The UK's Data (Use and Access) Bill (the DUA Bill) was published on 23 October 2024. It replaces, and closely resembles, the Data Protection and Digital Information (DPDI) Bill, which did not complete its passage through the last Parliament. Part 2 of the DUA Bill sets out the regulatory framework for the provision of digital verification services (DVS) in the UK. With these provisions, the government aims to increase acceptance of digital identities across the UK by enabling:
- DVS providers to get certified against the government’s framework of standards
- Users to recognise trusted DVS providers, and
- Digital identities and attributes to be used with the same confidence as paper documents.
DVS trust framework and supplementary code
The DUA Bill requires the Secretary of State (SoS) to publish a DVS trust framework setting out rules for providing DVS. This framework may be supported by "supplementary codes", which set out additional rules concerning the provision of DVS. These rules may include (among other things) stipulations as to the conduct of a person who provides such services, and may be tailored to the additional requirements of particular sectors or use cases.
The Bill also sets out key requirements for developing and maintaining the framework and any supplementary codes. Each of these:
- must be developed in consultation with the Information Commissioner and any other entities the SoS considers appropriate
- may set out different rules for different DVS
- must be annually reviewed and may be updated based on the review findings.
The SoS may withdraw a supplementary code 21 days after publishing a determination to this effect.
DVS register
The DUA Bill requires the SoS to establish and maintain a public DVS register listing certified DVS providers. The SoS can set:
- the form and manner in which applications for registration, supplementary notes and amendments to the register would be made, and
- the fee structure for DVS registration and related processes (including applications for registration, supplementary notes and amendments, and continued registration on the DVS register).
How can DVS providers be added to the register?
To be added to the register, a DVS provider must:
- hold a certificate from an accredited conformity assessment body certifying that the DVS are provided in accordance with the DVS trust framework
- have applied to be registered for one or more of the DVS for which they hold a certificate, and
- have complied with the registration requirements and paid the fee payable, as set out by the SoS.
Once added to the register, a DVS provider may apply to add a supplementary note to it recognising that they are providing services in accordance with a supplementary code. A provider may further apply for such an existing supplementary note to be amended to include additional services.
In both cases, the DVS provider must hold a certificate from an accredited conformity assessment body certifying that the relevant DVS are provided in accordance with the supplementary code, comply with any other application requirements imposed by the SoS, and pay the applicable fee.
SoS's rights to refuse/remove registration
The Bill sets out circumstances in which the SoS must, and others in which the SoS may, refuse to register a DVS provider or remove a DVS provider from the register.
The SoS may refuse to register a DVS provider on national security grounds, or if satisfied that the provider is failing to comply with the DVS trust framework. Once registered, DVS providers may be removed by the SoS in the circumstances set out below.
The SoS is required to remove a DVS provider from the register if the provider:
- asks to be removed
- ceases to provide all of the DVS for which they were registered, or
- no longer holds a certificate from an accredited conformity assessment body certifying that at least one of those DVS is provided in accordance with the DVS trust framework.
Further, the SoS may also decide to remove a DVS provider from the register if:
- they are satisfied that the provider is failing to comply with the DVS trust framework when providing one or more of the DVS in respect of which the provider is registered
- the provider has a supplementary note included in the DVS register and the SoS is satisfied that the provider is failing to comply with the supplementary code to which the note relates when providing one or more of the DVS recorded in the note
- they are satisfied that the provider has failed to provide information requested by the SoS, or
- the SoS considers that it is necessary to do so in the interests of national security.
The SoS is required to amend the register to remove services that a registered provider:
The SoS also has similar obligations to remove supplementary notes, and services from supplementary notes.
Information sharing between public authorities and DVS providers
The DUA Bill includes provisions establishing an "information gateway" under which public authorities may share information about an individual with a DVS provider, if requested to do so by the individual, to enable the individual to receive DVS from that provider. Disclosure that would breach the data protection legislation is not authorised. Public authorities may charge the DVS provider a fee for sharing the information. Onward disclosure of such information by the DVS provider without the consent of the disclosing public authority (other than for the purpose of providing DVS to the individual) is prohibited.
The SoS is required to publish a code of practice about such information sharing, which public authorities will have to consider when sharing information with DVS providers. This code will be consistent with the Data sharing code of practice published under section 121 of the Data Protection Act 2018.
Trust marks
Registered DVS providers will be able to display a 'trust mark' so that the public can recognise them. If a trust mark is used by a person who is not a registered DVS provider, the SoS may bring civil proceedings for an injunction (or, in Scotland, an interdict) against that person.
Operation of the DVS regulatory framework
The SoS will have the authority to require an accredited conformity assessment body or a registered DVS provider to provide information that the SoS reasonably requires in order to exercise their functions.
The Bill also allows the SoS to make regulations delegating certain functions (other than their regulation-making powers) to a third party, subject to the affirmative procedure in Parliament.
The SoS is further required to publish an annual report on the operation of the DVS regulatory framework.
Impact on immigration
The DUA Bill also contains provisions that would amend existing immigration legislation to allow the SoS to refer to registered DVS providers when making regulations relating to checks made by employers, landlords and lettings agents to verify right to live or work in the UK.
Completing the prescribed checks gives employers, landlords and letting agents a statutory defence against a civil penalty if they are found to be employing, or renting to, individuals who do not have the required immigration status.
Further, the Bill will allow the Home Office to require employers and landlords who use identity document validation technology to carry out their right to work and right to rent checks to do so through a registered DVS provider. Overall, however, the Bill does not introduce mandatory digital identity requirements. The government has clarified that using digital identification will be voluntary, and that people will still be able to prove their identity using physical documents if they prefer. The government has also confirmed that it has no plans to introduce national digital ID cards.
Key aspects of the new proposed trust services regime under the DUA Bill
Trust services, which include electronic signatures, seals, time stamps, delivery services, and website authentication certificates, are currently governed by the UK eIDAS Regulation, and are supervised by the Information Commissioner.
The Bill expands on the current regime by:
- allowing the Information Commission (as the Information Commissioner's Office will become) to accept reports from accredited conformity assessment bodies in the European Union when granting qualified status to UK trust service providers; the SoS may withdraw this recognition if they consider it is no longer appropriate
- enabling the SoS to make regulations to recognise services provided by overseas trust service providers, provided such services meet UK reliability standards
- enabling the SoS to make regulations to recognise specified electronic seals and signatures provided by non-UK-based trust service providers (for the use of online public services) as equivalent to ones that meet certain standards in the UK eIDAS Regulation, and
- allowing the SoS to designate certain overseas regulators or supervisory bodies with which the ICO can collaborate for effective regulation or supervision of trust services.
What next?
As with much of the DUA Bill, the parts of it dealing with DVS and trust services are dependent on the introduction of secondary legislation. There is no indication as to when that might be published or about the detail it will contain. The DUA Bill lays the foundations for the framework but there is much detail to be filled out.