Ashurst Data Bytes 5: How the UK's Data (Use and Access) Act Digital ID provisions could revolutionise our lives

Rhiannon Webster:

Hello, I'm Rhiannon Webster, partner and head of data at Ashurst. Welcome back to our Ashurst Data Bytes Podcast on the Data (Use and Access) Act series. This is the fifth and penultimate episode of this miniseries. Today we're going to do a deep dive into another one of the non-personal data privacy parts of the Act, the provisions relating to digital ID.

Joining me today is Fiona Ghosh, my fellow partner in our Digital Economy Transactions practice in London, and a specialist in all things tech, including leading our AI practice and payments practice at Ashurst.

Welcome, Fiona. Thank you for joining me.

Fiona Ghosh:

Thank you for having me.

Rhiannon Webster:

My first question for you, back to basics. What are digital IDs and attributes?

Fiona Ghosh:

Good question. Digital IDs essentially do exactly what they say on the tin. They take our established paper forms of identification and essentially mean that we can access them electronically. But that actually means we can do all sorts of other clever things with them when they exist virtually.

Rhiannon Webster:

I suppose that leads me on to what's the relevance to the work that you do?

Fiona Ghosh:

Yeah. What we've really had happening over the last ten years or so is a real move towards a systemic ecosystem of digital transformation. We see that in all sorts of sectors. You could take the government wallet that's now being developed under the Date (Use and Access) Act. We've seen that as part of a whole journey for the public sector and digitalisation. We have seen a similar journey in payments, for example, around KYC and AML. Now that those things can be done, broadly speaking, digitally, digital ID will really underpin that on a legal basis to enable much more innovation in the payment space as well. I would expect to see that in all sorts of different arenas and it will affect us individually in all sorts of different sectors. Another great example of that is healthcare. I think COVID was a real driver for this move towards the importance of digital ID.

Rhiannon Webster:

Thanks, Fiona. I thought it might be probably worthwhile for our listeners for me to do a bit of a run-through about what the Data Use and Access Act actually does in relation to these provisions. There's a whole part in the Bill dedicated to it, Part Two. Essentially, it creates a regulated framework for these digital identity providers to operate and government oversight.

There's five markers of those for liability. There's a trust framework, so basically the standards for digital identity and attribute services. We'll touch on this in a bit I think, Fiona. The UK already had a voluntary trust framework since 2021.

Fiona Ghosh:

Yeah, that's right.

Rhiannon Webster:

The year before the DUAA. This seems to have brought it onto a statutory footing.

Fiona Ghosh:

Yeah.

Rhiannon Webster:

There's also supplementary codes, and I think a key word here is that the Secretary of State may, key word being may, publish from time to time. There's talk from the government that there may be the need for specific sector ones, so it'll be interesting to see whether anything comes out in the payment space for that.

There's a register of persons providing the digital verification services. An information gateway, the conditions under which the data transfers can take place to facilitate the digital verification service. And finally, a trust mark with the Secretary of State may, again, another word of may, decide is needed.
I think it's also probably worth making the point is that very similar to lots of the Data (Use and Access) provisions, most of the implementation of this will need to be via secondary legislation. Currently, actually part two, none of part two is in force. It's going to be apparently part of the second wave, which was originally due three to four months from Royal Ascent, which is around now actually. We're recording this podcast in the second week of September. We're expecting some of the provisions of that digital verification to come in force any day. But making my point again, most of it's going to come through secondary legislation.

Fiona Ghosh:

Yeah. When you go onto the government website, they seem to specifically say that they're envisaging DVS service measures to be coming out later this year. I think given that we're already in September, it wouldn't be entirely surprising if we have a short delay. I think the first thing that the UK government are really looking at working out is how you migrate existing providers onto this statutory register.

Rhiannon Webster:

Yeah.

Fiona Ghosh:

There's a little bit of mechanics I think that probably needs to happen first. Yes, I completely agree. I think what is happening here under the regulation is the setting up and establishment of a statutory framework, framework being the operative word.

