Digital ID: Public Consultation Debate
Full Debate: Read Full DebateDepartment: Leader of the House
Lord Clement-Jones
Main Page: Lord Clement-Jones (Liberal Democrat - Life peer)Department Debates - View all Lord Clement-Jones's debates with the Leader of the House
(1 day, 8 hours ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Earl of Courtown (Con)
My Lords, this Statement was delivered just one week ago and has already run into some serious difficulty. Reports in the press suggest that both the Health Secretary and the Education Secretary have made it clear that their departments will not provide some of the data required for the scheme. If that is correct, it raises a fundamental question: can this policy get off the ground?
The Chief Secretary to the Prime Minister announced that the Government sought to introduce a digital ID system that would allow individuals to log into the GOV.UK app to verify their identity. He said that
“unlike an ordinary login, digital ID will work across different departments … so you can access all of the services you need in one place”.
Yet it now appears that health and education—two of the areas where one might reasonably expect such assistance to be most useful—may not be included at all. The Chief Secretary stated that
“digital ID will, over time, bring all other public services into one app”
on your mobile phone. If that is the ambition, these reports raise serious questions about whether the Government’s own departments are prepared to make that vision a reality.
This proposal raises serious questions about accessibility. Noble Lords will know that when government services move online and on to apps, they do not always become simpler or easier to use. Often, the opposite is true. These systems can take years to refine. The user experience can be poor and tasks that were once straightforward become frustratingly complex. Take, for example, the process of verifying an identity with Companies House through the GOV.UK website. What would once have been completed in minutes can now take much longer, as users work their way through help pages, chatbots, online forms and endless CAPTCHA boxes. The current state of the Government’s digital infrastructure does not inspire great confidence that this scheme will deliver the outcomes Ministers promise.
If the ambition is to move large parts of the state on to a single digital platform, the issue of digital exclusion cannot be ignored. We can already see this in practice. Many now struggle to use the NHS app. Increasingly, patients must complete online forms or digital triage systems before they can book a GP appointment, resulting in delays in access to care.
We on these Benches also harbour concerns as to whether the system will truly remain voluntary. The Chief Secretary said:
“For those who really do not wish to, traditional routes will … still be made available”.
This assurance ignores that some people will genuinely struggle to use the new system rather than just being refuseniks. It is also unclear what this means in practice. The Chief Secretary did not guarantee that traditional routes will remain available to the same extent that they are today. People will naturally worry that, over time, this could lead to a real-term reduction in those routes, with fewer alternatives for those who cannot or do not wish to use the digital system.
I ask the Minister for clarity. Can he confirm that this policy will not result in any reduction in access to public services for those who either cannot or do not wish to use the digital ID system? Can he also confirm that the introduction of this scheme will not lead to any reduction in the availability of existing processes in departments or services that adopt this digital ID route?
I turn to the GOV.UK One Login system. How many public services now require systems to use GOV.UK One Login as a mandatory gateway rather than an option? How many of the National Cyber Security Centre’s 39 cyber assessment framework outcomes does One Login currently meet, and which does it not?
Can the Minister also say what whistleblowing concerns have been raised since 2022 about security clearances, administrator access, overseas development and undetected red team intrusions? What security incidents have occurred? Has any personal data been compromised?
These questions were asked in a UQ in January. I am concerned by the lack of detail in the Minister’s response. I hope the Minister can reply more fully this time. If not, I hope he will write to clarify these points.
I appreciate that the Government have opened a public consultation, but these questions are immediately obvious to us—and, I hope, to the Government. I look forward to the Minister’s response.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for this opportunity to respond to last week’s Statement and, indeed, for his personal engagement with us at that time.
The Chief Secretary told the Commons on Tuesday that he was continuing the proud Labour tradition of building public services for the many. He invoked the NHS, the Open University and Sure Start. It was a stirring lineage. But there is history he omitted: Verify, which wasted over £220 million; GOV.UK One Login, for which the Cabinet Office sought up to £400 million; and now this national digital ID, which the OBR estimates will cost £1.8 billion over three years. This, indeed, is Verify 4.0.
