What is GPG45?
Good Practice Guides are a set of best practice standards produced by the UK government to help drive consistent and widespread standards. There are many different Good Practice Guides. GPG45 concerns itself with how to verify and validate someone’s identity in the most secure and robust way.
Who does GPG45 apply to?
GPG45 was written for any organisation that wishes to make use of electronic identity verification services and is designed to be practical guidance on how to do so with confidence.
Any organisation is therefore able to refer to GPG45 as a point of reference and it is becoming increasingly adopted across both the public and private sectors.
What GPG45 says – the big picture
GPG45 starts out by explaining that an identity is a combination of multiple attributes or characteristics that belong to a person. What that means is that a single attribute is not usually strong enough to prove someone’s unique identity. Rather, it says, the strongest line of defence for organisations is to use a combination of attributes.
The purpose of GPG45 is to help organisations understand the various different identity verification methodologies and choose the ones that best suit the needs of their organisation.
That means GPG45 doesn’t actually dictate the specific technology or processes that a company should use for ID verification – it is technology agnostic. Instead, it focuses on outcomes and leaves it up to organisations to consider their internal and external requirements before deciding what tools or processes they need to use.
Ultimately, what GPG45 does is hand responsibility back to businesses to decide – based on their own specific internal and external business requirements and the risk environment they’re operating in – what tools or processes they need to use to verify someone’s identity confidently.
What GPG45 says – breaking it down
The guidance makes it clear that organisations do not need to check an identity in exactly the same way as another organisation or service. That means different assurance techniques can be performed – the important outcome is the level of confidence in someone’s identity that it’s possible to gain as a result of those checks.
GPG45 starts by breaking down the identity checking process into five steps:
- Get evidence of the claimed identity
- Check that the evidence is genuine or valid
- Check the claimed identity has existed over time
- Check if the claimed identity is at high risk of identity fraud
- Check that the identity belongs to the person who’s claiming it
A score of one to four is then assigned to each of the identity checking steps based on the pieces of evidence collected. The scores for each part of the identity checking process can then be combined in several ways to achieve a final confidence score. These combinations are known as identity profiles.
An identity profile relates to a level of confidence (low, medium, high, and very high) that an organisation can have in trusting the verified identity.
Need more help? HooYu helps businesses meet GPG45 standards
HooYu provides support to organisations across the different parts of the GPG45 self-attestation process to help them accomplish different levels of identity profile confidence.
Join our webinar: October 27th
We’ll be discussing the role of digital identity verification in the recruitment industry in a joint webinar with experts in employment verification, Konfir. Join us as we explore:
✅What is changing in recruitment identity verification, and why?
✅GPG45 and the Digital Identity & Attributes Trust Framework – what does it cover and what do you need to do?
✅Explore what’s involved in making the switch to digital identity screening
27 October 2022, UK GMT 12PM