8. Memorandum submitted by
the Editors of Data Protection & Privacy Practice
SUMMARY OF MAIN CONCLUSIONS AND RECOMMENDATIONS
We present our views as the Editors of Data
Protection & Privacy Practice, published by Masons, a
leading international firm of solicitors with a strong IT practice,
especially in the field of data protection. The views expressed
here do not represent the views of the firm, and are limited to
the privacy implications of the ID card scheme. We have no objection
to these views being published.
Because the "Next Steps" document
omits any reference to privacy protection (except for three general
paragraphs), whereas the consultation document on "Entitlement
Cards and Identity Fraud" provides a complete chapter, we
are obliged to make our comments by reference to the latter document.
We hope the Committee will consider the points we raise with respect
to the latter Consultation Document in the context of the Next
Steps framework.
Our main observations are as follows:
1. The Next Steps documentation does not
discuss the privacy matters associated with the ID card scheme.
The consultation document "Entitlement Cards and Identity
Fraud" did not lead a properly constructed and informed public
debate on the privacy implications of the ID card scheme.
2. Our analysis, presented here, shows the
Government's original proposals amount to the granting of an exemption
from major elements of the Data Protection Act 1998 for the ID
card scheme. This exemption negates the protection afforded by
the first five data protection principles, leaves all existing
disclosure gateways fully open (and unknown to the public), provides
for new statutory disclosure gateways and permits the transfers
of personal data from the scheme outside the European Economic
Area (EEA).
3. We invite the Committee to state that
it cannot support the introduction of an ID card scheme unless
there is an informed debate on privacy matters or a substantial
statutory improvement to the level of privacy protection associated
with the scheme.
4. It is possible that the Government may
ultimately oblige citizens to obtain an ID card and press ahead
on the basis of the consultation document, without an informed
debate on privacy matters. In such circumstances, it is likely
that any future Government (whatever its political hue) will lose
the trust of many of its citizens, when it is realised that every
interaction with the public and private sector which requires
production of this card, could be electronically tagged as to
date, time, location etc, and made available to numerous public
authorities for a variety of purposes. This is especially the
case in ethnic communities.
5. The ID card scheme has been separated
from the Government proposals for data sharing; data sharing
considerations should be included in the Committee's remit.
6. The original consultation document states
that the Data Protection Principles will apply to the scheme but
does not address what this means in practice. The document is
therefore limited in its analysis of the Data Protection Act 1998
and has serious omissions in relation to the privacy protection
offered by this legislation. The Next Steps document omits privacy
protection considerations.
7. Given the many statutory disclosures
envisaged in the scheme, it is surprising that the impact of the
exemptions from non-disclosure provisions in the Act has not
been discussed. The effect of these provisions is also to
negate the application of the first five data protection principles
in relation to many disclosures of personal data to the public
authorities named in the consultation document. The provisions
will also apply to many of the disclosures to those bodies which
are not identified in the consultation document.
8. It is disappointing that the consultation
document does not commit the databases associated with the ID
card to the minimum security protection offered by adherence to
BS7799 as a base-line security standard.
COMMENTARY
INTRODUCTION
Because the "Next Steps" document
omits any reference to privacy protection (except for three general
paragraphs), whereas the consultation document on "Entitlement
Cards and Identity Fraud" provides a chapter, we are obliged
to make our comments by reference to the latter document. We hope
the Committee will consider the points we raise with respect to
the latter Consultation Document in the context of the Next Steps
framework.
The Entitlement Card Consultation began by claiming
that "The Government will ensure that any ID card scheme
will operate in accordance with the eight principles set out in
the Data Protection Act 1998". The document did not answer
the question "what exactly does that mean in practice?".
The ID card scheme has two components: a smartcard
with the capability of supporting additional functions as the
cardholder so wishes, and a central register of core information.
This core information depends on the functionality of the card, but
the key items of personal data which comprise the scheme are listed
in the consultation document and will be identified in the proposed
legislation. There will also be a "unique personal number",
and the proposals also consider whether to establish an additional
"population register" which will contain "a very
limited range of core information" including the unique personal
number.
