A Home Affairs Committee report says the government’s hurried launch of a mandatory digital identity scheme ignored public consultation, flouted data‑protection rules and could erode trust. The article explains the legal basis, potential penalties and what the government must do to comply.
What happened
The UK government announced a mandatory digital identity programme that would be used for everything from accessing NHS services to proving eligibility for employment. Within days, the Home Affairs Committee published a scathing report calling the launch a fiasco. MPs said the announcement came “out of the blue”, that ministers could not answer basic questions about privacy, data security or how the system would work, and that journalists were barred from an advisory‑panel event.

Legal basis for the criticism
GDPR and the UK‑GDPR
Even after Brexit, the UK remains bound by the UK version of the General Data Protection Regulation (UK‑GDPR). The regulation requires lawful, fair and transparent processing of personal data, a data‑protection impact assessment (DPIA) for high‑risk processing, and adequate safeguards for any sharing of data with third parties. The committee’s findings suggest the government skipped several of these steps:
- No public consultation – transparency is a core GDPR principle. Without a clear, accessible explanation of the scheme, the processing cannot be considered “fair”.
- No DPIA – a digital ID that links biometric data, employment status and health records is a high‑risk activity. The GDPR obliges the controller (the government) to conduct a DPIA before any processing begins.
- Insufficient safeguards – MPs raised concerns about surveillance and “function creep”. Under Articles 5(1)(f) and 32 of the UK‑GDPR, the controller must implement appropriate technical and organisational measures to protect data.
The UK Data Protection Act 2018 (DPA)
The DPA gives the Information Commissioner’s Office (ICO) the power to impose fines of up to £17.5 million or 4 % of global annual turnover, whichever is higher, for serious breaches. If the digital ID scheme proceeds without addressing the identified gaps, the ICO could issue an enforcement notice, demand a halt to processing, or levy a substantial penalty.
Employment‑related legislation
The proposed “right‑to‑work” checks would effectively make a digital ID a condition of employment. This intersects with the Equality Act 2010, which prohibits indirect discrimination. People who lack a passport or cannot obtain a digital ID could be disadvantaged, exposing the government to legal challenges.
Impact on users and companies
- Individuals – Without clear safeguards, citizens risk having a single identifier that aggregates health, financial and location data. A breach could expose highly sensitive information, leading to identity theft or unwarranted surveillance.
- Employers – Companies would be forced to verify employees against a government‑controlled database, raising liability if the data is inaccurate or if the verification process breaches GDPR.
- Tech suppliers – Vendors building the infrastructure could become joint controllers under the GDPR. They would share liability for any non‑compliant processing, meaning they must conduct their own DPIAs and ensure contractual clauses meet Article 28 requirements.
What changes are needed to meet the law
- Publish a comprehensive DPIA – The government must assess risks, outline mitigation measures, and make the DPIA publicly available.
- Run a genuine public consultation – Stakeholders, including civil‑rights groups and industry bodies, need a chance to comment. The consultation should be documented and its outcomes reflected in the final design.
- Adopt a privacy‑by‑design architecture – Data minimisation, pseudonymisation and strong encryption should be built in from day one, not added as an afterthought.
- Define clear data‑sharing limits – A transparent matrix of who can access what data, for which purpose, and under what legal basis must be published.
- Provide an opt‑out or alternative mechanism – To avoid indirect discrimination, the scheme should allow people to use existing documents (e.g., passports, driving licences) without penalty.
- Establish independent oversight – An external board, perhaps chaired by the ICO, should audit the system regularly and report to Parliament.
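To make the privacy‑by‑design and data‑sharing‑matrix recommendations concrete, the following is an added illustration written for this page; it is not code from the committee report, the government scheme or any vendor. It assumes a hypothetical record layout, constructed per‑purpose keys, and a constructed sharing matrix; the field names, purposes and legal‑basis strings are illustrative only. It shows the three controls together: purpose‑specific pseudonyms (so two relying parties cannot join their records on the identifier alone, a technical brake on “function creep”), data minimisation (only the fields the matrix permits leave the system), and an audit trail an independent overseer could inspect.

```python
import hmac
import hashlib
from typing import Dict, List

# Constructed per-purpose pseudonymisation keys. In a real deployment these
# would be generated and held in an HSM/KMS, never hard-coded.
PURPOSE_KEYS: Dict[str, bytes] = {
    "nhs_access": b"demo-key-nhs-access-not-for-production",
    "right_to_work": b"demo-key-right-to-work-not-for-production",
}

# Constructed data-sharing matrix: purpose -> allowed fields + legal basis.
# This is the "who can access what, for which purpose, under what legal basis"
# table the article says should be published; the entries are illustrative.
SHARING_MATRIX: Dict[str, dict] = {
    "nhs_access": {
        "fields": frozenset({"nhs_number", "date_of_birth"}),
        "legal_basis": "illustrative: public task / health-care provision",
    },
    "right_to_work": {
        "fields": frozenset({"work_status", "status_expiry"}),
        "legal_basis": "illustrative: legal obligation (right-to-work check)",
    },
}

# Append-only audit trail of every release, for independent oversight.
AUDIT_LOG: List[dict] = []


class PurposeNotPermitted(Exception):
    """Raised when a purpose has no entry in the published sharing matrix."""


def pseudonymise(citizen_id: str, purpose: str) -> str:
    """Keyed hash (HMAC-SHA256) of the raw identifier under a purpose key.

    Because each purpose has its own key, the pseudonym seen by the NHS
    and the one seen by an employer differ, so records cannot be joined
    across purposes without access to both keys.
    """
    key = PURPOSE_KEYS[purpose]
    return hmac.new(key, citizen_id.encode("utf-8"), hashlib.sha256).hexdigest()


def release_record(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Return the minimal view of `record` allowed for `purpose`.

    The raw citizen_id never leaves; only the matrix-listed fields plus a
    purpose-specific pseudonym and the recorded legal basis are released.
    Every release is written to AUDIT_LOG.
    """
    entry = SHARING_MATRIX.get(purpose)
    if entry is None:
        raise PurposeNotPermitted(f"no published sharing basis for {purpose!r}")
    # Data minimisation: whitelist, never blacklist.
    released = {k: v for k, v in record.items() if k in entry["fields"]}
    released["subject"] = pseudonymise(record["citizen_id"], purpose)
    released["legal_basis"] = entry["legal_basis"]
    AUDIT_LOG.append({
        "purpose": purpose,
        "subject": released["subject"],
        "fields": sorted(entry["fields"]),
    })
    return released


if __name__ == "__main__":
    # Constructed sample record; a real system would never hold all of this
    # in one place, which is rather the point.
    sample = {
        "citizen_id": "CIT-0001",
        "nhs_number": "NHS-1234",
        "date_of_birth": "1990-01-01",
        "work_status": "permitted",
        "status_expiry": "2030-12-31",
        "home_address": "1 Example Street",
    }
    print(release_record(sample, "nhs_access"))
    print(release_record(sample, "right_to_work"))
    print(AUDIT_LOG)
```

Note the whitelist in `release_record`: a blacklist would silently leak any field added to the record later, whereas a whitelist forces every new field to be justified in the published matrix before a relying party can see it.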
Potential penalties if the government proceeds without compliance
- ICO enforcement notice – Could require the suspension of the digital ID rollout until compliance is achieved.
- Administrative fines – Up to £17.5 million or 4 % of annual turnover for the Crown, whichever is higher.
- Judicial review – Affected individuals or groups could challenge the legality of the scheme in court, potentially leading to injunctions.
- Reputational damage – Continued breaches would erode public confidence, making future digital transformation projects even harder to implement.
Bottom line
The Home Affairs Committee’s report highlights a classic case of technology being pushed forward without respecting the legal framework that protects citizens’ data. To avoid costly fines, legal challenges and a loss of public trust, the UK government must pause the rollout, conduct a proper DPIA, engage in a transparent consultation, and embed GDPR‑compliant safeguards from the outset. Only then can a digital identity system deliver the promised convenience without sacrificing fundamental privacy rights.
