Last updated: 24 May 2018
Who we are
GOV.UK Verify is built and run by the Government Digital Service (GDS). GOV.UK Verify allows you to prove your identity when using digital government services like the service you use to sign in and file your Self Assessment tax return. This privacy notice explains what information we might collect, how it’s used and how it’s protected.
How we use information
GOV.UK Verify provides a ‘hub’ between services and ‘certified companies’ who verify users’ identitieson behalf of government. Certified companies are organisations that have met government and industry standards to provide identity assurance services as part of GOV.UK Verify. We use personal data and other information to help you to transact securely with government services. This may include any of the following 6 things.
Sending information to certified companiesGOV.UK Verify may pass information about answers you gave on the GOV.UK Verify hub to certified companies. This helps certified companies to guide you through the verification process, making it simpler and faster.
Certified companies sending information to the hubThe certified company you choose will send the verified data about you (your name, address and date of birth along with your gender if you choose to provide it) to the hub, and the hub will send it to the government service that you want to access. The certified company you use won’t know which government service has requested this information, and the government service won’t know which certified company you have chosen.
We also provide a document checking service to certified companies so they can validate some of your data with other areas of government such as:
- HM Passport Office (HMPO)
- Driver and Vehicle Licensing Agency (DVLA)
- Driver and Vehicle Agency (DVA) in Northern Ireland
This is done via an API and cannot be accessed by GOV.UK Verify.
User supportWhen you contact the GOV.UK Verify user support team for help, we might:
- ask for further information from you
- pass your query or feedback to a certified company or government service
Monitoring and reportingWe monitor and report on GOV.UK Verify so we can review and improve the service that we provide to government organisations.
Identity standards and fraudWe process some personal data to help to prevent fraud in government services. We do this to maintain the government's identity standards and detect fraud when verifying identities.
What information we process
We process information about you when you use GOV.UK Verify. This may include:
We process the answers you provide in the GOV.UK Verify hub to help you select a certified company.
After you’ve been verified by the certified company we then pass your personal data to the government service that you want to access. Your verified identity will then be matched to a record in a government database.
This data includes:
- name (including previous names)
- address (which may include previous addresses)
- date of birth
- age (range)
- gender (optional)
- IP address
- personal identifier (PID)
In some situations we may also ask for some additional information such as:
- driving licence number
- Land Registry borrowers number
- National Insurance number
- HM Revenue and Customs unique taxpayer reference
- Rural Payments Agency Single Business Identifier
User support questions and feedbackWe process questions or feedback you send to user support, including your name and email address, details of your query, and actions we have taken to help.
When you connect to GOV.UK Verify, we collect other information that is used for monitoring, reporting and fraud prevention purposes. This includes:
- the IP address of the device you’re using to connect
- the ‘device fingerprint’, which is information collected about a remote computing device for device identification
- ‘user agent string’, which is the type and version of browser and operating system
Cookies and analytics
How long we keep your data for
We will only retain your personal data for as long as:
- the law requires us to
- we need to provide this service
Certified companies and government organisations
The government organisations and certified companies that we partner with are the data controllers who will also process your data for their own purpose. These purposes are not described in this privacy notice. Read their privacy policies to learn how they process your data and how to exercise your rights around how they do it.
Sharing information with third parties
We share information with government services and certified companies to verify your identity and only in the ways described in this privacy notice. We won’t share your personal data with any other organisations or for marketing, market research or commercial purposes.
We may pass on personal data if we have a lawful reason, for example as part of a criminal investigation or fraud prevention activity.
Where your data is stored
GOV.UK Verify processes your personal data in the European Economic Area (EEA).
Links to other websites
GOV.UK Verify is one of the services on GOV.UK and has links to other websites. This privacy notice only applies to GOV.UK Verify and doesn’t cover other government services and transactions that we link to.
Identity Assurance Principles
GOV.UK Verify has been designed to comply with the Identity Assurance Principles prepared by the Cabinet Office Privacy and Consumer Advisory Group. You can also find more detailed information about the service on the GOV.UK Verify blog.
Children’s privacy protection
We understand the importance of protecting children's privacy online. GOV.UK Verify is not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.
How we protect your data and keep it secure
We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you - for example, we protect your data using varying levels of encryption.We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.
Changes to this notice
We may change this privacy notice at our discretion at any time. When we make changes to this notice, we will update the last modified date at the top of this page. Any change to this privacy notice will be applied to you and your data as of that revision date. We encourage you to review this privacy notice regularly to stay informed about how we are protecting your data.
Who controls your data
The data controller for your personal data is the Cabinet Office – a data controller determines how and why personal data is processed.
Your rightsYou have the right to request:
- information about how your personal data is processed and to request a copy of that personal data you’ve given to us
- that any inaccuracies about your personal data be corrected without delay
- that any incomplete personal data is completed, including by means of a supplementary statement
- that your personal data is erased if there is no longer a justification for us to hold it
- that the processing of your personal data is restricted in certain circumstances, for example when accuracy is contested
How to contact us
If you have any questions about anything in this document or if you believe your personal data has been misused or mishandled you can contact the Cabinet Office Data Protection Officer (DPO) at DPO@cabinetoffice.gov.uk.
Or by post at:
Data Protection Officer
London SW1A 2AS
You can make a complaint to the Information Commissioner’s Office (ICO), who is an independent regulator. The Information Commissioner can be contacted at email@example.com or on 0303 123 1113.
Or by post at:
Information Commissioner's Office
Cheshire SK9 5AF