INTRODUCTION

  1.  I welcome the opportunity to provide further evidence to the Committee as part of its pre legislative scrutiny of the draft ID Cards Bill. The Committee will recall from my previous evidence that my primary concern has been to establish whether any proposed ID card scheme has the necessary data protection and privacy safeguards in place. To judge this I must be certain what is intended and how a scheme will function in practice. I called for the publication of a draft bill to assist this process and I am pleased that the draft Bill has now been published to help focus in on the practicalities of the Government's plans and whether the necessary safeguards are in place.

  2.  My office is studying the contents of the draft Bill and intends to make a full response to the Government's consultation within the designated period. My opportunity to provide further evidence to the Committee comes before I have concluded my scrutiny of the draft Bill and established my own view on the totality of the Government's proposals. However, it is possible for me to make a number of initial observations about the Government's proposals and these are set out below.

  3.  The title "Identity Cards Bill" does not convey the full magnitude of what is being proposed. The draft Bill contains plans for not only ID cards but also a National Identity Register containing significant amounts of personal information accessible to others together with the allocation of a unique personal national identity registration number. Each of these engages substantial data protection concerns in their own right and attention should not be simply focussed on the implications of carrying an ID card but on the whole national identification system that is being proposed.

  4.  At a general level I have always called for a clear definition of what are the purposes we are trying to achieve by having an ID cards system. Once we understand these we can judge whether what is being proposed is proportionate to those objectives. I still find myself unsure of what all the purposes for which the Register, the National Identity Registration Number and the ID card itself may ultimately be used. The Government's assurances about function creep seem to centre very much on items to be held on the Register rather than the use the identity system is actually put to in practice. The Government has defined the statutory purposes of the National Identity Register in terms of providing a record of registrable facts about individuals, issuing cards based on these, providing for the verification of facts to service provider with consent and disclosure to authorised persons. This is not very illuminating in terms of the use made of the identity system in practice.

  5.  At the time of the Government's original consultation in July 2002, a number of possible uses were suggested and these centred on combating illegal working, better administration of public services and as a safeguard against identity theft. In the latest proposals addressing the terrorist threat has been given increased prominence. I remain concerned that we need to be clear about what are the pressing needs for an identity scheme and that any such scheme is limited to dealing with these. I am mindful of the fact that at the time of the introduction of the last national identity scheme in 1939 three administrative uses were envisaged (national service, security and rationing). Some eleven years later thirty nine government agencies made use of the records for a variety of services.[93] At the time of the debate on the abolition of that scheme, preventing bigamous marriages had become one of the main arguments in favour of the retention of the scheme.[94]

  6.  Understanding purpose is particularly crucial when purposes such as terrorism and crime prevention are envisaged because a register, a card and a number may not be of much assistance in dealing with such matters in isolation. It is the circumstances where you are asked to produce the card and the details recorded that may be the telling items of information when trying to spot a likely terrorist from his or her separate apparently benign transactions. If defeating terrorism is a major aim we should understand how such an identity scheme serves this objective in practice as this may give an all together more worrying picture of how we may have to conduct out lives in future having to produce identity documentation in most of our daily transactions.

THE ADMINISTRATIVE PROCEDURES

  7.  The system for establishing the Register and the issuing of ID cards is a crucial feature. The Government believes that the scheme will be the "gold standard" for identity. If this is the case then it must inevitably become the main target for the serious identity fraudster who may well capitalise on the existing identity documents of others in order to gain their identity. Although it is impractical to go into great detail on the minutiae of the issuing process in a draft Bill, it is worrying that issues such as governance and the general issuing procedures are not addressed, these still being open to debate. The Committee is already aware of my desire for independent oversight of the Register/enrolment process and this is not achieved by the proposal that these functions should fall to an existing executive agency under the direct control of the Secretary of State. I am pleased that the accompanying consultation paper indicates that the Government is still open to argument on this issue.

  8.  It is similarly disappointing that the issues surrounding the vital functions of identity enrolment, maintenance, verification and card manufacturing are still left unresolved. It is argued that the precise arrangements cannot be set out in the draft Bill but will be left to Regulations due to ongoing testing of different options. Unless we are certain of the rigour of the application procedure it is difficult to be confident that any system will work and that there will not be the potential for a significant impact on individuals who find difficulties with the operation of the system. These difficulties range from the theft of their identity down to delays in processing changes or producing replacement cards. The consequences for individuals arising from potential failures in the system should not be underestimated. Even with the best will on the part of those administering the Register there will inevitably be delays in sorting any such problems and individuals may well suffer delay in gaining access to services. This will particularly be the case if registration is made compulsory whereby an individual may be required to produce a card to gain a service without the opportunity to utilise alternative means of identification. We must be careful not to let the UK population become the test bed for the development of a comprehensive yet untried identity system which has the potential for a significant detrimental impact to the day to day lives of individuals if the administrative systems are found wanting.