Rhiannon Webster:

Great. Once all these mechanics have been sorted out, what do you think will be the impact of these provisions once in force?

Fiona Ghosh:

I think the main impact of digital ID will be the enablement for citizens to access services in multidisciplinary ways. What do I mean by that? I mean that you may be able to access some of your benefits physically. You may be able to access other social benefits electronically. You may be able to access some of your healthcare records physically. You may choose to have them electronically. It is that element of choice that I think is the first thing that individual citizens will notice.

But then, I think there are also structural changes that will be enabled by having digital ID. I think essentially digital ID underpins this whole movement towards smart data, which I'm sure you covered in previous podcasts. But the ability to be able to be interoperable around systems is only really lubricated when individuals are verified and that verification is trusted. Digital ID is the lubrication for the smart systems that the government envisages, but it also underpins all of the trust and governance frameworks that need to come with it.

Rhiannon Webster:

Is it worth touching on the history of digital ID in our nation? Because I know that traditionally, we've been a nation of people not keen to have an ID card, for example.

Fiona Ghosh:

Yes. I don't think it's so much the history of digital ID as the history of standardised ID in the UK. I think as an island nation, we've always resisted that, particularly when we looked across to our counterparts. The French have had ID for decades. I think it's always been resisted, and it has been tried by various governments to be brought in and not worked.

I think the difference post-COVID and also the difference with some of the political debate that is now going on has brought the topic of identification and verification, and legitimate rights and access to particular services really to the fore. I think where this framework back in 2021 may have really been accelerated because of the pandemic, it has now really been embraced for a whole host of political and policy reasons.

There has been a systemic shift amongst the way in which I think we as a nation think about ID. I also think that there has been a generational shift towards understanding that identification online is something that is absolutely critical in order to be able to access and exercise your rights as a citizen.

Rhiannon Webster:

Thanks, Fiona. Probably also worth saying that, yes, we have already covered some of this, the smart data schemes provisions which are under the Data (Use and Access) Act, in podcast three of our series, where we compared it with the Data Act in Europe.

I think this is another example of legislation in the UK where we're playing a bit of catch-up. We have the Data Act in Europe, and we're now bringing these provisions in, similar provisions.

Fiona Ghosh:

I agree.

Rhiannon Webster:

Not identical. Then we've got the EU Wallets in Europe and this seems to be, again, a similar, but not the same provision to that.

Fiona Ghosh:

I totally agree. I think also there's a couple of interesting facets around it as well hinged to the historic take of the UK. One of those is I think the government has very, very keenly felt that the move towards becoming digital, particularly around something as critical as ID, mustn't exclude more vulnerable individuals. Those who may not be able to operate a smartphone or have access to the internet, nor necessarily choose to live online. I think that's very, very key.

I think the other thing the government have been very explicit about is not excluding the private sector. Therefore, I think that's the reason why you've not had a parallel shift. It's about wanting to provide the framework, provide the foundation, and lead the way. I think the fact that the Government Wallet will have a driver's license in it, will have veteran ID in it is great and we will start to see that I think in the next couple of years. I think it will be even more useful when it can also hold my passport.

I think the government have been quite mindful about parties that may feel excluded. The physical forms of ID will continue and there is no particular debate about getting rid of those, which I think is important still. I think it will look increasingly like it'll be the private sector that come to offer a lot of those solutions. Again, I think that's a good thing because I think that the pace of technological innovation, and in particular AI, in particular the Metaverse, in particular the digital currencies. These things will be led primarily by the private sector, and therefore it makes absolute sense that they should have a stake in digital verification services.

Rhiannon Webster:

Absolutely. I think it's also worth touching on the regulation of this, too. The trust framework will be managed by the Office for Digital Identity and Attributes, which as you mentioned, Fiona, at the beginning, that's part of DSIT. Having, I would say flicked through the trust framework, it's quite long, it disclaims data protection compliance. That's the bit that I was most interested in. It sets out that signatories to the framework need to ensure their own compliance with data protection laws. It mentions they have a ROPA to use the correct lawful basis, to contact the ICO in case of breaches.

