Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government why they have not published a mandatory Data Protection Impact Assessment for One Login; whether they obtained explicit user consent for biometric processing prior to live rollout; and whether they conducted statutory prior consultation with the Information Commissioner’s Office.

It is not a mandatory requirement to publish a Data Protection Impact Assessment (DPIA). We do have an obligation to let citizens know how we are processing their data, which we do via a privacy notice published on GOV.UK. We continually develop our DPIA to take into account the new identity verification journeys, such as the no photo ID route. Nevertheless, we are working on a publishable version of our DPIA which will be easy to digest for the public. The One Login programme meets with the Information Commissioners’ Office (ICO) on a monthly basis, engaging openly on programme developments, including iterations of the DPIA, and has been doing so since 2022. The lawful basis for data sharing in place has been agreed by the ICO.