My Lords, I am glad to see the noble Lord, Lord Stevenson of Balmacara, and others, and I echo what he said about our constructive discussions in 2014-16. I am also pleased to see my noble friend Lord Camrose championing intellectual property, as we try to do, and to see him accompanied by my noble friend Lord Evans of Rainow in his new position as Cabinet Office Whip.
The Digital Government (Disclosure of Information) (Identity Verification Services) Regulations 2023 are an important part of this Government’s commitment to strengthen the use of data and information across the public sector. We are bringing these forward so we can deliver better and more joined-up services and, in turn, improve outcomes for our citizens.
The regulations aim to allow information sharing between named bodies for the specific purpose of supporting cross-government identity checking when it is needed. Verifying a user’s identity—ensuring that a person is who they say they are—is a key part of delivering many government services. The draft regulations enable this by establishing a new data-sharing objective under Section 35 of the Digital Economy Act 2017 and by setting out which public bodies may use the new objective. This will create a legislative gateway, enabling us to use existing data sets, which public bodies already hold, to help as many people as possible to access the government services that they need online. It is therefore central to the development of more inclusive and accessible systems.
Specifically, the proposed objective would unlock the full benefits of the new cross-government digital system known as GOV.UK One Login. This is now live; users are able to set up an account, log in and prove their identity in order to access an initial set of 24 government services, with more being added all the time. However, at the moment, users must have photographic documentation, such as a passport or driving licence. This will change following the introduction of the new objective, as it will unlock new ways for people without photo ID to prove who they are, opening up the system to more users.
The delivery of One Login is a step change in simple joined-up access to government services online. This, in turn, delivers substantial cost and time savings for the Government and users by reducing duplication and providing enhanced capability to identify and stop fraudsters. In summary, the proposed objective will, first, enable checks against existing government-held information, such as PAYE and benefits data, to build confidence in the user’s identity, which will be particularly key where service users do not have a passport or driving licence. Secondly, it will provide a specific legal framework for checks against documents currently used in identity verification, such as driving licences. Thirdly, it will enable the sharing of the results of identity checks performed by one named body with another, so that users need to prove their identity only once.
The draft regulations set out which of the bodies already listed in Schedule 4 to the Digital Economy Act can use the new identity-verification data-sharing power, such as HM Revenue & Customs and the Department for Work and Pensions. They also add four new public bodies to the schedule that will be able to use the power: the Cabinet Office, the Department for Transport, the Department for Environment, Food and Rural Affairs and the Disclosure and Barring Service.
The public bodies listed in the regulations are either bodies that hold information that could be used in support of proving that someone is whom they say they are or those that own and manage services that people need to access, which they therefore need to receive the results of identity checks. Of course, some public bodies do both.
The territorial extent of the draft regulations is England, Wales and Scotland. The Information Commissioner’s Office and the devolved Administrations support the draft regulations, and indeed the Scottish
and Welsh Administrations have requested that certain Scottish and Welsh bodies be included in the draft regulations to enable them to use the new data-sharing power—so it is devolved friendly.
I am sure noble Lords will be pleased to know that these draft regulations have been subject to the standard rigorous processes of internal and external review. In the first instance, the objective has been subject to scrutiny by the Public Service Delivery Review Board, as set out in the underpinning code of practice on public service delivery, debt and fraud of the Digital Economy Act 2017. The board recommended that Ministers take forward these draft regulations since they meet the required criteria of supporting the improvement, or targeting, of public services to individuals in order to enhance their well-being.
Furthermore, the objective has been subject to a public consultation, which received more than 66,000 responses. Some respondents recognised the benefits to individuals of improved and more inclusive services. Some mistakenly expressed concern that this was a back-door route to identity cards. Therefore, in response to the consultation, the Government confirmed that they have no plans to introduce mandatory digital ID or identity cards. We also published additional information on how GOV.UK One Login will operate within these regulations and within the overall data protection framework. We extended the time between the regulations being approved and coming into force, and we amended some of the wording to reflect that of the Act. Of course, the Government understand that people want to protect their personal information and this is central to our approach. The draft regulations relate to using data only for the purpose of identity verification.
Part 5 of the 2017 Act gives the Government powers to share personal information across organisational boundaries to improve public services. It lays down what data can be shared and for which purposes. Data sharing must also have regard to the accompanying statutory code of practice on public service delivery, debt and fraud, which sets out how the power must be operated, including how any data shared must be processed lawfully, securely and proportionately in compliance with data protection legislation and UK GDPR.
The Digital Economy Act statutory code of practice on public service delivery, debt and fraud also requires information-sharing agreements to be listed on a public register of information-sharing activity under the powers. The framework for data sharing under the DEA provides a supportive background to help organisations to share data in ways that benefit the public, as confirmed by the Information Commissioner’s Office in its recent review. It includes robust safeguards that ensure that organisations share data responsibly and in alignment with data protection principles, while also safeguarding people’s rights.
I think these regulations are relatively straightforward and important, and I hope that colleagues will join me in supporting them.