Save content
Have you found this content useful? Use the button above to save it to your profile.
UK government has invested £1bn in online ID systems. But do they do the job?
iStock_Stand out from crowd_farakos

Government struggles with £1bn identity problem

by

The government has an identity problem. There are numerous different unique identifiers in circulation, but data quality is inconsistent and frequently duplicated. Bill Mew asks is what we really need is yet another ID solution.

8th Dec 2021
Save content
Have you found this content useful? Use the button above to save it to your profile.

Aside from issues with unique IDs, there are more than 40 ways to log into government systems. The solution to this situation appears to be to add yet another. 

Taxpayers struggling with unique taxpayer reference (UTR) and national insurance number (NINO) problems, often due to duplicated records or references, need to understand the wider context of the government’s identity problem.

This is becoming particularly acute as we move to automated digital systems like Making Tax Digital (MTD).

In the UK the fundamental individual identifier is the birth certificate. It can be used to get other documents such as a driving licence or passport, which can then be used to get bank accounts and access government services.

Unfortunately, this system is open to abuse. As Frederick Forsyth famously exposed in ‘The Day of The Jackal’ a loophole (now fixed) meant that copies of birth certificates belonging to people who died as children could be used to create entirely fake identities. There are also examples of such documents either being fraudulently issued by corrupt staff or being stolen and used for identity theft.

Data quality can also be undermined when government departments run systems in parallel and updates to one system are not reconciled across others.

Too many identifiers

Having so many unique identifiers – including NHS number, driving licence number, national insurance number and passport number – increases the chances that they may not be unique. And these concerns becomes more acute as more systems are digitised and citizens are expected to access services online using these identifiers or some other form of primary identification.

The government took a first crack at digital identity with the Government Gateway system that was developed and delivered in three months. It launched in January 2001, using a number of commercial components that were integrated by a really smart team for just £15.8m.

The system worked well and could handle not only individual identities, but also agents and organisations, meaning that businesses could use it as well. It provided single sign-on and authentication and allowed individuals to prove their identity. However, for managing taxpayers, HMRC needed to prove a link between a user identity and a specific unique identifier or data record. The solution was based on an activation PIN which would be sent through the post.

The system is still in use today and an updated Government Gateway is still at the heart of HMRC’s online operation. The gateway upgrade allowed users to reset their passwords and introduced 2-factor authentication (2FA) to improve security.

Subsequently the government introduced a more ambitious identity system called Verify. This system was more secure, but reduced flexibility meant it could not be used by agents and was only for individuals not organisations.

HMRC problems

Verify posed a problem for HMRC, which needs to deal with both individuals and businesses and with accountants acting as their agents. Other parts of the public sector such as the NHS have a similar need to support users acting behalf of someone else, for example to look after elderly relatives records using power of attorney. Verify ultimately failed to hit its ambitious adoption targets and became something of a white elephant.

In the meantime, a proliferation of different systems means that there are 44 ways to access government services online. This is about to become 45 as the Government Digital Service (GDS) has just been awarded £400m for a new One Login digital identity project. Along with the cost of Verify and other systems this is likely to bring the overall total spent on identity to around or even over £1bn.

Do we need it?

The question is… do we need a new system? Or could we reuse some of what already exists? And what are we seeking to achieve anyway?

One potential alternative would be to use NHS Login. This has already been rolled out nationwide to provide proof of identity and associated Covid vaccination status. While some would be concerned with health records being shared beyond the NHS, this scenario can be avoided. The system could simply be used to authenticate a user before a handshake with other government systems that provides only basic details like name, address and date of birth and no health data.

Another possible approach would be to work with HMRC. Instead of creating yet another new system in parallel, with all the duplication risks, cost and timescales that this entails, HMRC could scale up its replatformed Government Gateway to provide an identity and authentication system for other government departments.

Indeed, while the new GDS One Login digital identity project does not initially incorporate agents and organisations, the HMRC system, being based on Government Gateway, already does so.

A further option would be to build the new system on commercially available identity solutions which are far more advanced and have far greater functionality than was available back in 2001. Identity apps like Yoti are already used by public and private sector organisations worldwide, including the government of Jersey on the Channel Islands. And commercial cloud providers offer authentication services, avoiding the need for government to develop its own bespoke approach. 

We possibly also need to reconsider whether a single identity or identifier is actually essential. Privacy activists fear that this would allow for greater mass surveillance, while security experts fear that it would make identity theft a far greater problem.  

Maybe we simply need one system for financial interactions – for say taxes and benefits – which could then be better integrated, and another for health and care – also in need of better integration. Citizens could be encouraged to use a password manager to retain multiple passwords and identities.

Fraud prevention

All of this however overlooks the need to cleanse the data and crack down on fraud. Whichever system is adopted we will still need to de-duplicate records and provide a means of verification for those either forgetting their password or needing to replace core documents like birth certificates, driving licences or passports. Such systems need to eliminate fraud without being too onerous.

These problems are particularly evident with HMRC and the records it manages. Only a proportion of taxpayers have a UTR, and they are all too easy to fake. The gaps in the system and potential for abuse have been exposed recently with widespread fraud involving furlough funds from poorly documented “entrepreneurs”. This kind of abuse recently prompted HMRC to seize £26.5m in fraudulent CJRS.

The whole MTD system itself will stand or fall on the quality of the data held by HMRC, which is fairly inconsistent and frequently impossible to reconcile.

