E-NICs: FR pe­ti­tion on al­leged in­va­sion of pri­vacy

Sunday Times (Sri Lanka) - - FRONT PAGE -

The pro­ce­dure for the is­sue of Sri Lanka’s new elec­tronic na­tional iden­tity card ( e- NIC)-- in­tro­duced in the ab­sence of pri­vacy or data pro­tec­tion laws--grants wide powers to the Com­mis­sioner Gen­eral of the Depart­ment of Regis­tra­tion of Per­sons, of­fi­cials and other au­thor­i­ties to col­lect and record any per­sonal de­tails from pub­lic and, po­ten­tially, pri­vate data­bases.

“If we are to em­brace tech­nol­ogy, we must do so only with the sound­est of le­gal safe­guards in place,” said Ravi Rat­nasaba­p­a­thy, a man­age­ment ac­coun­tant who has chal­lenged the Gov­ern­ment’s e- NIC reg­u­la­tions in the Supreme Court. “With­out proper data pro­tec­tion laws in place the e-NIC project should not go ahead.”

The great­est con­cern with Sri Lanka’s pro­posed sys­tem is the pos­si­bil­ity it could be used as a ‘gen­eral pur­pose sur­veil­lance sys­tem’. While the rel­e­vant leg­is­la­tion spec­i­fies it will be ap­plied for rea­sons of es­tab­lish­ing iden­tity, clear lim­i­ta­tions on use are not in place. Pub­lished re­ports point to the e- NIC and data­base be­ing an over­ar­ch­ing so­lu­tion for tax, prop­erty, bank­ing as well as na­tional se­cu­rity.

“If al­lowed, any iden­ti­fi­ca­tion sys­tem that main­tains

lo­ca­tion or trans­ac­tions may al­low po­lice or other gov­ern­ment agen­cies to track in­di­vid­u­als,” Mr Rat­nasaba­p­a­thy says. “Any iden­ti­fi­ca­tion sys­tem runs the risk of be­com­ing a gen­eral pur­pose sur­veil­lance sys­tem in the ab­sence of clearly de­fined lim­its.”

Mr Rat­nasaba­p­a­thy’s fun­da­men­tal rights pe­ti­tion warns that the e-NIC reg­u­la­tions grant “vir­tu­ally un­re­stricted ac­cess to any in­for­ma­tion con­cern­ing any cit­i­zen recorded with any pub­lic authority”. Up to now, pri­vacy was pro­tected (de­spite the ab­sence of laws) by most data be­ing held ei­ther in man­ual form or on iso­lated com­puter sys­tems. In­for­ma­tion was not shared. If needed for in­ves­tiga­tive or other pur­poses, it was pro­vided through court or­der.

This will no longer be the case. And the use of bio­met­rics in the new e-NIC poses new threats to pri­vacy and se­cu­rity which can only be ad­dressed through a strong le­gal frame­work based on ‘ Fair In­for­ma­tion Prac­tices’ (FIP) prin­ci­ples.

Drafted by the Or­gan­i­sa­tion for Eco­nomic Co-op­er­a­tion and De­vel­op­ment, the FIPs of­fer guid­ance on how to man­age pri­vacy im­pli­ca­tions of the e-NIC. They have be­come the foun­da­tion for most na­tional laws gov­ern­ing data pro­tec­tion. In Sri Lanka, by con­trast, they are be­ing flouted openly.

The prin­ci­ples call for lim­its on the col­lec­tion of per­sonal data; for any such data to be ob­tained by law­ful and fair means; and, where ap­pro­pri­ate, with the knowl­edge or consent of the data sub­ject. The less in­for­ma­tion is recorded the bet­ter. Each data el­e­ment col­lected should be eval­u­ated and de­bated. The ca­sual in­clu­sion of in­for­ma­tion that ‘might be use­ful some­day’ should be re­sisted.

The Sri Lankan e-NIC bla­tantly vi­o­lates this. Cit­i­zens must pro­vide name, date of birth, gen­der, ad­dress, fam­ily de­tails and num­bers of na­tional iden­tity cards of par­ents, guardian, spouse, chil­dren and sib­lings. Divorcees are even re­quired to spec­ify the date of de­cree, case num­ber and court in which the di­vorce de­cree was en­tered.

“In­stead of lim­it­ing the data to the indi- vid­ual, the sys­tem col­lects de­tailed in­for­ma­tion on an in­di­vid­ual’s fam­ily en­abling the con­struc­tion of com­plete fam­ily trees along with emails and phone num­bers,” Mr Rat­nasaba­p­a­thy said. “If the sys­tem is about es­tab­lish­ing ID, fam­ily de­tails are un­nec­es­sary. An in­di­vid­ual’s iden­tity is in­de­pen­dent of the fam­ily. Our cur­rent IDs and pass­ports carry no fam­ily de­tails. Why is this nec­es­sary in the E-NIC?”

