ScotAccount – Why secure, reusable digital identity matters
The first minister’s new policy prospectus, Equality, opportunity, community, sets out the importance of “rolling out modern digital services that are easy to access, reliable and effective”. This will “remove the need for manual processing, reduce failure demand and meet people’s expectations of how they want to interact with government, securely and in a manner which protects their privacy”.
This is what we’ve set out to do by delivering ScotAccount as a public sector-wide digital identity service. This is a reusable set of digital common components, that can be integrated into public services, to enable people to securely access the services they are entitled to.
This is also a commitment within Scotland’s Digital Strategy, A changing nation: how Scotland will thrive in a digital world, jointly developed by Scottish Government and Cosla. The strategy commits to introducing a digital identity service for all users.
Being sure of the identity of the person applying or returning to a service reduces identity theft and fraud and ensures that services and payments go to the right person. ScotAccount simplifies things for both the user and the service they are accessing and offering a common approach, across the public sector, provides scale and value for money.
We launched the first live trial version (private beta) of ScotAccount on 28 February 2023, in partnership with Disclosure Scotland. Users can create a secure ScotAccount, using two-factor authentication, and verify their identity to access the results of their disclosure checks. We aim to begin roll out to other services later this year.
ScotAccount – a standards-based approach
ScotAccount is standards-based, accessible and designed around the needs of users.
We have designed ScotAccount with the Digital Scotland Service Standard at its core. The standard – which all organisations delivering public services should work towards – aims to make sure that services in Scotland are continually improving and that users are always the focus. ScotAccount also embeds the Scottish Approach to Service Design and has been shaped, so far, by over 40 rounds of user research, and deliberative public engagement.
ScotAccount has been independently assessed to meet the UK Government Good Practice Guide standards for digital identity, which mitigates the risk of identity fraud.
Our overall approach to ScotAccount is also designed to protect people’s privacy and personal information. There are several measures to implement “privacy by design”, for example: users only share the minimum information they need to provide to access a service and there is no centralised database of personal information. Additionally, personal data and biometric information, processed during identity verification, will be deleted after the checks are complete. This sensitive data cannot be retained by our technology partner – which is a clear condition of our use of private sector provider technology, within our service components.
ScotAccount follows technical and security standards, in line with National Cyber Security Centre guidance. ScotAccount has robust encryption and authentication protocols, making it difficult for malicious actors to forge or tamper with digital identities. This helps protect against identity theft, fraud, and unauthorised access to sensitive information.
With a reusable digital identity, people can verify their identity quickly and securely across services. Reuse across multiple services also means that people can use their secure ScotAccount login credentials and digital identity across multiple services. This means less repetition and reduces the effort for both users and public services.
A reusable digital identity can also lead to cost savings. Repeating similar online checks across different services duplicates effort and cost. Reusing a digital identity reduces the number of checks that need to be done. In-person checking of physical documents and manual processes can also be expensive and time-consuming. ScotAccount reduces the reliance on in-person checking, and enables users to directly access services online. Furthermore, ScotAccount is a set of common components ready for integration for public services – which means organisations do not need to build their own approach.
The Digital Scotland Service Standard states “make sure everyone can use the service”. This means providing a service that everyone can use, including disabled people and people who don’t have access to the internet, or lack the skills or confidence to use it.
We have tested ScotAccount against the Web Content Accessibility Guidelines, and we have included specific rounds of research with people with accessibility needs, including disabled people. For example, users with visual impairment showed us how they navigate our service using assistive technology, and we made design changes in response to their feedback.
We are also committed to maintaining offline routes, for users who are unable to use, or choose not to use, a digital route.
Public engagement research highlighted that people recognise the importance of overcoming barriers for those who have accessibility issues. They were also highly supportive of offering an offline alternative, where this is needed.
The Digital Scotland Service Standard also states that all services are designed to meet the end-to-end needs of the user.
By engaging with the public at every stage of the service development and using an iterative development process for ScotAccount, we have developed a user-friendly approach.
Our public engagement research showed that there is a strong appetite for ScotAccount. Most see it as a simple and convenient way to access public services in Scotland, addressing many pain points with existing services – such as the need to use multiple accounts and to repeat processes. People also value control over their own personal data at every stage.
Effective collaboration for digital transformation
I am presenting our work on ScotAccount, jointly with Disclosure Scotland, as part of a case study at the Digital Transformation 2023 event, and I am happy to speak to any services who are interested in rolling out ScotAccount as part of their service.
Isaac Smith is deputy director for cloud and digital services within the Digital Directorate of the Scottish Government. He will be speaking at Holyrood's Digital Transformation event on 6 June.