Let me count the ways…

The Data Protection Act of 1998 prescribes eight principles of Data Protection all organisations that collect and process personal data must apply.  It also requires these organisations to take adequate measures to ensure all staff are trained in and understand the application of these principles.

It seems the Labour government has been negligent in their Data Protection training, since as far as I can see, the National ID card scheme being rolled out in the UK violates all eight of them.  Let’s consider these principles one at a time.

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

In brief, the Schedules referred to above require that the “data subject” (that’s you or me) gives consent, or that the processing is necessary for the performance of a specific legal or contractual obligation.

In the case of the National ID card, which will initially record the fingerprints of all UK residents (with the possible future addition of retinal scans and who knows what else), the ID Cards Act contains no specific legislative or contractual justification for its existence.  On top of that, the card is intended to be a compulsory piece of identification, which handily trashes the requirement of obtaining our consent.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Here, the Labour government has argued that a National ID card will help combat identity theft.  I mean terrorism.  I mean illegal immigration.  In other words, the government’s reasoning for collecting your biometric data is little more than a random list of issues plucked from fear-inducing tabloid headlines.

Well, which purpose is it?  In order to comply with the Data Protection Act, the government not only has to choose, but also demonstrate that collecting the fingerprints of Cockney pensioners reduces the risk of foreigners trying to sneak into England in the back of a yoghurt lorry. Or it must demonstrate that maintaining a database of British fingerprints can combat identity theft – most of which is only possible because of the careless handling of personal data by the organisations that collect it.  Like, for example, the government. Or they will have to present some evidence that “the terrorists” are using phony ID, and can be stopped by having to give fingerprints in order to get it.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

The Identity Cards Act (2006) has tried to get around this obvious violation by making the “purposes” preposterously vague and far-reaching.  Surely no reasonable person can argue that building a national database of the biometric data of tens of millions of law-abiding UK residents is “relevant” to the job of ferreting out lawbreakers: all the criminals need to do is wear gloves and they can carry on with their lawbreaking, secure in the knowledge that police will be suspicious of everyone but them.

This principle is also blatantly violated by the government’s vision that the card can and should be required for access to a potentially infinite range public or private services from opening a bank account to visiting your GP.  Presumably any information regarding your use of these services will be stored in the chip along with your personal details, potentially accessible to anyone with a card reader and a taste for mischief.

4 Personal data shall be accurate and, where necessary, kept up to date.

Well, at least they have one principle wrapped up.  I suppose they can’t get much more “accurate” than all ten fingerprints.  Or can they?

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

It’s impossible to meet this obligation when there is no specific purpose for the data collection and no fixed parameters for who can require this information from you and why.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

Epic Fail of a magnitude best illustrated by a metaphorical video interlude.


(courtesy of failblog.)

Moving right along…

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Considering this government’s track record over the past year alone, it’s more than fair to point out that entrusting them with your sensitive personal data is quite a gamble.  To recap, here are a few highlights of the UK government’s spectacular incompetence when it comes to protecting sensitive information:

Secret terror files feft on train

MoD laptop stolen from McDonald’s

More MoD laptops thefts revealed

Personal data found on roundabout

Lost medical data is kept secret

Millions of L-driver details lost

Lost in the Post – 25 million at risk after data disks go missing

UK military says 3 disks of soldiers’ data lost

The list is nowhere near comprehensive, but it does illustrate the most important point to consider about effective data security:  the government can’t lose what the government doesn’t have.

Despite all the scrambling apologies, self-flagellations, punishments and policy reviews, the fact remains that collected data poses a security risk primarily due to the fact that it was collected and stored in the first place.

No matter how rigorous we public servants attempt to be in our adherence to security policy, and no matter how punitive the measures for reparation, accidents happen. The volume of information we juggle in our paper files, laptops, memory sticks, hard disks and unsecured databases; the extent to which we are required to pass it around between internal departments, contractors and public-private partnerships; the endless implementation of new software and technology that in most cases outpaces our ability to adapt our security procedures guarantees that accidents will happen.  They are unavoidable.  People make mistakes.

The government might also wish to consider the fact that at present, the ID card database can be accessed with a user name and password.  Just like Sarah Palin’s personal email.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

According to the ID Cards Act, “The Secretary of State may, without the individual’s consent” provide your ID card information to the Security Service and the Secret Intelligence Service.

It’s anybody’s guess who they’ll be sharing it with, but I assume the United States isn’t likely to be ruled out.  Bush’s wiretapping program, widely acknowledged to be a violation of the country’s own privacy laws, clearly demonstrates the US does not “ensure an adequate level of protection for the rights and freedoms of data subjects”.

If the blatant illegality of the National ID Card scheme is not enough to convince the UK abandon it, we can also consider the fact that they don’t work.

The Biometric Assurance Group (BAG) says officials may struggle to cope with the number of false matches, which could run into tens of thousands.

Everyone applying for a passport from 2010/11 will have to submit to a digital fingerprint scan, with the prints to be stored on a database.

They will then have a choice of a passport or ID card which the government says will help them to prove their identity when challenged by the police, border officials or in some commercial transactions such as with banks.

Any false matches – which could result in the wrong person being arrested or prevented from entering the country – will be dealt with manually.

