Data from GOV.UK Verify
When a user’s identity is successfully verified, the response from the GOV.UK Verify Hub will contain:
- the level of assurance the user’s identity was verified at
- a persistent identifier assigned by the identity provider
- a set of attributes about the verified user from the identity provider
When an identity provider verifies a user’s identity, they assign a unique persistent identifier (PID) to that user. The PID is a unique identifier that refers to a user and the identity provider that verified the user’s identity. It’s a pseudo-random value that has no resemblance to any real information from a user, for example their email address or name.
If a user verifies using multiple identity providers, that user will have multiple PIDs.
The Verify Service Provider will hash the PID to make it specific to each service (and meaningless to other services) before sending it on to your service.
The set of attributes contains verified information about a user including their:
- date of birth
It may also include additional data such as historical addresses and gender.
You must not use the user attributes for anything other than matching. If you do, you may be in violation of the General Data Protection Regulation .
European identities and eIDAS
The eIDAS regulation says that European citizens must be able to use their national electronic IDs to access public services provided by another EU member state.
In practice, this means European citizens will be able to use their national online identity schemes to confirm their identity and access UK government services.
If your service needs to be able to process EU identities, you need to configure your VSP to do this.
European identities will only include verified attributes:
- first name,
- date of birth,
- a personal identifier or equivalent from the EU member state (the equivalent of the PID),
The data from European citizens will not include any historical attributes or unverified attributes.
For names using non-Latin characters, both the non-Latin as well as a Latin equivalent will appear in the JSON received by your matching service. Because European identities will not contain middle names, only
surnames may contain a
nonLatinScriptValue property, where applicable.
The UK uses addresses as an extra attribute to establish identity and help with matching. Other countries can use a personal identification number or similar. Both approaches meet identity assurance standards.
If you configure your VSP to accept EU identities , make sure your matching strategy does not rely on receiving an
addresses attribute for all identities. EU identities won’t have an
addresses attribute. GOV.UK Verify identities will have at least one verified
addresses attribute that you can use in your matching strategy.
The identity provider may offer some unverified attributes to help you disambiguate between similar records. Any unverified attributes will be clearly labelled.
An unverified attribute does not mean the identity is invalid. For example, it can be difficult to verify current addresses, especially if an individual has not lived at that address for very long. Verifying a previous address can be enough to establish identity.
An unverified attribute will always be accompanied by a verified attribute of the same type. For example, an unverified current addressed and a verified historical address.