1.  BACKGROUND

  1.  The Information Commissioner's Office is providing this additional information in response to the request from the Chairman of the Committee at the end of the evidence session on Tuesday 3 February 2004. The Committee specifically requested any additional information that the Commissioner may have regarding the international experience of the use of identity cards. We hope that the following is of use.

2.  EUROPEAN EXPERIENCE

  2.  In preparing our response to the government's consultation on entitlement cards in 2002-03 we submitted a questionnaire to the other European data protection authorities asking about their experience of entitlement/identity cards.

  3.  The responses that we received revealed that Austria, France, Italy and Switzerland operated an identity card scheme. Other European countries operate an identity or entitlement card scheme but did not respond to our consultation. We also received responses from countries that do not currently operate an identity card or entitlement card scheme.

  4.  The type of identity card used, the information it holds and the administration which underpins them varies across Europe. There are moves in some of the countries towards a more technologically advanced identity card system similar to the one being proposed by the current UK government but these have not been rolled out yet.

3.  AUSTRIA

  5.  Austria operates a scheme of multiple identity cards known collectively as Personalausweis. The cards are issued by district authorities and federal police departments. An individual may have more than one form of Personalauweis issued by different authorities. It is not compulsory for Austrian citizens to carry an identity card but most do.

  6.  Identity cards have been in use since the 1930s but a central database for passports and ID cards was not established until 2001.

  7.  The face of the card holds a photograph, the name of the holder, their nationality, place of residence (not address), date of birth, eye colour, height and distinguishing marks.

  8.  The cards are used as travel documents and are accepted as a substitute for a passport in most European countries. They are also used as proof of identity, this is required in a number of circumstances, for example opening a bank account, registering residence with a local authority, requesting a police check and when entering contracts which are to be closed before a public notary.

  9.  The cards were introduced for fraud prevention, national security and the prevention of illegal immigration.

  10.  There is no regulator or other body whose specific function is the regulation of the Personalauweis schemes as they currently stand.

  11.  There are no laws limiting the circumstances in which Personalauweis can be requested or used.

  12.  No particular privacy concerns about Personalausweis were identified by the Austrian data protection authority. This may be accounted for by the fact that many Personalausweis predate privacy laws.

  13.  There are plans for the introduction another more advanced form of identity card known as the citizen card. It will be a chipped card and act as identification and allow for electronic signatures. The chip will have additional capacity to store medical data and the use of that data for purposes other than medical treatment will entail a fine of up to almost 19,000 Euros. Details of the electronic card are available in English at http://www.buergerkarte.at/index—en.html .

4.  FRANCE

  14.  France operates a voluntary identity card scheme (CNI) administered by their equivalent of the Home Office. All French citizens also hold smart cards that contain administrative details for use by the heath sector only in obtaining reimbursement of healthcare costs.

  15.  The identity card is commonly used to establish identity and nationality when; voting in elections, opening a bank account, retrieving mail deposited at a post office, registering for health insurance, paying by cheque, registering for exams and obtaining administrative documents. The card is also used as a travel document for travel to countries where a passport is not required.

  16.  As the scheme is voluntary alternative forms of identification document to the CNI are acceptable such as passports or driving licenses.

  17.  The cards hold a card number (this is not an identifying number and changes when the card is reissued), name, gender, date of birth, height, signature of the holder, address, nationality, a photograph of the holder, date when the card should be renewed, date of delivery, local administrative authority that produced the card and the signature of the issuing authority.

  18.  The card contains a zone of optical recognition for the following fields of information; Surname, First Name, Gender, Date of Birth and the card number. Electronic readers could recognize and read the information in those fields. However, the facility has never been used.

  19.  The card does not have a fingerprint on its face but the supporting documentation held by the local authority does contain a fingerprint. The finger prints on the supporting documentation can only be used for detection of attempts to steal or fraudulently use an identity card.

  20.  The card was first issued in 1955 to provide citizens with a means of reliably identifying themselves and as a travel document. Counterfeiting of the cards was an issue when the format of the cards was changed in the 1980s.

  21.  The use of the identity card is subject to the a priori and posteriori control of the French Data Protection Authority (the CNIL). There is no express legal prohibition on the use of the card. Most companies are not permitted to set up copies of ID cards. One example of where the CNIL has permitted details of ID cards to be collected is the mobile telephone sector for fraud prevention purposes.

