Written evidence submitted by Onfido (DDA0021)





We strongly welcome the Committee’s decision to launch an inquiry into effective data sharing and the importance of public trust and transparency. As a UK-headquartered technology company, the use of data in a responsible, ethical and transparent way is essential to us and our customers. We are therefore delighted to respond to the call for evidence and set out our views on some of the issues raised.


Having left the EU, the UK is now in a unique position to consider areas in which the data protection regime might be improved. It is not contentious that improvements can and should be made. Targeted and proportionate reform can be a key pillar in driving good outcomes for the UK’s data strategy, while at the same time maintaining the necessary safeguards and protections for citizens. The UK can act in an agile manner and has the potential to take a “first-mover” position in refining GDPR to better serve the needs of individuals and businesses. We therefore welcome the recent comment by the new ICO Commissioner that the UK can be “fleet of foot [in the] fast-moving digital environment” we are in.[1]  The key is to ensure that any reform makes a genuine difference to innovation, while protecting the interests of individuals.


One key way this can be achieved is to genuinely unlock the power of data-sharing, removing actual or perceived barriers. Doing so will drive huge improvements in the way services are delivered, incentivise innovation in the UK and set best-practice benchmarks for the rest of the world to learn from and follow. We set out some examples of how this can be achieved below.


Regulatory context


The regulatory framework needs to encourage and incentivise the responsible and trustworthy use of data. We therefore need to see clear coordination across the various initiatives on data currently existing or planned, and the ability for data-led providers to engage with them in a meaningful way. This will not only help businesses, but also encourage citizens to see the joined-up approach being taken and increase consumer trust which is vital to success.


For example the National Data Strategy must result in clear coordination across various Government data initiatives and develop strong and clear leadership across all departments and bodies on data issues.


There is also an important role for the Centre for Data, Ethics and Innovation (CDEI) to play in providing expert advice to help guide industry in its data-driven innovation. However, the role of the CDEI needs to be clear to stakeholders, as one of an expert body rather than anything else. It should not be conflated with one of governance, and we need full clarity and transparency on the regulatory drivers impacting industry, from regulation and governance to guidance and consulting.


We also need maximum effectiveness and coordination from existing governance arrangements such as the Digital Regulation Cooperation Forum (DRCF). While this can help to deliver a coordinated approach between regulators, we need to see a greater level of transparency on the work of the DCRF, its concrete value for regulated entities and a vision for how industry can engage with this initiative.


The ICO is of course key in terms of providing UK business with pragmatic and proportionate guidance on the implementation of the data protection regime. We broadly welcome the Government’s consideration on expanding its responsibilities in Data: a new direction in order to align it more closely with other UK regulators such as Ofcom.


However, the effectiveness of the ICO is underscored by its independence, and we caution the Government against proposals that would undermine this. Any actual or perceived conflict of interest between the Government and the regulator will undermine its credibility and may jeopardise the EU’s positive adequacy decision which is vital for UK businesses large and small.


Enabling responsible research and innovation


A thriving innovation-led market will allow home-grown businesses to remain competitive internationally and help drive the UK’s ambition of being a global digital leader.


Access to data and greater data sharing is vital for this, especially in tackling pressing societal and economic issues following the pandemic such as fraud. Never has this fight against fraud been more important, with well  over £4 billion of UK taxpayers money suspected of having been lost to fraud during the pandemic.[2]


Onfido’s services directly benefit both individuals and businesses because they are a vital tool in the fight against fraud. We identify suspected fraudsters using leading AI and biometric technology and, in doing so, drive consumer protection, trust and inclusion. Many of our financial services customers use our services to help comply with their regulatory obligations associated with fraud prevention, in particular anti-money laundering and know-your-customer rules.

In order to provide our service, we process personal data on behalf of our customers, and re-use it to test and improve our technology, in particular our algorithms. This re-use of data is fundamental to driving down bias in our algorithms and is a key example of using data for R&D in an ethical and responsible manner. Without being able to share data in this way we would not be able to drive the necessary incremental improvements in performance that benefit both our customers and wider society.

