The Hidden Risks of the Digital Identity and Attributes Trust Framework (DIATF) and Interoperability
How Already Existing Centralised Datasets Could Create a Mandatory National Digital ID — Even Without One Login
Conscientious Currency
As everyone knows by now, the UK government has rolled out new digital identity verification requirements for directors through Companies House.
What people may not be aware of is that these requirements intersect with the UK’s Digital Identity and Attributes Trust Framework (DIATF) — the government’s set of rules for how verified identity attributes and credentials can be reused across services by certified organisations. These rules are published and updated periodically by government departments, not Parliament, and the latest version can be found here: UK Digital Identity and Attributes Trust Framework collection.
The purpose of this article is to explore DIATF, how it operates within the wider digital identity agenda, and how it could in practice lead to a de facto mandatory national digital identity system. Many people, myself included, find this whole area bewildering — and the UK government has not made it any clearer. I suspect this lack of clarity is not accidental. Much of the terminology used in official guidance and policy documents is unfamiliar and therefore confusing for most people.
This article is intended to cut through that complexity: to explain what DIATF is, how it operates, and why the framework carries significant risks. My hope is that by unpacking the jargon and showing how the pieces fit together, readers will better understand the dangers of this framework, and the way it could embed a national digital identity infrastructure by stealth because of how the Data Use and Access Act 2025 interacts with it.
Detailed Explanation of DIATF
What DIATF is: The UK Digital Identity and Attributes Trust Framework is a collection of rules and standards that define what “good” digital identity and attribute services look like. Organisations can seek independent certification against this framework to demonstrate compliance.
Who publishes and updates it: The framework is published and updated by the Office for Digital Identities and Attributes (ODIA) and the Department for Science, Innovation and Technology (DSIT). These are government departments, not Parliament.
Update process: The framework is periodically revised and released in versions (e.g., “beta,” “gamma”), with updates recorded on the official GOV.UK site. For example, the gamma version (0.4) was published in November 2024 and updated in June 2025.
Certification role: Independent conformity assessment bodies (CABs) can certify services against DIATF requirements. This allows verified identity attributes and credentials to be created and reused across many different services by certified organisations.
Defines foundational attributes: The minimum set of identity details needed to establish a trusted digital identity. These are name, date of birth, address, nationality/citizenship, and document reference numbers (like passport or driving licence numbers). DIATF also recognises other attributes beyond these basics, such as right to work, qualifications, or professional licences, which can equally be verified and reused.
Parliament’s role: Parliament is not directly involved in publishing or updating DIATF. Instead, Parliament’s role would only come into play if legislation were required to support or enforce aspects of digital identity policy. The framework itself is a government-led standards document, not an Act of Parliament.
The Data Use and Access Act 2025 (DUAA 2025)
Primary legislation already passed: The DUAA 2025 received Royal Assent in June 2025. It established a legal foundation for digital identity verification services, smart data schemes, and broader data-sharing initiatives.
Secondary legislation powers: Most of the Act’s provisions are designed to be implemented through secondary legislation (statutory instruments and/or regulations). This means ministers can expand or adjust the scope of data use without needing a new Act of Parliament each time.
Digital identity framework: The Act explicitly supports the Digital Identity and Attributes Trust Framework by giving it statutory backing. Certified providers of digital identity credentials can be listed in a public register, and services can carry a government “trust mark”.
Smart data schemes: The Act also established frameworks for “smart data” — enabling regulated data portability and reuse across sectors. This could, in principle, extend to government-held datasets if designated as part of such schemes.
Implications for expansion of use over already existing government datasets
Potential for wider reuse of current government datasets: Because the DUAA 2025 allows ministers to define new schemes and expand existing ones via secondary legislation, there is now a pathway for currently siloed government datasets to be reclassified as “foundational” and reused in digital identity systems.
Reduced parliamentary scrutiny: Secondary legislation typically receives less debate and oversight than primary legislation. This means significant changes could be introduced with limited parliamentary or public approval, as noted above.
Legal safeguards: Even with the DUAA 2025, any expansion must comply with UK GDPR and the Data Protection Act 2018 — including principles of lawfulness, fairness, and purpose limitation. However, these safeguards can be tested by broad policy interpretations. This is because although the DUAA 2025 does not formally repeal GDPR, it creates parallel legal pathways that weaken its practical effect.
By giving ministers powers to expand data-sharing schemes without further primary legislation, DUAA risks undermining GDPR’s core protections of consent, purpose limitation, and proportionality.
This is why privacy advocates such as myself warn that DUAA could enable incremental erosion of GDPR safeguards through policy-driven expansion, rather than open parliamentary debate.
The risk of “function creep”
The combination of DIATF and the DUAA 2025 creates the possibility of incremental expansion of digital identity data use without new Acts of Parliament. While updates are published (e.g., DIATF versions on GOV.UK), this is not the same as parliamentary debate or public consultation and agreement.
This opens the door to quiet policy shifts that could significantly repurpose personal data that is already held by government.
The Information Commissioner’s Office (ICO) retains oversight, and judicial review remains a backstop. But these are reactive rather than proactive safeguards. The DUAA 2025 therefore provides the legal machinery for expansion of DIATF and related schemes through secondary legislation, without further primary Acts.
This means there is a genuine risk of large‑scale changes to how current government datasets might be used in the future, with limited parliamentary or public approval, unless strong oversight mechanisms are enforced. Such changes would make current datasets interoperable.
Interoperability explained
Interoperability means different systems can “talk to each other” and reuse the same verified identity data (digital credentials). Under DIATF, certified providers issue these digital credentials once attributes are verified against authoritative records (for example, passport details checked against HM Passport Office).
Other DIATF‑certified organisations — such as banks or employers — can then reuse the credential without re‑checking the original record.
The danger here is broader data reuse: data collected for one purpose (tax, pensions) could be repurposed for another (banking, housing). DIATF and DUAA 2025 make this technically seamless, but politically it means that current government‑held data can be made interoperable and reused without fresh democratic oversight.
Current existing datasets at risk of reuse
Examples of current authoritative government datasets that could be classified as foundational by the mechanisms described above, and then reused in digital identity systems, include (but are not limited to):
- Companies House (director identity details)
- HM Passport Office (passport numbers, nationality, expiry dates)
- DVLA (driving licence numbers, expiry dates)
- HMRC (taxpayer identity details, NI numbers)
- DWP (benefits and pensions records)
- Electoral register (name, address, citizenship status)
All of these datasets are centrally held in government systems but currently siloed in separate databases. Under DIATF and the DUAA 2025, they could theoretically be designated as foundational through policy updates rather than new Acts of Parliament. This designation process would bypass direct parliamentary mandate and citizen consent, raising serious concerns about democratic oversight.
Because DIATF requires common formats and cryptographic verification, a credential issued from one foundational dataset (such as HM Passport Office) can be recognised by another organisation (like a bank or HMRC).
In practice, this means credentials can be consumed by multiple certified organisations — even if the individual NEVER sets up a One Login account.
Is this “like a sale of data”?
Although DIATF does not literally involve selling datasets, it creates functional equivalence:
- Government‑held data is opened to wider consumption by certified organisations, including private companies.
- Data collected for one purpose (tax, pensions, passports) can be repurposed for another (banking, housing, employment).
- Citizens have little control once datasets are designated as foundational.
The difference is that no financial transaction occurs — instead, certified providers issue credentials that commodify identity data by making it digital, portable and reusable. In practice, the effect is similar to a sale: data becomes a shared resource across contexts, without fresh democratic oversight.
To see how this plays out in practice, we need to look at how datasets move through the DIATF ecosystem.
How verified datasets move through the ecosystem and become interoperable
Once datasets are classified as foundational, the DIATF sets out how they can be reused across services to achieve interoperability. This happens through a chain of certified organisations:
Authoritative source: A government department such as HM Passport Office or DVLA holds an original dataset containing citizen details, which is then classified as foundational.
Certified providers: A certified provider checks an individual’s details against that foundational dataset, producing verified attributes. The provider then issues a digital credential — a cryptographically signed token containing verified identity data derived from those attributes. Verified attributes are the pre‑digital form, while the digital credential is the portable, digital representation under DIATF.
Certified organisations: Other organisations, public or private, that are certified under DIATF can consume the digital credential. For example, a bank can accept a credential issued by a provider as proof of identity.
This process is what makes interoperability possible. Certified providers are therefore central to the DIATF ecosystem: they transform raw government data into reusable credentials, enabling interoperability across certified organisations.
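The issuance and reuse chain described above, sketched as an added example (not code from the article, DIATF or any certified provider): a provider signs attributes once with Ed25519, and two relying parties verify the credential offline against a register of provider public keys, so the authoritative source is queried once and sees neither reuse. The token layout, field names, register and sample record are assumptions constructed for illustration.

```javascript
// Added illustration. Token layout, field names and the register are assumptions,
// not DIATF's actual credential format.
const nodeCrypto = require('crypto');

// Constructed sample record standing in for an authoritative source.
const SOURCE_RECORDS = {
  'subject-001': { name: 'Sample Person', dateOfBirth: '1980-01-01',
                   nationality: 'GBR', passportNumber: 'X0000000' },
};

function createProvider(id) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  return { id, publicKey, privateKey };
}

// Provider side: one lookup against the source, then sign the verified attributes.
function issueCredential(provider, subjectId, claimedPassport, stats, now) {
  stats.sourceLookups += 1;
  const record = SOURCE_RECORDS[subjectId];
  if (!record || record.passportNumber !== claimedPassport) {
    throw new Error('claimed details do not match the authoritative record');
  }
  const payload = Buffer.from(JSON.stringify({
    iss: provider.id, sub: subjectId, exp: now + 3600,
    attributes: { name: record.name, dateOfBirth: record.dateOfBirth,
                  nationality: record.nationality },
  })).toString('base64url');
  const sig = nodeCrypto.sign(null, Buffer.from(payload), provider.privateKey);
  return `${payload}.${sig.toString('base64url')}`;
}

// Relying-party side: needs only the register of provider public keys.
function verifyCredential(token, register, now) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  let body;
  try {
    body = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!body || typeof body.iss !== 'string') return { ok: false, reason: 'malformed' };
  // Until the signature checks out, body.iss is used only to select the key.
  const key = register.get(body.iss);
  if (!key) return { ok: false, reason: 'issuer not in register' };
  let valid = false;
  try {
    valid = nodeCrypto.verify(null, Buffer.from(parts[0]), key,
                              Buffer.from(parts[1], 'base64url'));
  } catch (e) {
    valid = false;
  }
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (typeof body.exp !== 'number' || body.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, attributes: body.attributes };
}

function demo() {
  const now = 1700000000; // fixed clock so results are repeatable
  const stats = { sourceLookups: 0 };
  const provider = createProvider('provider.example');
  const unlisted = createProvider('unlisted.example'); // not in the register
  const register = new Map([[provider.id, provider.publicKey]]);
  const token = issueCredential(provider, 'subject-001', 'X0000000', stats, now);

  // Alter one attribute but keep the original signature.
  const [payload, sig] = token.split('.');
  const edited = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  edited.attributes.nationality = 'FRA';
  const forged = `${Buffer.from(JSON.stringify(edited)).toString('base64url')}.${sig}`;
  const other = issueCredential(unlisted, 'subject-001', 'X0000000', { sourceLookups: 0 }, now);

  return {
    bank: verifyCredential(token, register, now),
    landlord: verifyCredential(token, register, now + 60),
    tampered: verifyCredential(forged, register, now),
    unlisted: verifyCredential(other, register, now),
    expired: verifyCredential(token, register, now + 7200),
    sourceLookups: stats.sourceLookups,
  };
}

console.log(demo());
```

In this sketch the only controls a relying party applies are the register entry, the signature and the expiry; nothing in the token ties it to a purpose or records where it was presented.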
DIATF Creates Risks Beyond One Login and Gov Wallet
The government promotes One Login and Gov Wallet as the main way to reuse identity data. But DIATF certification is broader:
- Reuse without One Login: Certified providers and certified organisations can handle foundational attributes directly.
- De facto national digital ID risk: Even if no one ever opens a One Login account, centrally held government datasets could underpin a mandatory national digital identity system once designated as foundational and made interoperable.
- Function creep: Data collected for one purpose (e.g., company registration) could gradually be reused for many others (e.g., tax, welfare, banking).
- Privacy concerns: Sensitive details (passport numbers, NI numbers, addresses) are stored centrally and reused widely.
- Security risks: Centralised datasets are high‑value targets for cyberattacks.
- Consent ambiguity: Users may not realise that data they have already given to government can become reusable once classified as foundational.
- Cross‑sector use: Private players like banks and landlords can consume verified attributes.
- Irreversibility: Once attributes are federated across services, it is very difficult to roll back.
These risks don’t exist in isolation. To understand why DIATF and foundational datasets are being pushed so hard, we need to look at the wider forces driving this agenda — from government ambitions and private sector reliance, to globalisation, Agenda 2030, and the rise of digital finance.
Once those drivers are clear, it becomes obvious where resistance must be directed.
What’s Driving DIATF and Foundational Datasets
It’s not enough to say DIATF is about One Login or Gov Wallet. The real drivers are bigger, global, and financial. Here’s the full picture:
1. Government ambition
The UK government says it wants “efficiency”: one identity check reused across multiple services. It also wants “fraud reduction”: fewer fake accounts, stronger verification. It wants “digital service delivery”: faster, cheaper, and more “joined‑up” government. By designating datasets as foundational, government creates the structural conditions for reuse without needing new Acts of Parliament.
2. Private sector demand
Banks, landlords, employers, and utilities already face legal duties (AML/KYC, right to work, right to rent). DIATF gives them a government‑endorsed standard to meet those obligations.
Certified providers (like Yoti, GBG, Post Office EasyID) see commercial opportunity in issuing reusable credentials.
Once major players adopt DIATF, citizens may find they cannot function without credentials — creating a “backdoor” mandatory ID system.
3. Globalisation and international pressure
Agenda 2030 (UN Sustainable Development Goals): SDG 16.9 calls for “legal identity for all by 2030.” Digital identity frameworks like DIATF are governments’ way of meeting goal 16.9.
International institutions: The IMF, World Bank, OECD, FATF, and BIS all promote interoperable identity as “essential” for financial inclusion, anti‑money laundering, and cross‑border trade. Interoperable digital ID also underpins the digital currency systems being developed globally.
Global alignment: The EU is rolling out its European Digital Identity Wallet under eIDAS 2.0. Other countries (Canada, Australia, Singapore) are building similar systems. DIATF is therefore not just a domestic project — it is part of a global identity infrastructure being built above national governments.
4. Digital finance: CBDCs, stablecoins, and tokenisation
CBDCs (Central Bank Digital Currencies): Issued directly by central banks, requiring verified identity for AML/KYC, fraud prevention, and programmable features. DIATF provides the identity layer that makes CBDCs workable.
Stablecoins: Private digital currencies pegged to fiat (e.g., £1 stablecoin backed by sterling). Regulators insist on identity checks to prevent money laundering and ensure stability. DIATF credentials are likely to become the standard way to prove identity when using stablecoins in everyday transactions.
Tokenisation of assets: Real‑world assets (property, shares, bonds, even art) are increasingly being “tokenised” — represented as digital tokens on blockchain or distributed ledgers. To buy, sell, or trade tokenised assets, identity verification is required. DIATF credentials are likely to become the gateway to participating in these markets, embedding identity into ownership and transfer of assets.
Together, these developments mean identity is being fused with money and property. Even if One Login or Gov Wallet remain optional, citizens may find they cannot access financial services, own tokenised assets, or use stablecoins without DIATF credentials.
5. Compliance and security narratives
Governments and regulators frame digital identity as essential for:
- Preventing money laundering and terrorism financing
- Meeting financial compliance standards
- Protecting citizens from fraud
These narratives are shaped by international bodies (FATF, IMF, World Bank), not just domestic policy.
6. Commercial ecosystem
Certified providers and tech companies lobby for frameworks like DIATF because it creates a market for reusable credentials and profit opportunities. Once certified, they can sell services across multiple industries, commodifying identity data. This commercial incentive accelerates adoption, even without direct government compulsion.
Conclusion
Given all the above, the real issue we are facing is not just One Login and Gov Wallet — it is DIATF itself. By allowing current datasets to be classified as foundational attributes without further parliamentary approval, and then enabling them to become interoperable through common standards and credential issuance, DIATF creates the conditions for identity data already held by government to be reused across both public and private services. Access to these services could then become impossible without such credentials.
This means there now appear to be three distinct pathways to a de facto mandatory national digital ID:
- Directly through government systems — One Login and Gov Wallet are designed to federate identity data, making it portable across departments.
- Indirectly through private‑sector reliance — banks, landlords, employers, and utility companies can become DIATF‑certified and demand foundational credentials from citizens in order to access everyday services. Over time, this creates a “backdoor” identity system where citizens cannot function without presenting DIATF‑verified data – essentially mandatory digital ID.
- Through foundational data and interoperability itself — even without One Login or Gov Wallet, the simple fact that datasets are centralised and can be designated as foundational under DIATF means they can be converted into cryptographic identity tokens, which can then be shared and reused across certified organisations. None of this would require further primary legislation, as designation happens via framework updates within government and/or secondary legislation, not through direct democratic mandate. In functional terms, this resembles a sale of data because:
  - Government‑held information is opened up to wider consumption, including by private companies.
  - Data collected for one purpose (tax, pensions, passports) can be repurposed for another (banking, housing, employment).
  - Citizens have little control over this reuse once foundational status is applied.
  - While not literally a commercial sale, DIATF commodifies identity data by making it portable and reusable across contexts, without fresh democratic oversight.
Together, these pathways mean that even if One Login/Gov Wallet remain optional, DIATF interoperability and foundational data classification could still theoretically embed a mandatory national digital identity system into everyday life through the second or third pathway above. So, the danger lies not just in whether people choose to sign up for One Login and Gov Wallet, but in the way DIATF makes identity data reusable across multiple contexts — government and private alike — effectively treating it as a tradable resource.
Accountability and Action: Who to Protest, What to Do
Government
Why: Sets the DIATF framework, designates datasets as foundational without parliamentary oversight, pilots One Login, Gov Wallet, and CBDCs.
Where to protest: MPs and Parliament (demand oversight), Cabinet Office and HM Treasury (challenge transparency).
Actions:
- Write to MPs demanding parliamentary control over foundational dataset designation. (This requires belief that your MP understands the topic, has influence, and will listen — a big ask, admittedly.)
- Support civil society groups campaigning for privacy and digital rights.
- Push for independent oversight bodies to monitor DIATF implementation, with public consultation and agreement before datasets can be classed as foundational.
Private Sector
Why: Banks, landlords, employers, and utilities are adopting DIATF credentials, making them mandatory in practice.
Where to protest: Large banks, housing associations, employers, and utility company offices.
Actions:
- Refuse services that demand DIATF credentials where alternatives exist.
- Pressure companies through consumer campaigns, petitions, and shareholder activism.
- Support organisations promoting non‑digital pathways to access services.
Global Institutions
Why: UN Agenda 2030, IMF, World Bank, BIS, FATF push identity‑linked digital finance as part of globalisation.
Actions:
- Raise awareness of Agenda 2030’s identity goal and its implications.
- Participate in international campaigns against mandatory digital ID and digital finance fusion, demanding true non‑digital pathways.
Digital Finance (CBDCs, Stablecoins, Tokenisation)
Why: Identity is being fused with money and property. DIATF credentials could become structurally mandatory.
Where to protest: Bank of England, HM Treasury, regulators overseeing stablecoins and tokenisation.
Actions:
- Engage in public consultations on CBDCs and digital asset regulation.
- Demand guarantees for cash retention and anonymous payment options.
- Support campaigns resisting the fusion of identity and currency.
Jargon Buster
Agenda 2030: The United Nations’ global plan for sustainable development. SDG 16.9 calls for “legal identity for all by 2030,” driving governments to build digital identity systems.
Authoritative source: The original government dataset that holds official records (e.g., HM Passport Office, DVLA).
CBDC (Central Bank Digital Currency): A digital form of national currency issued by central banks. CBDCs require verified digital identity to function at scale.
Centralisation: Storing identity data in one place (e.g., HM Passport Office, Companies House).
Certified organisation: Any public or private organisation approved under DIATF to issue, verify, or consume identity attributes or credentials.
Certified provider: A DIATF‑certified organisation whose role is to verify identity attributes against authoritative sources and issue signed credentials. (DIATF formally calls these “identity service providers” or “attribute service providers”; “certified provider” is my shorthand term.)
Cryptographic signature: A digital signature created with a private key that lets other parties verify authenticity with the public key.
Cryptographic verification: Checking a credential’s signature to confirm it was issued by a trusted provider and hasn’t been altered.
De facto national digital ID: A national identity system that emerges in practice, even without a single mandatory ID card or account.
DIATF (Digital Identity and Attributes Trust Framework): The UK government’s trust framework — a set of rules and standards for digital identity and attributes services.
Digital credential: A secure, computer‑generated token containing verified identity attributes, signed so it can be trusted by certified organisations.
Foundational datasets: Government data already held containing core identity details (name, date of birth, address, nationality, document numbers) defined by DIATF as reusable across services. DIATF also recognises other attributes (e.g., right to work, qualifications).
Function creep: When data collected for one purpose gradually gets used for other purposes.
Gov Wallet: A government‑provided digital wallet that stores verified identity credentials on a user’s device.
Interoperability: The ability of different systems to share and reuse the same verified data using common formats and verification methods.
One Login: The UK’s centralised digital identity platform, designed as a single sign‑on service to access government services.
Stablecoin: A privately issued digital currency pegged to a traditional currency (e.g., £1 stablecoin backed by sterling).
Tokenisation of assets: Converting real‑world assets (property, shares, bonds, art) into digital tokens that can be traded on blockchain systems. Digital identity will be required to participate in such trade.
Trusted credential: Another term for a digital credential — “trusted” because its cryptographic signature proves authenticity.
Originally posted on Conscientious Currency, follow them on SubStack

Thank you very much for this very informative article. “Interoperability” between ostensibly different systems, i.e., the ultimate standardization of data and its use for purposes that lie outside democratic legitimacy, is an extremely important keyword also for the planned digital money, i.e., in the US, for example, “stablecoins,” etc. In short, for the planned “Digital Economy” of the “Fourth Industrial Revolution”.
If I may make a recommendation: The article “Second-order cybernetics” from the Substack blog “ESC” could be extremely interesting for you in this regard, and I imagine you will enjoy it as much as I do. I have yet to read a better article that goes into such detail about the historical, intellectual and ideological as well as technical and political foundations of modern technocracy. Here’s the link:
https://escapekey.substack.com/p/second-order-cybernetics?post_id=177565788&r=aej6t
Best regards,
Axel
And the irony of all this?
The real thieves, criminals and killers remain anonymous. Hiding behind the laws they make.