
    HMRC & Companies House Digital ID: Privacy Guide for UK Directors

    What mandatory identity verification means in 2025, how to complete it with minimal data exposure, and how to exercise your erasure rights.

    Privacy · Published · 11 min read · By Digital Identity Desk


    1. Executive summary

    From 18 November 2025, Companies House will require every director and person with significant control (PSC) to verify their identity before appointments and routine filings. GOV.UK One Login is the primary route, backed by biometric liveness checks, Experian fraud screens, and a 30-day retention window for captured facial images. HMRC is migrating to the same credential, meaning one verification unlocks both corporate and tax obligations.

    Privacy-conscious directors still have options: a browser-based bank and knowledge-based verification (KBV) path, a Post Office assisted flow, or manual validation via Authorised Corporate Service Providers (ACSPs). Each route introduces different retention timelines and controller responsibilities, so you should align your choice with your risk tolerance and documentation needs.


    3. Verification routes compared

    Every route attains the same confidence level but the artefacts collected, the duration they persist, and the attack surface vary. Below you’ll find a plain-language walkthrough of each process, definitions for the jargon that GOV.UK uses, and a privacy risk rating based on impact if data leaks, likelihood of compromise, and your ability to audit the workflow.

    3.1 App or browser (default)

    What happens: You scan a biometric passport (contains an NFC chip), UK photocard driving licence, Biometric Residence Permit (BRP) or Card (BRC), or Frontier Worker permit. The GOV.UK app guides you to record a short “liveness” selfie, where your face is analysed for motion to prove you are a live person rather than a static image, followed by a “likeness” comparison to the document photo. The liveness/likeness checks are delivered by iProov’s Face Verifier SDK. Experian then runs a soft fraud search and, if needed, a knowledge-based verification (KBV) quiz using credit-file data.

    Key terms explained: Liveness detection looks for micro movements and depth cues to ensure a human is present. Likeness matching compares the biometric template derived from your selfie to the image embedded in the document. KBV (knowledge-based verification) presents personal financial questions that only the genuine individual should answer correctly.

    Privacy risk assessment: Medium

    • Impact: Face biometrics are special-category data—if compromised, they cannot be re-issued like a password.
    • Likelihood: iProov has passed multiple government assurance schemes, but concentrating millions of templates in one processor increases the blast radius of any breach.
    • Mitigations: 30-day deletion, selfie video discarded immediately, and encrypted transit. You control the environment (e.g. you can use a hardened device and a VPN) but must trust the biometric vendor’s implementation.

    Who should prefer it: Directors comfortable with mobile biometrics who want the fastest route and plan to reuse the same credential for HMRC.

    3.2 Bank + KBV route

    What happens: Instead of submitting face biometrics you supply UK bank or building-society details, your National Insurance number, and consent for Experian to run an Enhanced Fraud Search. Experian cross-checks that banking data against industry databases and serves a KBV quiz (for example, “Which of these addresses have you been associated with?”). Pass the quiz and you receive the same Companies House personal code.

    Key terms explained: Soft fraud search means the query is visible only to you and does not influence your credit score. The bank check confirms account ownership by matching sort code, account number, name, and date of birth against the UK Payment Systems Regulator’s data.

    Privacy risk assessment: Low–Medium

    • Impact: No biometrics collected, but sensitive financial identifiers are shared with Experian.
    • Likelihood: Experian has experienced significant regulatory action and breaches historically, so data minimisation is crucial.
    • Mitigations: Consider using a dedicated bank account with limited funds, monitor credit files afterwards, and request deletion of KBV artefacts through Experian’s rights process.

    Who should prefer it: Directors who object to face biometrics yet have strong credit files and predictable banking footprints.

    3.3 Post Office assisted

    What happens: Start the application online, then visit a designated Post Office branch. Staff use certified hardware to scan your documents and capture a selfie under supervision. The capture is uploaded to the same iProov backend, but the Post Office stores working copies for only 11 days before automatic deletion, giving you a shorter retention window than the purely digital route.