Yet for companies that do not have a direct relationship with end users there is a great reliance on customers to give notice to and collect consent from end users. This creates barriers under existing laws where, in Onfido’s case, our clients may have to describe in detail how Onfido may use data for testing and research purposes.

We therefore see a need for a greater level of flexibility in the legislative framework to alleviate some of this friction whilst maintaining adequate safeguards. We consider that it should be made clearer that user consent is not the only basis on which organisations should rely and that, subject to suitable safeguards, there may be other appropriate bases.

As a broader point, we believe that in determining how data can be appropriately used and shared, the use case needs to be at the heart of the consideration. The ability to use data to combat fraud, whether that be sharing data between financial service providers, or between those providers and data processors supporting them, should have a clear mandate in the legislative framework.  This mandate needs to apply to all legislation which impacts the use of data, such as the Privacy and Electronic Communications Regulations.


We therefore have specific recommendations in this regard which the Committee may wish to consider:


  1. Improving legal clarity and certainty on definitions and legal bases for data processing activities related to research. Onfido is supportive of the Government’s proposals for a statutory definition of scientific research, provided this explicitly includes research undertaken by commercial organisations in a commercial context and seeking to clarify the research specific provisions within the UK GDPR.


  1. Removing limitations on the re-use of data for research purposes, by clarifying the legal bases for the (re)processing of personal data beyond consent, when thresholds are met and with suitable safeguards. In particular, any such changes should take into account the role of service providers in a B-B-C context and not just focus on controllers or B2C businesses wishing to repurpose personal data.  This will better accommodate the serendipitous nature of research.


  1. Providing access to more data sets for the responsible, ethical development and training of AI systems. We support the research provisions outlined above which will provide organisations developing AI technologies more legal clarity and flexibility when processing personal data.


To reflect the contribution of business to UK R&D, which amounted to £25 billion or over two-thirds of all R&D funding in 2018[3], Government should ensure commercial and industry-led research is kept within scope of the statutory definition of “scientific research”.


Additionally, we supported the proposal in Data: a new direction, to clarify ways organisations can lawfully share data with Government agencies which could encourage greater collaboration between the public and private sector. However, Government and the public sector also hold a significant amount of valuable data that could support businesses in driving research and innovation. This is particularly relevant now as the government is actively considering  innovative digital solutions such as digital identity.


We hope and expect that inquiries such as yours can help the Government make the refinements needed to boost growth and innovation within our tech sector, while also maintaining public trust and transparency. This will ensure that the UK continues to be seen as a trusted destination for data transfers and a global hub for data and innovation.


We would be delighted to share our expertise and discuss our response further with your committee at a time convenient to you. 


About Onfido 


Onfido is a UK-headquartered global identity verification provider. We partner with organisations across the world to remotely onboard users securely and swiftly, providing a best-in-class user experience. Our leading biometric and AI technology, coupled with human-in-the-loop oversight, enables clients to prove that their customers are who they claim to be.


Started ten years ago, we have scaled rapidly and now employ over 250 people in the UK and more than 600 in total worldwide, with offices across Europe, the US, Singapore and India. We are continuing to invest and grow our team and global presence to meet increasing customer demand in both the fintech space and other verticals.


We are thought leaders in AI bias, ethics, fraud, security and privacy. In 2109 we partnered with the ICO in its sandbox to pioneer research on data protection considerations when improving algorithmic bias. We were winners of the 2020 CogX Award for “Best Innovation in Algorithmic Bias Mitigation” and “Outstanding Leader in Accessibility” and were “Highly Commended” in the SC Europe Awards 2020 for “Best Use of Machine Learning”. We work with Interpol to develop leading practice in fraud prevention and publish a widely-acclaimed annual Fraud Report considering the state of the market. Onfido is a founding member of the Better Identity Coalition in the US and a board member of the FIDO alliance that is dedicated to best-in-class global authentication standards.


January 2022


[1] https://www.ft.com/content/e8aedd54-040d-4e7e-91df-d35c3183ac00

[2] https://www.bbc.co.uk/news/business-59504943

[3] UK Research and Development Roadmap - GOV.UK (www.gov.uk)