Privacy notice

Last updated: 28 September 2018

Who we are

GOV.UK Verify is built and run by the Government Digital Service (GDS). GOV.UK Verify allows you to prove your identity when using digital government services like the service you use to sign in and file your Self Assessment tax return. GOV.UK Verify has been extended to comply with the eIDAS regulation, which lets users with digital identities from some EU countries to access government services in the UK. This privacy notice explains what information we might collect, how it’s used and how it’s protected.

How we use information when you use GOV.UK Verify

GOV.UK Verify provides a ‘hub’ between services and ‘certified companies’ which verify users’ identities on behalf of government. Certified companies are organisations that have met government and industry standards to provide identity assurance services as part of GOV.UK Verify. We use personal data and other information to help you to transact securely with government services. This may include any of the following activities.

  1. Sending information to certified companies

    GOV.UK Verify may pass information about answers you gave on the GOV.UK Verify hub to certified companies. This helps certified companies to guide you through the verification process, making it simpler and faster.
  2. Certified companies sending information to the hub

    The certified company you choose will send the verified data about you (your name, address and date of birth along with your gender if you choose to provide it) to the hub, and the hub will send it to the government service that you want to access. The certified company you use won’t know which government service has requested this information, and the government service won’t know which certified company you have chosen.
  3. Document checking

    We also provide a document checking service to certified companies so they can validate some of your data with other areas of government such as:

    • HM Passport Office (HMPO)
    • Driver and Vehicle Licensing Agency (DVLA)
    • Driver and Vehicle Agency (DVA) in Northern Ireland

    This is done via an API and cannot be accessed by GOV.UK Verify.

How we use information when you use a digital identity from another European country

GOV.UK Verify provides a ‘hub’ between government services and the digital identity schemes of EU member states. If you’re an EU citizen who has signed up to another identity scheme, this lets you prove your identity online and use a UK government service.We use personal data and other information to help you to transact securely with government services. This may include any of the following activities.

  1. Choosing a digital identity scheme

  2. GOV.UK Verify hub will ask you to choose which digital identity scheme you want to use.

  3. EU member states sending information to the hub

  4. The digital identity scheme you choose will send verified data about you (your name and date of birth) to the hub, and the hub will send it to the government service that you want to access. The identity scheme you use won’t know which government service has requested this information, and the government service won’t know which identity scheme you have chosen.

How we use information for monitoring and security

User support

When you contact the GOV.UK Verify user support team for help, we might:

  • ask for further information from you
  • pass your query or feedback to a certified company or government service

We might also ask for further feedback to help improve the service.

Monitoring and reporting

We monitor and report on GOV.UK Verify so that we can review and improve the service that we provide to government organisations.

Identity standards and fraud

We process some personal data to help to prevent fraud in government services. We do this to maintain the government's identity standards and detect fraud when verifying identities.

What information we process

We process information about you when you use GOV.UK Verify. This may include any of the following.

How personal data is used when signing in with GOV.UK Verify

After you’ve been verified by the certified company, we pass your personal data to the government service that you wish to access. Your verified identity will then be matched to a record in the corresponding government service database.

This data includes:

  • name (including previous names)
  • address (which may include previous addresses)
  • date of birth
  • age (range)
  • gender (optional)
  • IP address
  • personal identifier (PID)

In some situations we may also ask for some additional information such as:

  • driving licence number
  • Land Registry borrowers number
  • National Insurance number
  • HM Revenue and Customs unique taxpayer reference
  • Rural Payments Agency Single Business Identifier

How personal data is used when signing in with a digital identity from another European country

After your digital identity from another EU country has been authenticated, we’ll pass your personal data to the government service that you want to use. Your verified identity will then be matched to a record in the corresponding government service database.

