Yoti blog

Stories and insights from the world of digital identity

New adventures in digital identity

A few months ago, as I planned my move to a new Head of Social Impact role at Yoti, I started to do a little digging into who was saying what, and doing what, in the world of digital identity. At the risk of stating the obvious, it’s a bit of a hot topic right now (along with drones, big data, AI and 3D printing). I wasn’t surprised to find well over two dozen fairly recent papers and reports on the challenges and potential of digital identity in global development. Between accepting my new role and my start date, someone had even published a new book on the subject.

Although my latest role in digital identity is new, my relationship with Yoti isn’t. Three years ago I became a founding Yoti Guardian, one of three ‘influential individuals who ensure that Yoti always seeks to do the right thing, and that we are transparent about what we are doing and why.’ I was excited by what Yoti were doing even back then, and that was before they’d launched. The smartphone app in the product roadmap was one thing, but another they had in the works, Yoti Key (an NFC-enabled tag which can digitally hold someone’s identity) had considerable resonance given my many years’ experience working on simple, low-tech, last mile solutions in global development. Because of the potential, Yoti Key was the first thing I honed in on when I came on board.

Yoti may be a private company, but it’s a private company incredibly focused on its social impact. It was one of the first UK companies to be certified as a B Corp – the ‘Fair Trade’ for business – in late 2015, and my new role as Head of Social Impact is further testament to our commitment to doing well, by doing good. Yoti had already been working with a number of UK based charities on their identity needs when I joined, but global development is something of a whole new ball game for us.

Beginning in late April, we started ramping up our outreach to humanitarian organisations, demonstrated our offline Yoti Key concept at ICTD2018 in Lusaka, began designing a new, dedicated Social Impact section of the Yoti website and commissioned research in a number of African and South East Asian countries in order to better understand identity needs among local, grassroots organisations. Our initial scoping of the global digital identity space has highlighted a gap in understanding the needs of organisations working in offline environments, or areas of poor connectivity. Here at Yoti we’re committed to digital identity for everyone, and that doesn’t just mean everyone with a smartphone and an internet connection. We’ll be sharing our research findings in the coming weeks, along with details of how we plan to serve the local, grassroots community with digital identity solutions that work for them, where they are. We’ll also begin sharing Yoti case studies to help the nonprofit sector better understand the implications of digital identity in their work. If you’d like to get in touch, then send us a message. We’d love to hear from you.

Getting to grips with GDPR: The right to be informed


You may have been hearing a lot lately about GDPR – the new data protection law that comes into force on 25 May. There is a lot of information and misinformation out there and it can be confusing to understand what’s going on and whether you should be bothered about it. One area of confusion is the rights you have, some of which have been strengthened or amended and some are new. Over the next few weeks we aim to demystify the rights with a series of blog posts – one on each right – to explain what each right is, when it applies, what it means for you, and what Yoti is doing about it. We’re starting with the right to be informed – also known as transparency.

Part 1: The right to be informed

GDPR puts a strong emphasis on transparency and as a result, unlike current law, these obligations are now listed as an individual right. As well as setting out what information organisations have to provide to individuals, GDPR sets out requirements for how to communicate that information. Specifically, organisations must provide information:

- in a way that is clear, transparent, easy to understand and easily accessible;
- using clear and plain language;
- in writing, or by other means, including, where appropriate, electronically.

GDPR is also clear that the need to communicate in ‘clear and plain language’ is particularly important for any information aimed specifically at children. Some organisations are therefore looking at whether they need to rewrite their privacy information so it can be understood by children, or even to provide a separate version.

So what do organisations now need to tell you?

GDPR distinguishes between where you get personal information directly from a person and where you get it from elsewhere in terms of what you need to tell people. However, in reality, it’s broadly all the same information apart from one or two things. However organisations decide to tell you, they should make you aware of the following.

- Who they are and how to contact them, including how to contact their data protection officer, if they have one.
- What personal information they collect from or about you, and what they do with it.
- Who or what types of organisations they share your personal information with, if any.
- How long they keep your personal information for, or the criteria they use to decide on that.
- If they intend to transfer your personal information to a country outside the EU, and how they make that transfer compliant.
- Whether they carry out any automated decision-making using your personal information, meaningful information about the logic involved, and the significance and consequences to you of this automated decision.
- The rights you have, including the right to complain to the data protection regulator.
- What lawful basis they are using. Where this is your consent, that you have the right to withdraw it at any time. Where it is in their legitimate business interests to use your personal information, what those interests are.
- When they get personal information directly from you: whether it’s mandatory or voluntary to provide it (to get the product / service), and the possible consequences if you don’t.
- When they get personal information about you from somewhere else: where they got it from and whether it came from publicly accessible sources.

When do organisations need to give you this information?

