The Government has decided to mandate the processing of excessive personal data and expose more young adults to ID theft. How? Just read on.
Just imagine you run a night-club that requires a licence to sell alcohol. A new law, enacted using Ministerial powers (thus ensuring limited Parliamentary scrutiny) requires you to have an “age verification policy” that “applies to the premises in relation to the sale or supply of alcohol”. In addition, that “policy must require individuals who appear ... to be under 18 years of age (or such older age as may be specified in the policy) to produce on request, before being served alcohol, identification bearing their photograph, date of birth and a holographic mark”.
As most identity cards used by staff at work do not show date of birth, what official identification document would satisfy you in this regard? I think there are three main contenders: passport, driving licence or ID Card. Remember, if things go wrong, you will need to prove that you have performed a “proof-of-age” check; so the chances are you will scan in identification documents present to you and keep them for a while. In this way, you are definitely a data controller subject to the Data Protection Act.
In fact, you might keep these details on a database, so that regular customers can register beforehand and quickly pass through your security on their next visit. The advantage of this approach is that once registered, customers do not need to bring their ID documents. Of course, if you decide on the Government’s ID Card, you should be able to check with the Identity and Passport Service national database to make sure the ID Card is valid. In this way, the database’s audit trail will keep a record of where the card holder goes clubbing (which can be disclosed to the authorities, whenever appropriate).
Note that there are any number of biometrics you could use to make sure that registered customers are who they say they are on the next visit. One could use a signature, or two fingerprints, or facial feature (e.g. scar on left cheek), location of mole or whatever is combination is convenient to you and your customers. However, the law now mandates “photograph” in every case. It is the Henry Ford approach to ID management: any biometric so long as it is the photograph.
Why this prescription? Well that is why we have Parliamentary scrutiny – when it occurs – to ask such questions! One suspects, however, that Government has rushed through secondary legislation because of the political imperative to show action against “binge drinking”; this has taken precedence over careful consideration of the law’s practical consequences. There are even those who suspect that this law is deliberately framed to promote the uptake of that increasingly unpopular ID Card.
Now we come to the crunch. The purpose of the law is to stop under-age drinking. To do that, all you need is a document that authenticates that the person is aged over 18 and verifies the card-holder as that person. You do not need to identify the individual, or mandate a photograph, or date of birth, or holograph or anything else: all you need is a verification and authentification process specifically designed for a particular narrow task in hand. What is more, there are companies that have these kinds of privacy enhancing technologies and products already on the shelf.
In other words, the Government’s law mandates excessive processing of personal data: the collection and retention of dates of birth when not needed, the unnecessary use of its official ID documents and the collection a particular biometric (the photograph). In addition, there are security concerns: by insisting on its own ID documents, the Government are ensuring that more passports, driving licences and ID Cards will be lost by young adults when they are “the worse for wear”.
I therefore recommend to Mossad (or anybody else) wanting to perform another bout of ID theft using stolen documents that they infiltrate night clubs as I am confident there will be lots of official ID documents to choose from.
These problems are self-evident to anyone who performs the most cursory of Privacy Impact Assessments (which hasn’t been done of course – see the official 37 page “impact assessment”). So to end by misquoting Laurel and Hardy: “Well, that's another fine mess in the making”.
Reference: The Licensing Act 2003 (Mandatory Licensing Conditions) Order 2010; http://www.opsi.gov.uk/si/si2010/draft/ukdsi_9780111491553_en_1. The 37 page Impact Assessment (which does not consider privacy concerns) can be found at: http://www.opsi.gov.uk/si/si2010/draft/em/ukdsiem_9780111491553_en.pdf
Having run bars, this mandate only makes compulsory an existing inferred standard which will probably be followed by the same bars as before.
There has always been the potential for what you are talking about, but in my experience this is not the way that bars operate. Partly because they are a people business and don't think in a systems fashion, perhaps a little untrusting of technology. Also, individual staff have always been responsible for age-checks and this is a much cheaper option. The mandate only stipulates a 'policy', not a database & audit trail.
Companies are far more likely to collect & retain this sort of information if they can use it for commercial purposes (such as a loyalty scheme), but generally they will try to avoid doing anything like this on account of the effort involved.
The truth is, if having a thumb-print reader at the door was cost-effective and practical, it would be in common use already. This mandate is not going to change this a great deal.
Posted by: Matt Hudson | 29/03/2010 at 09:04 AM
When young people become inured against the intrusion of ID cards and the regular taking and use of their biometrics then the rest of us will have no chance of turning back the tide. And to be honest as long as they can get their pint they generally don't mind what they have to do (or at least they don't if they are anything like I was).
This simple fact is something I believe any government is well aware of. The fact that their strategy seems transparent to me doesn't stop me from admiring its audacity. Bypass the people that might resist and go for those that don't care by hitting them where they do. In their leisure time.
Genius really, and very difficult to do anything about.
Posted by: Secretgeek | 29/03/2010 at 09:18 AM