  9.  Understanding the operation of the system cannot be overstated. For example it is not clear the extent to which identity verification will involve checking the central data base and how this is undertaken. If the biometric information and the enrolment procedures are reliable presumably fewer checks will need to be against the Register details as opposed to comparison with the information retained on the card on a chip by use of a biometric reader. This clearly has an advantage of reducing the amount of intrusive transaction details recorded about an individual on the Register and may reduce the higher error rate with "one to many" biometric checks.

THE NATIONAL IDENTITY REGISTER

  10.  Turning to detailed comments about the National Identity Register, there are a number of concerns that warrant further clarification. The Register is primarily founded on the concept of "applications" thus giving an illusion of choice. However individuals who have driving licences or passports that expire or who apply for such documents will have no choice. There is no provision for non ID card variants of these documents so inclusion in the Register will in effect be compulsory. Similarly entries can be made in the Register irrespective of an application for a card (clause 2 (4)). The ability to keep details of those already identified as not entitled to register is cited as the motivation but the provisions in the draft Bill contain no such limitation with the consequence that an individual may be entered on the Register without their knowledge. In this context it is particularly important to understand the relationship between the National Identity Register and other planned data bases such as the Citizens Information Project and the planned database of all children envisaged under clause 8 of the Children Bill. These may provide the particulars for individuals to be given an entry in the National Identity Register. In the case of the latter, for rising sixteen year olds. If such individuals contained on these other databases have no intention of applying to go on the National Identity Register and there are no suspicions about them in case of a future application then such details would be excessive.

  11.  Other significant issues relating to the Register and the "registrable facts" within it requiring further consideration include:

—  The relevance of all other places of residence, previous identities and previous residential status when an identity has satisfactorily been established using the principal place of residence and other current details (clause 1, clause3 and sch. 1). The details of other places of residence seem to have more to do with service delivery than identity verification.

—  The requirement to keep all information, including transaction details (sch 1 (7) and (9)) without precise time limits

—  The inclusion of all official reference numbers (sch 1 (4)). The relationship with the unique numbers to be issued as part of the Citizens Information Project and the database of all children under the Children Bill will require clarification

—  Potentially wide amount of information recorded about an individual on request (clause 1 (4) (i))

—  Extension of the registrable particulars by order (clause 3 (4))

—  Open ended requirement on an applicant for registration to provide such information as the Secretary of State sees fit to require (clause 5 (5) (d))

THE ID CARD

  12.  There are a number of issues surrounding the procedures for the issuing of the card and the information required to validate the registration applications that may raise data protection concerns. The most significant of these is that there is no specific detail of the extent of information to be recorded on the card or the form in which it is recorded. This is particularly worrying as there is no provision for "non ID card" variants of designated documents so there is no opportunity for an individual to limit the amount of information that may be available to those to whom the document is being presented to for its primary purpose by using the a non ID card version.

  13.  Similarly the form that the information is retained is crucial as this will determine what is visible on the card and what is available on a chip. The technical arrangements for the reading of the chip have not been specified. There are dangers if a contactless chip is used without any form of encryption, such as is specified by ICAO for travel documents (known as open contactless chips). It is possible at the point of it being interrogated by a legitimate card reader for the details to be captured by others who may be electronically "eavesdropping". The requirement to have information recorded on a contact chip or encrypted if a contactless one is used should be clearly set out.

  14.  Other areas of potential concern on the card issuing arrangements include:

—  Lack of certainty of the administrative arrangements for designated document authorities (clause 10 (3))

—  Open ended requirement on unspecified 3rd parties to provide information for application validation purposes (clause 11 (1))

—  Extensive duties on individuals to notify changes of information on the Register even though this may have little ongoing value (eg other places of residence) (clause 12)

NATIONAL IDENTITY REGISTRATION NUMBER

  15.  The form of the National Identity Registration Number is not specified in the draft Bill and will be left to Regulations. This will be a significant piece of information as it will allow the linking of records as well as being a reference number cited by an individual when other are verifying their identity. The number should not be based on an existing number with comparatively wide current circulation such as National Insurance Number to ensure the appropriate level of security. The widespread recording of the number by disparate service providers runs the risk not only of greater currency and less security but also that it may allow a picture to be built up of an individual based upon their dealings with many service providers, all linked together by a common reference number. The Government's assurance in the accompanying consultation paper that the number will be designated as an identifier of general application under the Data Protection Act 1998 is welcome but any Regulations must contain effective safeguards against the unwarranted capture and recording of such details by service providers.

