Skip to the content

Putting privacy and consent in the hands of citizens



Eve Maler, VP innovation and emerging technology, ForgeRock Identity Platform, explains that the User-Managed Access protocol benefits citizens and organisations

Many of our favourite apps today have a ‘Share’ button. Wouldn’t it be great if we could have such a simple way of sharing – and controlling – our digital identity information? Just think how such a facility could help improve delivery of public services whilst building trusted relationships with the citizen.  

A new technology called User-Managed Access (UMA) offers the potential to do just that. UMA is an internationally agreed web protocol that gives citizens, patients, and consumers one-stop fine-grained control over sharing their digital information with others – whether it be applying for financial services, for example, or proving eligibility for public services.

This is great for the citizen! But from the organisation’s point of view the benefits are also enormous. Exercising a duty of care to give citizens proper data sharing controls is important. But equally, being sure that the parties accessing the personal data are who they say they are, is key.

Think of UMA as providing a capability for a central authorisation service at which citizens can set, monitor, and manage sharing preferences for data that could be held by multiple organisations – private or public sector. Think of the ‘sharing preferences’ as policies: they’re about who and what gets access, for how long, and under what circumstances to what information. ‘Share’ buttons in user applications might literally drive the creation of these preferences.

The latest update to ForgeRock’s open-source Identity Platform implements the UMA standard. In fact, I am proud to say that the ForgeRock Identity Platform is the first identity management platform to support UMA for consumer consent and data sharing.

Why do we need UMA?

For individuals to sustain and grow trust in the organisations with which they interact online, it is essential for those organisations to demonstrate trustworthiness and transparency. And with that trust can come better public service and health outcomes, improved data quality and accuracy, and even improved data sets for clinical research. In many cases, individuals are motivated to share data for reasons of their own; they are simply uncomfortable about the intentions of those with whom they have shared it. With control back in their hands these trusted relationships can be forged.

However, most businesses and most regulations have – understandably – focused on the data protection, risk mitigation, and compliance aspects of privacy. In other words, privacy has largely been about “ensuring that data doesn’t get out”. As a result, tools for enabling individuals to share data selectively – what could be called “consent technology” – have been limited.

But new forces are coming into play. Consumers have become ever more sceptical and cynical as data leaks, hacks and breaches are reported in the mainstream press on a seemingly weekly basis. In addition, the regulatory landscape is now shifting - as we have seen with Safe Harbour and the approval of the new EU General Data Protection Regulation regime – and the Internet of Things is pushing data volumes and sources to new heights. In the face of all this, the public sector is keen to build trusted digital relationships with its citizens.

UMA’s design centre can be expressed simply: Based on OAuth (the international standard for identity) the protocol is designed to give an individual a unified control point for authorising who and what can get access to their digital data, content, and services, no matter where all those things live. The resulting architecture makes UMA a strong basis for tools and solutions for building trusted digital relationships, both from the perspective of addressing externally imposed consent requirements and from the perspective of demonstrating trustworthiness to citizens.

Managing consent more effectively in practice

Warwickshire County Council, the Open Internet Exchange (OIX), the DWP & ForgeRock have been working on the concept of an online service eligibility checker in a leading edge, digitised Blue Badge application pilot. The results are proving so interesting that the NHS are now joining the team to explore whether automated checking of NHS data could widen the range of such a service.

In the trial, if a citizen is citing a DWP benefit as their evidence for Blue Badge eligibility, identity is first checked via the GOV.UK Verify platform before asking the applicant for their permission to make the necessary eligibility checks with DWP records. Under UMA rules, control of the data lies with the applicant at all times.

If successful, this reusable, scalable concept could deliver a "seismic shift" at the heart of digital public service provision.

Here’s to more “context, control, choice, and respect” for citizens' data in 2016!


Read the new whitepaper written by Eve Maler, Chair of the UMA Work Group, and VP of Innovation and Emerging Technology at ForgeRock: Achieving Scalable Access Control and Privacy Protection With User-Managed Access

User-Managed Access (UMA) is an OAuth-based access management protocol standard. Version 1.0 of the standard was approved by the Kantara Initiative on March 23, 2015.

Register For Alerts

Keep informed - Get the latest news about the use of technology, digital & data for the public good in your inbox from UKAuthority.