Although the consultation document does not
spell it out, an Entitlement/ID Card is essential to the success
of any joined-up Government based on the proposals specified in
the numerous reports into "Privacy and Data Sharing".
The reason for this is simple: if databases are to be combined
reliably, there must be a method to identify the citizen uniquely
and the ID card would perform that function.
A PRINCIPLED ANALYSIS
AN EXEMPTION FROM THE FIRST AND SECOND PRINCIPLES
In relation to the First and Second Principles,
the Government says that the ID card scheme would meet the "lawfulness
test" as "legislation would set out the statutory purpose
of the central register". The purposes of the scheme are
to: "establish identity to a high degree of assurance",
"to establish . . . one definitive record of identity",
to "help" people "gain entitlement to products
and services provided by the public and private sectors",
and to "help . . . validate a person's identity and entitlement
to such services".
In data protection terms, the effect of prescribing
these activities in legislation will clearly satisfy the lawfulness
arm of the First Principle. Additionally, individuals will find
it difficult to mount a challenge on fairness grounds, if legislation
says a Data Controller can collect personal data. In general,
the result of enacting legislation to define processing purposes
is to set aside the protection of the First Principle so long
as processing is within the statutory defined boundaries.
The wider the statutory boundaries, the less
the protection afforded by the First Principle. We note that the
purposes identified in the consultation document are set out in
broad terms in order to apply across the whole public and private
sector.
PROPOSALS FOR GENERAL IDENTIFIERS WHICH WEAKEN PROTECTION
The Government says it will prescribe that the
unique personal number associated with the card is a "general
identifier" and will also specify the lawful purposes for
the use of this number, in order to "avoid abuse".
That statement is perhaps surprising, as the Government has not
found it necessary to use its powers to "avoid abuse"
of the National Insurance Number, NHS Number and Pupil Identification
Number which can also be classified as general identifiers.
One reason is that there is no need for this
prescription because the protection under the Act is already there: it
would be excessive to use a nationally-distributed general identifier
in circumstances where organisations could use their own locally-based
identifier. Under the 1984 Act, the Data Protection Registrar
took successful action against certain Data Users who used the
NI number for purposes not connected with tax or benefits (details
of these actions can be found in the Annual Reports of the Data
Protection Registrar).
Although this statutory prescription is presented
as an additional protection for the unique personal number, it
would be misleading to conclude that this leads to increased protection.
Indeed the protection presently conferred by the Act could be
weakened if a statutory instrument concerning general identifiers
were widely cast so as to make lawful processing which would otherwise
be vulnerable to the Third Principle if the order was not made.
This point can be illustrated by the Community
Charge legislation of the nineteen-eighties. In Scotland the Government
enacted secondary legislation which required Community Charge
Registration Officers (CCROs) to use a Community Charge form which
collected the date of birth of everybody eligible for the Community
Charge but in England there was no such statutory provision.
When English CCROs collected dates of birth
using Community Charge forms based on the Scottish model, the
Data Protection Registrar enforced the Third Principle on the
grounds that a CCRO only needed the date of birth in limited circumstances
(eg when someone became eligible for the Charge on their 18th
birthday; or where two people living at the same address had the
same name). This proposition was tested before the Data Protection
Tribunal, which judged that to collect personal data in general
when you only need it in specific circumstances was a breach of
the Third Principle. In other words, the statutory prescription
of a specific Community Charge form weakened privacy protection.
This judgement also gives legitimacy to the
argument that to use a general identifier in circumstances when
a specific identification number, designed for a particular task,
could be used, would breach the Third Principle.
AN "EXEMPTION" FROM THIRD AND FIFTH PRINCIPLES
According to the consultation document, the
information in the central register and on the entitlement card
will be as follows: name, date and place of birth, address, unique
personal number, other personal identifiers such as NI number
or driver number, nationality, sex, photograph, digitised signature,
validity date of card, employment status, and a biometric. Note
that this statutory route also in effect removes any protection
of the Third Principle: if legislation says personal data
are necessary then they must be necessary.
The Government intends to retain personal data
well beyond the expiry of the card to facilitate "further
applications for cards" or to "guard against fraudulent
activities", but no time limit has been set although clearly
the Government has identified its retention criteria and they
seem generous. However, if the Government identifies its retention
criteria in legislation then the effect will be to kill off the
Fifth Principle.
