Moving is the worst. The last-minute packing, the cost overruns, the too-small truck, and – of course – all the paperwork. The paperwork is maddening: completing change-of-address forms, waiting for the internet or television to get hooked up, electricity and gas, obtaining a piece of mail with your new address on it so you can prove residency, having to get that proof of residency so you can get a driver’s license and plates in your new home state. And don’t forget about the extra documents you’ll need if your state requires a Real ID.
Now, imagine you are leading an organization that requires many of its employees to routinely move around and that your organization cannot function unless those moves occur as seamlessly as possible. Oh, and your organization routinely ranks “among the five largest employers worldwide.”
That’s the problem faced by the United Kingdom’s National Health Service. The NHS oversees more than 1,200 hospitals in the UK and employs more than 1.1 million people. The NHS onboards or transfers staff members more than one million times each year; its junior doctors move an average of ten times during their training.
Imagine the stresses and paperwork from your most recent move and quite literally multiply it by a million. Every single time a staff member moves from one of the NHS’s 1,200 hospitals to another one, every single one of that staff member’s credentials must be re-verified because NHS hospital systems operate independently of one another. Staff members must thus complete “multiple forms to prove their identity, credentials, and prior employment, and nearly half are required to travel to complete the onboarding process in person.... [and] often retake training unnecessarily.” And that’s not even accounting for security clearances, authorizations to access sensitive data, and other relatively routine onboarding tasks. The costs for this verificatory work are huge: 800,000 lost work hours and an average annual loss of £22 million verifying junior doctors alone. Most importantly, physicians who are filling out forms or watching training videos cannot care for patients.
In 2019, the NHS began envisioning a solution: a digital staff passport that would share HR records and other mandatory records. Staff members would carry their credentials on their smartphones and would thus control who had access to said credentials. The COVID-19 pandemic accelerated this need to move staff quickly between hospitals.
As Mary Lacity and Erran Carmel explore in their whitepaper, “Implementing Self-Sovereign Identity (SSI) for a digital staff passport at UK NHS,” the lessons learned by the NHS may point towards ways of unlocking new business value. Although self-sovereign identity is a few years away from being widely adopted, organizations interested in SSI's potential have an opportunity to start examining it now as well as reaching out to communities already working on decentralized identity and verifiable credentials. Lacity, Professor of Information Systems at the University of Arkansas’ Sam M. Walton College of Business and director of the Blockchain Center of Excellence, and Carmel, Professor of Information Technology at American University, also explain what self-sovereign identity entails, the common challenges around it and how the NHS overcame them, and what aspects of SSI may interest businesspeople.
How Self-Sovereign Identity Works
Self-sovereign identity – or, as the authors prefer, “self-sovereign credentials,” refers to a “decentralized approach for verifying credentials in online relationships.” Instead of carrying around paper credentials, you would carry those credentials in a digital wallet with you once they’ve been validated by a governing authority.
The key, then, to a successful SSI initiative comes in the governance model and making sure that everyone’s able to play their role effectively. Once those roles are established – and automated – the real benefits of SSI can be reaped. Lacity and Carmel note that SSI often relies on a “trust diamond” comprised of issuers, holders, verifiers, and governing authorities. For the NHS, the issuers were organizations that could issue credentials, from teaching hospitals to medical councils. Holders were the physicians and healthcare professionals who received the credentials. Verifiers were organizations authorized to verify credentials – for example, a university hospital or another teaching hospital. The governing authority for the NHS’s SSI initiative was the NHS itself, which set the rules for the credentials and specified who can issue, hold, or verify them.
The elegance of the NHS’s solution comes from how the verification takes place: by using decentralized identifiers (DID). The NHS uses the Sovrin Network, thus allowing authorized parties to verify credentials by querying the public distributed ledger in lieu of using a trusted third party. A distributed ledger, a familiar term if you’ve read prior Insights articles on blockchain, refers to a time-stamped and permanent record of all valid transactions that occur on a digital network. Peer DIDs have generated a lot of excitement because they have no transaction costs and, among other benefits, do away with the need for log-on IDs and passwords.