DISCLOSURE OF INFORMATION

  16.  The arrangements for disclosure of information from the Register and the circumstances where a card may be checked raise issues that must be clarified. A significant concern centres on clause 14 (4). This appears to remove any right, including any provided by statute, to an individual having access to the record of accesses made to their Register details. It is not clear what the intention is here and whether this is an attempt to fetter the right of subject access provided under the Data Protection Act 1998. Whilst the DPA does have specific provision effectively overriding such restrictions in other statutes and this would safeguard the right of access (S. 27(5) DPA), the basis for this provision in the draft Bill is a concern. The potential for disclosure with consent to be manipulated by others should not be underestimated; a persistent problem under data protection legislation is enforced subject access where an individual is required to use their access rights to produce information as to their bona fides for the benefit of others. Great care needs to be taken in the procedures to be established by Regulations under this section

  17.  A further substantial concern centres on those who may have access to the Register details showing previous access by others. Although this information is differentiated from the rest of the information in an entry, whole classes of organisation are granted potential access without having to justify their need. For example the Director General of the National Crime Squad may have access to for any of his functions whereas a chief officer of police could only have access in relation to purposes in relation to serious crime. Further specific concerns include:

—  The extent, in practice, to which an individuals consent to a check will be freely given, specific and informed (Clause 14)

—  The lack of precision about the public services who could require an identity check leaving this to Regulations with potential for function creep over time ( clause 15 (2) and (5))

—  The expansion of checks via other legislation and the ability to check the Register event though no card has been issued (clause 16)

—  The disclosure without consent of general Register information to the Secretary of State for any of his purposes (clause 20 (5))

—  The power to extend the provisions on disclosure without consent still further by Regulations permitting potential function creep (clause 23)

INDEPENDENT OVERSIGHT

  18.  The lack of a total system of independent oversight is of concern. One area where a positive attempt to introduce this is in relation to disclosure from the Register without consent. Whilst the appointment of a National Identity Scheme Commissioner is a step in the right direction, it falls well short of the level of independent supervision required due to the limited remit. Indeed it is a concern that even if the Commissioner discovers misuse there is no provision to require him to bring this to the attention of the individual affected or to provide any remedy for such an individual. His ability to report to Parliament is subject to a Prime Ministerial override down to the level of "prejudicial to the continued discharge of the functions of a public authority (Clause 26 (4)). This undermines the independence of the supervisory arrangements.

  19.  The Draft Bill does contain welcome offence provisions relating unauthorised disclosure, provision of false information and the tampering with the Register (clauses 29-31). However, the offence related to unauthorised disclosure (clause 29) is limited to those involved in the registration process. Others who may consult the Register as part of their official duties may also misuse the details available to them but are not covered by such a provision and would have to be dealt with by different means, presumable the offences at S. 55 of the Data Protection Act. A more comprehensive offence provision should be considered.

  20.  Returning to the issue of oversight, there is currently a significant gap that should be remedied. There is no mechanism proposed under the legislation for an individual to be able to appeal against decisions of the Secretary of State when administering the National Identity Register. An individual could face a situation where their identity has been assumed by and allocated to another or they could be having real difficulties with the particulars entered in the Register. Given the consequences described above where an individual may potentially suffer great detriment as a result of such problems it is important that there is a mechanism to allow individuals to appeal against the actions of the Secretary of State. Providing for a judicial remedy may be the most effective safeguard for individuals.

FUTURE COMPULSION

  21.  Finally, it is a significant concern that if clause 6 is ever used to introduce a compulsory scheme then existing safeguards will simply disappear. For example the very welcome provision making unlawful the requirement to establish identity by use of an ID card is undermined once clause six is applied (Clause 19 (2)(c)). This appears to mean that any private sector organisation could demand production of an ID card for any service it offered to an individual. This clause also effectively removes the opportunity to produce alternative forms of identification. Similarly, if clause 6 takes effect then the provision of all public services can be made conditional on production of an ID card (clause 15 (2)). The description of a "public service" at clause 15 (5) is extremely wide so even the most mundane of public services could become dependant on production of an ID card.

Richard Thomas

May 2004

94   Modern Horrors: British Identity and Identity Cards-John Agar: Documenting Individual Identity Princeton UP 2002. Back