The UK now has a legal framework for digital identity. The Data (Use and Access) Act 2025 — passed after years of consultation — created a formal register of certified digital identity providers and set out rules for how your identity can be checked and shared online.
For most people, this is background noise. But it shouldn't be. The framework changes what your phone number and email address mean in a practical sense — and it has direct consequences for how you should think about sharing them.
What is digital identity?
Your digital identity is the collection of data points that, together, prove who you are online. It includes things like:
- Your name, date of birth, and address
- Government-issued documents — passport, driving licence, national insurance number
- Your phone number (used for identity verification and SMS codes)
- Your email address (used for account recovery, verification, and communications)
- Biometrics — face recognition data increasingly used to match you to documents
Some of these are formally linked to your identity — your passport number is unique to you and issued by the state. Others are softer identifiers — your phone number and email address aren't government-issued, but they've become central to how services recognise and communicate with you.
The distinction matters. Soft identifiers are easier to change, but also easier to steal, replicate, or hand to the wrong person without realising the consequences.
What the UK Digital Identity and Attributes Trust Framework actually is
The UK Digital Identity and Attributes Trust Framework (DIATF) is the government's certification scheme for identity providers. An organisation that wants to verify identities on behalf of employers, landlords, or the government can apply to join the framework and be audited against a set of standards.
Once certified, these providers can issue digital identity checks that are legally equivalent to checking physical documents. A certified provider can confirm your Right to Work, Right to Rent, or criminal record history using digital checks rather than requiring you to hand over physical documents.
Practical example: Under the framework, a landlord can use a certified digital identity service to confirm your identity and right to rent — without you having to physically present your passport. The provider does the check digitally, cryptographically confirms the result to the landlord, and your raw document data stays with the provider.
The goal is efficiency and fraud reduction. Physical document checks are slow, inconsistent, and easy to forge. A certified digital check is standardised, auditable, and harder to fake.
But the privacy implications are significant.
Why this changes the stakes for your phone number and email address
Under the Trust Framework, certified identity providers can verify attributes about you — your age, your nationality, your right to work — and share those as digital credentials with third parties. The framework is designed so that only the minimum necessary information is disclosed.
However, to do any of this, you first have to verify with a provider. And that verification process starts with the basics: your phone number and email address.
Your phone number and email are the anchors of your digital identity. They're the first thing you hand over when signing up to any service. They're how you receive verification codes. They're the recovery options on every account you own. If either is compromised, the attacker gains a foothold in every account tied to that identifier.
As digital identity checks become more common in everyday life — renting a flat, taking a new job, opening a bank account — the importance of those anchors only grows. Your phone number and email address aren't just contact details. They're the keys to your digital identity infrastructure.
The risk: what happens when those anchors are exposed
When you hand your real phone number or email address to a third party, you lose control of it. They may:
- Sell it to marketing partners or data brokers
- Suffer a data breach that exposes it to criminals
- Use it to build a profile of you across their services
- Pass it to a government regulator if required to do so
Each exposure is a small erosion. But over time, as more organisations hold your real contact details, the attack surface grows. Credential stuffing attacks — where criminals take email addresses and leaked passwords and try them across hundreds of services — rely entirely on the fact that most people reuse the same email address everywhere.
SIM-swapping attacks, where criminals convince a mobile carrier to transfer your number to a SIM they control, are increasingly common. Once they have your number, they can intercept SMS verification codes and break into accounts that rely on them — including banking and identity services.
The core problem: Your real phone number and email address are permanent. Once an attacker or a data broker has them, you can't take them back. The only way to limit exposure is to limit who gets them in the first place.
What the framework gets right — and where the gaps are
The Trust Framework does several things well. Certified providers are required to store minimum data, undergo regular audits, and give users the right to access and delete their data. The framework doesn't create a central government identity database; instead, it operates as a decentralised set of certified services.
But the framework applies only to certified providers. The thousands of websites, retailers, landlords, and employers who will rely on identity checks aren't necessarily subject to the same standards. Once a check is complete and a credential is issued, what the relying party does with it is governed by GDPR and their own policies — not the Trust Framework.
There's also a practical gap between formal identity infrastructure and everyday digital life. The Trust Framework covers formal checks — employment, tenancy, financial services. It doesn't cover the hundreds of smaller interactions where you hand over your phone number or email address: a restaurant's loyalty scheme, an online shop, a competition entry, a news site paywall. Those interactions remain as unregulated as ever.
The framework is a floor, not a ceiling. It protects identity checks in regulated contexts. Everything else is still up to you.
What you can do
Understand what you're handing over
Your real phone number and email address are identity anchors. Treat them accordingly. Give them to organisations you trust and intend to maintain a long-term relationship with. Don't hand them to every form, sign-up page, and loyalty scheme that asks.
Use separate identifiers for lower-trust interactions
For services where you need a working contact point but don't need it to be permanent or traceable, use a separate identifier. A virtual phone number can receive SMS verification codes, calls, and texts — but is disconnected from your real mobile account and can be discarded if it attracts unwanted contact.
An email alias works the same way. You give out a forwarding address that routes to your real inbox. The sender sees the alias. If it starts receiving spam or you want to cut off contact, you delete it — and all future emails to that address bounce.
Think about account recovery paths
Most people's real phone number is the recovery option for their email account, which is the recovery option for everything else. That chain is a single point of failure. If someone gets your real number through SIM-swapping or social engineering, they can work backwards through your entire digital life.
Using a separate, harder-to-discover number for account recovery — not one you've handed to fifty different services — tightens that chain considerably.
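The recovery chain described above can be audited as a graph of "what can reset what". The following is an added example, not part of the original article: the account names and recovery mappings are constructed sample data, and `blast_radius` and `single_points_of_failure` are hypothetical helper names. It assumes any single listed recovery method is enough to reset an account.

```python
from collections import deque

# Constructed sample data: each account maps to the identifiers or accounts
# that can reset it on their own (any single entry is sufficient).
SHARED_NUMBER = {
    "email": ["mobile_number"],
    "bank": ["email", "mobile_number"],
    "identity_provider": ["email"],
    "shop_loyalty": ["email"],
}

# Same accounts, but recovery uses a number that is given to no other service.
DEDICATED_NUMBER = dict(SHARED_NUMBER, email=["recovery_number"],
                        bank=["email", "recovery_number"])


def blast_radius(recovery_map, compromised):
    """Return every account reachable through recovery paths from `compromised`."""
    # Invert the map: controlling X allows a reset of everything that lists X.
    unlocks = {}
    for account, methods in recovery_map.items():
        for method in methods:
            unlocks.setdefault(method, set()).add(account)

    taken = set()
    seen = set(compromised)  # also guards against cycles in recovery paths
    queue = deque(compromised)
    while queue:
        current = queue.popleft()
        for account in unlocks.get(current, ()):
            if account not in seen:
                seen.add(account)
                taken.add(account)
                queue.append(account)
    return taken


def single_points_of_failure(recovery_map):
    """Identifiers or accounts whose loss exposes every account in the map."""
    nodes = set(recovery_map) | {m for ms in recovery_map.values() for m in ms}
    everything = set(recovery_map)
    return sorted(n for n in nodes
                  if blast_radius(recovery_map, [n]) | {n} >= everything)
```

In the second map a single point of failure still exists, but it is the recovery number that no third party holds, so losing the widely shared mobile number no longer exposes any account.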
Stay ahead of the shift
The UK's digital identity framework is live, but it's early. Adoption will accelerate as more employers and landlords move to digital checks, more banks integrate certified verification, and the government expands use cases. The more central digital identity becomes to daily life, the more important it is that your identity anchors — your number and email — are protected.
Privify gives you a UK virtual phone number and randomly generated email aliases that sit between you and the services you sign up to. Your real contact details stay private. Hand out a Privify number for verification, a Privify alias for sign-ups — and if anything goes wrong, delete it.
The bottom line
The UK's digital identity framework is a genuine step forward for security and convenience in formal identity checks. But it doesn't protect you from the everyday erosion of your identity anchors — the phone number and email address handed to hundreds of services over years of online activity.
As digital identity becomes more formally structured in the UK, the stakes attached to those anchors only increase. Protecting them now, before they become more central to your digital life, is the practical response to where things are heading.
Your digital identity is yours. The framework is a start — but what you do with your own contact details is still entirely up to you.