You are here: Parliament home page > Parliamentary business > Publications and Records > Committee Publications > All Select Committee Publications > Commons Select Committees > Home Affairs > Home Affairs
Select Committee on Home Affairs Written Evidence

22.  Memorandum submitted by the Information Commissioner

1.  BACKGROUND

  1.  The Information Commissioner is an independent officer who is appointed by Her Majesty the Queen and who reports directly to Parliament. The Commissioner has responsibility for promoting and enforcing the Data Protection Act 1998, Freedom of Information Act 2000 and associated regulations.

  2.  Any proposal to establish a system of universally held identification documents involving the allocation of a unique personal number to the bulk of the population, and under pinned by a national identity register, raises important privacy and data protection issues and could lead to changes in the very nature of society.

  3.  There is no inherent reason why all proposals for an identity card would be unacceptable on data protection and human rights grounds. However, such a proposal could only ever be acceptable if it included the necessary safeguards at every stage of development to ensure data protection compliance.

  4.  The Commissioner has approached this matter with an open mind but with great caution because, as mentioned previously, we are dealing with matters touching on the very nature of the society in which we live. We risk turning our society from one where the need to prove identity is commensurate with the service on offer to one where the highest level of identity validation becomes the norm for the most mundane of services. There is also the risk of the unique personal number being used to track our various interactions with the state and others, and to have all this recorded on a central register under its control. Of course, nothing in the government's current proposals is so draconian. But we must appreciate that, whilst we may be reassured that benign administrations will live up to their promises about limitations as to use, we will be creating a potentially powerful infrastructure. Our close European neighbours can account for how this can be misused at catastrophic social cost.

  5.  During the previous Commissioner's consideration of a previous government's proposals regarding identity cards in 1995, she was unable to conclude that any of the predicted benefits outweighed the privacy and data protection costs. Since then society's needs have changed. We conduct far more business electronically or through call centres. The government is encouraging increased electronic service delivery by the public sector, with the result that there are fewer opportunities to conduct business face to face where one person is known to the other. Individuals may have increased needs to be able to prove their identity with reliability and in a convenient way. Identity fraud still appears to be a persistent problem and there is nothing more sacrosanct to an individual than his or her own identity. There are clearly potential benefits to individuals to weigh in the balance. However, just as an individual's right to his or her own identity is important there are fewer more jealously guarded commodities than an individual's own personal privacy.

2.  THE GOVERNMENTS PROPOSALS

  6.  When the government's original proposals were published, the Commissioner faced a real difficulty in knowing what the scheme being proposed really amounted to. The publication of the identity card "The Next Steps" paper gives a clearer (but still limited) insight into how matters may progress. It only provides a general indication of the steps to protect privacy. The existence of so many potential options for use of the card and the lack of well defined safeguards still make it difficult to come to any firm conclusion as to whether the benefits would outweigh the risks to privacy, human rights and social values.

  7.  The Commissioner believes that without a greater elaboration of the proposals, a much more restricted and closely focused group of purposes and detailed safeguards, there would be substantial risks attached to the proposals proceeding.

  8.  The Commissioner believes that there may be merit in divorcing consideration of (1) the existence of an identity card and (2) a central register, possibly a national identity register. It does not follow that these have to go hand in hand. Both have significant issues attached to them in their own right and are worthy of separate scrutiny.

  9.  The Commissioner is aware of other government initiatives which propose the use of a central database including the Citizen Information Project under consideration by the National Office of Statistics. It is not clear at the present time how the creation of a national population register for the purpose of the identity card scheme would fit alongside these other proposals or indeed whether this is necessary or desirable.

  10.  The Commissioner is also concerned that (whatever the short term arguments for an identity card), although there may be plausible arguments made for the introduction of an identity card scheme in the short term there is the potential for "function creep" as administrative and political priorities change. Establishing a scheme on the basis of particular pressing needs in a way that would permit its subsequent use for other less desirable or unwarranted purposes would be of serious concern. To help guard against this the Commissioner welcomes the government's assurances about putting any scheme on a statutory footing but does not think these assurances go far enough if they envisage the use of secondary legislation for changes. In order to minimise any "function creep" in the future the mechanism of primary legislation should be necessary for any such changes to be implemented. From the outset primary legislation must include strong and effective restrictions against inappropriate demands on an individual to produce their card for inspection by others. It should be remembered that it is not the simple possession of a card that may have an impact on individuals; it is placing them in the position of having to identify themselves by use of it that may be the cause of real concern.