  22.  An administrative database was set up specifically for the card scheme in the 1980s. Security features were incorporated into the development of the database, to prevent inappropriate access and minimize false applications and identity theft. The CNIL also has the ability to destroy the database in exceptional circumstances such as invasion or war.

  23.  Although it is not compulsory to carry a card, French citizens have a duty to prove their identity if legally requested to by the police (subject to conditions detailed in law). The health sector entitlement card does not have to be produced to receive health care but simplifies the procedure for paying any fees run up when receiving that health care.

  24.  Police and Security services access to ID card information is limited to name, date of birth, gender and card number. The information can only be accessed on a case by case basis in relation to identity checks or criminal investigation.

5.  ITALY

  25.  Italy operates a paper identity card scheme administered by the Ministry for Home Affairs through local municipalities. Identity cards have been used in Italy since the 1930s and were introduced for public security.

  26.  The cards hold a photograph of holder, full name, date and place of birth, citizenship, place of abode, type of employment, marital status, height, eye colour, hair colour and expiry date. There is a space for a fingerprint but it is not used.

  27.  Identity cards are used in circumstances where the citizen is required by law to prove their identity, for example in connection with public security controls and when lodging a request with a public administrative body. The card may not always be required as under Italian law an individual can self-execute an affidavit establishing factors including but not limited to name, date of birth and residence.

  28.  Inappropriate demands for sight of the cards is not specifically prohibited by law.

  29.  Cards are issued by local municipalities based on their registers of births, deaths and marriages and the civil status register. There is not a central database underpinning the ID card scheme. However, there are plans to create an index of the registers for the electronic card.

  30.  Police and Law Enforcement agencies access to the municipal registers is regulated by law. They are entitled to inspect the records held by the municipality but need to provide the municipal authority with a list of officers who are authorized to carry out those checks.

  31.  A law enabling the use of electronic identity cards was passed in 1999 with subsequent implementing regulation and decrees. The new cards will be able to hold biometric and medical data and will act as both an ID card and medical card. They would also have the capacity to hold an electronic signature. The new cards are being trialed in selected municipalities before national roll out.

  32.  No particular privacy concerns have been identified with the current ID card scheme in Italy. However, this may be as a result of the scheme predating any data protection law in Italy.

6.  SWITZERLAND

  33.  Switzerland operates a voluntary identity card scheme parallel to their existing passport scheme.

  34.  The identity card is used to prove identity only. The passport is an acceptable alternative to the card for proving identity.

  35.  The information displayed on the face of the card is as follows; surname and first name, gender, date of birth, place of residence (not address), nationality, height, signature, photograph, issuing authority, date of issue and date of expiry.

  36.  The cards do no have the capacity to store any biometric information on a smart chip or other electronic medium.

  37.  The card scheme was introduced to offer citizens an alterative to the passport for proving their identity.

  38.  The authorities responsible for issuing passports are also responsible for issuing and regulating the use of the identity card. The restrictions on access to the administrative databases and use of the card are the same as those for passports.

  39.  The Swiss data protection authority did not identify any particular privacy concerns with the current ID card scheme.

7.  SWEDEN

  40.  Further to our consultation responses we also received information from the Swedish Data Protection Authority about the means of proving identity in their country.

  41.  Sweden does not have a national identity card scheme at present. However, it does have voluntary identity cards issued by different organisations such as the post office and banks. There is no statutory regulation specifically for the issuing or use of the identity cards.

  42.  Driving licenses issued by the National Road Administration are also accepted as a valid form of identity. The processing of personal information on the driving license is regulated by specific legislation.

  43.  Identity cards are made in accordance with guidelines set by the Swedish Standards Institute and hold name, date of birth, a personal identification number, signature, photograph and the name of the issuer.

  44.  The Post Office, the National Police Board, the National Road Administration and the Swedish Banks Organisation have agreed on certain standards for the photographs to be used on identity cards and driving licenses.

  45.  Each issuer of an identity card keeps a record of the person to whom the card has been issued which is treated as a customer record.

  46.  The most common use of an identity card is proving identity when paying by credit or bank card. The cards are also used to fulfill the requirement that individuals prove their identity when colleting monies from a bank or post office. Individuals may also have to identify themselves to the police who have certain powers to demand proof of identity in relation to arrests or in order to uphold public security.

  47.  Sweden also has a system of unique personal identifying numbers (PIN) which are used to link records to individuals for example on health and social care records and for tax administration documents. The use of PIN is regulated by section 22 of the Swedish Personal Data Act. The Act restricts the processing of PIN without consent to certain valid reasons.

April 2004