Government begins to ponder how to keep our ID data safe

THE IDENTITY and Passport Service is still working out how it will avoid embarrassing and harmful losses of personal data from its Identity Cards Scheme even as it finalises tender negotiations with suppliers.

The IPS had made inadequate provisions to mitigate the risks of data loss, it was told yesterday by the Independent Scheme Assurance Panel (ISAP).

Having read the ISAP report before its publication, IPS chief executive James Hall had already written a response to its criticisms.

He sent ISAP panel chairman Alan Hughes a letter this bank holiday Monday saying that the IPS had started trying to work out how he could prevent citizen's personal data being leaked from the ID Scheme. But it was still early days.

ISAP had warned that the IPS needed not only to sort its own act out, but to address the problem of data governance across the whole of government before it proceeded any further with the procurement of the scheme.

Hall said the IPS had "agreed an approach to developing strategy in this area".

The government's ID scheme, which will be integrated with systems and people across government, has come under fire since the government's lax data governance was revealed by string of high-profile data losses such as the HMRC's loss of 25 million child benefit records.

Hall said how important data governance was to the scheme: "I agree with the Panel that our work towards the harmonisation of identity management across Government, which promises to allow more constructive and customer-focused use of identity data across the public and private sector, is important to the policy framework which will support the Scheme".

He also said that many of the scheme's data protection measures were already "mandated by Government policy".

But the IPS ignored repeated requests by the Information Commissioner, the UK guardian of the data protection act, for a proper assessment of the risk posed by the ID Scheme's to people's privacy. The IPS did eventually ask the IPS to conduct such an audit - a privacy impact assessment - last summer. But the ICO said it was too late because data protection had to be built into the very foundations of an IT project for it to be successful.

"Beyond this," said Hall of the mandated data protection measures, the IPS " is ensuring" that it got on top of the problem.

The IPS would conduct risk assessments, he said. It would develop a basic system architecture. It had recognised the "significant challenge" of technical systems integration with other government departments and would ask suppliers to address it.

It had just launched a recruitment programme to acquire the IT management skills to ensure it did the job properly. And it had just decided to contract three large suppliers to do the work instead of a bunch of little ones.

It had established a cross-governmental Scheme Management Board to deal with the "significant issue" of governance of the ID programme. It had made other changes to its governance arrangements, but did not specify what they were. It had also just worked out what the scheme's priorities were.

And the IPS had a change of heart about how it should sell identity cards to the British people and so, "build the trust of the general public in the Scheme ". This appeared to involve ceasing to stoke and play on people's fears and taking instead a "customer-focused" approach.

All mentions of terrorism, fraud and foreigners had been dropped. The ability of the ID scheme to tackle this triumvirate of modern bogeymen has been widely criticised anyway.

The scheme would instead be sold to citizen's on the basis of how it would make their lives more convenient.

The first of these "benefits" was that "employment checks" would be easier. This was only a veiled reference to the xenophobia the government wants to enshrine in a law that would send employers to prison for giving work to people who don't hold a government permit.

The other way the IPS was planning to sell the benefits of ID cards was by saying it would "make it easier for young people to prove their identity to get started in independent life". The IPS has failed to specify how much a problem this would be unless organisations started refusing to deal with people who didn't present an identity card.

The IPS had started working with unspecified "organisations" to introduce " new services for young people driven by acceptance of the identity card". In other words, it was encouraging companies to introduce irresistible new services they would deny to people who failed to present an ID card. µ

See Also
Data fear haunts ID card scheme

ID card challenge batted back

UK national ID database tested with FBI criminal data

Opposition to UK ID card scheme grows