  11.  The Commissioner also believes that leaving responsibility for the administration of the scheme and any central register(s) with a government department raise anxieties. The Commissioner would prefer as a safeguard that any scheme and register should be under the control of a new independent statutory body accountable to Parliament for the conduct of its functions. If an identity card scheme is established, there will be need to be a substantial educational programme to ensure individuals and service providers understand the circumstances where a card should or should not be used. This educational role could also be given to the suggested independent body.

  12.  The Commissioner notes that the only option under consideration remains a single identity card system with a monolithic state run central register. However this is not the only possibility. A system establishing several issuers each issuing cards to a standard respected by other service providers may be an alternative. Legislation could set the basic standards for verifying identity and issuing cards, as well as further safeguards against misuse. It is regrettable that this option has not been explored further as the prospect of several card issuers may reduce some of the anxieties about function creep and reduce the risks that a single scheme would exacerbate, rather than reduce, problems of identity fraud. To the extent that financial institutions might be involved in the process, there may also be opportunities to include digital certificates to provide safeguards for online transactions.

  13.  The Commissioner has concerns about the proposed incremental approach to introducing the identity card scheme. The government must ensure that the necessary data protection safeguards and other restrictions are in place from the inception of the scheme as it is from that point that the national identity register will begin to be populated with data. To fail to incorporate the necessary safeguards at the outset runs a real risk that these will be absent during the early stages of data acquisition and will be increasingly difficult to incorporate at a later stage.

  14.  The Government's consultation recognised that any unique personal number needs to be designated as an identifier of general application under the Data Protection Act 1998. This should include safeguards against wider use. The Information Commissioner's powers in respect of inspection could also be extended to ensure specific and proactive scrutiny of the operation of the scheme. "Enforced subject access" to any data held on the smartcard chip and central register—requiring individuals to exercise the right to obtain their own personal data—should also be prohibited. Given that an aim of the scheme would be to make identity fraud much harder a compensatory review of existing legislation facilitating data matching could be undertaken to see if such privacy intrusive powers are still warranted.

3.  ESTABLISHING AN EFFECTIVE SCHEME

  15.  Turning to the arrangements for establishing a scheme, the government proposes that the driving licence and proposed passport card should form the bulk of the cards issued, amended to reflect the needs of the identity card scheme. This has a number of significant difficulties attached to it. The Commissioner is concerned that the existing collections of data held, particularly in the case of the driving licence, were not compiled with identity verification in mind. The existing quality of the data will be inadequate for the issue of identity cards. The government recognises this and will collect information afresh backed up by reference to existing databases. Care must be taken to ensure that any discrepancies between these databases do not cause difficulties for individuals. Similarly the government has suggestions about the utilisation of other government information and the use of credit reference agency information to show economic activity to help root out false applications before the issuing of cards. The Commissioner remains concerned that there may be an unrealistic view of the value of this sort of information particularly where individuals are young, involved in limited economic activity or have been absent from or are newly arrived in the UK. The extent to which electoral roll information may be of value has also been overestimated.

  16.  If an identity card scheme was introduced the card itself would be viewed as having an unrivalled status in terms of identity verification. It may be relied upon as the definitive proof of an individual's identity and other particulars relating to them. If this is the case it must be established and maintained with reliable and high quality data. Extreme care must be taken to ensure that existing data and documents used as part of the issuing process are up to the necessary standard and can be relied upon. The potential for mistakes and errors being introduced during the processing of applications or the maintenance the scheme should not be underestimated. To fail to address these matters would run a risk of individuals suffering serious detrimental effects in the variety of circumstances where they may be required to use an identity card.

  17.  If a reliable indicator of identity is the core aim of the scheme then it should seek to achieve this aim in the most reliable way. It is recognised that the inclusion of a biometric encrypted on a smartcard chip would be a way to link identity to a particular person by way of a `unique' physical characteristic. To put in place the necessary infrastructure will be expensive but any scheme must be fit for its identified purpose. If the necessary infrastructure cannot be put in place then this calls into question the value of the card as a reliable and strong validator of identity.

