed to being open and transparent by making information about data shared under the Digital Economy Act easily available for all to find and understand in the public register of data-sharing agreements. That was one of the safeguards laid down in that Act, so we have obviously taken that on board. That is an important point of transparency.
This is also underpinned by a robust code of practice—I have read it—which was created by Section 43 of the DEA. That sets out how the power must be operated, and includes setting out how any data shared under this power must be processed lawfully, securely and proportionately, in line with data protection legislation. We therefore have the DEA and data protection legislation coming together to allow us to implement this, hopefully life-changing, bit of technology in a way that protects the citizen. Obviously, the Cabinet Office is responsible for maintaining that register, and the Public Service Delivery Review Board is overseeing strategic consistency.
We have not seen that many regulations made under this Act—I think there was one on social care before—but we can see the value of the Act and the safeguards that Parliament added to it coming through.
On voter registration, the noble Baroness, Lady Chapman, raised a very good point, to my mind. I will have to follow up in writing. Fundamentally, as she said, these regulations will enhance the user experience. Despite many improvements over the last few years, today’s experience of interacting with government is too fragmented. We have multiple logins, and we are repeatedly asked the same information, which sometimes one has recorded on the phone—and sometimes recorded wrongly, as I know from my own experience. This is the same for everyone trying to access government. One Login will replace this with one system; we are used to this on our phones and so on, and there is a lot to be said for this new arrangement. We will have better data sharing to help those people without traditional forms of ID to access the services online that they need.
I hope noble Lords, having heard the benefits of the regulation—
My Lords, I am sorry to interrupt the Minister as she comes to the final furlong, but the question of oversight raised by the noble Baroness, Lady Chapman, and by me, and the standards that will apply to this system, are extremely important.
Given the time, I will take that away, along with the voting point, if I may. I drew attention to the code of practice and the parent Act; we have every intention of following the principles, but the point about review and oversight is well made by the noble Lord, as always. I will come back to him on that point.
I am sorry that I have not been able to answer every question on the login area. I can introduce noble Lords to my honourable friend in the other place, Alex Burghart, who has spent a great deal of time developing these regulations. The point is that these narrow regulations before us today are a necessary enabler for this major change for the citizen. I hope that noble Lords, having heard the benefits, will join me in supporting the draft regulations. I commend them to the Committee.