Made Tech Investors

Made Tech Blog

Practical tips on managing identity in government services

by Tess Barnes on

Digital transformation

Managing identity in the public sector is a crucial task, especially when it comes to safeguarding citizens’ personal data. But it’s not just about protecting individuals – it’s about ensuring that internal staff only access the information necessary for their roles. External organisations, like training providers working with apprenticeships, also need seamless and secure access to government services and systems.

The challenge is to make the process both simple and secure, while also preventing fraud. According to Cifas, identity fraud has seen a 15% increase, with a 50% jump in fraud cases involving company accounts, highlighting a growing threat beyond just individual / consumer fraud.

The UK government promotes using Government Digital Services (GDS) for identity management. The intention is to streamline the process, saving time and money by centralising expertise and reducing the need for each agency to create their own identity services. This allows agencies to focus on their core work, whether that’s managing tax, driving licences, or social care.

Why identity data integration needs extra care

I’ve worked on other types of cross-agency integrations before, but I have found identity data integration needs extra care for a couple of reasons. First, it’s about the risks to both citizens and organisations. The stakes are higher when personal identity data is involved, and protecting it is crucial. Second, identity journeys are more vulnerable to attack. Unlike other system integrations, identity relies heavily on user interactions – generally via their web browser or mobile app. This means all the data passes through the user’s device, which opens up potential threats.

That said, this is a necessary trade-off. For trust to be established, users need to give consent and know their data is being shared securely. The relationship between the user, identity provider, and relying party is central to ensuring the process remains secure and functional, and that’s something I’ve seen time and again in practice.

Who’s responsible for identity checks?

Setting up secure identity checks relies on trust between three key groups.

  • Identity provider: Confirms who the user is by verifying documents and ensuring login details match.
  • Relying party: The organisation offering a service (like applying for a licence). It uses the identity provider to verify the user and then uses its own business rules to decide eligibility.
  • User: Confirms their information and allows the identity provider’s platform to share their information with the relying party.

A quick reminder of how it works

  1. Verification and authentication: The identity provider checks documents and may run liveness tests to ensure the user is genuine (for example, ensuring the person applying for a driving licence is real). The identity provider confirms the user knows their login credentials (e.g. password with multifactor sms message code).
  2. Eligibility: The relying party checks that the user meets specific requirements, like age or residency. For example, only residents in Great Britain are eligible to apply for a GB driving licence.
  3. Authorisation: The relying party receives verified data from the identity provider, confirms it, and grants access if all checks pass (such as allowing the user to file a tax return or renew their driving licence).

Each group has a clear role to make sure the process is secure and accurate.

Identity integration in the real world

Below, I’ll run through 2 examples that illustrate how these principles work in practice.

Citizen example: Department for Education (DfE)

To make sure that only verified individuals access their apprenticeship service, the Department for Education acts as the relying party and uses GDS OneLogin as their identity provider. Here’s how the process works:

1. Verification and authentication:

  • An apprentice begins at the service start page: https://my.apprenticeships.education.gov.uk/.
  • When they proceed to the next stage, their browser is redirected to GDS OneLogin.
  • At OneLogin, the apprentice either registers or logs in with their existing account. When registering, OneLogin verifies their identity using documentation and liveness checks, ensuring the user is legitimate.
  • Once authentication is complete, the apprentice is redirected back to DfE. If additional identity proof is needed, OneLogin can provide more data for a higher confidence level following GPG45 guidelines.

2. Eligibility check: DfE confirms the user is a registered apprentice with an active enrolment in an apprenticeship programme.

3. Authorisation: After proving their identity and eligibility, the user is authorised to update their apprenticeship account details securely.

Employee example: DfE employer account access

The Department for Education (DfE) ensures that only verified staff can securely access employer services such as updating apprentice enrolment, or creating adverts. Here’s how the process works:

  1. Verification and authentication:
  • A staff member starts at the service page
  • They proceed to the service portal 
  • DfE redirects their browser to GDS OneLogin, where the user registers or logs in using their employer email.
  • When registering OneLogin may verify their identity through documentation and liveness checks, confirming the individual is legitimate.
  • After authentication, OneLogin redirects the user back to DfE. For this journey, additional identity proving may not be required.

2. Eligibility check: DfE checks if the user is linked to an employer account and identifies their roles and permissions, such as updating employer details, managing PAYE or apprenticeship data, and handling account users.

3. Authorisation: Once identity and eligibility are verified, the user is authorised to perform their tasks based on their assigned permissions or the roles granted by the employer account manager.

Top tips on managing identity integration

Here’s what I’ve learned about successfully implementing identity integration – it’s all about being practical, proactive, and realistic.

1. Know your limits

If you’re considering acting as both the identity provider and relying party, think carefully.  It’s complex and unless you’ve got both the expertise and the budget, don’t attempt to do both.

2. Understand eligibility requirements

This is your opportunity to refine your business rules. What account data do you need to hold? Do you need extra data to confirm identity, like proof of residency or employment status? If so, figure out which agencies hold this data and how you’ll access it. 

3. Define roles and responsibilities clearly

Map out the roles and their scope across services. An employer representative looking after apprenticeships could be an apprentice themselves. A staff member for an employer provider may want to log into the employer account to confirm a new cohort of apprentices and also log into the training provider account to submit learning records for an existing cohort to claim funding. 

4. Plan for updates to identity records

Identity can be a snapshot in time.  People move, change citizen status, renew passports, and die.  Consider how often you want to reverify a citizen record and make a point of understanding when and how your identity provider keeps their records up to date. 

5. Foster a strong technical partnership

Work closely with your identity provider to minimise technical risks. For instance, cryptographic key rotation can cause major issues if it’s not handled well. Make sure you’ve got access to the right technical people – don’t rely solely on sales or project managers to handle the details. There’s a chance that technical and security details could be missed or misinterpreted. 

6. Understand your risk

Do a skills audit within your team. If there’s a gap in cryptography or security expertise, consider bringing in a partner or investing in upskilling. Regular threat modelling is also crucial, to identify risks specific to your services. Also take time to review guidelines like GPG44 and GPG45 to work out confidence levels suitable for your use cases.

7. Budget for maintenance

Identity management is an ongoing responsibility. Regularly update and maintain your systems, especially registration and sign-on mechanisms, which are frequent attack targets. Anticipate evolving security threats and allocate resources to adapt proactively. The work is never done.

Safeguarding citizen identity is a serious business but it needn’t be a scary one. By understanding the complexities, building partnerships, and planning for the future, you can create a secure and efficient identity integration system.

Take a look at our webpage for more information on the digital transformation services we offer at Made Tech.



      LinkedIn

      About the Author

      Tess Barnes

      Lead Software Engineer at Made Tech

      Expert insights

      Subscribe to our newsletter

      Read more about Digital transformation

      Technical architects: Agents of change

      A successful technical architect translates vision into action and drives outcomes. Find out more about the skills they need to become agents of change.

      Explore similar topics

      Made Tech logo

      We provide Digital, Data and Technology services to help organisations make a positive impact

      Made Tech Investors

      Carbon Neutral Business stamp Crown Commercial Service Supplier certification Cyber Essentials Plus certification SOCOTEC International certification for ISO 9001 - ISO IEC 27001 AWS partner certification