I take your point about everything being in one place. Everything keeps coming back almost to Facebook and Cambridge Analytica at the moment, because it's a great example of what happens when somebody gets access to all of your data in one place, impacting not only you but potentially your whole circle of acquaintances as well.
When I look at the Estonia model, I think you could take what they've done together with what your colleague was talking about, which is looking at how you put citizens in control of a particular method of proving identity and then enabling them to link back to their other pockets of services and data so they become the trusted pivot point. A lot of this is about trust and about citizens trusting not only the intent of government but also the technology. I do worry that the more they see what some in the private sector are doing with technology, the more they will worry about government's intent in using data.
The other thing is the government's appetite for risk. If we look at how things are currently done in the paper world or have been done in the paper world, and the level of risk and the risk mitigation that was done there, we might then ask if we are sometimes expecting too much of technology, or overloading it, because we think it can do a better job.
In the past, whenever I signed the document for the tax office, it always amused me that they obviously never asked me for a copy of my signature when I first started doing tax, so quite what my signing a document proved to them I don't know. However, when we moved to the digital domain, suddenly people talked about digital signatures or electronic signatures. That may be appropriate depending on the financial risk or exposure of a government department, but there may be many services for which the appropriate risk model would be to say that we understand the risks and we have appropriate mechanisms for dealing with them that don't require the very highest level of citizen identity to be used.