Aware of its data and identity issues HMRC has put in place new controls to prevent fraud from phantom taxpayers. However, this means UTRs are taking much longer to issue, and that more checks are happening for self assessment. Not only is this slowing down payments, but it is preventing many taxpayers from being able to submit or pay tax at all. With delays of up to six months, this is becoming a real problem.

HMRC is far from alone in having such problems. Benefits fraud is widespread and we are also seeing an increase in property title fraud – which could end up costing you your house. Nor is HMRC the only department with a massive data processing backlog. We saw with the HGV test issues some of the problems that DVLA has, and this is just the tip of the iceberg.

All of this does not necessarily mean that we need to build a completely new identity system from the ground up (at great cost to the taxpayer). Existing systems or new commercially available alternatives could easily be modernised and scaled up to provide a perfectly workable platform. And while HMRC may be central to much of the frustration that we are currently experiencing over data inconsistency and identity, it might also be sitting on one promising solution.

Replies (13)

Please login or register to join the discussion.

Tornado
By Tornado
09th Dec 2021 10:44

A good Article, and one more reason (or perhaps several) to add to the ever growing list of why MTD will inevitably fail.

Thanks (2)
Replying to Tornado:
avatar
By Hugo Fair
09th Dec 2021 12:25

The failed projects (many more than those listed here) and wasted billions (ditto) never succeed for rather more basic reasons - namely power politics (with the Cabinet Office being a prime instigator of conflicting camps over the years) and personal career protection (by up-and-coming mandarins in waiting).
Sure there are technical considerations, and (as to be fair the article points out social/political issues to reconcile) ... but even with a perfect spec the 'interested parties' will ensure that it never comes to fruition.
[And yes I'm biased, or embued with cynicism, because I wasted large chunks of my life over a nearly 3 year period in meetings at Whitehall/Horseguards Road ... trying to get a single plan off the ground *before* the current cacophony of logins came into existence.]

Thanks (3)
By SteveHa
09th Dec 2021 10:49

Anyone remember "Joined up Government"? - https://www.instituteforgovernment.org.uk/sites/default/files/publicatio...

Whatever happened to that?

Thanks (2)
Replying to SteveHa:
avatar
By North East Accountant
09th Dec 2021 13:02

I'd settle for joined up HMRC.

Thanks (2)
avatar
By raybackler
09th Dec 2021 11:02

This is a good article that lays down the challenge to government. Government that is increasingly not joined up in its IT systems. HMRC is way off the mark and I have detailed examples in several postings. My recent experience with the NHS is not great. I had my booster jab on 9th November and it appears in the MyGP app and the NHS app. On 17th November and on 6th December, I got text messages saying that their records showed I was due to get the Booster jab and needed to make an appointment. Somewhere along the line the NHS systems are not properly joined up and using them for identity at the moment could lead to problems. Most clients run away from the Government Gateway, because it is unwieldy. A new approach is needed and maybe advice could be taken from commercial organisations with systems that do work.

Thanks (2)
By Charlie Carne
09th Dec 2021 11:47

Interesting topic and raises issues of confidentiality and siloing of different government departments' data when all are accessed via a single login ID (though this issue has been dealt with in this article).

At the accountingWEB live Expo last week, I raised a related issue with Jim Harra (HMRC's chief exec) when other delegates had commented on clients' confusion on what references to use when making tax payments. I suggested that each business (whether sole trader or company, etc.) could have a single 10-digit UTR with a suffix letter to denote the relevant tax (mainly CT, VAT or PAYE for companies and IT, VAT or PAYE for sole traders and partnerships), which would reduce ID confusion within the tax realm.

Thanks (3)
Replying to charliecarne:
avatar
By flightdeck
09th Dec 2021 13:05

A simple excellent idea!

Thanks (1)
Replying to charliecarne:
Pile of Stones
By Beach Accountancy
09th Dec 2021 15:54

Excellent idea, but clients would simply use last time's reference on their phone banking app and so pay CT into the PAYE account. Again.

Thanks (0)
Replying to Beach Accountancy:
By Charlie Carne
10th Dec 2021 09:24

Although some will, it will certainly be much easier for them to just change the suffix letter and get that right (it doesn't require much effort or memory to use 'C' for corp tax or 'P' for PAYE) than it currently is to use a completely different UTR. Also, I'd hope that we will soon get a combined tax payment screen in which we (as agents) or the taxpayer can move payments across tax headings when an error has occurred.

Thanks (0)
avatar
By flightdeck
09th Dec 2021 12:54

Yes, absolutely. Let us have another failed project / system where lipstick is applied to the pig.

Thanks (0)
avatar
By NotAnAccountant2
09th Dec 2021 16:12

https://xkcd.com/927/

For every complex problem there is an answer that is clear, simple, and wrong.

Thanks (1)
Replying to NotAnAccountant2:
Avatar
By TBro4iuABEW6Qmh74nRteQz3
10th Dec 2021 15:44

> reminded of relevant xkcd cartoon
> came to post this cartoon
> mfw already posted.

Bobby Tables next week then?

Thanks (0)
John Toon
By John Toon
10th Dec 2021 12:37

As an e-resident of Estonia this isn't a big or overwhelming problem to overcome if it's planned and implemented properly with a coherent, cohesive strategy to draw together all the various government departments.

Yes Estonia is a much smaller country than ours but they've had e-residency for over 20 years now and you interact with healthcare, business, tax agencies and government with one single digital identity

Thanks (0)