ScotAccount: equality impact assessment

1.5 Background

ScotAccount was developed to deliver the Digital Strategy commitment to create a secure and trusted digital identity system for accessing public services online.^[10]

The service was developed to address several critical needs:

• Digital transformation of public services: The Scottish public sector currently uses multiple processes to identify that a person is eligible for different services, resulting in duplication of effort and spend. People can be required to create multiple digital accounts, sometimes without assurance that their identity is being protected. The Covid-19 pandemic accelerated the reliance on digital solutions, reinforcing the need for a common, standards- based approach to identity verification that prioritised security, privacy and inclusivity.
• Reducing inefficiencies: Current processes are fragmented and often require repeated identity checks and paper-based proofs, which are costly, time-consuming, and prone to errors or loss.
• Improving user experience and trust: A reusable, verified digital identity reduces friction, enhances security, and fosters confidence in digital services. Users wanted assurances that their personal information would be handled securely and that they could decide when and how it is shared with service providers.
• Mitigating digital exclusion: In accordance with the Scottish Government commitment, ‘No One Left Behind’,^[11] ScotAccount development recognised barriers such as lack of internet access, digital skills, and ownership of identity documents. ScotAccount incorporates strategies such as knowledge-based verification and acceptance of Young Scot NEC cards to widen inclusion. Scotland’s Public Service Reform Strategy^[12] commits to delivering services ethically and inclusively through digital channels while preserving alternative routes for people who cannot or choose not to use digital services.
• Supporting privacy and security: In accordance with the Scottish Government commitment to privacy and data minimisation and avoiding large searchable centralised databases, the policy context is shaped by principles of data minimisation, user control and transparency, aligning with frameworks like the Digital Scotland Service Standard and the Scottish Approach to Service Design. These principles aim to ensure that digital identity supports equal access to services, protects privacy and fosters trust. The programme also reflects commitments under UK GDPR, the Data Protection Act 2018 and accessibility regulations. ScotAccount adopts robust security standards, such as GPG 44 and GPG 45, ISO 27001, to provide assurances that peoples’ data is being protected against fraud and misuse.

The EQIA process began in 2021, focusing on sign-in and identity verification, before ScotAccount was launched in private beta with Disclosure Scotland in February 2023. This EQIA refresh incorporates findings from the earlier assessments and includes new features such as attribute storage and reuse, reflecting the approach to continuous improvement and user-centred design principles.