New law seeks to encourage digital verification services

After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change. 

For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.  

The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same. 

This series of blogs from the IT & data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things. 

If you need a reminder about the meaning of some of the key data protection terminology used (eg personal data, data subject, data controller, processing), please refer to our glossary here. 

DUAA isn’t just about data protection though. As discussed in this post, it also breaks new legal ground in other areas. For example, as discussed in this article, by introducing new rules governing the provision of digital verification services.

New law seeks to encourage digital verification services

I can vividly remember how angry my wife was when I temporarily misplaced a folder containing her academic transcripts. I remember attempting an ill-advised defence: surely there was a digital version somewhere?

When we had found the folder and simmered down, she explained that in the country her parents were born, the loss of such a document would be irreversible. In other words, a student who lost their transcript would be forced to repeat their exams in order to be permitted to start their university degree.

The point of this story is that identity verification matters. A range of different organisations have a valid reason for wanting us to prove that we are who we say we are and the wheels run more smoothly if the mechanism for providing this proof are cheap, safe and efficient.

Identity/credential proofing methods which rely on physical documents is that they can be expensive, inefficient, and vulnerable to fraud. In an effort to solve this problems, the government has said that it intends to encourage the development of the digital verification services (DVS) market. This journey began in 2019 with a public consultation on digital identity. The consultation concluded that the digital verification services market would benefit from: 

(i)    Clear rules about how DVS providers should operate; 
(ii)   Clear mechanisms to prove that those rules were being followed;
(iii)   A mechanism to allow such organisations to carry out checks against government held data.

Much work has already been done in this area. The government has already created a register of DVS providers that are certified against a government endorsed trust framework. 

DUAA puts the nascent DVS governance framework on the statute book. It requires the government to:

• Publish and maintain rules to govern the provision of digital verification services (“the DVS trust framework);
• Establish and maintain a publicly available register of persons providing digital verification services (the “DVS register”);
• Register DVS providers that comply with the DVS trust framework on the DVS register after they have been checked by an ‘accredited conformity assessment body.’

DUAA also envisages: 

• a new power for public authorities to disclose information they hold about an individual to DVS providers to enable the DVS provider to carry out digital verification services on that individual’s behalf (the “Information Gateway”); and
• DVS Providers on the DVS Register having exclusive use of a mark  to demonstrate that they comply with the DVS trust framework (the “Trust Mark”). At the time of writing,

The DVS governance framework is administered by the Office for Digital Identities and Attributes (OFDIA). On 18 September 2025, OFDIA published an update saying its current focus is on the following three use cases for digital identity verification:

• Hiring and onboarding employees.  
• Age verification (for example proving you are old enough to buy alcohol, tobacco, vapes and other age restricted products/services). As a first step, the Licensing Act 2003 will be amended to allow for the use of digital ID to prove you are old enough to buy alcohol. Landlords and retailers will not (at least initially) be required to accept digital proof of ID, but they will have the option of doing so.  
• Financial services (the Government has said that it will be releasing guidance to the industry on how to use DVS for identity verification for the purposes of proving compliance with the Money Laundering Regulations 2017). 

Practical tips

• Retailers that sell age restricted products should start trying to understand the ways in which their customers may now wish to provide digital proof of their identity.  
• The financial services industry should proactively explore ways to offer DVS as an alternative to existing ID verification methods that require customers to take hard copy documents in person to a physical location such as a high street bank.
• Providers of DVS that are not yet on the DVS register should consider joining. Those who are already registered should make sure that registration is maintained.
• Organisations that use DVS may wish to ensure that their provider is listed on the DVS register.