The Government have confirmed that possession of a digital identity will not be compulsory. We on these Benches opposed mandatory digital ID at every turn, and I am pleased to say that the Government have listened. My honourable friend Lisa Smart MP pressed the Chief Secretary directly in the Commons last week and received his wholehearted assurance. He continued to claim that using digital ID will be entirely optional. So, I ask the Minister in this House, will the voluntary character of this scheme be placed in the Bill the Government intend to bring forward later this year? How can we trust any Government on how personal data, once surrendered to the state, will actually be used?
Earlier this month, this House considered an amendment to the Crime and Policing Bill, tabled by my noble friend Lady Doocey, which sought to prohibit police from using DVLA driving licence images for facial recognition searches. The DVLA holds over 55 million records. Every driver provided their photograph for one purpose only: to hold a driving licence. They did not consent to their image becoming part of what Liberty has rightly described as the largest biometric database for police access ever created in the United Kingdom. Yet the noble Lord, Lord Hanson of Flint, the Home Office Minister, did not accept the amendment and confirmed at all stages that the express purpose of Clause 138 of the Bill is precisely to permit facial recognition searches of DVLA records. So, within a single parliamentary week, we have a Government launching a national digital identity consultation on the basis of assurances about data use, while declining to place in statute the very protections that would make such assurances meaningful. The question is not whether the Government intend that digital ID will become an instrument of surveillance, but whether a future Government could.
The Chief Secretary said that he wants security at least as strong as online banking. That is the right aspiration, but, as mentioned by the noble Earl, GOV.UK One Login, the umbrella infrastructure for this system, reportedly satisfied only 21 out of 39 security outcomes required by the National Cyber Security Centre. Whistleblowers have described vulnerabilities that allow unauthorised access to sensitive functions without triggering any alert. How can the Government justify launching a national identity solution on a platform that fails to meet nearly half the NCSC’s mandatory security outcomes?
In part two of the Fisher review, published in January, Jonathan Fisher KC warned that AI-driven impersonation at scale is now a defining crime of our age and that we must implement upstream measures—stopping fraud at the point of identity issuance, not reacting after a digital identity has been stolen. If our foundations currently satisfy barely half the required security outcomes, how do we deliver the upstream protection Mr Fisher demands?
Will the Government commission and publish a full NCSC security audit before a single citizen is enrolled? Will they introduce an offence of digital identity theft that they, along with the previous Conservative Government, have so far resisted? The consultation proposes a universal unique identifier to link citizens across every departmental silo. Without strict legal guardrails, that identifier is the functional infrastructure of the national identity register that Parliament voted to abolish in 2011, and it is precisely the centralised data honeypot that hostile state actors would most wish to compromise. We need not mere parliamentary approval for services added to the app, but a statutory prohibition on bulk data matching across departments.
In summary, I put four questions to the Minister. First, will the voluntary character of this scheme be placed in primary legislation, with an explicit prohibition on any future mandatory requirement without a further Act of Parliament? In that context, and as the noble Earl has mentioned, how mindful are the Government of the possible consequences for digital inclusion? Secondly, the Home Office’s assurances on DVLA facial recognition mirrored word for word those given by the previous Government. Before the Minister can confirm the opposite, what statutory purpose limitation on digital identity data will be placed beyond the reach of secondary legislation? Thirdly, will the Government provide a statutory guarantee that the universal unique identifier cannot be used for bulk data matching across departments without primary legislation? Finally, will the Government publish an independently verified cost-benefit analysis before the Bill is introduced, and explain why £1.8 billion would not deliver greater public benefit directed to the NHS and front-line policing, for instance?
