category: Blog / Opinion
When I want to perform a transaction online, it’s often important the organisation I’m interacting with can trust certain aspects about me as a digital user before I can complete a transaction.
In the commercial arena, when I want to book a train ticket online the train company will want to know whether I am an existing customer and whether I can pay for a ticket. It’s my user ID that I use during sign-on that tells the train company I’m an existing customer, and it’s my credit card number that enables the train company to collect a payment. In the financial arena, when I want to do online banking I need to establish my real world identity with a bank for fraud prevention reasons before I can do any transactions. And for some transactions, such as a transfer, my bank will ask for a second security code to protect both myself and the bank from a hacker.
The models for establishing and using a digital identity in the commercial and financial sectors are tried and tested and work well. I can often use my email identity to say who I am across the many sites I visit, and I can use my choice of debit or credit card with most web sites – but what about Government services? Different parts of government collect taxes regarding my car, my house and my income. Different parts of the NHS help to make me better when I’m ill, from my GP to my specialist consultant, and to a hospital and community nurse. And different parts of government can help with benefits and entitlements if I am disabled or unemployed.
Previously, Government departments have tried several approaches to provide online services where they need to trust the identity of online users. These approaches vary from each department asking a user to set up an online account to enabling a Government Gateway identity to be used across services. Asking someone to register for a new account at each department is not ideal, who wants to remember more passwords? Equally, asking departments to trust an identity that has been subject to limited verification is not ideal. So, is there a better way?
The Government Digital Service is addressing this challenge with the GOV.UK Verify programme. This programme is using the GPG45 standard for verification of identity of individuals along with a federated identity scheme. The use of the GPG45 standard enables a number of organisations to be certified as identity providers where they can demonstrate compliance with this standard. An individual can then choose which certified organisation to use to establish an identity.
The use of a federated identity scheme enables an organisation that delivers a service such as tax, health or welfare to trust the certified identity providers. In practice, this will enable me and other individuals to establish a verified identity with my choice of identity provider that can be used to pay my dues and taxes, help make myself better, and obtain benefits where I’m so entitled.
So problem solved, right? Not entirely, we still need to link a verified identity with existing departmental identifiers. A bank may verify that I am a real person, but they don’t know and shouldn’t know my Unique Tax Reference or NHS number. Linking a verified identity to a department identifier is a job for each department so that they can deliver services based on what they know about someone.
It is this approach of using a common standard for identity verification plus a federated identity scheme that NHS Liverpool is adopting to explore how to broaden access to online healthcare services. This work is led by the Liverpool Clinical Commissioning Group (CCG) as part of the digital strategy for a healthy Liverpool.
Sitekit is working in partnership with NHS Liverpool to deliver a platform that can integrate with Verify and 3rd party digital services, and connect these services to existing systems across the GPs and hospitals within Liverpool. This will enable an individual to access whatever health and care services they require using a single, verified identity.
Liverpool CCG is aiming to pilot and evolve the identity solution based on feedback so that a template and toolkit is established and made available for other health bodies. The Liverpool pilot project involves establishing interoperability with HSCIC and GOV.UK Verify so that other local health economies can re-use the toolkit and also reuse the shared services provided by HSCIC as well as GOV.UK Verify.
Today, HSCIC operates the Personal Demographics Service that holds the master patient index of NHS numbers and associated demographic details, such as name, address, date of birth and gender. For the Liverpool pilot project, HSCIC is building a Matching service that can take the verified demographics for an individual and look-up PDS for a matching NHS number. Where an accurate match is established the NHS number can be used by the receiving service provider to connect an online user with their existing records.
If you are interested in learning more about the Liverpool identity project or would like support building the identity toolkit into your local strategy, please get in touch.
Asking someone to register for a new account at each department is not ideal, who wants to remember more passwords? Equally, asking departments to trust an identity that has been subject to limited verification is not ideal. So, is there a better way?