Introduction
On 23 October 2024, the UK government introduced the Data (Use and Access) Bill (the “DUA Bill”) to Parliament, outlining proposed reforms to the country’s data usage and access laws. The DUA Bill is intended by the UK government to enhance the UK’s digital strategy and unlock the use of data, harnessing its capabilities to boost public services and contribute to the UK economy.
In this Law-Now update, we examine the provisions of the DUA Bill that will create a legislative framework for digital verification services. Once it is formally adopted, the DUA Bill will introduce four key elements: a trust framework, a public register, a trust mark, and an information gateway, which together are intended to ensure that digital identity products and services can be trusted by those who wish to use them.
This Law-Now update is the next in our series on the proposals under the DUA Bill. You can access our overview of other changes proposed under the DUA Bill here, our focus on Smart Data schemes here, and how data sharing under Smart Data schemes compares with data sharing under the EU Data Act here.
What is a digital identity?
A digital identity is a digital representation of identity information that enables individuals or representatives of organisations to prove their identity without the need for physical documents. Hundreds of thousands already use digital identity products monthly for tasks like opening bank accounts, securing jobs or renting a flat.
Digital verification services in the UK
To be accepted, it is important that digital identities can be trusted to be reliable and accurate. Since 2021, the UK government has been operating a set of rules and standards – known as the digital identity and attributes ‘trust framework’ – to establish trust in digital identity products in the UK. Providers of digital identity services can become independently certified against the trust framework in order to demonstrate to users and businesses that they follow its rules and standards. The government maintains a register of digital identity and attribute services that lists organisations which provide digital identity services and are certified against the trust framework.
New legislative framework under the DUA Bill
The proposals set out in Part 2 of the DUA Bill will create a legislative structure of standards, governance and oversight for organisations that provide digital verification services and who want to be registered as providers of trusted services. The new regime will be overseen by the Office for Digital Identities and Attributes (OfDIA), operating under the authority of the Secretary of State. The provisions on digital verification services will be commenced through secondary legislation.
Once these proposals complete their legislative journey and become law, this will be a significant milestone for the digital identity sector – moving what has operated on a non-statutory basis onto a statutory footing. This may increase certainty for service providers that are already certified against the UK digital identity and attributes trust framework, and encourage new entrants, both of which may boost investment and lead to growth in the sector.
Digital identities and attributes trust framework
The Secretary of State will be required to publish the rules for the provision of digital verification services (called the ‘DVS trust framework’ in the DUA Bill). The trust framework may be supplemented by one or more sets of rules – these will be known as ‘supplementary codes’. The Secretary of State will be required to carry out annual reviews of the trust framework and any supplementary codes.
Register of digital identity and attribute services
The Secretary of State will also be required to establish and maintain a register of digital verification service providers that have been certified as providing digital identity services in accordance with the DVS trust framework. This is called the ‘DVS register’ in the DUA Bill.
The DUA Bill provides for the Secretary of State to be given governance powers over the DVS register, including the authority to assess applications, grant or deny registrations, and remove providers if necessary to the interests of national security. These governance functions will be carried out by the OfDIA on behalf of the Secretary of State, reinforcing its central role in administering and enforcing the new regime.
Trust mark
The DUA Bill empowers the Secretary of State to designate a ‘trust mark’, which will be a recognised symbol for use in the provision or promotion of digital verification services. Only providers registered in the DVS register may lawfully use the trust mark. This is intended to be used as a badge of compliance in order to give users confidence that digital verification services are secure, and reliable and operate within the trust framework. The Secretary of State will have the power to prevent misuse of the trust mark through civil proceedings.
Information gateway
The DUA Bill will authorise public authorities to share personal information with registered digital verification service providers to facilitate identity verification, but only at the request of the individual concerned. Disclosures in contravention of UK data protection legislation are not authorised. Public authorities will be permitted to charge fees to digital verification service providers for sharing the information.
GOV.UK Wallet
In addition to the proposals for digital identity services under the DUA Bill, the UK government has announced plans to introduce a digital wallet – called the GOV.UK Wallet – and a digital driver’s licence for use in 2025. Once available, people will be able to access their GOV.UK Wallet and digital driver’s licence from their phone in order to (for example) prove their age when buying age-restricted items online and in person – as well as proving their right to drive. The UK government intends that, by the end of 2027, the GOV.UK Wallet will also include other forms of identity documents like veteran cards, DBS checks and every other credential issued by the government. Use of digital versions will be voluntary and traditional physical documents will remain available.
Certified providers can access and use information in GOV.UK Wallet
The original announcement of the GOV.UK Wallet raised several questions that digital identity providers were hoping would be addressed by the UK government. It was unclear whether the government intended for the private sector to be permitted to host digital driving licences and other government-issued forms of digital ID or whether GOV.UK Wallet would be the exclusive means for storing government-issued digital IDs. No mention of this was made in the January 2025 press releases. Some in the sector have questioned the rationale for the GOV.UK Wallet to have exclusivity–if that is the government’s intent–given that the proposals in the DUA Bill look to stimulate growth in the digital identity sector, there are already a number of certified providers who would be capable of providing this service, and the ‘information gateway’ will establish a means for public authorities to provide digital data for an electronic wallet.