The FIPs in­clude prin­ci­ples un­der which per­sonal data should be rel­e­vant to the pur­poses for which they are to be used; and be ac­cu­rate, com­plete and kept up-to-date. Data which are not nec­es­sary for-- or rel­e­vant to--a bio­met­ric iden­ti­fi­ca­tion sys­tem should not be col­lected or main­tained. The pur­poses for which per­sonal data are col­lected should be de­fined not later than at the time of data col­lec­tion. Per­sonal data should not be dis­closed, made avail­able or oth­er­wise used for pur­poses other than those spec­i­fied, ex­cept with the consent of the data sub­ject or by the authority of law.

The gen­eral pol­icy is that data col­lected for one pur­pose should not be used for an­other pur­pose. “And this is how the present man­ual sys­tems in Sri Lanka work,” Mr Rat­nasaba­p­a­thy said. “We pro­vide in­for­ma­tion to the Land Registry, Reg­is­trar of Mo­tor Ve­hi­cles or Em­ploy­ees’ Prov­i­dent Fund for a par­tic­u­lar pur­pose. They use it for in­ter­nal pur­poses only and do not share the data with other agen­cies, ex­cept when or­dered by court.”

But the pro­posed cen­tral data­base to be set up un­der the e- NIC ini­tia­tive will share in­for­ma­tion with other agen­cies for a va­ri­ety of pur­poses, in­clud­ing pre­ven­tion or de­tec­tion of crimes, with­out a court or­der. A bio­met­ric iden­ti­fi­ca­tion sys­tem can be used for a wide va­ri­ety of iden­ti­fi­ca­tion ac­tiv­i­ties. How­ever, us­ing an iden­ti­fi­ca­tion sys­tem for other un­re­lated pur­poses would likely vi­o­late the prin­ci­ples.

The FIPs state that per­sonal data should be pro­tected by rea­son­able se­cu­rity safe­guards against such risks as loss or unau­tho­rised ac­cess, de­struc­tion, use, mod­i­fi­ca­tion or dis­clo­sure of data. There should be a gen­eral pol­icy of open­ness about de­vel­op­ments, prac­tices and poli­cies with re­spect to per­sonal data. It should be pos­si­ble to read­ily es­tab­lish the ex­is­tence and na­ture of per­sonal data and the main pur­pose of their use, as well as the iden­tity and usual res­i­dence of the data con­troller.

Un­der the open­ness prin­ci­ple, any per­son from whom data is needed must be able to learn of the ex­is­tence of a pro­cess­ing op­er­a­tion; who is the data con­troller for that pro­cess­ing; and what per­sonal data is be­ing pro­cessed.

“Sri Lanka’s sys­tem is shrouded in se­crecy and even at­tempts to ob­tain ba­sic in­for­ma­tion through Right to In­for­ma­tion re­quests have not yielded re­sults,” said Mr Rat­nasaba­p­a­thy. “Data may be shared amongst dif­fer­ent agen­cies with­out the knowl­edge or consent of cit­i­zens.”

An in­di­vid­ual should also have the right to ob­tain data from a data con­troller or, oth­er­wise, con­fir­ma­tion of whether or not the data con­troller has data re­lat­ing to him; to have com­mu­ni­cated to him data re­lat­ing to him within a rea­son­able time; to chal­lenge data re­lat­ing to him and, if the chal­lenge is suc­cess­ful, to have the data erased, rec­ti­fied, com­pleted or amended. A data con­troller should be ac­count­able for com­ply­ing with mea­sures which give ef­fect to such prin­ci­ples.

A po­si­tion of a data con­troller--in Sri Lanka’s case, the Com­mis­sioner Gen­eral-is usu­ally cre­ated un­der pri­vacy and data pro­tec­tion leg­is­la­tion. He is then held ac­count­able for com­ply­ing with mea­sures which give ef­fect to the FIP prin­ci­ples. Civil or crim­i­nal penal­ties, ad­min­is­tra­tive en­force­ment, ar­bi­tra­tion, in­ter­nal or ex­ter­nal au­dits, com­plaint pro­cess­ing, a pri­vacy of­fice and more could be used to guar­an­tee ac­count­abil­ity.

But in Sri Lanka, Mr Rat­nasaba­p­a­thy said, the project is go­ing ahead with no pub­lic con­sul­ta­tion. “In­di­vid­u­als don’t have the right to know what data is held and to chal­lenge in­cor­rect data,” he pointed out. “There is no cen­tral authority to hold ac­count­able for loss or mis­use of data.”

The le­gal sys­tem has just not kept pace with ad­vances in tech­nol­ogy and the ex­tent of the gap is now self-ev­i­dent.

Newspapers in English

Newspapers from Sri Lanka

© PressReader. All rights reserved.