How ShareRing Uses Your Data
for ShareRing Holding Ltd
1. Overview
ShareRing provides a digital identity service that allows you to prove who you are, or specific facts about yourself, without giving away unnecessary personal data. Our platform is designed on principles of user control, data minimisation, and regulatory compliance. We are a Self-Sovereign Identity (SSI) provider, which means data is never stored by us in a centralised database. Your personal data is stored locally on your device.
When you use your ShareRing Me ID, you are always in control of your information. You choose:
- Which organisations (Relying Parties) receive your data;
- What attributes are shared (for example, your name, date of birth, or address);
- The purpose for which that data will be used.
We do not store or sell your data, and we never share information without your explicit consent.
2. How Your Data Is Used
Your data is processed only for the purpose of identity verification, authentication, or compliance checks that you authorise. The main categories are:
| Purpose | Description | Example |
| --- | --- | --- |
| Identity Proofing | Establishing and verifying your identity | Proving your identity for opening a bank account or completing a right-to-work check. |
| Authentication | Confirming that you are the same person | Signing in securely using a passkey or biometric. |
| Verification Sharing | Providing a verified assertion | Age verification for online content. |
| Compliance & Security | Recording and validating transactions | Anti-fraud logging and evidence assurance. |
Data collected and verified during proofing is encrypted and stored under your control. It is released only when you explicitly approve a verification request.
3. Data Minimisation and Security
ShareRing follows strict privacy and security practices:
- Data minimisation: Only the information required for a specific check is shared.
- Encryption and integrity: All data and verification records are encrypted in storage and transmission.
- User consent: No personal data is shared without your explicit approval.
- Transparency: You can see which organisations you have shared data with, and for what purpose.
- Standards compliance: ShareRing operates under international and regional digital identity standards (including ISO/IEC 27001, GDPR, and national trust frameworks).
4. Understanding Authenticators and Identity Proofing
Digital identity systems rely on two distinct but related components:
- Authenticators – How you prove you are the same person who owns a verified identity.
- Identity Proofing – How your identity was verified in the first place.
The standards governing these differ by country. For example, in the UK, they are defined by GPG44 and GPG45, which together form the foundation of the government’s Digital Identity and Attributes Trust Framework (DIATF).
United Kingdom
GPG45 – Identity Proofing and Verification
GPG45 (Good Practice Guide 45) defines how a digital identity provider confirms that an individual is real, genuine, and the rightful owner of the identity evidence they present.
The process includes several core steps:
- Evidence: Collecting identity evidence such as a passport, driving licence, or verified data from authoritative sources (for example, financial or utility records).
- Validation: Checking that the evidence is genuine and not forged, cancelled, or expired.
- Verification: Confirming that the evidence belongs to the individual through biometric comparison, liveness checks, or other mechanisms.
- Activity history: Where required, confirming the person has an active history associated with that identity (for example, confirmed addresses or credit activity).
- Fraud checks: Screening against databases for known fraud or impersonation risks (for example, deceased lists or fraud prevention systems).
Each element contributes to an overall “Level of Confidence” (LoC) rating:
- Low: Minimal confidence in the identity (for low-risk services).
- Medium: Reasonable assurance through multiple verified data sources.
- High: Strong assurance based on high-strength evidence and biometric verification.
This scoring model ensures consistency and auditability in how identities are proven.
GPG44 – Authentication and Credential Management
GPG44 (Good Practice Guide 44) defines how users securely authenticate themselves to a service after their identity has been verified.
It focuses on three key aspects:
- Authenticator Strength: How difficult it is for someone else to impersonate you (e.g. single-factor password versus multi-factor passkey or biometric).
- Lifecycle Management: How authenticators are issued, replaced, or revoked if compromised or lost.
- Operational Environment: How the system protects against phishing, replay attacks, or device theft.
GPG44 defines two main assurance levels:
- Medium Protection: Appropriate for most online services. Typically involves at least two factors of authentication (for example, device plus biometric).
- High Protection: Required for reusable or high-value identities. Must resist targeted attacks, include device binding, and provide recovery mechanisms.
ShareRing authenticators are designed to meet High Protection requirements under GPG44, using passkeys, biometric verification, and secure device storage.
ShareRing Authenticators and GPG44
ShareRing uses a system of authenticators designed to meet or exceed the UK Government’s Good Practice Guide 44 (GPG44) requirements for authentication assurance.
What a ShareRing Authenticator Is
A ShareRing Authenticator is the secure mechanism that proves it is you accessing your verified identity.
Each authenticator is unique to your device and bound to your cryptographic identity keys. It can include:
- A passkey or cryptographic keypair stored in your device’s secure enclave.
- A biometric check (e.g. Face ID, fingerprint, or liveness verification).
- A PIN or device credential as a fallback or recovery option.
These authenticators are created and controlled only by you. ShareRing does not have access to your keys or biometric data.