But what it does do is it adds that this Office for Digital Identity and Attributes, so part of DSIT, will need to be notified when the ICO is notified. For example, in the event of a breach.

Fiona Ghosh:

Right.

Rhiannon Webster:

That would be another interesting dynamic of this. Not just in breach notification. You've got a dual regulation from these two regulators. If you're in the financial services industry, then you could have a tri-regulation.

Fiona Ghosh:

That's exactly what I was going to say. More than tri because you might need to notify the FCA, you might need to notify the PSR. The way in which payments will become authenticated, the way in which AML, KYC may happen. It's such an interesting intersectionality of regulators in the space. Particularly when you layer on top the fact that most AI use cases at the moment, particularly in financial services, are around these topics of onboarding, and KYC, and AML. You can absolutely see that you would have AI systems needing to have access to digital verification services in order to be able to create the efficiencies that financial institutions and firms in general are looking for out of their use of AI.

Rhiannon Webster:

I'm just thinking through in my head, because I do a lot of work with finance now on breach readiness, and thinking about all the extra things that we would need to put in if we were to do some breach readiness work. I was also thinking about, frankly, the carnage that could occur if these are not secure. It's the ultimate security breach if this fails.

Fiona Ghosh:

Yes. Also, there are questions of resilience. You move into cloud. If it's going to be financial firms that provide those identification services, they obviously have a whole host of requirements on them. I think the other really linked question, because we've spent a lot of this podcast talking about how we as a nation deal with these topics, is that the big question mark is once my passport will sit within the Gov.UK Wallet, or maybe a private sector wallet, or both. Probably both. How will that be interoperable? How will it allow me to exercise my rights to travel as a British citizen, particularly in a post-Brexit environment? I think that then starts to intersect with trade agreements and all sorts of things, but it really is key.

There's a really interesting debate around citizen expectation. In that, now that we've opened the doors towards this digital verification, individuals will expect, exactly as you say, for those details to be kept securely so that they are then able to be relied on and trusted. Yes, absolutely, security will be key, but individuals will also expect to be able to do things with that identification in that wallet. It really is there's question mark about, great, we've set up the framework. But how do we now operationalise this digital arm that we've now set up?

Rhiannon Webster:

I think I have a final question for you. It's always about future-gazing in this podcast. Do you think that the setting up of this formal system is going to expand the use of digital ID verification and be truly game-changing?

Fiona Ghosh:

I think we're now set on a pathway towards digitalisation. I think my children will find it really bizarre that they have to panic about losing their passports when they're in their 20s and 30s. I think they'll find that really old-fashioned. Even I do now.

Rhiannon Webster:

But we still panic when we lose our passports. I lost my passport in France, I had to spend two days in the embassy.

Fiona Ghosh:

Yeah. Didn't it make you think, "Why on Earth is this not digital and held centrally?" Particularly when I turn up at the border and present my passport in Melbourne, Australia, and they already have it electronically, as well as my fingerprint, and probably my iris, and goodness. So much of our information is held globally that is personal data. My fingerprint is so unique to me. My name might get ... Maybe not mine, there aren't too many Fiona Ghoshs. But lots of people's names might be replicated, but your fingerprint can't.

There is this anathema that we already live in that I think the next generation and the generation after that just simply won't accept. Have we set ourselves on a pathway to that? Yes, I think we genuinely have, and about time, too. But I think it will take a little bit of time for us to see the day-to-day benefits. That passport is definitely a future-gazing, but let's hope not too far.

In terms of the near position that we're in, I think unless there is an extraordinary event, that we will start to see digital ID creeping up on us month-by-month, year-by-year to the point where we will not be surprised that our driver's license is in the wallet. In fact, we'll say, "Oh, thank goodness for that, because I would have lost that one as well."

Rhiannon Webster:

Thanks, Fiona. That was super interesting. Thank you so much for joining me and providing such practical insights. Thank you to our listeners for listening to our podcast. Please do share the podcast with interested colleagues. Look out for our final upcoming podcast on the ct. Thank you, and goodbye.