    Key terms explained: This process relies on the UK Digital Identity and Attributes Trust Framework’s branch standards, which mandate CCTV coverage and tamper-proof transfer to GDS. You receive a receipt number that can be used to query status.

    Privacy risk assessment: Medium

    • Impact: Same biometric capture as the app route, but adds physical observation risk (e.g. shoulder surfing in-branch).
    • Likelihood: Lower retention lessens long-term exposure, yet involves additional handling by Post Office staff.
    • Mitigations: Choose quieter branches, ask staff to confirm deletion schedule, and keep the receipt for any subsequent erasure requests.

    Who should prefer it: Directors without NFC-capable devices or who want human assistance but are willing to accept a short-term biometric capture.

    3.4 Authorised Corporate Service Providers (ACSPs)

    What happens: Regulated intermediaries (accountants, solicitors, formation agents) follow the Companies House identity verification standard. They must complete one of two authorised sequences:

    • Option 1 – IDVT: Use Identity Document Validation Technology (IDVT) that reads the document’s cryptographic chip, checks security features, and performs a likeness check (often using a selfie capture). This mirrors Companies House’s own digital route and may involve biometric comparison if the chosen IDVT supplier requires it.
    • Option 2 – Manual review: Collect two documents (e.g. passport plus proof of address) and examine them manually. The ACSP compares the individual either in-person or over a secure video call, checking that the person physically matches the photo—no biometric template is generated, but the practitioner must document how they satisfied the likeness check.

    ACSPs must log every step, store evidence securely for seven years, and furnish audit trails to Companies House on request. Unless the ACSP chooses an IDVT product with automated biometrics, the manual route relies on trained staff visually confirming the likeness rather than retaining a machine-readable biometric template.

    Key terms explained: IDVT refers to GOV.UK-certified services that interrogate document chips and security features remotely. Reasonable assurance is the minimum confidence level the standard demands—a combination of document authenticity, biometric or in-person likeness, and address corroboration.

    Privacy risk assessment: Medium–High

    • Impact: ACSPs often hold complete document copies plus their own work notes for seven years, creating a rich target.
    • Likelihood: Highly dependent on the firm’s security posture; smaller practitioners may lack enterprise-grade controls.
    • Mitigations: Demand written data-protection addenda (encryption at rest, access logs, destruction schedule) and verify their regulatory status with Companies House before sharing documents.

    Who should prefer it: Directors who refuse automated biometrics or need tailored support (e.g. complex corporate structures, non-standard documents).

    4. Controllers, vendors, and retention

    GOV.UK One Login is controlled by the Department for Science, Innovation and Technology (DSIT) via the Government Digital Service (GDS). iProov is the primary biometric processor, with Veriff and Inverid as sub-processors. Experian acts as an independent controller for fraud and KBV checks. Key retention commitments include:

    • Biometric stills and licence images: deleted from iProov systems after 30 days; selfie video discarded immediately.
    • System logs: stored for one year to support troubleshooting and audit events.
    • Secure audit trail: retained for seven years to detect and respond to fraud attempts.
    • Post Office assisted captures: purged 11 days after collection.
    • ACSP archives: statutory seven-year retention of identity evidence, including failed attempts.

    Once HMRC finishes its migration, the same One Login credential will unlock personal and business tax services, so one verification spans corporate filings, PAYE, VAT, and income tax portals.

    Supplier risk snapshot

    • iProov (biometric processor): UK-based vendor certified under the Digital Identity and Attributes Trust Framework. Strengths include ISO 27001 accreditation and patented anti-spoofing. Risks centre on single-provider dependency and the fact that biometric templates—while deleted after 30 days—transit through their cloud infrastructure. Ask GDS for any independent penetration test summaries if you need board-level assurance, especially in light of whistleblower concerns raised about One Login’s security posture.
    • Experian (credit and fraud checks): Operates as an independent controller. Experian was fined by the ICO in 2020 for failing transparency duties in direct-marketing data broking and has faced breaches internationally, so monitor your credit file post-verification and exercise your Article 15/17 rights directly with Experian where required.
    • Post Office Limited: Government-owned company with mature physical-security controls and direct accountability to BIS/DSIT. Residual risk stems from branch-level handling—conduct a quick visual check that devices are sealed and that staff follow the scripted workflow before presenting documents.
    • ACSPs: Highly variable. Large firms typically employ ISO 27001 or SOC 2 controls; smaller agents may rely on basic file servers. Treat ACSPs as processors you appoint—execute a data-processing agreement covering encryption, role-based access, incident notification timelines, and destruction after seven years.

