Data (Use and Access) Bill: A New Register of Digital ID Verification Services

Data (Use and Access) Bill: A New Register of Digital ID Verification Services

On 23 October 2024, the UK Government introduced the new Data (Use and Access) Bill (the "DUA Bill") into Parliament.

In this article, the latest in our series of deep-dives into the Bill's provisions, we will be looking at the Bill's provisions around digital ID verification schemes.

The DUA Bill, announced originally in the King's Speech of July 2024 under the name of the "Digital Information and Smart Data Bill", is somewhat of a grab-bag of assorted data-related provisions, including amendments to the UK's data protection regime, provisions covering smart data schemes and improving access to public sector data for the private sector, digital identify verification services, changes to the structure and functioning of the Information Commissioner's Office, and more besides.

Overall, the Government intends the Bill's provisions to contribute towards three key objectives:

  1. To harness the power of data to grow the economy;
  2. To improve public services and enable and support modern digital government; and
  3. To make peoples' lives easier.

The full text of the Bill as introduced into Parliament is available here, and its explanatory notes may be read here.

Overview

The Bill's provisions on digital ID verification first give Ministers the power to set rules, called the "trust framework", governing the provision of Digital Verification Services ("DVS"); a new statutory register of DVS providers is then created, to which any provider that adheres to the rules and satisfies any other registration requirements can be added. The Bill then creates a power by which any public authority may disclose information about an individual to a registered DVS provider without this constituting any breach in confidentiality or any other duty towards that individual – referred to as the "information gateway".

Trust framework

The Bill requires the Secretary of State to publish a "trust framework" setting out rules governing the provision of DVS, which can include rules as to who can provide those services, and rules governing their conduct.

These rules can be revised and updated periodically, and must be developed in consultation with the ICO, alongside consultations with any other organisations or persons the Secretary of State considers appropriate to consult.

This trust framework is intended to set out the rules governing the provision of DVS generally, irrespective of the particular context or use case. Alongside the trust framework, therefore, the Secretary of State is also empowered under the Bill to publish "supplementary codes" to provide additional rules for specific DVS use cases.

The main trust framework, and any supplementary codes remaining in effect at the time, must be reviewed by the Secretary of State every twelve months.

New statutory register of DVS providers

The Bill then sets out the underpinnings for a new statutory register of approved DVS providers. The Secretary of State is required to establish and maintain the register, which must be publicly available.

Admittance to the register for a given DVS provider will be determined based upon whether that provider has been granted a certificate by a "conformity assessment body" confirming that they are in compliance with the rules set out in the trust framework. Providers seeking to be admitted must also comply with any registration requirements (the details of which are left under the Bill to be determined by the Secretary of State) and have paid the applicable fee which the Secretary of State may levy under the provisions of the Bill in connection with submitting an application.

Once registered, a provider can further apply to list additional services, which they also provide in accordance with the trust framework, on their register entry.

Similarly to the regime for admittance to the register where a provider has demonstrated compliance with the rules in the main trust framework, a provider may also apply to have a "supplementary note" added to their entry on the register, which records that the provider in question also provides a service or services in accordance with one or more supplementary codes.

The Secretary of State is afforded a power under the Bill's provisions to require (by written notice) both conformity assessment bodies and registered DVS providers to provide information to it, where the Secretary of State "reasonably requires" that information to carry out its functions in respect of the DVS register and the trust framework generally.

Conformity assessment bodies

The bodies that are empowered to certify that a provider is compliant with the rules in the trust framework are referred to in the Bill as "accredited conformity assessment bodies".

These bodies are defined in the Bill as being those which are accredited as competent, in respect of assessing a provider's compliance with the trust framework, by the "UK national accreditation body" established under the EU Accreditation Regulation (in the form in which it remains in effect in the UK). The UK national accreditation body is UKAS.

Powers and duties to refuse to register providers or to remove providers from the register

In some circumstances, the Secretary of State may, at his or her discretion, refuse registration of a provider that otherwise meets the requirements for registration, such as where the Secretary of State considers that registering that provider would be contrary to the interests of national security.

There are also circumstances in which the Secretary of State may, in the exercise of their discretion, remove a provider from the register. These include circumstances in which the Secretary of State is satisfied that the relevant provider is failing to comply with the rules of the trust framework or, where that provider has a supplementary note on their registration, failing to comply with the relevant supplementary code. The Secretary of State can also choose to de-register a provider if they have failed to provide information in response to a requirement by the Secretary of State to do so, or where the Secretary of State considers that de-registration is necessary in the interests of national security.

In other circumstances, the Secretary of State is under a duty to de-register a provider – such as where that provider loses its certificate from the relevant conformity assessment body, or ceases to provide all of the DVS for which they are registered.

The Bill also permits the Secretary of State to publish a "trust mark" which can only be used by registered DVS providers.

"Information gateway" – public authority data sharing

Once a provider is registered, the Bill then provides an "information gateway". Under this gateway, where a registered DVS provider is seeking to carry out DVS in respect of a particular individual – that is, to confirm that individual's identity – the provider may request public authorities to disclose relevant information, and those public authorities may disclose that information to the provider without this constituting a breach of confidentiality or of any other restrictions on the disclosure of information.

The only constraints on this route of disclosure are a) where doing so would violate certain provisions of the Investigatory Powers Act 2016, and b) where the disclosure would breach data protection legislation. However, the existence of the "information gateway", and the disclosure power created by it, will itself be a relevant factor in determining whether any breach of data protection legislation would be entailed by the disclosure.

Public authorities will be permitted to charge a fee for making a disclosure to a requesting DVS provider through the information gateway.

The Secretary of State is also required under the Bill to prepare and publish a code of practice in relation to the disclosure of information by public authorities through the information gateway.

Right to work and right to rent checks

Where individuals are required to complete "right to work" checks or "right to rent" checks to confirm their eligibility to work or rent property in the UK, the Bill introduces new provisions into the Immigration, Asylum and Nationality Act 2006 and the Immigration Acts 2014 and 2016 which permit the Secretary of State, when making regulations under those Acts as to how the checks are to be carried out, to require or permit identity verification to be carried out by using registered DVS providers.

Next up

In our next article in the series, we will consider a variety of other notable provisions in the Bill which defy easy categorisation, including the National Underground Asset Register, the creation of a new electronic register of births and deaths, and other miscellaneous provisions governing the use of, or access to, data in various contexts.

You can follow this article series, and access each article in the series as it is published, at this page on our data protection hub.

Katie HewsonKatie HewsonView biography
Joanne ElieliJoanne ElieliView biography
Sarah O’BrienSarah O’BrienView biography
Alison LlewellynAlison LlewellynView biography
Author
Author
Author
Author
© Stephenson Harwood LLP 2025. Information contained on this page is current as at the date of first publication and is for general information only. It is not intended to provide legal advice.