There is an adage (disputed by Transport for London) that if one waits at a bus-stop for more than half an hour, three or four buses will then turn up, almost in a convoy. Curiously, this adage appears to apply to the management of digital identity.
There are four recent proposals relating to ID which have overlapped. They are:
- The parts of the legislation in the dormant Data Protection and Digital Information (DPDI) Bill that relate to digital information. These parts take the form of a paving Bill where many of the details of how digital identity works in practice are reserved for Ministerial powers. It is focused on enabling digital identity use in the wider economy.
- Proposed legislation based on the public consultation on “Consultation on draft legislation to support identity verification” which the Government intends to enact by Statutory Instrument (again leaving important detail to Ministers). These proposals are a precursor to a digital identity scheme operating in the public sector and aim to facilitate data sharing within the public sector and thereby establish such a digital identity scheme.
- The proposals from Tony Blair’s Institute for Global Change, co-authored by Lord William Hague (ex leader of the Conservative Party), which require a “single digital-ID system for all residents” (which by implication is a compulsory digital ID scheme).
- The ID requirements for voting in elections. Conspiracy theorists will no doubt claim that these “No specified ID – No Vote” provisions “soften-up” the public for general acceptance of the idea of presenting some form of ID when dealing with public authorities.
This blog is limited to the public consultation on proposals to support data sharing for the purpose of digital identity verification as specified in the second bullet.
Summary of the problems
The problems with the Consultation’s proposals are as follows:
- There is no detailed information on the protection afforded to data subjects (other than the UK_GDPR provisions). In practice, although data sharing is voluntary and transparent to the data subject, there is no way of returning a data subject to the position prior to that data sharing, should the data subject wish this. The data subject thus loses control of what is supposed to be in that subject’s interests.
- Data sharing is likely to include unexplained and unspecified items of special category of personal data.
- There is no reference to the Government’s promised changes to the data protection and human rights legislation (e.g. the DPDI Bill). The Consultation’s assumptions on the level of protection afforded to data subjects by the UK_GDPR are likely to be incorrect.
- There is no reference to the risks associated with data sharing (and the potential to resurrect the equivalent of the National Identity Register which was at the centre of the Identity Card Act 2005).
- There is no reference to the Nine Identity Assurance Principles which were officially published to guide Government on a privacy friendly approach to the introduction of a digital identity scheme.
In summary, the Consultation has too much missing for it to be treated as a reliable representation of what is being proposed.
Identity Assurance Principles
As background, I refer to the “Nine Identity Assurance Principles” that were published in 2015 for inclusion in any future Governmental digital identity project (see references). The objective was to avoid a repeat of the ID Card debacle a decade earlier; the Government asked a number of privacy experts (including the ICO and yours truly) to debate and draft a set of objectives.
As a result, these Principles emerged to provide a benchmark for all digital identity schemes. They allow one to identify which Principle is not being considered and the consequences of that lack of consideration. In this Consultation, none of the Principles have been considered.
In summary, these Principles are:
- The User Control Principle (Identity assurance activities can only take place if the data subject consents or approves them).
- The Transparency Principle (Identity assurance can only take place in ways a fully informed data subject understands).
- The Multiplicity Principle (The data subject can use and choose as many different identifiers or identity providers as they want).
- The Data Minimisation Principle (Any request from the data subject or identity assurance transaction only uses the minimum personal data that is necessary).
- The Data Quality Principle (The data subject chooses when to update their records).
- The Service-User Access and Portability Principle (The data subject is provided a copy of all personal data on request and can move/remove their personal data on request).
- The Governance/Certification Principle (There is public confidence in any Identity Assurance System because all the participants have to be accredited).
- The Problem Resolution Principle (If there is a problem there is an independent arbiter who can find a solution).
- The Exceptional Circumstances Principle (Any exception to the above Principles has to be approved by Parliament in new legislation to ensure the law is subject to scrutiny in the context of the operation of a digital identity scheme).
Note that together, these Principles set out the circumstances which maintain public confidence in any digital identity proposal. Such confidence is achieved by placing the data subject in control and at the centre of any processing of their digital identity details.
Although the Principles are ignored in the current Consultation, some Principles partially arise as a result of the implementation of the UK_GDPR (e.g. data minimisation, limited transparency). Other omissions, however, raise matters of concern. For example, there is only to be one identity available, contrary to the Multiplicity Principle.
In addition, an individual whose identity has been established is not fully in control of when public authorities reveal their identity details. This is because any associated identity database held by a public authority falls foul of the Exceptional Circumstances Principle and access to digital identity information could be lawful, when that law allowing access did not have any Parliamentary scrutiny or consideration of its impact on a digital identity scheme.
Attributes for a National Identity Database?
