The Government has decided to mandate the processing of excessive personal data and expose more young adults to ID theft. How? Just read on.
Just imagine you run a night-club that requires a licence to sell alcohol. A new law, enacted using Ministerial powers (thus ensuring limited Parliamentary scrutiny) requires you to have an “age verification policy” that “applies to the premises in relation to the sale or supply of alcohol”. In addition, that “policy must require individuals who appear ... to be under 18 years of age (or such older age as may be specified in the policy) to produce on request, before being served alcohol, identification bearing their photograph, date of birth and a holographic mark”.
As most identity cards used by staff at work do not show date of birth, what official identification document would satisfy you in this regard? I think there are three main contenders: passport, driving licence or ID Card. Remember, if things go wrong, you will need to prove that you have performed a “proof-of-age” check; so the chances are you will scan in identification documents present to you and keep them for a while. In this way, you are definitely a data controller subject to the Data Protection Act.
In fact, you might keep these details on a database, so that regular customers can register beforehand and quickly pass through your security on their next visit. The advantage of this approach is that once registered, customers do not need to bring their ID documents. Of course, if you decide on the Government’s ID Card, you should be able to check with the Identity and Passport Service national database to make sure the ID Card is valid. In this way, the database’s audit trail will keep a record of where the card holder goes clubbing (which can be disclosed to the authorities, whenever appropriate).
Note that there are any number of biometrics you could use to make sure that registered customers are who they say they are on the next visit. One could use a signature, or two fingerprints, or facial feature (e.g. scar on left cheek), location of mole or whatever is combination is convenient to you and your customers. However, the law now mandates “photograph” in every case. It is the Henry Ford approach to ID management: any biometric so long as it is the photograph.
Why this prescription? Well that is why we have Parliamentary scrutiny – when it occurs – to ask such questions! One suspects, however, that Government has rushed through secondary legislation because of the political imperative to show action against “binge drinking”; this has taken precedence over careful consideration of the law’s practical consequences. There are even those who suspect that this law is deliberately framed to promote the uptake of that increasingly unpopular ID Card.
Now we come to the crunch. The purpose of the law is to stop under-age drinking. To do that, all you need is a document that authenticates that the person is aged over 18 and verifies the card-holder as that person. You do not need to identify the individual, or mandate a photograph, or date of birth, or holograph or anything else: all you need is a verification and authentification process specifically designed for a particular narrow task in hand. What is more, there are companies that have these kinds of privacy enhancing technologies and products already on the shelf.
In other words, the Government’s law mandates excessive processing of personal data: the collection and retention of dates of birth when not needed, the unnecessary use of its official ID documents and the collection a particular biometric (the photograph). In addition, there are security concerns: by insisting on its own ID documents, the Government are ensuring that more passports, driving licences and ID Cards will be lost by young adults when they are “the worse for wear”.
I therefore recommend to Mossad (or anybody else) wanting to perform another bout of ID theft using stolen documents that they infiltrate night clubs as I am confident there will be lots of official ID documents to choose from.
These problems are self-evident to anyone who performs the most cursory of Privacy Impact Assessments (which hasn’t been done of course – see the official 37 page “impact assessment”). So to end by misquoting Laurel and Hardy: “Well, that's another fine mess in the making”.
Reference: The Licensing Act 2003 (Mandatory Licensing Conditions) Order 2010; http://www.opsi.gov.uk/si/si2010/draft/ukdsi_9780111491553_en_1. The 37 page Impact Assessment (which does not consider privacy concerns) can be found at: http://www.opsi.gov.uk/si/si2010/draft/em/ukdsiem_9780111491553_en.pdf