This data includes:

  • family name
  • first name
  • date of birth
  • personal identifier (PID)

In some situations we may also ask for some additional information such as:

  • driving licence number
  • Land Registry borrowers number
  • National Insurance number
  • HM Revenue and Customs unique taxpayer reference
  • Rural Payments Agency Single Business Identifier

User support questions and feedback

We process questions or feedback you send to user support, including your name and email address, details of your query, and actions we have taken to help.

Technical information

When you connect to GOV.UK Verify, we collect other information that is used for monitoring, reporting and fraud prevention purposes. This includes:

  • the IP address of the device you’re using to connect
  • the ‘device fingerprint’, which is information collected about a remote computing device for device identification
  • ‘user agent string’, which is the type and version of browser and operating system

Cookies and analytics

You can read our full cookie notice to find out how we use cookies.

How long we keep your data for

We will only retain your personal data for as long as:

  • the law requires us to
  • we need to provide this service
In general, this means that we will only hold your personal data for a minimum of 1 year and a maximum of 7 years.

Certified companies, digital identity schemes in other European countries and government organisations

The government organisations, digital identity schemes in other European countries and certified companies that we partner with are the data controllers who will also process your data for their own purpose. These purposes are not described in this privacy notice. Read their privacy policies to learn how they process your data and how to exercise your rights around how they do it.

Sharing information with third parties

We share information with government services and certified companies to verify your identity and only in the ways described in this privacy notice. We won’t share your personal data with any other organisations or for marketing, market research or commercial purposes.

We may pass on personal data if we have a lawful reason, for example as part of a criminal investigation or fraud prevention activity.

Where your data is stored

GOV.UK Verify processes your personal data in the European Economic Area (EEA).

GOV.UK Verify is one of the services on GOV.UK and has links to other websites. This privacy notice only applies to GOV.UK Verify and doesn’t cover other government services and transactions that we link to.

Identity Assurance Principles when signing in with GOV.UK Verify

GOV.UK Verify has been designed to comply with the Identity Assurance Principles prepared by the Cabinet Office Privacy and Consumer Advisory Group. You can also find more detailed information about the service on the GOV.UK Verify blog.

Children’s privacy protection

We understand the importance of protecting children's privacy online. GOV.UK Verify is not designed for, or intentionally targeted at, children 13 years of age or younger. It is not our policy to intentionally collect or maintain data about anyone under the age of 13.

How we protect your data and keep it secure

We are committed to doing all that we can to keep your data secure. To prevent unauthorised access or disclosure we have put in place technical and organisational procedures to secure the data we collect about you - for example, we protect your data using varying levels of encryption.We also make sure that any third parties that we deal with have an obligation to keep all personal data they process on our behalf secure.

Changes to this notice

We may change this privacy notice at our discretion at any time. When we make changes to this notice, we will update the last modified date at the top of this page. Any change to this privacy notice will be applied to you and your data as of that revision date. We encourage you to review this privacy notice regularly to stay informed about how we are protecting your data.

Who controls your data

The data controller for your personal data is the Cabinet Office – a data controller determines how and why personal data is processed.

Your rights

You have the right to request:
  • information about how your personal data is processed and to request a copy of that personal data you’ve given to us
  • that any inaccuracies about your personal data be corrected without delay
  • that any incomplete personal data is completed, including by means of a supplementary statement
  • that your personal data is erased if there is no longer a justification for us to hold it
  • that the processing of your personal data is restricted in certain circumstances, for example when accuracy is contested
If your personal data is processed on the basis of consent, then you have the right to withdraw your consent at any time.

How to contact us

If you have any questions about anything in this document or if you believe your personal data has been misused or mishandled you can contact the Cabinet Office Data Protection Officer (DPO) at DPO@cabinetoffice.gov.uk.

Or by post at:

Data Protection Officer
Cabinet Office
70 Whitehall
London SW1A 2AS

You can make a complaint to the Information Commissioner’s Office (ICO), who is an independent regulator. The Information Commissioner can be contacted at casework@ico.org.uk or on 0303 123 1113.

Or by post at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

GOV.UK VERIFY