How This Relates to GPG44
GPG44 sets the benchmark for how digital identity services authenticate users securely. It defines assurance levels and controls that protect against impersonation, credential theft, and account recovery abuse.
| GPG44 Requirement | ShareRing Implementation |
| --- | --- |
| Authenticator Strength | ShareRing uses asymmetric cryptography (public/private keypairs) and device binding to achieve High Protection assurance. |
| Multi-Factor Authentication | Combines at least two factors: (1) something you have (your device + keypair) and (2) something you are (biometric) or know (PIN). |
| Binding to Identity Proofing | Each authenticator is cryptographically linked to your verified identity record, preventing credential reuse or replay. |
| Loss and Recovery Management | Device loss triggers a controlled re-verification process. You must re-authenticate using secondary proofing (consistent with GPG44’s lifecycle management rules). |
| Resistance to | Keys are stored in device secure enclaves (e.g. iOS Secure Enclave, Android StrongBox). No raw secrets are ever transmitted to ShareRing or third parties. |
| Operational Monitoring | Authentication events are logged with hash-based identifiers to support fraud monitoring and audit trails, consistent with GPG44 section 8.5 (“Event Logging”). |
Assurance Level
Under GPG44, authenticators are classified by their protection level.
ShareRing’s authentication methods are designed to achieve High Protection — suitable for reusable and regulated digital identity use cases (such as DIATF-compliant identity, right-to-work, and financial KYC).
| Level | GPG44 Definition | ShareRing Approach |
| --- | --- | --- |
| Medium Protection | Two-factor authentication (e.g. password + OTP) offering | Used for low-risk services, typically third-party logins. |
| High Protection | Strong resistance to targeted attacks and phishing, using cryptographically bound authenticators and biometrics. | Default level for ShareRing ID and reusable identity. |
Separation of Responsibility
- ShareRing Authenticators handle who is accessing the identity (GPG44 domain).
- GPG45 Proofing governs how that identity was established (GPG45 domain).
Together, they form the full identity assurance process:
- GPG45 ensures your identity was verified correctly and with sufficient evidence.
- GPG44 ensures that only you can access and reuse that verified identity securely.
DBS – Disclosure and Barring Service Checks
The Disclosure and Barring Service (DBS) is a UK government system that allows employers and authorised organisations to check a person’s criminal record status.
ShareRing can support the identity component of a DBS application by verifying your identity to the required GPG45 assurance level (usually Medium or High). Once identity is confirmed, the DBS record query is conducted by the authorised employer or screening organisation. ShareRing does not access or store criminal record data.
DIATF – Digital Identity and Attributes Trust Framework
The DIATF is the UK government’s overarching regulatory framework for digital identity providers. It ensures consistency, privacy, and interoperability across all participants.
Under DIATF:
- Providers are independently audited against GPG44 and GPG45 standards.
- Data protection and consent controls are mandatory and enforceable.
- Assurance levels (Low, Medium, High) determine how identity data may be reused.
- Providers must maintain audit logs and implement strong incident response procedures.
- Cross-provider recognition is supported, allowing verified identities to be reused securely across compliant services.
ShareRing operates in accordance with the DIATF requirements and maintains ISO/IEC 27001 certification for information security management.
United States
In the United States, digital identity assurance is based on guidance from the National Institute of Standards and Technology (NIST), primarily the publication NIST SP 800-63.
These standards describe levels of identity proofing and authentication similar to those used in the UK.
| NIST Standard | Area | Description |
| --- | --- | --- |
| SP 800-63A | Identity Proofing | Defines the evidence, validation, and verification required to establish a person’s identity. |
| SP 800-63B | Authentication | Defines how users securely sign in, including password, multi-factor, and cryptographic authenticators. |
| SP 800-63C | Federation | Describes how verified identities can be securely reused across systems. |
ShareRing aligns its verification processes to NIST assurance levels so that U.S. businesses can rely on ShareRing identity data for KYC, AML, and regulated use cases.
Australia
Australia’s digital identity ecosystem is governed by the Digital ID Act (2024), the Digital ID Accreditation Rules, and related instruments under the ACCC Digital ID Regulator.
Key principles include:
- Voluntary participation: Users control whether and when to share their identity.
- Accreditation: Providers must meet strict standards in privacy, security, and transparency.
- Data minimisation: Only attributes relevant to a transaction may be shared.
- Alignment with the Australian Privacy Principles (APPs): Users have rights to access, correct, and delete their personal data.
ShareRing’s systems are built to comply with ISO/IEC 27001 and to align with the Australian Digital ID framework as it becomes operational.
For financial services, our KYC and AML checks follow AUSTRAC requirements and standard industry verification practices.
Other Countries
Outside the UK, USA, and Australia, ShareRing applies the same privacy-by-design principles and follows internationally recognised identity assurance models, such as:
- ISO/IEC 29003 – Identity Proofing and Authentication
- eIDAS 2.0 (EU) for electronic identification and digital wallets
- OECD Digital Identity Guidelines
Each jurisdiction defines its own requirements for identity assurance.
If you are using ShareRing in another country, you should refer to your local government or regulator to understand:
- Which identity assurance framework applies;
- What level of identity proofing is required for your transaction;
- How digital identity providers are accredited or recognised.
ShareRing will always make clear which assurance level applies to your verification and will only collect the data necessary for that level.
Summary
- You always control your personal information and when it is shared.
- ShareRing uses only the data needed to complete your verification.
- Data is encrypted, securely stored, and never sold.
- All verifications are based on recognised standards such as GPG44, GPG45, DIATF, NIST, and the Australian Digital ID Act.
- You can review, update, or delete your data at any time through your ShareRing account.