The Consultation states that “Public authorities will process the minimum number of data items, known as attributes, necessary for verifying the identity of an individual”. Remember these data items are then potentially available to any other public body involved within the proposed data sharing scheme, or accessible via any other legislation that allows access to these identity attributes.
Examples of attributes include: “user’s full name; date of birth; home address; email address; photographic images; various identifiers such as passport number or driving licence number; attributes held by government departments necessary for verifying the identity of an individual; the outcome of identity checks previously performed on a user; and transactional data, for example, income”.
It is not obvious to me that “income” and “email address” are attributes that identify an individual.
The Consultation also adds that “other data items may be processed as identity verification services develop. This may include special category data….”. Obvious examples of special category personal data used in the context of identity include facial recognition, fingerprints and DNA profiles. So are these going to be used?
Sadly, the Consultation dumbs down on the detail here, when in practice it should have been crystal clear what is intended with the processing of special category of personal data in the context of digital identity. This resultant lack of clarity raises more questions than answers (and is likely to engender mistrust of the proposals themselves).
Finally, just imagine if these personal data items held by each public authority for establishing a digital identity scheme were collated in one database; this would essentially replicate the National Identity Register (NIR) specified in the ID Card Bill of 2005 (and resurrect all the horrendous privacy issues discussed two decades ago).
The only difference with the Consultation? Each public body now has its own database which it can share with other public bodies. In effect this is a proposal for a new NIR, distributed across participating public bodies.
Data subjects are unprotected
So what protects the data subject? According to the Consultation, protection arises from the fact that data sharing occurs subject to the UK_GDPR (e.g. the data sharing code) and other data ethics guidance.
In practice, the data subject is not in control. There is no way that the data subject, having agreed to data sharing, can recover to the position which applied prior to that data sharing; this is contrary to the Service-User Access and Portability Principle.
Although the data subject is fully informed, there is little the data subject can do with that information because:
- withdrawing consent to the data sharing does not work. Consent is irrelevant as any data sharing is justified in terms of the public task of participating public bodies.
- the right of erasure does not apply as the processing is made lawful by being part of the public task of participating public bodies.
- the right to object to the processing is going to be very difficult to exercise as the data subject has to demonstrate grounds in relation to his position and these grounds are likely to be contested.
What about DPDI or Human Rights changes?
The Consultation ignores the potential impact of the Government’s proposed changes to the data protection and human rights regimes.
For example, in an earlier blog, I showed that the DPDI Bill allowed HMRC to lawfully obtain personal data for its purposes via voluntary disclosure from any controller even when there is no “public interest” component to a particular disclosure of personal data to HMRC (see references).
Indeed a particular disclosure did not need to be associated with any specific HMRC investigation (i.e. a failure to disclose does not prejudice HMRC’s collection or assessment of tax). HMRC is specified in the Consultation as a participant in data sharing (but one suspects that data sharing occurs only in one direction).
With respect to Human Rights changes, I raised the issue that the British Bill of Rights changes who interprets the meaning of necessity, public interest and proportionality and thereby changes the nature of the link between the UK_GDPR and A.8 of the European Convention of Human Rights (right of respect for private and family life etc).
In general, the Bill of Rights changes the ultimate arbiter of what data sharing is “proportionate”, “necessary” or “in the public interest”. These terms are to be specified by Ministers; so if Ministers say certain data sharing with HMRC is “necessary”, then it is necessary and almost impossible to challenge (see references).
For clarity, I am not picking on HMRC. I am using HMRC to show that the proposed changes in data protection and human rights law fundamentally alter the data protection analysis presented to the public by this Consultation.
Concluding comment
I am convinced the Consultation has little to do with protecting the data subject; it is designed to assist data sharing between public bodies at their convenience. The omissions in the Consultation mean that it should be reworked, with the Nine Identity Assurance Principles at its heart.
References
Consultation on draft legislation to support identity verification: https://www.gov.uk/government/consultations/draft-legislation-to-help-more-people-prove-their-identity-online/consultation-on-draft-legislation-to-support-identity-verification
Tony Blair’s Institute report which suggests digital ID for everyone as a consequence of a push for growth: https://institute.global/policy/new-national-purpose-innovation-can-power-future-britain
The Nine Identity Assurance Principles: https://www.gov.uk/government/publications/govuk-verify-identity-assurance-principles/identity-assurance-principles
Blog post: Voluntary disclosure to HMRC? Always lawful and always compatible: https://amberhawk.typepad.com/amberhawk/2022/08/voluntary-disclosure-to-hmrc-always-lawful-and-always-compatible.htm
Blog post: UK Bill of Rights set to undermine UK_GDPR: https://amberhawk.typepad.com/amberhawk/2022/07/uk-bill-of-rights-set-to-undermine-uk_gdpr-and-adequacy.html