The UK Labour government has refreshed the previous government’s privacy law amendments with the Data (Use and Access) Bill. Similar to AI regulation, laws often trail behind technological advancements, leaving gaps that need careful consideration.
Let’s examine what this means for identity verification (IDV) providers and their clients.
Fully automated processing of biometrics gets stricter
The Bill introduces new rules around the use of biometrics in fully automated decision-making in high-risk use cases. It requires consent from end users, and it requires that the biometric processing be necessary to perform the contract between the end user and the controller.
The rules bite on those verifying users for critical services like:
- Government services access
- Right-to-work checks
- Right-to-rent checks
- DBS checks
- Bank account openings
- Access to health services
For organisations that already follow best practices by having manual oversight of the end-to-end flow, for example by reviewing all transactions flagged as potentially fraudulent, the changes will have minimal impact.
Organisations that don’t review flagged high-risk transactions will need to collect informed and genuine consent from the end user and also consider if the biometric processing is necessary.
These entities will also need to meet the following requirements:
- Organizations must provide human appeals processes
- End users need clear information about rejections
- Users have the right to make representations
Scientific research gets clearer
Previous uncertainty around commercial use of data for research purposes led to extensive consultation feedback. The new Bill responds with welcome clarity:
- Commercial AI training now falls under scientific research
- Data reuse for research becomes more straightforward
The distinction matters, especially since IDVerse maintains its commitment to never using personal data for training its algorithms.
This shift makes it crucial for organizations to scrutinize how their identity service providers handle data. The ethical implications of training data usage, as we’ve discussed previously, become even more relevant under these new guidelines.
Digital verification services: A legislative foundation
The Bill establishes legal backing for Digital Verification Services (DVS). Good news for IDVerse—our existing UK DIATF service (Beta) certification should transition smoothly to the new DVS framework.
A promising development is the legal framework for opening up access to government data for certified DVS providers. All identity companies in the UK have waited a long time for these data sources to be opened up, and no one is holding their breath.
Looking ahead
This legislation represents a thoughtful approach to balancing innovation with privacy protection. Organizations using identity verification services should:
- Review their handling of biometric data
- Ensure appeal mechanisms exist for automated decisions
- Understand their providers’ data usage practices
Those using multiple IDV providers should pay particular attention to how each vendor sources their training data. The ethical implications of data collection practices, as highlighted in recent controversies, remain critical considerations.
The path forward requires careful attention to both compliance and ethics. Smart companies will use this moment to review their identity verification practices, ensuring they meet not just legal requirements, but ethical standards as well.
About the author:
Peter Violaris is Global DPO and Head of Legal EMEA for IDVerse. Peter is a commercial technology lawyer with a particular focus on biometrics, privacy, and AI learning. Peter has been in the identity space for 7 years and before that worked for London law firms.