Scottish Government: Delivering ScotAccount to the highest standards

Enhancing access to public services

The Scottish Government’s digital identity programme is establishing a new way for users to access online public services in Scotland – a service called ScotAccount. It will make accessing online public services easier and simpler because users will be able to use one ScotAccount to securely sign in to a variety of public services.

Scott Logic was awarded the contract to act as the programme’s implementation and development partner, supporting the Scottish Government to deliver the four main strands: a secure sign-in for end users; an identity verification journey; an attribute store; and integration with public sector organisations that depend on verification.

Through its ambitious digital strategy, the Scottish Government wants to join the front rank of European countries in terms of the quality, availability and security of its digital public services and has drawn lessons from countries with the most advanced standards.

Our engineers and designers were onboarded onto the programme in lockdown during the COVID-19 pandemic, forming a virtual team across four Scott Logic offices. They set to work designing and building an ‘always on’, citizen-facing digital identity service that is user-centred, highly secure and resilient, and built to the highest standards.

Designing a user-driven common platform

With a remit to increase access to online public services, ScotAccount’s design had to balance the requirement to be highly secure with the requirement to be easy to use. The Scottish Government’s user researchers embraced the Scottish Approach to Service Design which advocates the active participation of users in the definition, design and delivery of a digital service. Rounds of user research have fed into every stage of ScotAccount’s implementation, helping to gain an understanding of users’ concerns and the trade-offs they are prepared to make, while simultaneously building trust in the new service.

This research has informed the work of Scott Logic’s UX experts in shaping the service’s user journeys, and they contributed some of their design solutions – including patterns and behaviour logic for the account creation process, and a show and hide function for the password pattern – to the Scottish Government Design System. This is a library of design standards and patterns that can be reused and adopted across the public sector.

ScotAccount is one of the Common Platforms prioritised in the Scottish Government's Digital Strategy, underpinning an approach where organisations can focus on front-line service delivery because they’re not wasting time reinventing or operating back-office processes that are best delivered in collaboration. To this end, our engineers designed and implemented a modern microservices architecture to provide the Scottish Government with long-term flexibility to connect, scale and upgrade services as required.

Not only that, but significant elements of the architecture and code – including the development and run-time platform, built with an Infrastructure as Code approach – were reused from the Scottish Government payments service programme, ScotPayments, also managed by Scott Logic. This reuse on the digital identity programme is delivering efficiencies, value for money and increased security.

Creating a secure, inclusive service

The Scottish Government was determined to ensure that ScotAccount would be as inclusive and accessible as possible. Taking an incremental approach to implementing identity verification, the first release of ScotAccount used a photo facial match against a passport, driving licence or biometric residence permit. The identity verification user journey we co-designed involves the user taking a live photo of themselves and their identity documentation; a third-party credential provider uses these to verify the citizen’s identity. Further releases will introduce additional verification methods.

Another means of delivering a secure, inclusive service was the implementation of ScotAccount sign-in. Through this feature, citizens can have one account to sign in securely to a range of public services. Striking a balance between security and usability, our engineers built two-factor authentication into the first release of the functionality. Users create an account using an email address and password, with access secured through codes sent as text messages. The introduction of other means to authenticate access to accounts brought further inclusivity – for example, through the use of telephone landlines.

Next, our engineers set to work on creating the attribute store, known as MySafe. This functionality offers users complete control over how their personal information is used, stored and shared, and removes the need to provide the same information multiple times. Public services in Scotland require various types of identification, but there is plenty of overlap between different services. When a user’s identity document is verified to access one public service, it is saved in MySafe as a verified ‘attribute’, and can be used individually or in combination to access other services. MySafe will enhance ScotAccount’s inclusivity over time, offering users the ability to store and share verification methods that are alternatives to biometric identity documents.

Delivery to the highest standards in a highly regulated environment

The design and delivery of ScotAccount by our engineers and designers is in full alignment with the Digital Scotland Service Standard which aims to ensure that services are continually improving and user-focused. Throughout its development, ScotAccount also worked incrementally towards full accordance with ‘Good Practice Guide (GPG) 45 – How to prove and verify someone’s identity’. Issued by the Government Digital Service in 2014, GPG 45 has become recognised as the standard against which digital identity verification services are measured and is aligned with the EU’s eIDAS regulations.

At Scott Logic, our engineers and designers are very experienced in building services that operate in highly regulated environments. In line with the Scottish Government’s ‘Principles of a Digital Nation’, they adopted a Secure by Design approach throughout the delivery of ScotAccount, working in close collaboration with the government’s security experts.

A key milestone on the roadmap was achieved with the launch of a Private Beta for testing with users of Disclosure Scotland, allowing all aspects of the service to be tested in controlled conditions – including security, resilience and usability. Through this Private Beta, our team is incrementally and iteratively enhancing ScotAccount based on feedback from the user testing.

Although access to the Private Beta is restricted to Disclosure Scotland users, it is effectively a live service. As such, we are supporting the programme in establishing a service management capability to run ScotAccount. This involves providing the initial service management engineers, putting in place tools and processes to operate the live service, monitoring usability, performance and resilience, and supporting the capability to deploy improvements regularly.

Delivering early value to citizens

Through the Private Beta, the service is already making a difference to users, speeding up the checks that people go through when starting a new job. As more services onboard ScotAccount, it will make it much easier for citizens to achieve a range of tasks from receiving payments quickly to proving their eligibility for public services in real time.

While ScotAccount progresses along its delivery roadmap towards becoming a live public service, we are continuing to help our Scottish Government partners to achieve modern engineering practices with regular deployments to production, as well as helping them develop their operational capabilities.

Once it enters full operation as one of the Scottish Government’s Common Platforms, ScotAccount will continue to be integrated into new and existing online public services, providing citizens with inclusive, secure access while minimising fraud and delivering value for money to Scottish taxpayers.