- If they are getting the personal information from you directly: at the same time. Rather than giving you a lot of information to read, organisations should get creative and tell you what you need to know, when you need to know it, and give you the ability to find out more details if you want to. Consumers will have more meaningful interactions with organisations and better relationships if they have the most relevant information at the right time.
- If the organisation gets the personal information from elsewhere: within a reasonable period of time afterwards, but within one month at the latest.
- If they intend to use the personal information they collected to communicate with you: in that first communication at the latest.
- If they intend to disclose the personal information to another person or organisation: at the time of that first disclosure, at the latest.

Do organisations always need to provide this information?

There are some scenarios where organisations don’t have to provide you with the information. Regardless of where they get the personal information from, they don’t need to provide you with any information that you already have.

Where an organisation gets your information from somewhere else, there are some specific circumstances where they don’t need to provide you all the information. These are things like where it is impossible or extremely difficult, such as where they have no contact details for you. In these cases the organisation instead has to take other appropriate steps. This could be by making the information publicly available, such as in a privacy notice.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains the exemptions in current law that mean that an organisation may not have to provide you with some information in certain circumstances.

So what does all this mean?

As organisations work to comply with GDPR you may find they send you or alert you to updated privacy notices setting out how they collect and use your personal information. Many people don’t bother to read privacy notices, and you may think that a lot of the information provided is not interesting or relevant to you. However, organisations should be making the information clearer and it should be easier to find details that do interest you. Understanding how organisations use your personal information helps you decide whether to trust them with it.

What is Yoti doing?

Transparency is one of our core business principles, so we try very hard to make our privacy information as plain English as possible, so everyone can understand it. We are though also looking at testing it with under 18s and discussing whether we can simplify it further or if we need a children’s version.

We try to give you as much information as we can in the app at the point where we ask for your information, with links to find out more. We plan to keep improving this over time and learn from feedback from user testing. We also try to structure our website privacy policy in a way that makes most sense to the user, with clear headings. As we develop more products and services we will need to make sure that you can easily find the right information for the product or service you are using, rather than having to wade through pages of text to find what you’re looking for.

We’re currently looking at how we can improve our privacy notice so you will see some changes over the coming months. You can contact our data protection officer on privacy@yoti.com.

DataKind UK: using data science for good


We invest a lot of time and effort into supporting other socially minded organisations. As part of our efforts, we regularly invite those organisations to use our Park area for meetups, talks and workshops. Last week we hosted DataKind UK and Global Witness who spoke to a large audience of friends and supporters about their work uncovering problems in the UK’s Companies Register. In this guest post, Suzy East from DataKind UK tells us a bit more about the project they presented.

Using data science for good

What do you get if you cross four do-gooding data scientists, a corruption fighting nonprofit and more than 10 million data points? That’s exactly what the attendees at our recent meetup – kindly hosted by our friends at Yoti – came along to find out. Despite unprecedented temperatures and the World Cup beckoning, more than 80 people showed up on Tuesday evening to hear DataKind UK volunteers talk about their seven month endeavour to uncover the hidden patterns in UK corporate ownership data.

Who are DataKind UK?

We’re a charity that uses data science for social good. We manage teams of pro bono data scientists and technical experts to deliver on projects with our nonprofit partners. We’ve been running for five years now and have a thriving community of volunteer data scientists who love to use their data skills for good.

It started with a DataDive

It all started back in 2016, when we first worked with the anti-corruption organisation, Global Witness. We spent a weekend of exploratory analysis with them, which became known as DataDives. A team of 50 volunteers unearthed a wealth of insights on UK company ownership from the Companies House open dataset. Namely, a worrying lack of data integrity. For example, in the nationality field, people had found over 500 ways to say ‘British’, including ten people who identified as ‘Cornish’. This and other findings were fed directly back to Companies House, and they changed the way they collected data as a result!

Problem solved, right? If only it were that easy.

Uncovering patterns

After an initial look at the data, it was clear there was more work to do. So in 2017, Global Witness and DataKind embarked on a DataCorps project. On DataCorps, we work with a charity partner over 6-9 months to build a data science solution. The aim was to take a full snapshot of Companies House ownership data and build a network graph mapping beneficial owners, registered addresses and other key identifiers. This way we could better explore and visualise the data to spot emerging patterns.

A sneak preview

Some of the key findings which we shared at our June meetup include:

- 4,000 owners are listed under the age of 2 – including one who has yet to be born!
- Over 40% of the beneficial owners of Scottish Limited Partnerships (SLPs) are either a national of a former-Soviet country or a company incorporated there – compared to just 0.1% of all Limited Companies.
- 5 beneficial owners control more than 6,000 companies – might some of these individuals simply be stooges put in place by the real owners?