To satisfy the Fourth Principle, the Government
obliges card-holders by law to provide information when they apply
for a card and to notify changes of address. The consultation
document states that it will remain an offence not to provide
the required details if the entitlement card is needed for a passport
or a driving licence; in other cases, the lack of the card will
mean no entitlement. Some offences will also apply if there is
a failure to notify the card-issuing authorities if the card holder
changes address (eg in relation to entitlement to driving licences).
The usual application of the Fourth Principle
arises when individuals want organisations to correct or update
personal records which relate to them. If such organisations do
not correct or update their records, then individuals can use
the protection afforded by this Principle to oblige amendments.
The application of this Principle is balanced by allowing an organisation
to show just cause as to why it should not correct or update personal
data which are subject to a dispute over accuracy.
The ID card scheme reverses the approach adopted
by this Principle. Accuracy is maintained, not by the organisation
taking all reasonable steps to maintain accuracy, but by placing
obligations on individuals, some backed by criminal sanctions,
to provide personal data about themselves. To pretend that this
then is a measure which protects individuals seems to us to over-rely
on sophistry.
EXEMPTION FROM THE NON-DISCLOSURE PROVISIONS
It is surprising that given the many statutory
disclosures envisaged in the scheme, the impact of the non-disclosure
provisions in the Data Protection Act is omitted from the discussion.
Many disclosures described in the scheme will be subject to these
provisions [Section 28 (national security), or Section 29 (crime,
taxation and other duties) and Section 35 (disclosures between
public authorities pursuant to statutory powers)].
The effect of these provisions is to negate
the provisions in the Act which relate to the:
fairness of the disclosure (eg no need to inform individuals of disclosure);
lawfulness of the disclosure (except for a Schedule 2 or 3 condition);
Second, Third, Fourth and Fifth Principles in relation to the disclosure; and
right of an individual to block disclosure or object to disclosure.
It can be seen from this list that the application
of the exemption from the non-disclosure provisions removes the
protection afforded by several data protection principles.
We do not argue that the authorities should
or should not obtain personal data from the scheme for their own
purposes, many of which are in the public interest. We argue that
such disclosures should be identified in the consultation document
in order to lead to an informed public debate.
COMMENTS ON THE SIXTH, SEVENTH AND EIGHTH PRINCIPLES
In relation to the Sixth Principle, there is
little to say: the right of access to the register details
is emphasised, but this is just a right to access personal data
which one is obliged to provide by law! The fact that access might
not be charged at £10 counts for little.
In relation to the Seventh Principle, the PIU
Report on data sharing commits public authorities to BS7799, yet
the consultation document does not repeat this commitment. Given
that the security of personal data is a key element identified
in the PIU Report as engendering public trust, this omission is
surprising.
Although personal data from the central register
will be shared within the European Union for immigration purposes,
the question of transfer outside the EEA is omitted, even though
there are major plans for government agencies to share personal
data globally (eg the Council of Europe Convention on Cybercrime).
Additionally, the fact that the Secretary of State has powers
to authorise such transfers (paragraph 5, Schedule 4 of the Data
Protection Act 1998) is also omitted.
It could be that the many public authorities
who can have access to personal data from the scheme could well
transfer those personal data outside the EEA; technically,
this would not be a direct transfer from the scheme but an indirect
one. As with our comments in relation to disclosure, an informed
public consultation would discuss the circumstances under which
those powers might, or might not, be used and whether or not there
would be direct or indirect transfers of personal data originating
from the scheme.
MORE OMISSIONS AND OVERSIGHTS
INCOMPLETE DESCRIPTION OF PRIVACY ARRANGEMENTS
The implication of the "Privacy Issues"
chapter is that the Data Protection Act is to be satisfied; any
member of the public who knows little of the legislation will
draw the conclusion that privacy rules are being applied. They
are not: these rules are being set aside. Those who criticise
the Government for being misleading or disingenuous will find
ample evidence in this chapter to substantiate that view.
