E-NICs: FR petition on alleged invasion of privacy
The procedure for the issue of Sri Lanka’s new electronic national identity card ( e- NIC)-- introduced in the absence of privacy or data protection laws--grants wide powers to the Commissioner General of the Department of Registration of Persons, officials and other authorities to collect and record any personal details from public and, potentially, private databases.
“If we are to embrace technology, we must do so only with the soundest of legal safeguards in place,” said Ravi Ratnasabapathy, a management accountant who has challenged the Government’s e- NIC regulations in the Supreme Court. “Without proper data protection laws in place the e-NIC project should not go ahead.”
The greatest concern with Sri Lanka’s proposed system is the possibility it could be used as a ‘general purpose surveillance system’. While the relevant legislation specifies it will be applied for reasons of establishing identity, clear limitations on use are not in place. Published reports point to the e- NIC and database being an overarching solution for tax, property, banking as well as national security.
“If allowed, any identification system that maintains
location or transactions may allow police or other government agencies to track individuals,” Mr Ratnasabapathy says. “Any identification system runs the risk of becoming a general purpose surveillance system in the absence of clearly defined limits.”
Mr Ratnasabapathy’s fundamental rights petition warns that the e-NIC regulations grant “virtually unrestricted access to any information concerning any citizen recorded with any public authority”. Up to now, privacy was protected (despite the absence of laws) by most data being held either in manual form or on isolated computer systems. Information was not shared. If needed for investigative or other purposes, it was provided through court order.
This will no longer be the case. And the use of biometrics in the new e-NIC poses new threats to privacy and security which can only be addressed through a strong legal framework based on ‘ Fair Information Practices’ (FIP) principles.
Drafted by the Organisation for Economic Co-operation and Development, the FIPs offer guidance on how to manage privacy implications of the e-NIC. They have become the foundation for most national laws governing data protection. In Sri Lanka, by contrast, they are being flouted openly.
The principles call for limits on the collection of personal data; for any such data to be obtained by lawful and fair means; and, where appropriate, with the knowledge or consent of the data subject. The less information is recorded the better. Each data element collected should be evaluated and debated. The casual inclusion of information that ‘might be useful someday’ should be resisted.
The Sri Lankan e-NIC blatantly violates this. Citizens must provide name, date of birth, gender, address, family details and numbers of national identity cards of parents, guardian, spouse, children and siblings. Divorcees are even required to specify the date of decree, case number and court in which the divorce decree was entered.
“Instead of limiting the data to the indi- vidual, the system collects detailed information on an individual’s family enabling the construction of complete family trees along with emails and phone numbers,” Mr Ratnasabapathy said. “If the system is about establishing ID, family details are unnecessary. An individual’s identity is independent of the family. Our current IDs and passports carry no family details. Why is this necessary in the E-NIC?”
The FIPs include principles under which personal data should be relevant to the purposes for which they are to be used; and be accurate, complete and kept up-to-date. Data which are not necessary for-- or relevant to--a biometric identification system should not be collected or maintained. The purposes for which personal data are collected should be defined not later than at the time of data collection. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with the consent of the data subject or by the authority of law.
The general policy is that data collected for one purpose should not be used for another purpose. “And this is how the present manual systems in Sri Lanka work,” Mr Ratnasabapathy said. “We provide information to the Land Registry, Registrar of Motor Vehicles or Employees’ Provident Fund for a particular purpose. They use it for internal purposes only and do not share the data with other agencies, except when ordered by court.”
But the proposed central database to be set up under the e- NIC initiative will share information with other agencies for a variety of purposes, including prevention or detection of crimes, without a court order. A biometric identification system can be used for a wide variety of identification activities. However, using an identification system for other unrelated purposes would likely violate the principles.
The FIPs state that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. There should be a general policy of openness about developments, practices and policies with respect to personal data. It should be possible to readily establish the existence and nature of personal data and the main purpose of their use, as well as the identity and usual residence of the data controller.
Under the openness principle, any person from whom data is needed must be able to learn of the existence of a processing operation; who is the data controller for that processing; and what personal data is being processed.
“Sri Lanka’s system is shrouded in secrecy and even attempts to obtain basic information through Right to Information requests have not yielded results,” said Mr Ratnasabapathy. “Data may be shared amongst different agencies without the knowledge or consent of citizens.”
An individual should also have the right to obtain data from a data controller or, otherwise, confirmation of whether or not the data controller has data relating to him; to have communicated to him data relating to him within a reasonable time; to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended. A data controller should be accountable for complying with measures which give effect to such principles.
A position of a data controller--in Sri Lanka’s case, the Commissioner General-is usually created under privacy and data protection legislation. He is then held accountable for complying with measures which give effect to the FIP principles. Civil or criminal penalties, administrative enforcement, arbitration, internal or external audits, complaint processing, a privacy office and more could be used to guarantee accountability.
But in Sri Lanka, Mr Ratnasabapathy said, the project is going ahead with no public consultation. “Individuals don’t have the right to know what data is held and to challenge incorrect data,” he pointed out. “There is no central authority to hold accountable for loss or misuse of data.”
The legal system has just not kept pace with advances in technology and the extent of the gap is now self-evident.