    Public reaction & best practice advice

    Industry commentators are split: business forums welcome stronger gatekeeping, while infosec professionals warn that rolling out a national biometric platform at scale without complete secure-by-design assurance could expose millions. Analysts speaking to the technology press highlighted that One Login has faced whistleblower claims about tens of thousands of outstanding vulnerabilities, and fraud specialists have questioned the year-long transition window.

    1. Choose the least intrusive route: Opt for the bank/KBV path or Post Office assisted route if you wish to avoid live biometrics.
    2. Harden your endpoint: Use patched devices, private networks, and disable unnecessary analytics cookies before uploading documents.
    3. Minimise data footprints: Provide only the requested identifiers, delete local copies immediately, and use a dedicated email for One Login.
    4. Monitor and challenge: Check your credit files for the Experian soft search and invoke UK GDPR rights (Articles 15–17) once the 30- or 11-day retention windows lapse.
    5. Demand assurance from ACSPs: Confirm registration, encryption standards, access logs, and destruction commitments before sharing documents.
    6. Document the journey: Keep timestamps, confirmation emails, the personal code, and any branch receipts to prove compliance and support later erasure requests.

    5. Privacy-first playbook for directors

    1. Map your obligations: Align confirmation statement dates, PSC windows, and HMRC filing cycles so you are never locked out by missed verification.
    2. Choose the right route: Default to the bank/KBV or Post Office flow if you want to avoid live biometrics; use an ACSP when you need a human audit trail or bespoke guidance.
    3. Harden the exchange: Dedicate an email alias and device profile for One Login, disable optional analytics cookies, and delete local copies of IDs once uploaded.
    4. Log everything: Record the route chosen, documents provided, timestamps, and reference numbers—vital if you later challenge retention or seek erasure.
    5. Plan for reuse: Update internal compliance playbooks so company secretaries, accountants, and legal teams know how to reference the personal code instead of requesting fresh scans.

    6. Exercising your data rights

    Once the 30-day (or 11-day assisted) window lapses, you can submit a UK GDPR Article 17 request to confirm biometric deletion and ask what audit records remain. DSIT can refuse only when a legal obligation requires retention, such as fraud monitoring. ACSPs may lawfully defer deletion until their seven-year duty expires, but you should still request written confirmation.

    Use this ready-to-send template for the GOV.UK One Login route:

    To: gds.data.protection@dsit.gov.uk
    Cc: dataprotection@dsit.gov.uk
    Subject: Article 17 Request – Deletion of Biometric Images (GOV.UK One Login ID Verification)
    
    Dear DSIT/GDS Data Protection Team,
    
    I verified my identity using GOV.UK One Login for Companies House. Under UK GDPR Article 17, I request confirmation and, if necessary, deletion of any biometric facial data and associated still images generated from my selfie during the likeness/liveness checks, and any driving-licence images, in line with the GOV.UK One Login privacy notice stating these are deleted after 30 days and that the selfie video is not retained.
    
    Please confirm:
    1. whether these items have already been deleted;
    2. if any copy remains, that it will now be erased; and
    3. what audit/log data (if any) will be retained, the legal basis, and retention period.
    
    My details:
    • Full name:
    • Date of birth:
    • Email address used for One Login:
    • Approximate date and time of verification:
    • Companies House personal code (if issued):
    
    Kind regards,
    [Name]
    [Postal address]
    [Preferred contact number]

    Keep the acknowledgement email and any refusal rationale; both form part of your compliance evidence if the Information Commissioner’s Office ever needs to review the case.

