Consultation Questions, Companies House Incident Highlight UK IDV Industry’s Fears

The UK Cabinet Office’s recent consultation on a national digital identity scheme has sparked a debate that goes beyond technical design. While the paper outlines a government‑run ID linked to the GOV.UK app, it makes no reference to the thriving ecosystem of private Digital Verification Service (DVS) providers that already process millions of identity checks. Industry groups such as the Association of Digital Verification Professionals argue that this silence risks cementing a monopoly, blurring the line between citizen‑owned data and state‑controlled credentials. Their position underscores a growing demand for a pluralistic, user‑centric identity architecture.

The urgency of the debate intensified after Companies House disclosed a vulnerability that potentially revealed the personal details of five million company directors. Security researchers at Ghost Mail first reported the flaw, but the agency’s response appeared delayed until a high‑profile tax‑policy advocate intervened. Under UK GDPR, such a high‑risk breach obliges the regulator to notify affected individuals within 72 hours, yet the public narrative has focused on the technical lapse rather than the systemic risk of entrusting identity verification to a single public entity. The incident illustrates how inadequate oversight can translate into corporate hijacking threats.

Policymakers now face a choice: embed a monolithic state ID or adopt a hybrid model that leverages existing DVS capabilities while guaranteeing data ownership for citizens. A transparent framework could preserve competition, lower taxpayer costs, and mitigate security gaps exposed by the Companies House episode. By defining clear data‑custody rules and allowing private verification services to operate alongside a government‑issued credential, the UK can build a resilient digital identity ecosystem that supports both public services and commercial innovation.