The Chief Secretary asked what it is that critics fear from a public consultation. We do not fear the consultation; what we fear is a fourth cycle of the same expensive failure, grand ambitions and insecure foundations—a creeping identifier that becomes the digital spine of state surveillance. But what we fear above all is a system whose data acquires uses never publicly intended by its creators. We have just watched that happen in this very Chamber with the DVLA database of images. We on these Benches will support voluntary, secure, properly costed modernisation of public services, but we will not accept warm ministerial words as a substitute for hard legislative limits. We need a state that is not merely digital by choice today but constitutionally prohibited from becoming compulsory tomorrow. On the evidence of this and last week’s proceedings, we are very far from that guarantee.
The Deputy Leader of the House of Lords (Lord Collins of Highbury) (Lab)
I thank the noble Earl and the noble Lord for their contributions. The noble Lord, Lord Clement-Jones, is asking me questions to which, as he very well knows, I am not going to give the answer. That is the whole point of the consultation, and across the Chamber, everyone knows this in reality. We want to ensure that the public can access public services in the same secure way as they access many things in today’s society, including banking. Most members of the public assume that there is this great big database; they assume that their data is being used. The reality is that there are these silos. This consultation is not proposing what the noble Lord, Lord Clement-Jones, and the noble Earl were suggesting. It is not saying, “Let’s create this huge database, which could be vulnerable”. Instead, let us make it easier for the public to access the services that they need.
On the questions about inclusion and accessibility, I met with the noble Lord, Lord Holmes, and his group, and I said that what we want to ensure through this consultation and digital ID system is a much more accessible system. We want a system that is more open to people who have been excluded because they have to produce or send a certain form, ring a certain number, or go through a certain call centre. What we are trying to achieve is greater accessibility.
The question of inclusion also relates to people’s access to the internet. I am sorry that the noble Lord, Lord Arbuthnot, is not here, because I also had a meeting with him. There are strong, legitimate concerns, which is why we are conducting this consultation and why we want everyone in this House to participate in and make a contribution to it. The noble Lord made the same point: where there is exclusion, we can use community-based organisations—including post offices and sub-post offices—in a way that will ensure that people can maximise their opportunities to access public services.
The noble Earl asked me about cost, but there is no cost associated with this yet, because the system has not been designed. The system will be designed following the results of the consultation.
The consultation will not be limited to a certain number; it will be open across the board. We also want to establish a panel. Carnegie UK pointed out, in a letter to the Guardian, that a deliberative exercise in democracy—namely, selecting people randomly through postcodes—can produce a much more effective consultation. However, both approaches will be in what we end up designing.
I come back to this fundamental point. This is not only about how people access public services but about how they can determine the use of their data, so that they can set out when they want their data to be used for a particular purpose. For example, there are times when I might need to establish my ID. As I mentioned to the noble Lord, I occasionally go to a club—a dance club, by the way. If I am asked to produce an ID, I do not want to produce my driving licence because it has my name and address as well as my age—believe it or not, they sometimes do ask me my age. If they want to know my age, I am happy to release that data—but not my address or other things. So this is about how we establish that sort of process and about accessing public services.
In this day and age, for every private sector service we use, we expect to be able to access things. Tesco has more data on me than most government departments do, because it knows what time I go shopping, what I buy and what I favour, and it then sends me emails and messages about that. We have to try to turn away from the view that this is a rigid identity card system that will be on a national database. This is about public services, how people access and use them, and how they can control their data more effectively. I reassure the noble Lord on that.
There will be an initial consultation of 12 weeks, but that could be extended with the deliberative process. At the end of that, we will look at the results, and Parliament will be heavily engaged in that. No legislation has been drafted yet, because we want to see the results of the consultation and the scale of the project. I understand everyone’s concerns about cost, as well as some of the problems we have had in the past, but this is an opportunity to respond to people’s needs and to create more effective public services. Most people expect that from the private sector and we should expect it from the public sector too.