In our 2023/24 Workplan, the DRCF set out plans to conduct joint horizon scanning work into the future of digital identity, exploring how it may evolve in the medium term. This work reflects one of the core purposes of the DRCF - to ensure coherent, informed and responsive regulation of the UK digital economy through member regulator collaboration.
The purpose of our digital identity project was threefold: to pool knowledge and inform discussions between each member regulator’s internal subject matter experts; to add to that knowledge by seeking further insight from external stakeholders; and to further develop our overall understanding of the regulatory issues which might arise from ways in which digital identity and digital wallets might be used in the future.
This article sets out some of our key findings, including on what digital identity is, the insights gained from our research and potential regulatory implications that may arise depending on how digital identity develops.
NB: This is a landscape review based on findings from stakeholder interviews; it is not DRCF member regulator policy.
WHAT IS DIGITAL IDENTITY?
As the world increasingly moves online, digital identities are becoming more common. Whilst the UK does not yet have a commonly used form of digital identity, the Government’s UK Digital Identity and Attributes Trust Framework provides a set of rules for organisations to follow if they want to provide secure and trustworthy digital identity and/or attribute solutions. Furthermore, during the King’s Speech 2024, the Government announced plans for the Digital Information and Smart Data Bill, which will seek to support the creation and adoption of secure and trusted digital identity products.
For the purposes of the project, we based our definition of a digital identity on the UK Digital Identity and Attributes Trust Framework. This describes it as “A digital representation of a person acting as an individual or as a representative of an organisation. It enables them to prove who they are during interactions and transactions. They can use it online or in person”.
Digital identities are often created from “attributes”. Attributes are pieces of information that describe something about a person and can include things like someone’s name, date of birth, or national insurance number - all of which are personal data. A combination of attributes can be used to create a digital identity. These identities could be provided by private companies as a service, or supported by a government scheme.
Digital identity has the potential to deliver a range of benefits, depending on the digital identity model adopted. Possible benefits include an increase in convenience and efficiency; a potential reduction of personal data processing (as digital identity may allow individuals to provide the minimum amount of data necessary for a particular transaction such as proof that they are over 18, rather than their entire identity every time); an increase in accessibility and inclusion; and environmental benefits, if companies maintain fewer overlapping sets of data. Many of these benefits require further research and exploration. It is also important to note potential risks, including security concerns, risks of misuse of data, and digital exclusion. There may also be issues present in the technologies that might underpin digital identity, such as AI and biometric identification.
KEY FINDINGS
The following themes were identified through our stakeholder engagement. They represent the key factors identified as influencing the future development, use, and deployment of digital identity technology across various sectors within the overlapping areas of interest of the DRCF members.
Future development of the technology and markets
Our research indicated that there were several uncertainties which may shape the direction in which digital identity develops:
Trust, interoperability and standards
There was consensus that people would need to trust digital identity systems if they were to adopt and use them, especially for important services such as financial transactions. The degree of trust that people have is likely to depend on a number of different factors:
Accessibility / the digital divide
There were mixed views, both positive and negative, about the effect that digital identity could have on accessibility and the digital divide:
Competition and key players
Given the relatively early stage of development of digital identity, it is not yet clear who the most important players will be and whether any barriers to effective competition will emerge:
CONSIDERATIONS FOR DRCF MEMBER REGULATORS
From the insight provided by our engagement with stakeholders, several key considerations emerged for member regulators to bear in mind as the industry develops.
Digital identity wallets
Stakeholders highlighted possible barriers to development deriving from imbalances in market power, particularly where wallets capable of supporting digital identities were being bundled in with the operating systems of mobile devices. Regulators will need to be aware of any bottlenecks or barriers, so that organisations and the economy can take advantage of possible benefits from the technology.
As well as this, regulators will need to ensure that organisations across the ecosystem are aware of the need for transparency, the appropriate technical measures to secure data and the requirement for privacy by design in digital identity wallets. The need to ensure appropriate protections for the processing of people’s data is a requirement under data protection law, regulated by the ICO.
The use of AI
Other considerations revolved around the use of AI, both in terms of its responsible use in legitimate transactions, and by bad actors who might use it to attempt to circumvent authentication (through the creation of deepfaked identities, for example).
DRCF member regulators have previously issued guidance on the use of AI, around concepts like transparency, explainability and bias. Balancing the use of AI to enable beneficial innovation against the need to prevent its misuse and to support those impacted will be another key consideration for regulators moving forwards.
Decentralised ID
In decentralised ID systems, users may have greater control over what data is shared and with whom. This may create a greater need for users to understand the nature and extent of that sharing. Regulators will need to ensure that organisations that seek to process personal information as part of that sharing process are giving users sufficient knowledge to make an informed decision as to what data they wish to share.
Transparency is a data protection requirement, but its effectiveness is partly dependent on the level of digital literacy in the user, which is relevant to both the ICO and Ofcom. The ICO has previously set out its views on decentralised identity as part of its response to the UK Government’s proposal for a trusted digital identity system. The response noted that the proposed model mitigates many of the privacy risks that would emerge from a centralised scheme, including a lack of autonomy and unwarranted intrusion, but noted that such a decentralised identity system would still have inherent risks. How users can exercise their rights in decentralised systems has been explored previously in the ICO’s Tech Horizons Report.
Another important consideration for regulators is the governance and liability for decentralised systems, in particular who is responsible for the governance, which was a recurring theme in the DRCF’s Web3 Insight Paper. If suppliers of digital identity services fail in a decentralised provision model, regulators will need to understand what that might mean for individuals’ data, and how they could be supported.
Commercialisation and business models
Regulators should consider encouraging the development of commercial models which make use of the power of data without compromising data protection rights. This might involve opening up data on how digital identity as a market and technology is being used, without focusing on or disclosing information about individuals. Access to this high-level information on trends and usage patterns may support new market entrants as well as incumbents in identifying market opportunities.
Consumer trust and interoperability
From the ICO’s perspective, in addition to increasing consumer trust, data protection by design and default is a requirement, as is the need for appropriate technological and organisational means to safeguard personal data processed.
It is important that future digital identity systems are transparent, robust and secure to ensure consumer protection. For example, under the FCA's Consumer Duty, firms are expected to act in good faith with consumers. Therefore, the expectation is that the systems that are being used are enabling beneficial outcomes through a transparent and robust approach to support the deployment of financial products and services.
For the CMA, consumer law requires that consumers have sufficient information to make informed decisions and understand the impact of their decisions. More broadly, if use of digital identity becomes widespread, ensuring that individuals can easily access either digital identities or the services that require them will be critical. DRCF member regulators will need to consider how to support continued innovation and development of this technology whilst ensuring it does not result in a digital divide, where some users are unable to access key services due to barriers such as a lack of mobility, a lack of digital literacy, or a lack of the right device.
NEXT STEPS
The DRCF will maintain a watching brief, engaging closely with internal and external experts to help identify any further emerging cross-regulatory opportunities and issues. Individual member regulators will also continue to consider areas specific to them:
Through this project, we have connected policy experts from across member regulators and provided them with insight into possible futures, drawing on input from a diverse set of external stakeholders. This will help colleagues across the DRCF to better understand the direction of travel of the digital identity industry, in turn allowing for better co-operation between member regulators.
[1] Decentralised identity is a model for identity management where there is no centralised provider and holder of identity information; instead, the individual manages what data is shared with whom, and this is verified by independent third parties.
[1] Vouching is where a trusted organisation or person can attest to the legitimacy of another person’s identity.