How does the UK National ID Card violate the Data Protection Act?

Let me count the ways…

The Data Protection Act of 1998 prescribes eight principles of Data Protection that all organisations that collect and process personal data must apply.  It also requires these organisations to take adequate measures to ensure all staff are trained in and understand the application of these principles.

It seems the Labour government has been negligent in their Data Protection training, since as far as I can see, the National ID card scheme being rolled out in the UK violates all eight of them.  Let’s consider these principles one at a time.

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

In brief, the Schedules referred to above require that the “data subject” (that’s you or me) gives consent, or that the processing is necessary for the performance of a specific legal or contractual obligation.

In the case of the National ID card, which will initially record the fingerprints of all UK residents (with the possible future addition of retinal scans and who knows what else), the ID Cards Act contains no specific legislative or contractual justification for its existence.  On top of that, the card is intended to be a compulsory piece of identification, which handily trashes the requirement of obtaining our consent.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Here, the Labour government has argued that a National ID card will help combat identity theft.  I mean terrorism.  I mean illegal immigration.  In other words, the government’s reasoning for collecting your biometric data is little more than a random list of issues plucked from fear-inducing tabloid headlines.

Well, which purpose is it?  In order to comply with the Data Protection Act, the government not only has to choose, but also demonstrate that collecting the fingerprints of Cockney pensioners reduces the risk of foreigners trying to sneak into England in the back of a yoghurt lorry. Or it must demonstrate that maintaining a database of British fingerprints can combat identity theft – most of which is only possible because of the careless handling of personal data by the organisations that collect it.  Like, for example, the government. Or they will have to present some evidence that “the terrorists” are using phony ID, and can be stopped by having to give fingerprints in order to get it.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The Identity Cards Act (2006) has tried to get around this obvious violation by making the “purposes” preposterously vague and far-reaching.  Surely no reasonable person can argue that building a national database of the biometric data of tens of millions of law-abiding UK residents is “relevant” to the job of ferreting out lawbreakers: all the criminals need to do is wear gloves and they can carry on with their lawbreaking, secure in the knowledge that police will be suspicious of everyone but them.

This principle is also blatantly violated by the government’s vision that the card can and should be required for access to a potentially infinite range of public or private services, from opening a bank account to visiting your GP.  Presumably any information regarding your use of these services will be stored in the chip along with your personal details, potentially accessible to anyone with a card reader and a taste for mischief.

4 Personal data shall be accurate and, where necessary, kept up to date.

Well, at least they have one principle wrapped up.  I suppose they can’t get much more “accurate” than all ten fingerprints.  Or can they?

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

It’s impossible to meet this obligation when there is no specific purpose for the data collection and no fixed parameters for who can require this information from you and why.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

Epic Fail of a magnitude best illustrated by a metaphorical video interlude.


(courtesy of failblog.)

Moving right along…

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Considering this government’s track record over the past year alone, it’s more than fair to point out that entrusting them with your sensitive personal data is quite a gamble.  To recap, here are a few highlights of the UK government’s spectacular incompetence when it comes to protecting sensitive information:

Secret terror files left on train

MoD laptop stolen from McDonald’s

More MoD laptop thefts revealed

Personal data found on roundabout

Lost medical data is kept secret

Millions of L-driver details lost

Lost in the Post – 25 million at risk after data disks go missing

UK military says 3 disks of soldiers’ data lost

The list is nowhere near comprehensive, but it does illustrate the most important point to consider about effective data security:  the government can’t lose what the government doesn’t have.

Despite all the scrambling apologies, self-flagellations, punishments and policy reviews, the fact remains that collected data poses a security risk primarily due to the fact that it was collected and stored in the first place.

No matter how rigorous we public servants attempt to be in our adherence to security policy, and no matter how punitive the measures for reparation, accidents happen. The volume of information we juggle in our paper files, laptops, memory sticks, hard disks and unsecured databases; the extent to which we are required to pass it around between internal departments, contractors and public-private partnerships; the endless implementation of new software and technology that in most cases outpaces our ability to adapt our security procedures: all of these guarantee that accidents will happen.  They are unavoidable.  People make mistakes.

The government might also wish to consider the fact that at present, the ID card database can be accessed with a user name and password.  Just like Sarah Palin’s personal email.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

According to the ID Cards Act, “The Secretary of State may, without the individual’s consent” provide your ID card information to the Security Service and the Secret Intelligence Service.

It’s anybody’s guess who they’ll be sharing it with, but I assume the United States isn’t likely to be ruled out.  Bush’s wiretapping program, widely acknowledged to be a violation of the country’s own privacy laws, clearly demonstrates the US does not “ensure an adequate level of protection for the rights and freedoms of data subjects”.

If the blatant illegality of the National ID Card scheme is not enough to convince the UK to abandon it, we can also consider the fact that they don’t work.

The Biometric Assurance Group (BAG) says officials may struggle to cope with the number of false matches, which could run into tens of thousands.

Everyone applying for a passport from 2010/11 will have to submit to a digital fingerprint scan, with the prints to be stored on a database.

They will then have a choice of a passport or ID card which the government says will help them to prove their identity when challenged by the police, border officials or in some commercial transactions such as with banks.

Any false matches – which could result in the wrong person being arrested or prevented from entering the country – will be dealt with manually.

(emphasis added).

What a relief!  While the collection of your fingerprints will be automated and involuntary, if you have the misfortune to be erroneously nabbed at some godforsaken border crossing and shipped off to Guantanamo Bay on the basis of this information, your case will be dealt with “manually.”  Just think how comforting it must have been for Maher Arar to know his case of mistaken identity was being dealt with “manually” when the US nabbed him on the way home to Canada and shipped him off to Syria to be tortured for a year.

As a foreigner living (legally) in the UK, I wonder how long it will be before I have to call in for my mandatory fingerprinting, and whether there will still be any airlines at that time so that I and my future earnings can fly back home.

UPDATE:  As it turns out, I am not alone in my assessment.  The Information Commissioner seems to agree.  So I might not have to move home after all; I can potentially fight for my right to privacy in court, and quite possibly win.  How embarrassing that would be for a government that has already committed billions of pounds to the ID card act and spent tens of millions of pounds implementing the conflicting DP act.  Which will they choose?