14 February 2005
11 September 2013
6 August 2013
11 March 2014
31 October 2013
Un-safe Harbor: is Safe Harbor an adequate means of protecting EU personal data transferred to the US?
22 January 2014
The Government argues that the Identity Cards Bill is essential in order to adequately manage national security and prevent identity fraud. But is this really the case? Many EU countries do have a compulsory identity card scheme and yet there is no evidence these schemes have been successful in preventing terrorism. If the Government's intention is to introduce identity cards in order to better identify 'undesirables', then it makes no sense to have legislation that does not require the compulsory carrying of such a card, yet this is what the bill currently states.
In addition to ID cards, the bill also introduces the concept of a National Identity Register. The register is the main thrust of the legislation. It is the data that will be held on this register and the proposed smart cards that will impose on the Government the full force of the Data Protection Act 1998. Although Charles Clarke claims that the cards and database will not carry sensitive data such as medical records and religious beliefs, other sensitive personal data will clearly be included.
In addition to the more familiar photo ID, the smart cards will carry biometric data, such as fingerprints or iris scans, and there are big concerns (besides them being technically risky and practically expensive) about the Government's ability to adequately manage information security. The Data Protection Act 1998 imposes a requirement on a data controller to adequately manage information security, and yet the bill does not adequately recognise these obligations.
It appears from the bill that, despite it being the Government that requires the implementation of an identity card system, it has no liability for failures in the system. It is intended to be a criminal offence for an individual not to notify the authorities of any changes of information, such as address, yet where an individual does notify the authorities of errors in information, there is no requirement that the Government 'must' correct such information, but only that it "may" correct it. What is more, the creation of a centralised identity database is akin to an electronic Doomsday and, given the Government's record on failed or flawed IT projects, the fact that the bill does not give an individual any rights to compensation where that individual's identity is misappropriated through no fault of their own is a big concern.
The Government has stated that it does not intend to make the carrying of identity cards compulsory and, by way of a safety valve, the bill provides that any introduction of compulsory cards must be approved by Parliament. One cannot imagine that a government that is going to spend billions setting up an identity card system will simply allow it to remain voluntary for long. The costs of implementing the bill will be borne by the Govern-ment, citizens and businesses. The bill makes it clear that the provision of public services may be subject to production of identification and one assumes that every post office, hospital, social security office and other government department will have to have installed readers to enable them to cross-check the identity of an individual with the National Identity Register. The bill also provides that, where further information is needed to identify an individual, if this information is in the possession of a third party, such as an employer, the employer can be required to give assistance to the authorities. There must therefore be an additional cost to business, and yet no impact assessment appears to have been carried out in this regard.
Information Commissioner Richard Thomas stated that the bill is like "sleepwalking into a surveillance society". I would suggest that if the bill continues in anything like its current form, we are all walking into a surveillance society with our eyes wide open.