Newly published documents indicate that, if users contest a decision, government ‘will generally prove that system is functioning without error or bias’, as DSIT pledges comprehensive ‘fairness, transparency and security’
The Government Digital Service has pledged that personal data gathered by the new GOV.UK One Login system will not be used for “marketing or profiling”, and that users wishing to challenge determinations made by the technology will be offered an explanation of how the contentious decision was reached, PublicTechnology can reveal.
In a newly published government transparency document, GDS has provided a privacy notice for One Login. The notice is intended to provide a public record of: what personal data will be collected by the new cross-department sign-in system; how this information will be stored, processed, and shared; what protective measures will be taken; and citizens’ rights in relation to their data and its use.
As is now common with many such policies issued by government bodies, the guidelines also set out how users’ sensitive information may be subject to “automated decision-making”.
“GOV.UK’s identity checking process is fully automated and therefore the majority of identity checking decisions are based solely on automated processing,” the notice says.
If users wish to dispute or otherwise find out more about a decision made by One Login, GDS indicates that it will respond with an explanation – that should provide evidence of the technology working as intended.
“Individuals or services can ask us to prove that the automated decision has been made correctly and we will generally prove that GOV.UK One Login is functioning as anticipated without error or bias,” the notice says. “We may not be able to provide full information about individual identity checking attempts particularly where providing information would interfere with the prevention or detection of fraud or other crime.”
PublicTechnology understands that government’s position is that all personal data gathered by the sign-in platform will be kept for no longer than is required.
The privacy guidance outlines that, unless it is actively deleted by the individual in question, users’ information will be stored for five years after an account was last used.
Information on “audit events and activity” will be kept longer than any other kind of data – with a retention policy of seven years.
User feedback will be stored for two years, while call recordings and other contact will be kept for one year – as will “information about the actions” taken during citizens’ use of their One Login account.
Selfie videos used during the verification process, biometric facial data, and images taken from driving licences will be retained for 30 days. Data from in-person ID checks at Post Office branches will be stored for 11 days.
The notice adds: “If you choose to delete your GOV.UK One Login, we’ll delete your account and your proven identity information.”
Users are promised that “all personal data processed directly for the administration of your GOV.UK One Login and for identity checking is stored in the UK or in the European Economic Area… [which] has been assessed by the UK government as having adequate legal protections for data privacy in line with those in the UK”.
However, information collected in service of GDS’s use of Google Analytics “may be transferred” outside of the EEA. Citizens are also advised that “some of our suppliers may provide technical support from outside of the EEA”.
“In both cases, we make sure your information is just as well protected, for example by including extra clauses in our contracts with suppliers,” the privacy guidance adds. “Google is also supported by the US Data Privacy Framework, which extends to UK data protection and processing security. Where locations of processors or sub-processors are outside the UK, we rely on agreed model contract clauses set out by GDPR for assurance and data protection.”
In response to enquiries from PublicTechnology, a spokesperson for GDS parent organisation the Department for Science, Innovation and Technology said: “GOV.UK One Login is designed to protect users’ privacy and security by storing and processing data only within the UK or countries meeting UK GDPR standards and protections. We only keep data for as long as needed to deliver the service safely and effectively and we do not use it for marketing or profiling. Where automated checks are used to help verify identity—such as document scanning—these are supported by other methods such as presenting documents at a Post Office. Users can be confident that fairness, transparency and security are built into every stage of the process.”
Data details
The privacy notice says that information gathered by GDS will include a comprehensive range of individuals’ details, including: name; date of birth; full address; email address; and data from passports and other state-issued identification, covering document number, photo, nationality and issuing country, and expiry date.
Alongside this personal info, One Login will also collect “technical information” – a category which encompasses “Online identifiers, like your internet protocol addresses, [and] technical information about the device you use such as the model, web browser operating system and unique device ID”, according to the notice.
Copies of users’ written communications with government – and recordings of telephone calls with official helplines – will also be stored. GDS may also use cookies to gather, via the Google Analytics platform, “information about the pages you use, how long you spend on each page, how you got to GOV.UK One Login, [and] what you click on while you use the service”.
Data collected may be shared with the online government service the user is trying to access via One Login.
“Other government services process the data we share with them as independent data controllers under a memorandum of understanding (MoU) we have with them,” the privacy notice says. “Each online government service will have its own terms and conditions and privacy notice. You should read these as well as the GOV.UK One Login terms and conditions and this privacy notice, so that you understand how your personal information is managed.”
Five years: Length of time after One Login account was last used that user data will be kept
Three million: Number of One Login accounts created as of late 2024
191: Number of discrete systems One Login is intended to replace
£329m: Projected cost of delivering One Login
Prominent recipients of data will include HM Revenue and Customs, which continues to operate the widely used Government Gateway sign-in and online accounts system – which now incorporates the GOV.UK ID Check App developed to support One Login.
“Additionally, HMRC conducts their own identity document checks against authoritative government data sources. We therefore share your driving licence and passport information with HMRC to enable them to conduct these checks,” the guidelines say.
HMRC is one of a number of named “third party identity service providers” with which GDS may share the personal data of One Login users during the ID-verification process. Others include: HM Passport Office; The Driver and Vehicle Licensing Agency and Northern Ireland’s Driver and Vehicle Agency; the Post Office; credit-reference agency Experian; and authentication tech specialist iProov.
One Login’s anti-fraud measures may also see data shared with law-enforcement agencies and the Home Office.
The commercial providers that support the operation of the login tool may also receive and process citizens’ information.
“We work with technology suppliers, for example we use an external hosting provider and a contact centre provider,” the notice adds. “We only give our suppliers access to your information if they need it to provide their service. Our suppliers act as data processors and are subject to contracts with us which restrict them to only processing your personal data for the sole purpose of providing their services in accordance with our instructions.”
The privacy notice will be subject to regular updates reflecting any changes in policy. Government also indicated that, in the case of “significant” amendments, efforts will be made to draw users’ attention to the change and its implications.
One Login has recently been subject to concerns about its security credentials, not least because the system has lost the formal government digital identity trustmark awarded by GDS’s own parent organisation: the Department for Science, Innovation and Technology.
The project recently awarded almost £20m in contracts for technical architecture and cyber services and, in response to enquiries from PublicTechnology regarding the security status of the technology, a government spokesperson said: “As you would expect, we carry out regular, rigorous security testing to ensure we have the ability to respond to any potential cyber threats. While we don’t comment on specific operational security matters, One Login continues to meet high standards of cyber security and data protection, in line with best practice and government policy.”