On 14 May 2025, the government published new guidance, Using GOV.UK Wallet in the digital identity sector, which states that organisations that are certified against the trust framework will be able to access and use the information in GOV.UK Wallet to offer a range of ways to prove identity. The guidance sets out that, once on the register, digital verification providers can use GOV.UK Wallet in two ways:
- First, they will be able to use the information in GOV.UK Wallet to offer a range of identity and attribute services. For example, use the information in GOV.UK Wallet to help someone prove something about themselves digitally. But if they are also certified as a holder service, they will be able to use information from GOV.UK Wallet to create a new reusable digital identity document (a ‘derived credential’).
- Second, businesses that are certified as orchestration service providers will be able to provide information from GOV.UK Wallet to other businesses who need to prove information about an individual (for example, they could connect GOV.UK Wallet with an online shop so it can share a user’s age).
The government’s technical documentation provides three example flows that illustrate how GOV.UK Wallet can be used to purchase age-restricted products from a private sector business via a registered digital verification services provider.
The guidance clarifies that only government issued-documents can be saved in the GOV.UK Wallet and it also provides an update on what will be available in the GOV.UK Wallet and by when: the Wallet will hold the HM Armed Forces Veteran Card from summer 2025, followed by the full driving licence later in 2025. Further documents will be added ‘over time’ but in a Government Digital Service blog post issued on the same day, the government repeated its commitment to require government services to issue a digital verified credential alongside any paper or card based credential or proof of entitlement eligibility by the end of 2027.
The release of this guidance will require close scrutiny by providers of digital wallets and digital verification services who were concerned that the government intended to operate GOV.UK Wallet as a monopoly and shut out the private sector. The use cases described above appear to stop short of permitting government-issued IDs being stored and held in digital wallets other than the GOV.UK Wallet but digital verification services will have a role to play in enabling the use of those digital IDs in the private sector.
There is an opportunity for digital verification service providers to shape how the GOV.UK Wallet will work with the private sector – the government has requested feedback on its technical documentation and to contact the government at [email protected] if they would like to take part in research to help shape how GOV.UK Wallet will work with the private sector.
Digital identity in the EU
The government’s plans to introduce the GOV.UK Wallet and a digital version of the driver’s licence (and other digital versions of identity documents) will mean that the UK will operate a similar digital identity scheme to that which is due to come into effect in the EU in 2026.
Under the European Digital Identity Framework (which came into effect in 2024), Member States are required to introduce their own version of the EU Digital Identity Wallet (which must be built to a set of common specifications). Once the Wallets become available, users in the EU will be able to store digital versions of verified documents in their wallet and present the digital documents directly from their Wallet to service providers as a form of digital identification. The Wallets are intended to be interoperable across EU borders.
However, there are some significant distinctions between the current UK proposals and EU Digital Identity Wallets. This includes that under EU rules, service providers like banks and online platforms must accept EU Digital Identity Wallets as a means of authentication. In the UK, while digital identities can already be used in specific contexts (e.g. proof of age for alcohol sales, Right to Work and Right to Rent), they are not yet legally equivalent to physical IDs across the board and sector-specific rules will need to be updated so that digital forms of ID, such as driving licences, are recognised as valid alongside their physical versions.
Second, the key features of EU Wallets will be implemented following harmonised technical standards. This means that the EU Wallet should be interoperable across Member States, offering users the same basic services and functionalities irrespective of which Member State issues it. But by building the EU Digital Identity Wallet on international standards, the European Commission also hopes that it can be recognised anywhere, not just within the EU. It remains to be seen whether the UK government has similar ambitions for the GOV.UK Wallet to be more than a domestic form of electronic ID and to receive mutual recognition outside the UK. Achieving full reciprocity may be challenging if the GOV.UK Wallet is not built to technical standards that are as robust as, for example, the harmonised standards on which the EU Digital Identity Wallets will be built.
Next steps
The DUA Bill moved back to the House of Lords for consideration of the most recent amendments from the Commons on 12 May 2025. The Lords have proposed an amendment to the provisions in the DUA Bill that is relevant to the proposals for digital verification services (the Lords’ amendment is about the provisions that require the Secretary of State to assess whether personal data–in particular data about a person’s “sex at birth” and “acquired gender” data–are reliably acquired by public authorities). This proposed amendment (along with others from the Lords) was considered in the House of Commons on 14 May 2025 and rejected. The Bill now passes back to the Lords to decide whether to insist on its amendments. Despite this ping pong, it is still anticipated that the DUA Bill will receive Royal Assent by the summer of 2025.
Look out for future Law-Now updates, in which our specialists will focus in more detail on other key areas of change proposed by the DUA Bill.
This update was co-authored by Ana-Maria Curavale (trainee solicitor).
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.