For more info on what we unearthed throughout the project, check out the report from Global Witness, due to be released in July 2018. As well as sharing some results from the project, attendees got to find out what makes for a successful data for good project, and what it’s like to volunteer on one. If you’re interested in finding out more, or volunteering with DataKind UK, please come along to our next meetup or sign up to our mailing list.

Suzy East
Project & Events Coordinator
DataKind UK

Getting to grips with GDPR: The right to have data restricted


The sixth article in our series on GDPR rights is about the right to have data restricted. Catch up on previous articles on your right to be informed, the access right, correction right, deletion right, and the right to object.

Part 6: The right to have data restricted

This right is not strictly new, as current law provides for a court to be able to order an organisation to restrict their processing of certain data, but GDPR makes it a right you can exercise directly with an organisation. This right is essentially like putting your personal data in limbo – the organisation can continue to store it, but they cannot actively do anything with it.

What’s new?

You can ask an organisation to restrict your data in the following circumstances.

- Where you dispute the accuracy of the personal data you can ask the organisation to restrict it until the dispute is resolved.
- Where you have objected to the organisation processing your personal data (see part 5 of our blog post series for more information on the objection right) you can ask the organisation to restrict it until the issue is resolved.
- When the organisation has processed your data unlawfully, you can request restriction instead of deletion.
- If the organisation no longer needs the personal data (and so would ordinarily delete it) but you need the data to establish, exercise or defend a legal claim.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee.
However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month. You can make a restriction request to privacy@yoti.com.

Getting to grips with GDPR: The right to object


The fifth blogpost in our series on GDPR rights is about the objection right. Catch up on previous articles on your right to be informed, your access right, your correction right, and your deletion right.

Part 5: The right to object

There is already a right to object in current UK data protection law (the right to prevent processing), but it is set out a little differently to the GDPR right. In both current law and GDPR there are two aspects to this right:

- The right to object to direct marketing.
- The right to object to other processing of your information.

Objecting to marketing

The right to object to marketing is a straightforward right that always applies. This means you can say ‘no thanks’ at any time to stop getting marketing from an organisation. All e-mail marketing should have an unsubscribe link in it (or other method to say no thanks). Organisations should tell you how and make it easy to stop getting marketing. GDPR adds to your right by including any profiling that has been carried out in relation to sending you marketing.

Objecting to other processing

The right to object to other processing is more complicated and only applies in certain circumstances. Under current UK data protection law, you can prevent processing of your personal information if that processing is causing, or could cause, you substantial and unwarranted damage or distress. However, this right doesn’t apply if you gave your consent to the processing, if it’s necessary to deliver the product / service, if it’s a legal obligation or if it’s in your vital interests (life or death scenarios).

Under GDPR, there are similar restrictions on when the right applies, but there is no threshold of damage or distress. So you can object to processing where the lawful basis is ‘legitimate interests’ or ‘public interest’ or where the processing is for scientific / historical research purposes.
(However, for research, the right doesn’t apply if the research is necessary for a task that is being carried out for reasons of public interest.)

When does the right not apply?

An organisation does not have to stop processing your personal information if:

- they can demonstrate compelling legitimate grounds for the processing, which overrides your objection; or
- the processing is to establish, exercise or defend legal claims.

You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request. Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

What is Yoti doing?

For marketing: Yoti only has your e-mail addresses for marketing purposes if you gave it to us because you wanted to hear from us. If you want to unsubscribe from e-mail marketing, use the unsubscribe link in the e-mail.

For other processing: most of the personal information processing we do in relation to our app, products and services is necessary to deliver the app, products and services. For biometric data processing as part of the app’s security, we ask for your consent, which you can withdraw in settings at any time. Therefore, for app users, the only processing we do on the basis of ‘legitimate interests’ and so that this right applies to, is our metrics to understand how our app is being used. We de-identify and aggregate that data so we have no way to connect it to an actual user.

What other obligations do organisations have?

As part of our other products and services (Dashboard, if you visit our office) we may have contact details from you as part of setting up accounts or signing in. The right to object applies to this information but we have justifiable business reasons for keeping it. You can contact our Data Protection Officer on privacy@yoti.com.

Getting to grips with GDPR: The right to request deletion


The fourth article in our series on GDPR rights is about the deletion right. Catch up on previous articles that cover your right to be informed, the access right, and the correction right.

Part 4: The right to request deletion

There has been a lot of hype and misleading information about this right and it is often called ‘the right to be forgotten’. The reality is that there is no such right, and it has always been the case that your right is to request deletion, not demand it. This is a complicated right in that it only applies in certain circumstances and, even where it applies, organisations won’t have to delete your information in some scenarios.

