Shared Key pilot
54. The decision to proceed with a pilot of infrastructure for shared keys, involving a number of 'live' agency applications (Component 5), is the only 'on the ground' product (as opposed to reports, standards etc.) expected from the II during its expected (2 year) lifetime. Leaving aside any agency applications that follow Standards issued under Component 1, the Shared Key pilot is therefore the only component which has the potential to directly affect individuals' privacy during the Initial Implementation. [There may of course be other agency authentication initiatives progressing in parallel with this project which will have direct privacy implications. While it is intended that these should operate within the framework of Standards issued under the all-of-government Initial Implementation, it remains to be seen (as with all non-statutory Standards approaches) how well this intention can be promoted and enforced.]
55. Whether it does affect individuals' privacy in practice depends partly on which agencies and applications participate in the pilot, and partly on what, if any, personal information is involved in the use of the infrastructure.
56. The functionality of the proposed Key Hub has not been specified in any detail, but it is clear that it is intended to form the basis of a long term infrastructure for a much wider application, i.e. it is not a 'throw away' pilot. In the absence of any detail about the pilot it is impossible to say which, if any, of the concerns expressed in the initial PIA, and the resulting recommendations, will remain valid. However, a number of observations can be made on the basis of the documentation available to date.
57. The Project Team are confident that a shared keys function can operate independently of any EOI processes and without a centralised Credential. [This view is supported by the Hunter Group IQA assessors.] Service Agencies (SAs) would remain responsible for registering clients, with a requirement for EOI processes appropriate to their specific trust levels. [The IQA Assessors suggest that the trust level analysis needs to be updated, and this is consistent with some of the reservations in the initial PIA about the justification for requiring authentication.] New clients could be issued with a one-time code which would allow them access to a website to associate one or more Key Serial Numbers (KSNs) with the agency's customer ID.
58. In an idealised system, Key Providers (KPs) would not need to keep any personal information about Key holders, but it seems likely that KPs would hold personal information for a variety of purposes including the initial issuance of Keys, and the provision of help-desk services. The design does however provide for separation of roles to minimise the information held by KPs. It is possible that KPs will not hold any records of enquiries by individual Service Agencies in relation to particular keys, even for billing purposes. [High Level Technical Design, v.1.0, 18 February 2004. KPs would presumably bill the Central Logon Site, which in turn would bill the Service Agencies.]
59. The documentation about the Shared Keys pilot seems ambivalent about multiple keys: the purpose clearly anticipates multiple keys [Implementation Options for Shared Keys Pilot, v.0.3, 22 March 2004, paragraph 2], but the objective appears to remain to enable individuals to have one Key for use in all of their authenticated government online transactions. [Outline of Shared Keys Pilot, v.1.0, December 2003, page 1] These are not necessarily incompatible, but it would be helpful to confirm that the scheme will accommodate individuals who choose to hold multiple keys and use different keys for different government services. (See Recommendation 6 of the initial PIA.)
The issue of whether Service Agencies should also be Key Providers is to be given further consideration - privacy and security factors are involved.
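As an added illustration (not the project's design or code), the following Python toy model walks through the registration and one-time-code association flow described in paragraph 57 and the multiple-keys case raised in paragraph 59. The KSN format, the code lifetime, the single-use handling of the code, and the assumption that the Service Agency rather than the Key Provider holds the KSN-to-customer-ID link are all constructed for this example.

```python
import secrets
import time

# Constructed toy model of the association flow in paragraph 57.
# Assumption: the Service Agency (SA), not the Key Provider (KP), holds the
# link between a Key Serial Number (KSN) and the agency's own customer ID.
class KeyProvider:
    """Issues Keys and records only the KSN and issue time (assumption)."""
    def __init__(self):
        self.keys = {}
    def issue_key(self):
        ksn = secrets.token_hex(8)          # constructed KSN format
        self.keys[ksn] = {"issued": time.time()}
        return ksn

class ServiceAgency:
    """Registers clients after its own EOI process and links KSNs to IDs."""
    CODE_TTL = 600                          # one-time code lifetime (assumed)
    def __init__(self, name):
        self.name = name
        self.pending = {}                   # one-time code -> (cust_id, expiry)
        self.links = {}                     # cust_id -> set of KSNs
    def register_client(self, cust_id):
        code = secrets.token_urlsafe(12)    # issued once EOI has been completed
        self.pending[code] = (cust_id, time.time() + self.CODE_TTL)
        return code
    def associate(self, code, ksn):
        entry = self.pending.pop(code, None)  # single use: gone after first try
        if entry is None:
            return False
        cust_id, expiry = entry
        if time.time() > expiry:
            return False                    # expired code is simply discarded
        self.links.setdefault(cust_id, set()).add(ksn)  # several KSNs per client
        return True
    def customer_for(self, ksn):
        return next((c for c, k in self.links.items() if ksn in k), None)

def run_pilot():
    """One individual, one KP, two SAs, and a different Key for each agency."""
    kp, sa_a, sa_b = KeyProvider(), ServiceAgency("SA-A"), ServiceAgency("SA-B")
    k1, k2 = kp.issue_key(), kp.issue_key()
    code_a = sa_a.register_client("A-1001")  # constructed customer IDs
    code_b = sa_b.register_client("B-77")
    first = sa_a.associate(code_a, k1)
    replay = sa_a.associate(code_a, k2)     # reusing the one-time code must fail
    second = sa_b.associate(code_b, k2)
    kp_holds_ids = any("cust_id" in rec for rec in kp.keys.values())
    return first, replay, second, sa_a.customer_for(k1), sa_b.customer_for(k1), kp_holds_ids
```

The returned tuple shows that the code cannot be replayed, that SA-B learns nothing about the Key used at SA-A, and that the KP record never carries an agency customer ID.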
60. The pilot will also need to address the privacy and security issues about the potential use of Key Serial Numbers, highlighted in Recommendations 7 and 20 of the initial PIA.
61. A 'report-back' on the development of plans for a Shared Key Pilot is proposed in October 2004. The PIA consultants recommend that a further privacy impact assessment/technical review of these plans be undertaken for this report-back.