Forty pages after the "Privacy Issues"
(in the Annexes), there is reference to "links to other systems"
which are not mentioned in any detail in the "Privacy Issues"
section. The document refers to new statutory gateways to facilitate
access links from the central database to: UK passport service;
Foreign Office databases; DVLA databases; births, deaths and marriages
databases; central index of NI numbers; immigration databases;
possible links to credit reference agencies; and electoral registers.
Chapter 3 (40 pages before the Privacy section), refers to access
to the central database by law enforcement agencies (such as Customs
and Excise, the police, the security services); Chapter 2 refers
to the development of a unique personal number for use across
the whole of the public service, and into the private sector.
These developments are not explored in the context
of the application of the Data Protection Principles, as one would
normally expect, in a debate intended to inform the public.
Also not mentioned in the context of the data
protection principles are:
Disclosures from the central database made possible by virtue of the non-disclosure provisions.
Disclosures from the central database made possible by virtue of existing powers already granted to other public authorities (eg the benefits agency).
Transfers from the central database made possible by virtue of the powers granted in the Data Protection Act to the Secretary of State to sanction transfers of personal data where they are in the "substantial public interest".
Finally, (44 pages from the Privacy Issues chapter),
the consultation document refers to a "population register"
which is different (but obviously linked) to the central register
associated with the ID Card. If developed, this population register
could contain details "such as name, address, date of birth,
sex and unique personal identifier on UK residents" which
"could be used across the public sector"; the lack of
the population register is identified as a barrier which "inhibits
the joined-up delivery of public services" (the key objective
of the data sharing reports).
However, such a population register, according
to the document, "would have stringent safeguards to protect
the privacy of personal data". Unfortunately, this register
fails to get a mention in the "Privacy Issues" chapter
and the reader is left guessing as to what form these "stringent
safeguards" might take. If the "stringent safeguards"
are the eight data protection principles, then we suggest,
in the light of the comments we make here, that the safeguards are
not particularly stringent.
CHANGES TO THE DATA PROTECTION ACT 1998
In relation to the right of access the Government
is considering whether there should be modifications to the right
of access and whether more exemptions from the right of access
should apply. The Lord Chancellor's Department has issued a consultation
document which does not identify what impact these proposals will
have on the ID card scheme. Although we have commented that the
right of access is not particularly important in relation to the
scheme, nevertheless, the Government should clarify the position
in relation to the proposed modifications to rights of access
to personal data.
In relation to the Data Protection Directive
95/46/EC, the Government has suggested (with the support of the
Irish, Swedish and Finnish Governments) several changes which
could filter down to changes in the Data Protection Act 1998.
One proposal would mean that any statutory authority obtaining
personal data via the exercise of statutory powers would not need
to provide a fair processing notice which makes transparent the
processing of personal data. If this provision is enacted, it
will serve to enhance the secrecy established by the application
of the non-disclosure provisions.
SUMMARY
So what does the commitment to "ensure
that any entitlement card scheme will operate in accordance with
the eight principles set out in the Data Protection Act 1998"
amount to in practice? It means drafting legislation which:
negates the protection afforded by the first five data protection principles;
obliges individuals to provide core personal data including a biometric and obliges individuals to keep such data up to date;
leaves all existing disclosure gateways fully open and unlisted;
promises new statutory disclosure gateways; and
permits transfers outside the EEA.
CONCLUSION
In short, the consultation document fails to
lead a properly constructed analysis of the privacy problems of
the ID card scheme and its "Privacy Issues" section
has glaring omissions. The Government's commitment to make the
scheme consistent with the data protection legislation can be
summarised as outline proposals to exempt the scheme from five
of the eight data protection principles through the use of statutory
powers.
It is possible that the Government may ultimately
oblige citizens to obtain an ID card and press ahead on the basis
of the consultation document, without an informed debate on privacy
matters. In such circumstances, it is likely that any future Government
(whatever its political hue) will lose the trust of many of its citizens,
when it is realised that every interaction with the public and
private sector which requires production of this card will be
electronically tagged as to date, time, location etc, and made
available to numerous public authorities for a variety of purposes.
This is especially likely to be the case in ethnic communities.
Dr Chris Pounder and Sue Cullen
Editors, Data Protection & Privacy Practice
January 2004