Beta framework released and first certified providers announced

UK Digital Identity and Attributes Trust Framework (DIATF) Beta Version - what has changed?

Following feedback from the alpha testing phase, the following changes have been made to create the Beta version of the framework, which was published last week. The key changes are as follows:

• Roles - the three main role types (identity, attribute and orchestration service providers) have been given sub-roles in order to further clarify how operators may identify their particular roles and responsibilities under the framework.

• Relying parties - further information has been provided on how flow-down terms from providers, will apply to relying parties.

• Fraud management - more explanation has been included on the existing requirements for fraud management solutions, along with some new requirements, designed to support organisations.

• Schemes - as schemes are only in the very early stages of development, the framework has been adjusted to reflect that providers can only join the framework through independent certification bodies at the moment, rather than through a licensed scheme—this will be proactively monitored as schemes develop, and is subject to change.

• Biometrics - strengthened requirements have been included to test any biometric technologies used by providers, to an industry standard.

• Data Schema - an overarching data schema will be offered, to allow consistency within different approaches to data exchange, whilst re-maining technology agnostic. It is not mandatory, but will enhance interoperability.

• Working within the market - it is no longer mandated that providers can only share data with other trust framework participants. Providers must instead, share information on the services used in their supply chains, as part of their certification.

• Inclusion monitoring - as part of the certification process, an “inclusion monitoring report” should be included as a reporting tool to further inform and monitor inclusion levels across the market. Details of what this involves will be provided by the certification bodies directly.

• User agreement - user agreements should be obtained for how personal data in digital IDs and attributes will be shared and disclosed.

• Good Practice Guide 45 - further details around how to gauge alignment with the GPG 45 has been provided in the guidance for clarity.

• Data Protection Impact Assessment - a DPIA will be published in due course to articulate how the privacy of citizens data is protected at the level of the framework.

• Alternative pathways - there is now a requirement for providers to allow users to re-take or retry an identity check in the case of a check fail, without compromising on the level of confidence (in the case of a transposition error for example), this is only in the event that there is no suspicion of fraudulent activity.

• Trust Marks - The Department for Digital, Culture, Media & Sport (DCMS) will maintain a list of certified organisations, but will no longer is-sue trust marks.

• Liability - clarification has been provided around liability within the framework.

The Beta testing phase will now begin, details on how organisations can take part will be published in due course. To read about this in full, please click here.

On the 13th June 2022, the Beta version of the UK Digital Identity and Attributes Trust Framework (DIATF), was released by the government. In addition to this, the list of certified digital identity service providers (IDSPs) has been published.

Certified IDSPs

The list of certified IDSPs has been published, and will be added to as more organisations achieve certification.

To see the current list, please click here.