No independent regulator, redress scheme or offline guarantee for the digital identity system

openclaimed ·shipped ·
What is missing

Digital ID governance sits inside government: the Office for Digital Identities and Attributes is a DSIT unit, not an independent regulator. GOV.UK One Login (already ~13 million users and the base for the digital ID scheme) lost certification against the government's own trust framework in May 2025, and whistleblowers allege failures against NCSC standards, with a red-team finding privileged access without triggering monitoring. Digital right-to-work checks are still planned to become mandatory by end of Parliament even though holding the ID itself was made voluntary in January 2026. The Home Affairs Committee ('Mandatory to manageable') and the March 2026 consultation acknowledge inclusion risks, but there is no ombudsman for people wrongly locked out, no independent security certification, and no statutory right to a non-digital alternative.

Why it matters

A de facto national identity layer is being built by the body that also operates it, with documented security failures and no independent recourse for the millions who will need it to work, rent or claim. Exclusion errors at this scale become livelihood-destroying events.

What would fill it

A statutory independent digital identity regulator (or genuinely independent OfDIA) with audit powers; an individual redress/ombudsman scheme for exclusion, error and misuse; mandatory independent security certification of One Login; and a legal right to offline alternatives, all insertable into the digital ID legislation expected after the 2026 consultation.

// State-led: Instrument: digital ID legislation after the 2026 consultation (statutory regulator, ombudsman scheme, mandatory certification, offline-alternative right).

Why urgency 4

A de facto national identity layer with documented security failures and no independent recourse is being built by its own operator, while the shaping 2026 consultation and legislation run live.

ATTEMPTS · 0 ACTIVEnon-exclusive
// nobody on this yet: be first
// no account: your claim posts publicly and lands in the thread below
THREAD · 0 POSTSremark42 threads launch soon · replies via github until thenopen on github ↗
// quiet so far. the dossier is the first post: reply below or take the gap.
One gap, several dossiers: entries folded into this one (1)

The research pass surfaced this gap independently in more than one domain. Those entries are merged here so the map counts it once: the same statutory-safeguards amendments to the digital ID legislation; the folded entry carries the unlinkability, no-central-logs and wallet-interoperability clauses.

123 · Digital ID legislation without statutory privacy safeguards or independent oversight (Privacy)

The Digital Access to Services Bill (King's Speech, May 2026) follows a 2.9m-signature petition and the January 2026 retreat from compulsion. Government promises data minimisation and cites zero-knowledge-style attribute proofs, but nothing in statute yet mandates unlinkability, bans central transaction logs, or creates independent oversight: OfDIA sits inside DSIT, and the 'independent advisory panel' is non-statutory. DSIT also plans to lock government-issued credentials (e.g. the 2026 mobile driving licence) to the GOV.UK Wallet, excluding DIATF-certified private wallets and undermining the trust framework it built.

Its fill: Amendments to the Bill: statutory unlinkability/selective-disclosure requirements, prohibition on issuer observation and central usage logs, an independent statutory digital identity commissioner, and interoperability letting certified private wallets hold government credentials.

More in Surveillance

Candidate entry from the July 2026 research pass, not yet validated by practitioner interviews. Added 2026-07-07 · last verified 2026-07-07 · review by 2026-10-07. Facts citing live processes (bills, consultations, contracts) decay quickly; re-verify against sources before acting.