4.  THE IDENTITY CARD

  18.  Turning to the card itself, the use of a function specific card such as the driving licence poses real concerns when additional information is endorsed upon the face of it. This runs the risk that organisations may be tempted to capture this extra information and this would be intrusive. The information endorsed on the front of any card must be kept to a bare minimum with extra information encrypted on to the smartcard chip and only available for view by those who need to know it. Such an identity card's aim should be limited to identifying an individual in order to gain secure access to the necessary information held securely elsewhere.

  19.  The security arrangements surrounding an identity card scheme would have to be highly robust given its own potential to be turned to the advantage of the identity fraudster. In addition to the need to ensure that cards are only issued to bona fide applicants, the range of information appearing on a card could be at real risk of perpetuating, rather than reducing, identity fraud. Including so much detailed information, such as address and various identification numbers, on the face of a card that will be used in many circumstances runs the risk that this may gain greater currency and be used to gain unauthorised access to information about that individual if it falls into the wrong hands. An official identity card will have a spurious authority—making it an attractive target for fraudsters and counterfeiters and exposing individuals to substantial detriment if a false card is in use.

  20.  If a central register is to be established then the information contained within it should be the minimum necessary to permit the efficient functioning of the identity card scheme. This should not include details of the particular services being sought and any audit trails of access should not be available for any other purpose than identifying misuse.

  21.  The issue of what are the appropriate safeguards again stem from what are the purposes for which it is intended to be used. It is clear there needs to be strong prohibition on the misuse of identity cards, the information held on them and the national identity register in addition to those safeguards provided by the Data Protection Act 1998. It was suggested in the original proposals that a new criminal offence of identity fraud be created. Great care needs to be taken to avoid criminalising the assumption of a fictitious identity to preserve anonymity in legitimate or inconsequential circumstances.

  22.  Consideration must also be given to the appropriate biometric data to include on the identity card. Biometric data taken from a physical characteristic that does not leave a trace is preferable in privacy terms, especially where that biometric data will be stored on a central database. This indicates that data collected from an iris rather than a fingerprint is preferable from a privacy perspective.

  23.  Privacy enhancing technologies should be incorporated on the identity card in order to minimize the collection of data and prevent the unlawful use of the data contained on the card. The biometric data on the card should be held in the form of a template rather than a full image of a fingerprint or iris. The use of a template ensures that reconstruction of the full image of the iris or fingerprint in its entirety is rendered impossible thereby reducing the potential for misuse of the data. At the same time there should be an appropriate level of encryption so that the information kept on a card can only be decrypted by the authorised bodies.

  24.  There are currently proposals at a European level for a Council Regulation (COM(2001) 157 Final) on a uniform format for visas and residence permits for third country nationals, which is separate from ICAO requirements for two biometrics to be present on travel documents. The Council proposals may dictate the biometric data that will have to be used on identity cards where they are to have dual function as passports. At this time the Council has a preference for the inclusion of fingerprint images. In addition to this being the least privacy friendly option it could lead to the situation where three biometrics are required on travel documents which serve the dual purpose of identity cards thus eroding personal privacy still further.

5.  CONCLUSION

  25.  In conclusion, the Commissioner does not take the stance that an identity card scheme should never be proceeded with on the grounds that there will inevitably be insurmountable privacy and data protection obstacles. It should be possible to establish a scheme with the necessary data protection safeguards in place. However, the Commissioner remains concerned that there may still be risks that the current proposals will not lead to establishing a data protection compliant scheme. More detailed proposals on the purpose for which identity cards may be used, and the administrative arrangements surrounding them, are required. It is a prerequisite of any proposals that there need to be reliable safeguards against function creep over time, with strict legislation and independent control being crucial features. The government made clear in its consultation paper and subsequent document that for any identity card scheme to be established it must address data protection requirements. These are not optional features but mandatory legal safeguards to ensure that personal privacy receives the appropriate level of protection.

January 2004



 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index
© Parliamentary copyright 2004
Prepared 30 July 2004