6 May 2026 · 5 min read · Digital ID · UK Policy · Civil Liberties

UK Digital ID: Ten Safeguards Parliament Must Legislate

Our litigation-grade response to the Cabinet Office consultation on digital identity (CP 1498). Conditional support in principle, ten demands in primary legislation.

On 5 May 2026 we submitted a formal response to the Cabinet Office consultation “Making public services work for you with your digital identity” (CP 1498). This is a condensed version of the substantive argument.

Our position is conditional support in principle, structural opposition to the proposed trajectory. Estonia, the EU under eIDAS 2.0, and Australia under the Digital ID Act 2024 demonstrate that privacy-preserving digital identity is technically achievable. The UK proposal does not, on its current architecture, meet that bar.

The convergence problem

The same passport, DVLA, and immigration biometric databases that would anchor a national digital ID are simultaneously the subject of expanded police facial-recognition access (Home Office DEP2025-0828). Two consultations, one infrastructure. Without a statutory firewall, identity verification for a council form and biometric search by a police officer end up drawing on the same lookup table.

That is the single most important fact in this debate. Everything else follows from how seriously you take it.

Why “voluntary” is not enough

The government has stated digital ID will be voluntary. That assurance is policy, not law, and it survives only until the next administration. Aadhaar in India was launched as voluntary in 2009. It now has 1,200+ statutory and de facto use cases — a 9,130% function creep. Companies House mandatory verification went live in the UK on 18 November 2025, affecting 6–7 million individuals. Function creep is not hypothetical; it is the default trajectory of any centralised identity system absent explicit legal constraint.

The OSA age-verification rollout offers a useful empirical signal. UK VPN demand surged ~1,800% in the week following 25 July 2025 enforcement. A 2.8 million signature petition followed. 127+ UK forums elected to exit the market. These are not the indicators of a public that has consented to expanded state identity infrastructure.

Ten demands in primary legislation

Anything short of statute can be reversed by a minister. We asked Parliament to legislate, in primary legislation, the following ten safeguards:

  1. Statutory non-mandation. A right not to use the system, with enforceable remedies. Australia’s Digital ID Act 2024 ss.7–9 is the model.
  2. Statutory firewall against police facial-recognition access. No identity database may be used to train, seed, or query an FR system without specific judicial pre-authorisation under PACE thresholds.
  3. Decentralised architecture by design. W3C Verifiable Credentials, DIDs, zero-knowledge proofs, and selective disclosure as the default. No central wallet, no central ledger of transactions.
  4. Statutory purpose limitation and anti-aggregation. A relying party may receive only the attributes it strictly needs. Cross-context linkage prohibited absent specific consent.
  5. Right-to-work check redesign. Binary attestation only — “this individual has the right to work” — delivered by zero-knowledge proof. No underlying immigration data to the employer, ever. Good-faith reliance defence for employers.
  6. Children’s data. Minimum age 16 for unsupervised use. No under-13s. A school-issued sandbox for 13–15s, sunsetting at 16.
  7. Independent statutory Digital Identity Commissioner. JAC-style selection. Pre-authorisation power over new use cases. Two-year cooling-off period before commercial post-tenure roles.
  8. Mandatory privacy-by-design technical controls. On-device biometric matching. Hardware-backed keys. Encrypted-at-rest by default. Third-party audited; published assurance.
  9. Statutory redress framework. When the system gets it wrong — and biometric systems demonstrably do — individuals must have a meaningful, time-bounded path to correction and compensation. The Windrush failure mode must not be replicable.
  10. Five-year sunset clause. The legislation must self-repeal absent parliamentary renewal. No identity infrastructure should outlive democratic mandate.

What the architecture should look like

The privacy-enhancing technologies needed for this already exist and are deployed in production elsewhere:

  • Zero-knowledge proofs for attribute attestation without disclosure
  • Selective disclosure JWTs (SD-JWT VC) for verifiable credentials
  • BBS+ signatures for unlinkable presentation
  • On-device biometric matching with hardware-backed keys
  • Decentralised identifiers (W3C DIDs) for portable identity
  • Secure multi-party computation for cross-organisation verification
  • Differential privacy for any aggregate analytics

The UK has the technical talent and the regulatory machinery to build this. The Office for Digital Identities and Attributes (OfDIA) under the Data (Use and Access) Act 2025 is the obvious institutional home, with a substantially expanded remit and constitutional independence.

The vendor question

Any digital identity architecture will be implemented by suppliers. The current market — Yoti, Onfido, Jumio, ID.me, IDEMIA, AU10TIX — has known concerns: NIST FRVT Part 3 (2019) found ID.me’s algorithm to have a false positive rate of 1:12,500 for Black faces vs 1:48,000 for White faces. The AVPA’s anti-ZKP lobbying is on the public record. Vendor selection cannot be left to procurement alone; statutory criteria, including bias bounds and ZKP support, must constrain it.

What we are asking for

Not a moratorium. Not opposition to digital services. A statutory framework that takes the technical possibilities seriously and the political history of identity systems just as seriously.

If the UK builds a digital identity system on these foundations, it will be world-leading. If it builds one without them, it will be replicating, in slow motion, the surveillance architecture it would have to defend itself against in twenty years.

We have a window. It closes the day the first piece of secondary legislation expands scope without primary debate.


The full 80-section submission is on file with the Cabinet Office. Cosmo Codex Ltd, Company No. 16627148, is a UK privacy-first technology company. This submission was authored by the CEO, an IAPP Fellow of Information Privacy, and is internally consistent with our parallel submission to the Home Office FR consultation (11 February 2026).
