PID and Matching dataset
When an identity provider verifies a user’s identity, they assign a unique persistent identifier (PID) to that user. The PID is a unique identifier that refers to a user and the identity provider that verified the user’s identity. It’s a pseudo-random value that has no resemblance to any real information from a user, for example their email address or name.
If a user verifies using multiple identity providers, that user will have multiple PIDs.
The Matching Service Adapter will hash the PID to make it specific to each service (and meaningless to other services) before sending it on to the Local Matching Service.
The matching dataset contains verified information about a user including their:
- date of birth
It may also include additional data such as historical addresses and gender.
You must not use the matching dataset for anything other than matching. If you do, you may be in violation of the General Data Protection Regulation.
European identities and eIDAS
The eIDAS regulation, coming into force in late 2018, says that European citizens must be able to use their national electronic IDs to access public services provided by another EU member state.
In practice, this means European citizens will be able to use their national online identity schemes to confirm their identity and access UK government services.
If your service needs to be able to process EU identities, you need to configure your MSA to do this.
Once configured, both European identities and GOV.UK Verify identities you receive will always be in the format of the universal JSON matching schema.
European identities will only include verified attributes:
- first name,
- date of birth,
- a personal identifier or equivalent from the EU member state (the equivalent of the PID),
The data from European citizens will not include any historical attributes or unverified attributes.
For names using non-Latin characters, both the non-Latin as well as a Latin equivalent will appear in the JSON received by your matching service. Because European identities will not contain middle names, only
surnames may contain a
nonLatinScriptValue property, where applicable.
The UK uses addresses as an extra attribute to establish identity and help with matching. Other countries can use a personal identification number or similar. Both approaches meet identity assurance standards.
If you configure your MSA to accept EU identities, make sure your matching strategy does not rely on receiving an
addresses attribute for all identities. EU identities won’t have an
addresses attribute. GOV.UK Verify identities will have at least one verified
addresses attribute that you can use in your matching strategy.
The identity provider may offer some unverified attributes to help you disambiguate between similar records. Any unverified attributes will be clearly labelled.
An unverified attribute does not mean the identity is invalid. For example, it can be difficult to verify current addresses, especially if an individual has not lived at that address for very long. Verifying a previous address can be enough to establish identity.
An unverified attribute will always be accompanied by a verified attribute of the same type. For example, an unverified current addressed and a verified historical address.