Fact check: How does the UK's digital ID system handle user consent under GDPR?

1. Why the government says consent is central — and what that claim actually covers

Government guidance frames the digital ID scheme around user-initiated sharing and device-stored credentials, presenting consent as a cornerstone of design rather than a mere afterthought; officials explicitly say that sharing “should be instigated by you” and that credentials are held on users’ devices to strengthen control ^[1]. Those official descriptions emphasise privacy by design, encryption, and user choices about when and how to prove identity, which aligns conceptually with GDPR’s demands for lawful, transparent processing and user control over personal data ^{[1] [2]}. Yet these claims are high-level and do not substitute for concrete procedural safeguards such as granular consent UIs, revocation processes, purpose limitation records, or controller-processor contractual proof that GDPR requires.

2. What the One Login privacy notice actually explains about consent

The GOV.UK One Login privacy notice details the categories of data collected for identity verification — names, dates of birth, document images, and address data — and says information is used for specified service access and checks via identity providers ^[2]. The notice references user choice when sharing data with services but stops short of granular explanation of how consent is obtained, recorded, or withdrawn in line with GDPR’s standards for freely given, specific, informed and unambiguous consent. This gap matters because GDPR requires not just claims of control but demonstrable consent mechanisms and records, especially where sensitive identity verification and third-party attribute provisioning are involved.

3. The certification loss: a practical red flag on consent and trust

One Login losing certification against the government’s Digital Identity and Attributes Trust Framework signals operational or compliance shortcomings that go beyond abstract design promises ^[3]. Certification assesses conformity with the framework’s security, governance and privacy norms; losing it suggests auditors found gaps possibly including how consent, data minimisation, or accountability measures are implemented. The certification loss does not by itself prove GDPR breaches, but it elevates the importance of transparent remediation: clarifying consent flows, logs, vendor relationships, and independent oversight to demonstrate lawful processing consistent with GDPR obligations.

4. Competing framings: security/utility vs. privacy/safeguards

Promoters frame the scheme as solving practical problems — smoother access to services, tackling illegal working, and offering alternatives for non-smartphone users — while asserting privacy-protective technology like on-device credentials and encryption ^[4]. Critics and audit outcomes raise concerns that mandatory uses (such as Right to Work checks) and reliance on identity service providers could create pressure to share data or obscure consent dynamics, risking function creep or disproportionate processing. This tension underscores the need to reconcile public policy goals for utility and enforcement with GDPR’s strict limits on lawful bases, necessity, and individual autonomy.

5. What specific GDPR compliance elements remain ambiguous in public documents

Public materials do not clearly document several GDPR-critical elements: whether consent is the primary lawful basis for all attribute sharing or whether other bases (legal obligation, public interest) are relied on for specific checks; how consent granularity is presented to users; how revocation and portability are enabled; and how controllers demonstrate accountability through Data Protection Impact Assessments and processor agreements ^{[1] [2] [3]}. These omissions are consequential because GDPR demands not only rights on paper but operational evidence of their invocation and enforcement for high-stakes identity processing.

6. What independent actors and audits should demand next

Given the certification setback, regulators, civil society, and auditors should press for published remediations: detailed consent UI examples, logs showing consent capture and withdrawal, DPIAs, and contractual assurances with identity providers about purpose limitation and data deletion ^[3]. Parliamentary and ICO scrutiny should also clarify when and how mandatory uses (e.g., Right to Work) rely on consent versus statutory bases, and ensure redress pathways are clear and usable for individuals who believe their data has been misused.

7. Bottom line: promises exist, proof is still needed

Official materials promise user control and GDPR-aligned design, but those promises are not yet matched by publicly available operational evidence showing how consent is captured, structured, and audited across the ecosystem ^{[1] [2]}. The One Login certification loss amplifies the urgency for transparent, documented fixes and independent verification so that consent in practice — not only in policy statements — meets GDPR’s legal and accountability standards ^[3].