In current UK law, this right is part of the right to correct data, in that a court can also order an organisation to delete inaccurate personal data. In practice, organisations will usually consider any deletion request they receive without insisting you go to court. Most organisations in most circumstances will have legitimate reasons for having or using your information, so they will not be required to delete it. The most likely reason for needing to delete it is if they should have already done so, and are continuing to hold information they no longer need.

What’s new?

GDPR provides a direct right to have an organisation delete your personal information in certain circumstances.

- The information is no longer necessary for the purposes for which the organisation collected/used it.
- The organisation collected/used the information based on your consent, and you withdraw that consent, and there are no other lawful grounds to keep it.
- You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.
- You object to your information being used for direct marketing purposes.
- The organisation has collected/used the information unlawfully.
- The organisation has a legal obligation to delete the information.
- The organisation has collected the information to offer an online service to a child.

What does this mean?

The reality is that if you ask an organisation to delete your information, they will only have to do so where they have not complied with other GDPR or legal obligations. Essentially this is a ‘safety net’ right making sure that if an organisation still has information it shouldn’t, it must delete it. There are two exceptions in the list above, relating to marketing and children.

The right to say ‘no thanks’ to marketing and have that respected has not changed under GDPR, so organisations will have to stop using your information for marketing if you ask them to. It is important to know that in practice the organisation will not actually delete the information, they will add your details to a suppression list. This is a list of contact details for everyone who has objected, and organisations check against this list when doing marketing, to make sure they don’t contact anyone who has said ‘no thanks’. If they deleted your data completely, they might collect it again somewhere else and not know that you have said you don’t want marketing.

With regard to children, there is still uncertainty as to what the right to deletion means. The section in GDPR on offering online services to children (that this right refers to) is quite narrow, and is essentially a requirement to get parental consent, instead of the child’s consent, if the lawful grounds you are using is consent. (There are multiple lawful grounds an organisation can use, and consent isn’t always the most appropriate.) It’s not clear if the right to deletion applies only to the consent-based information collected to offer a child online services, or whether it applies to any information collected from or about a child when offering online services. In the UK the regulator (ICO) is drafting guidance on the children’s aspects of GDPR, so we hope to get clarity on this point soon.

Automatically deleting your data

For the above scenarios, GDPR describes this right as both the right for you to get your data deleted, and the obligation for an organisation to delete the data without undue delay. However, automatically deleting data might not actually be the best outcome or be in individuals’ interests. As mentioned above for marketing, deleting your data rather than adding you to a suppression list might mean you get more unwanted marketing! Also, if an organisation has been doing something it shouldn’t have with personal data, deleting the data may delete the evidence and prevent a regulator investigation or the ability for individuals to take legal action.

What other obligations do organisations have?

If the organisation has to delete your information, but has already made it public, they are obliged to inform other organisations who have it that you have requested its deletion. These other organisations should then delete their copy of your information or any links to it. What does that really mean though? This aspect of the right has come from court cases against Google relating to whether information they link to in search results should still be available. (See below for more information.)

When does this right not apply?

As mentioned in the first paragraph, even if your request for deletion matches one of the above list of circumstances, the organisation might still not have to delete your information, if one of the following applies.

- The organisation needs the information to exercise their right to freedom of expression and information. (This is likely to be more relevant to news organisations and publishers.)
- The information is necessary to comply with a legal obligation. (This could be where organisations are required by law to keep certain data for a certain amount of time for audit, tax or other purposes.)
- The information is necessary for an activity the organisation is carrying out that is in the public interest or as part of their official duties. (This is likely to be relevant to public sector bodies.)
- The information is necessary for reasons of public interest in the area of public health.
- The organisation needs the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting the data would make those purposes impossible or seriously impair the organisation from achieving its aims. (This is most likely to be used by official archiving or research bodies.)
- The organisation needs the information to establish, exercise or defend legal claims.

The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions in current law that mean that an organisation may not have to comply with your request in certain circumstances. The organisation also has to be able to verify your identity before taking action as a result of your request.

The right to be forgotten by search engines

As already mentioned, some aspects of this right come from court cases against Google, where individuals requested that certain information no longer appear in searches on their name. This is really about being delisted from search results, as the original publication of the information may have to remain. The court cases have looked at the balance between privacy and freedom of expression to set the lines on when each prevails. The decision in each of the cases depends on the facts of the case, and sometimes the court has decided the information is no longer relevant and so must not be linked to, whereas in other cases they found in favour of Google.

Fees and timescales

Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request.
Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.

If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).

What is Yoti doing?

You are able to delete your account at any time from within the app settings. If you delete the app before deleting your account you just lose the connection to your data, and it remains ‘orphaned’ in our system. We delete orphaned data after three years.

If you use our Dashboard to create pages and applications as a way to collect personal information from others, you can also delete your account. Yoti will need to keep certain information for billing records and auditing purposes. You can make a deletion request to privacy@yoti.com.
