Digital
Privacy by design and default – ScotAccount
February 29, 2024 by Stewart Hamilton No Comments | Category Digital Identity, ScotAccount
Laurie Brown, Digital Information Security Officer, provides strategic information security direction, assurance, and governance across a number of Scottish Government digital public services including the work to introduce ScotAccount.
ScotAccount is an online service that allows people to sign in to public services in a user-centred and secure way. It makes accessing services easier and simpler because you will be able to use one account to sign in to a variety of services. You can also verify your identity, if necessary, and choose to save your verified personal information in your ScotAccount so you can use it again when applying for other public services.
Our approach towards privacy
In my previous blog, I introduced you to the privacy, security, and usability principles I use within Scottish Government to embed security in service design.
In this blog, I share more detail on the first of those three principles ‘Privacy by design and default’. My next blogs in this series will cover the other two areas.
Privacy is fundamental to ScotAccount. We understand that for the service to be trusted, it needs to demonstrate how personal data is being processed, as well as why, where and by whom.
Data protection legislation also sets out legal requirements on how organisations, businesses and government use personal data that we must adhere to.
As a rule, I approach security threat modelling and risk assessment of a service in terms of the confidentiality, integrity, and availability of information. The confidentiality assessment typically surfaces privacy-related risks and focuses any security efforts required to manage those risks. This activity is carried out once the solution architecture is clearly understood, and before any build work takes place.
For ScotAccount, I wanted to take a different approach given how integral privacy is to the service and how important it is that end-users can trust we are protecting their data every step of their journey. With that in mind, I commissioned a specific privacy threat model and risk assessment involving the Scottish Government information assurance and data protection team to evaluate an early conceptual idea of what ScotAccount could look like.
By completing the privacy modelling and assessment much earlier in the development process, the anticipated privacy risks influenced the solution architecture and fed into the subsequent security threat modelling and risk assessment activity. There is a very good Privacy Threat Modelling podcast episode available from Chris Romeo’s ‘the Threat Modelling Podcast’ series if you wanted to hear more on the value of this approach.
I also brought the same information assurance and data protection team into ScotAccount’s security and privacy governance board. There, they can directly challenge and support the service designers’ feature proposals from a privacy perspective, ensuring that where any involve personal data being processed, these are reviewed to meet regulatory needs such as proportionality, necessity, and lawfulness.
Through this approach towards privacy and data protection, I believe that a clear demonstration of privacy by design and default has and continues to be demonstrated within the ScotAccount service.
The importance to the public sector
Demonstrating privacy by default and design is not only important to ScotAccount end-users, but also the public service organisations adopting ScotAccount. This includes Disclosure Scotland, who are working in partnership with us to help shape the service.
We are doing this in several ways. One of these involves demonstrating compliance with a range of standards. Most are cyber security focused such as ISO/IEC 27001, but there are also privacy-specific standards including ISO/IEC 27701 which is called for under the UK Government trust framework. We are aligned with these for the benefit of ScotAccount end-users and our service customers.
We are also ensuring that privacy supporting features are built into ScotAccount to address the risks we have identified and assessed. The National Cyber Security Centre (NCSC) guidance on security outcomes covers many of the features we have built and are continuously improving. These include data encryption, multi-factor authentication, regular security penetration testing with NCSC approved suppliers, actively managing software vulnerabilities, security monitoring and well-rehearsed incident response plans.
ScotAccount also has the benefit of an external advisory Expert Group who have a strong ethics and privacy-focus amongst their membership. This has been invaluable to the service, allowing us to obtain challenge and support where needed.
A look to the future
Finally, privacy by design and default is not something you do at the start and shelve once you are fully operational. I am regularly looking at privacy-enhancing technologies and evolving guidance with a view to continuously challenging and improving the privacy of digital services, this includes, for example, the ICO consultation on the draft biometric data guidance.
In my next blog, I will talk more about ‘Security by design and default’ and explore the balance of making ScotAccount secure and efficient, without breaking it or making it unusable.
The final blog in the series will cover the ‘Usability by design and default’ principle, exploring the experience we want to deliver and how we are making it as widely usable as possible.
How to contact the team
You can subscribe to Scottish Government Digital Scotland newsletter for regular updates on ScotAccount and other digital projects.
If you work for a public service organisation and are interested in finding out more about ScotAccount, or to access our test environment, you can get in touch with the team by emailing: scotaccount@gov.scot
Tags: digital, Digital Scotland, Digital Scotland Service Standard, identity, ScotAccount, scotland
RSS
Email
Leave a comment