The Trust Framework in lay terms

Last year the Department for Digital, Culture, Media & Sport (DCMS) launched the Trust Framework. They aimed to establish principles, policies, and procedures for securely managing identities in the digital age. The beta phase is now live and gaining traction, with innovative companies moving quickly to certify against the standards and help shape the space.

But what does the Trust Framework really do, and how will different companies engage with it? Never keen on unnecessary complexity, we've tried to boil it down below in an effort to get everyone up to speed. 

What's its purpose?

The Trust Framework creates rules and standards against which companies are certified and processes are built. It establishes what 'good' looks like regarding digital ID and data protection. It also creates an oversight function to determine whether these new standards are fit for purpose and are being followed. And, importantly for companies like Konfir, it helps the industry navigate the changing technical and regulatory landscape, so we can get on with building solutions.

Why do we need it?

Although the concept of your identity becoming digitised sounds undeniably sci-fi, it's overwhelmingly practical. Don't have a driver's licence and don't fancy bringing your passport on a night out? Well, now you can demonstrate that you're over 18 through your phone. Opening a bank account, but don't have the recognised physical documents or are unable to travel? Soon you'll be sharing the relevant proof securely, at the touch of a button. While these examples may sound trivial, the big picture is clear; digitising different elements of who you are and what you do saves time, reduces fraud, and empowers the UK to become a more competitive, modern economy.

Who's involved? 

Perhaps the single most perplexing part of the framework are the different parties involved, their names, and what they do. Fear not, we've got you covered:

Identity Service Providers: As the name suggests, IDSPs are in the game of proving someone's identity. They can do this in a narrow context (e.g a company that validates fingerprints), or more broadly (e.g by providing a 'wallet' that combines multiple elements including your personal details, biometrics, and certifications)

Attribute Service Providers: ASPs collect, check, and share information that relates to an individual (e.g their credit score, driver's licence number, or employment status). Typically these attributes will be shared with an IDSP or a relying party.

Relying party: this is any party that 'consumes' information from others in the framework. For example, a bank that receives a credit score to decide on a loan, or an airline that requests your passport number to book a flight.

Orchestration Service Providers: OSPs are the infrastructure through which the data is transported.  They aim to enable the secure sharing of information among different participants of the framework.

Scheme Owners: these folks set the rules for, and oversee a particular area. That area may be a sector, industry, or region, and contain a mix of IDSPs, ASPs, and OSPs. For example, this could be an aerospace company that wants to establish standards that airlines, passengers, and airports follow.

Looking specifically at the employment verification use case, it will be IDSPs confirming who you are, but ASPs dictating what you can do. Yes, I am John doe, but I can also demonstrate my relationship to a previous employer, verify my eligibility for a new role, and sign a contract of employment. ASPs enable these functions by capturing data through a verified process. Through this process, an ASP might capture, store, and share data points like employer name, employment dates and job title. In doing so, it validates what someone has claimed on their CV and marks a paradigm shift away from the 'contact previous employer' model, which is slow and prone to errors.

It's important to note that the Trust Framework is continually growing and evolving. For now, we hope we've helped demystify things slightly. We'll be watching the space closely, and look forward to sharing more insights soon.