(emphasis added).

What a relief!  While the collection of your fingerprints will be automated and involuntary, if you have the misfortune to be erroneously nabbed at some godforsaken border crossing and shipped off to Guantanemo Bay on the basis of this information, your case will be dealt with “manually.”  Just think how comforting it must have been for Maher Arar to know his case of mistaken identity was being dealt with “manually” when the US nabbed him on the way home to Canada and shipped him off to Syria to be tortured for a year.

As a foreigner living (legally) in the UK, I wonder how long it will be before I have to call in for my mandatory fingerprinting, and whether there will still be any airlines at that time so that I and my future earnings can fly back home.

UPDATE:  As it turns out, I am not alone in my assessment.  The Information Commissioner seems to agree.  So I might not have to move home after all; I can potentially fight for my right to privacy in court, and quite possibly win.  How embarrassing that would be for a government that has already committed billions of pounds to the ID card act and spent tens of millions of pounds implementing the conflicting DP act.  Which will they choose?

0 Responses

  1. Thank you very, very much for taking the time to lay all that out. You know, this is going to be one of those occasion when the people of Britain will be judged in the future as to whether we stood up and fought back or bent over and told the government to do what they like. I went to Runnymede to visit the monument to the Magna Carta, which gave us freedom under law, and I felt a tingle. It’s odd to see written down rights that you take for granted. And then you think of how it is being threatened and, well, it made ME angry anyway.

    I don’t trust the current government with my data; but even if I did, how do I know I can trust the government twenty years from now? I think that’s what some people don’t understand: governments come and go but the state remains. And so do its powers.

    It’s like the terrorism act. That old man was forcibly removed from the Labour Party conference for heckling and then detained under the terrorism act. It’s no good the government distancing themselves from the incident by saying that was not how the act was supposed to be used: that’s what happens when laws, especially vague ones, are passed and you give the power to implement them to morons in uniforms.

    And then there’s 42-day detention. How long will it be before someone is threatened with 42-day detention if they don’t ‘move along’. The current 28 days is too long as it is, but you might be prepared to take the hit on that one. But 42 days? That’s a disappearance.

    Sorry for drifting from the point, but it all goes to prove a couple of things: even if law makers can be trusted, those who enforce them often cannot, and give them a little more power now, and they will later want a little more and a little more. That’s how 28 days becomes 42 becomes 60 becomes . . . and how ID Cards can turn into monsters in our wallets.

    The public aren’t as frightened as the government would like us to believe. We lived through the IRA bombing campaign, with bombs going off in our streets quite regularly, and we took pride in the fact we just got on with it. We haven’t changed that much in such a short space of time. Within an hour of the 7/7 bombs, kids were playing in the street half a mile away from the city centre and come five o’ clock, the bars and restaurants in the city were full. A CNN reporter was talking about the desperate appeal to Londoners not to panic. That made me chuckle. There was none.

    I also love the way they say they won’t sell ID Card information to private companies: just to banks. Banks ARE private companies and, as recent events have shown, wholly untrustworthy.


  2. Hi, Richard, thanks for the rant. I am entirely on your side. The government can piss right off when it comes to asking me to trade in my civil liberties so they can protect me from tabloid bogey-men. I can protect myself, thanks, FAR better than they can. For example I can best protect myself from identity theft by fighting superfluous efforts to collect and handle my personal information, whether from dubious spammers or dubious legislators. And terrorism? PLEASE! The very word is a simpleton’s refuge when critical thinking fails him. My first priority is to protect my own mind from the militant propagandistic rubbish that proliferates on BOTH sides of any war.

    I hear from civilians who are not concerned about the erosion of their right to privacy that they have “nothing to hide” because they aren’t the people they believe this wide net has been cast for. In the context of the National ID card, that’s exactly like dolphins pontificating they have no reason to be concerned about tuna fishing. And it amazes me. Truly.

  3. “Hi, Richard, thanks for the rant.”

    I prefer to think of it as a soliloquy! 🙂

    “I hear from civilians who are not concerned about the erosion of their right to privacy that they have “nothing to hide” because they aren’t the people they believe this wide net has been cast for.”

    If they have nothing to hide they won’t mind me rummaging through their post or looking over their shoulders when they write an email. But of course whether you have something to hide or not is not the point as Martin Niemoller so eloquently pointed out.

  4. “If they have nothing to hide they won’t mind me rummaging through their post or looking over their shoulders when they write an email. ”

    Actually, it’s not outside the range of possibility for ME to get that job (unless they find my blog) since the government is also aggressively pursuing exactly the type of snooping powers you mention. And I work for the government. (Or, A government, anyway).

    How droll a job it would be to read through millions of YOUR private accounts of knee injuries, fancy dress parties and school fees looking for that ONE email that says “I’m going to bomb London Paddington tommorrow”

    … and isn’t taking the piss.

    (Edit: Well, I suppose they’ll be finding it now. There go my career prospects.)

    1. I did do this myself. I’ve been neglecting it for years. I can’t remember anything about the theme and so forth, but they’d be obsolete anyway. I did the header in photoshop though. Maybe that helps?

Leave a Reply

Your email address will not be published. Required fields are marked *