The NHS, as the governing authority, created the first entry on the network, listing its public key and data schema for what it accepts as a viable credential. As an issuer of a credential, that hospital uses the data schema provided by the NHS to format the credential and then signs the credential with its own unique private key. Think of a public key as “an email address that you may share broadly, and the ‘private key’ [as]…. a password that is kept secret.” Holders can then decide whether to adopt the digital onboarding process or the old manual process – the new process takes a few minutes whereas the old process takes a couple of days. From there, a variety of identity binding processes occur – including the downloading of an SSI digital wallet app – all of which “ensures that credentials are created for the correct employee.” The NHS established a support center to assist users, and to date the most frequent issues reported have been minor connection problems and a lack of cellphone service coverage in some areas of the hospital.
To date, the NHS has not disclosed how many doctors and staff using the digital passport app, as adoption of the app remains voluntary, but many early adopters were armed forces healthcare staff deployed in a pandemic response capacity. The NHS plans to build on its early successes by expanding the application to enable its strategic people plan.
Unlocking the Business Benefits of Single-Sovereign Identity
The benefits experienced by users of the digital passport app are clear – control of their own digital identity, increased levels of transparency, privacy, and security – but what about benefits organizations experience? How does self-sovereign identity deliver business value? Yes, SSI can provide a single source of truth. And, as was the case with the NHS, SSI can create value in terms of time savings by speeding up onboarding processes. But many other potential benefits exist for organizations. Already, organizations in spaces as diverse as business licensing, credit unions, food supply chains, healthcare, and travel have developed similar applications.
As Lacity and Carmel note, “It’s hard work to get value from a new innovation.” But the path to value creation is made smoother when potential users consider the following:
- Does SSI solve the problem the organization is experiencing? Making sure that SSI is the solution to your organization’s problems is the first step. SSI is not a “silver bullet...that promises to instantly solve a long-standing problem.” What made SSI such a boon for the NHS is that SSI solved several problems at once for the NHS – speeding up onboarding, allowing the organization to respond to clinical needs, reducing extraneous communications, and increasing patient care. However, not every organization faces these sorts of problems.
- Do the potential benefits outweigh the costs and benefits? No matter how intriguing your management or organization might find SSI and how obvious the benefits might be, you cannot escape the costs. Enterprises can expect costs varying from building internal capabilities, developing or buying SSI applications, and operational costs, to change management, including educating stakeholders and target users. The NHS’s pilot was not expensive because “technology providers charged nominal fees because they were learning alongside NHS.” For your organization, the fee structure might be different; at the same time, the benefits your organization sees and the timeline until there’s a return on your investment might exceed what the NHS saw.
- How much and what sort of risk tolerance can the organization tolerate? Relying on a shared governance model had several benefits for the NHS, as peer-to-peer connections reduced the need for log-on IDs and passwords. For them, having no trusted third party or centralized databased controlling the relationship and the scalability this brought was enticing. The downside to this is that you cannot easily sue or pursue legal action against a “dispersed community of node operators.” If scalability and other considerations matter more than having a single organization to hold legally responsible, then your organization may be poised to unlock business value from SSI.
- Does the organization value open standards and software? While the NHS’s experience indicates that building capacity rather than product is ideal, it also demonstrates how to avoid vendor lock-in and the resultant high switching costs. If organizations use open standards and open software, designs can be future-proofed and thus retain their value and/or incorporate new developments. As was the case with risk tolerance, determining your organization’s standpoint and values will be key.
Although we’re still in the early days of SSI, Gartner anticipates that organizations will become better at extracting value from the innovations between 2023 and 2026. Lacity and Carmel encourage professionals and students alike to start learning about SSI now. As they rightly state, the pace of adoption for SSI is “not deterministic; individuals and organizations do not just sit around and wait for the future, but actively create it.”
A good question, then, to add to those above is what role your organization will play in shaping this future.