The High Stakes of Digital Identity: UK Citizen Data at a Crossroads

A Spending Review with Digital Ambitions

On 11 June 2025, the UK Chancellor announced the outcome of the government’s spending review. Much of the focus was on investment in infrastructure and health. Yet a key theme was digital transformation and the management of citizen data.

The review outlined projects such as the GOV.UK Wallet and the GOV.UK App, both currently in beta testing. The Wallet is designed to store verifiable digital credentials, while the App aims to bring together multiple government services into one personalised platform.

The government also committed to creating a National Data Library and introducing a new NHS patient record system. Officials stated that patients should be able to view their full record on the NHS App from 2028. This represents a consolidation of existing data, rather than a guarantee that every patient interaction will be fully integrated by that date.

By framing data as a foundation of modern governance, the review makes clear that digital identity is no longer a side project—it is becoming central to how citizens interact with the state.

The Promise and the Peril of Centralisation

Centralisation promises convenience. A single login can reduce repetitive form-filling. A more unified NHS record could save doctors time and improve coordination. The European Commission has suggested that measures like reducing duplicate administrative work could save billions of euros annually across member states.

Yet centralised systems carry heightened risk. The 2017 WannaCry ransomware attack on the NHS demonstrated this vulnerability, forcing around 80 of 236 NHS trusts in England to delay appointments and divert patients. Official reviews confirmed the disruption but did not publish an overall financial cost. Some estimates put the cost at around £92 million, though this figure has not been formally verified by the Department of Health.

Public and private organisations alike have faced breaches. Capita, a key public sector contractor, reported a cyber incident in 2023 that exposed sensitive data. Marks & Spencer disclosed a customer data breach in early 2025. [Unverified] There is no confirmed evidence of a major Qantas data incident in 2024, so claims of such events remain unsubstantiated.

These examples underline the reality: centralised records make tempting targets. A breach does not just expose information—it undermines public confidence in digital governance itself.

Security by Default, Not by Patch

Security, therefore, can never be treated as a bolt-on in digital identity projects. Security by default means building encryption, access controls, and continuous monitoring into every system.

International standards such as ISO/IEC 27001 provide frameworks for managing information security. The National Cyber Security Centre recommends their use for public and private sectors alike.

But adopting standards must go further than compliance. It entails a cultural shift within government departments, in which senior leaders treat cyber risk with the same seriousness they assign to financial oversight. Developing a culture of risk awareness takes time, but it greatly reduces the chances of an incident having serious consequences.

Security by default also means constant adaptation. Threat actors change, and the attack methods that were on the rise in 2020 are unlike those appearing today. Continuous monitoring, penetration testing, and real-time response capabilities are now standard expectations in critical infrastructure, and citizen data systems fall into that category.

Public Trust Hinges on Transparency

People are more likely to accept digital identity when they perceive that their information is kept safe and secure. Surveys conducted by the Information Commissioner’s Office and other public bodies indicate low levels of trust among the general population in how organisations secure personal data, but the exact figures vary from one report to another. [Unverified] The precise figure of “36% confidence” cited in some commentary cannot be verified.

Trust comes from transparency. People want clear answers about how data is kept, who can access it, and what remedies are available should a breach occur. Regular audits coupled with public reporting are key tools to instil confidence.

One of the reasons Estonia’s system is praised is that citizens can check in real time who has accessed their information. By comparison, UK citizens rarely have that visibility. Giving people more control over their data could be a strong step towards building confidence.

Lessons from Abroad

The UK is not alone in pursuing digital identity systems.

  • The EU’s eIDAS 2.0 framework promotes cross-border recognition of digital identities. Its “once-only” principle aims to prevent citizens from repeatedly providing the same information, with projected savings of around €11 billion annually for citizens and businesses.
  • Estonia is widely recognised as a model for digital governance. Its X-Road system allows secure data exchange and gives citizens the ability to see who has accessed their information. Over 99% of public services are available online, which makes transparency and security inseparable.
  • Self-sovereign identity (SSI) frameworks, explored by firms such as Deloitte, propose a decentralised approach where individuals hold and selectively share their credentials. This reduces reliance on central repositories and could mitigate systemic risks. While promising, these models are still under development.

International examples suggest there is no single solution. Centralised systems, decentralised frameworks, and hybrid approaches all have trade-offs. The key is making security and trust non-negotiable features.

Expanding the Security Challenge

The scale of the UK’s digital identity ambition demands investment not just in infrastructure, but also in people. Industry bodies have warned about shortages in the cybersecurity workforce. [Unverified] Figures such as an annual shortage of 11,000 specialists have circulated, but these numbers cannot be independently confirmed. What is clear is that the gap between demand and supply remains significant.

The UK public sector competes for talent with vendors in the private sector and with employers abroad. Retention is difficult because public sector salaries lag behind. Closing the gap calls for training pipelines and university partnerships, followed by incentives for retaining skilled experts.

Then there is the matter of supply chain security. Government services lean heavily on third-party suppliers. Incidents such as the Capita breach show how a compromise at a partner can put public data at risk. Vendor oversight and risk-sharing frameworks therefore urgently need strengthening.

What Needs to Happen Next

For digital identity projects to succeed in the UK, several priorities need to be addressed:

  • Adopt standards: Fully commit to ISO 27001 and related international security frameworks.
  • Invest in skills: Build the public sector cybersecurity workforce through long-term training and retention, while ensuring cybersecurity work is respected.
  • Create a culture of security: Instil risk awareness at all levels of government, not just IT.
  • Communicate openly: Publish audit results and breach response plans in language accessible to the general public.
  • Experiment with hybrid models: Allow decentralised identity elements and citizen control to coexist with centralisation.
  • Strengthen supply chains: Hold vendors to the same rigorous standards expected of government departments.

Why This Matters for You

For citizens, these initiatives will shape how you access health services, pay taxes, or apply for documents. If designed securely, they could save you time and provide clearer control over your interactions with the state. If not, the risks of misuse or breach could be significant.

For businesses, higher security expectations will extend through supply chains. Contractors working with the government will need to demonstrate compliance with rigorous standards. This may mean adopting new certifications, undergoing independent audits, or committing to continuous monitoring of systems.

For policymakers, the stakes are equally high. Digital identity projects are about more than technology. They define the trust relationship between the state and citizens in the digital era.

The Bigger Picture

The UK’s 2025 Spending Review signals a clear commitment to digital identity and citizen data projects. Done responsibly, these could modernise public services and set an example for others. But their success will be judged less by how quickly they roll out and more by whether the public trusts them.

Security and transparency are the foundation of that trust. Without them, digital systems may falter. With them, the UK has the chance to lead globally in digital governance.
