Pounder Chris on 20 December 2004 at 13:13 said:-
> Can I comment that "the audit trail could
> keep a record
> of these checks if a card reader is used" (e.g. Joe Bloggs
> record could
> include in the record that Blockbuster video checked his ID Card on
> 12/5/2014). So the ID Card database won't keep the actual
> transaction -
> it will point to where one could find out these details
>
Part of the thrust of many legal arguments promotes the retention of audit
trails as a means of achieving evidential certainty.
Why would a national ID card database be any different?
Ian W
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Pounder Chris
> Sent: 20 December 2004 13:13
> To: [log in to unmask]
> Subject: Re: LEGAL BRIEFING & QUESTIONS ON PRIVACY AND ID CARDS
>
>
> The contents of this email and any attachments are
> confidential to the intended recipient and may be legally
> privileged. Please see the important conditions below.
>
>
>
>
> You might have seen the Guardian which has a slight
> misinterpretation.
>
> I have attached a briefing I have prepared - plus an
> explanation of the error
>
>
> Charles Clarke says in his Times Article "However, I
> believe that - quite apart from the security advantages -
> there will be
> enormous practical benefits. ID cards will potentially make a
> difference
> to any area of everyday life where you already have to prove your
> identity - such as opening a bank account, going abroad on holiday,
> claiming a benefit, buying goods on credit and renting a video. The
> possession of a clear, unequivocal and unique form of
> identity - in the
> shape of a card linked to a database holding biometrics - will offer
> significant benefits.
>
> Can I comment that "the audit trail could
> keep a record
> of these checks if a card reader is used" (e.g. Joe Bloggs
> record could
> include in the record that Blockbuster video checked his ID Card on
> 12/5/2014). So the ID Card database won't keep the actual
> transaction -
> it will point to where one could find out these details
>
> C
>
> -----Original Message-----
> From: Pounder Chris
> Sent: 20 December 2004 10:56
> Subject: LEGAL BRIEFING & QUESTIONS ON PRIVACY AND ID
> CARDS
>
>
>
> BACKGROUND BRIEFING ON PRIVACY AND ID CARDS
>
> Pinsent Masons, a law firm that specialises in Data
> Protection has prepared a press briefing (see below) on the privacy
> issues relating to the ID Card Bill, outlining several key questions
> relating to the implementation of the a national ID Card system.
>
> In addition, Pinsent Masons has spokespeople
> on hand to
> offer informed, independent comment and explanation on the privacy and
> data protection elements of the ID Card Bill.
>
> Our press officers (listed below) are
> available 24/7 if
> you need any comment or advice regarding the Act and the issues
> surrounding it. If we can help in any way please do not hesitate to
> contact us on 01865 725 269.
>
>
> --------------------------------------------------------------
> ----------
> ----------------------
>
> BACKGROUND BRIEFING ON PRIVACY AND ID CARDS
>
> Prepared by Data Protection and Privacy Practice,
> published by Pinsents Masons
>
>
>
> Key privacy issue
>
> The main privacy concerns of the proposed National ID
> Card system arise from the records contained in the database of
> registrable facts. This ID Card database will have an entry for each
> cardholder (55 million UK residents), and will contain up to
> 50 items of
> personal data which can be accessed by numerous public authorities
> either by consent of the cardholder or, in the case of certain
> authorities, by law. Not all public authorities or other bodies who
> access the database will have access to all 50 items of personal data,
> it will depend on the nature of the public authority. Many
> organisations
> will be only able to access details which check whether ID
> Card holders
> are who they say they are. Who has access to the database, to
> what items
> in the database and for what purpose are therefore the key privacy
> issues.
>
>
>
> The audit trail
>
> The original ID Card consultation document
> ("Entitlement
> Card and Identity Fraud") stated that "it is most unlikely that
> entitlement information relating to specific services would be held on
> the central register". Paragraph 3.29 of this document also
> suggested to
> the public that access to the register by authorities could be subject
> to warrant arrangements or judicial approval. The ID Card
> Bill proposes
> an audit trail which can record access to specific public services.
> Access to the audit trail is not subject to warrant arrangements.
>
> The audit trail is a double-edged sword. If one is to
> prosecute misuse of the ID Card database, then one needs a record of
> accesses. On the other hand, such an audit trail will contain a record
> of whenever the ID Card was checked by an organisation against the ID
> Card database. So, for example, if a card holder registers
> with a GP or
> attends an out-patient clinic for the first time - to use two examples
> provided by Ministers - then the fact that the check is made is most
> likely to be retained in the database.
>
> Note that in this case, the audit trail does
> not contain
> the content of the actual medical record. It will however point to a
> specific clinic or GP who is likely to possess the
> cardholder's medical
> record. The same implication arises for all services which
> use the card
> and check the card against the database.
>
> ID Cards can be used in relation to private sector
> service provision with the consent of the cardholder. According to the
> Regulatory Impact Assessment issued by the Home Office in relation to
> the ID Card, the financial services industry will be encouraged to use
> the ID Card for identifying purposes, for example. when opening a new
> account. The use of an ID Card check against the database
> could trigger
> a record in the audit trail which identifies contact with a particular
> financial service.
>
>
>
> Privacy problems with the audit trail
>
> The Government has said that their intention
> is to keep
> the records of individuals beyond their life time. Thus the
> audit trail
> will eventually comprise a summary of a person's interaction
> with public
> and private services where identity and/or entitlement needs to be
> checked against the ID Card database - and it will point to the key
> relationships between the individual card-holder and public
> and private
> services used by that individual for the duration of the cardholder's
> adult life.
>
> However, the ID Card Bill does not require that all
> accesses to the ID Card database to be recorded. The Home
> Affairs Select
> Committee which reported on ID Cards was very concerned about the
> possibility that audit trail data could be accessed by the security
> services and police without leaving a trace in that audit trail.
>
>
>
> Human Rights Act 1998 (Article 8 - respect for private
> and family life)
>
> The ID Card Bill provides wide powers to Ministers in
> order to enact regulations dealing with important details about the
> processing of personal data. Order making powers are usually reserved
> for those uncontroversial elements which do not need detailed
> Parliamentary consideration.
>
> In the Children Bill, the same mechanism was used in
> relation to the detail associated with the processing of personal data
> linked to childrens' databases. In this case, the Joint Committee on
> Human Rights, a Parliamentary Committee of MPs and Peers,
> concluded that
> it is "impossible for the Committee to make any judgment about the
> proportionality of what will undoubtedly constitute an
> interference with
> Article 8". As access to the ID Card database is subject to
> the detail
> being in regulations, the same issue will arise in relation to the ID
> Card Bill. Compatibility with the Human Rights Act therefore is an
> issue.
>
> It is interesting to note that the ID Card
> Bill carries
> a statement on its first page of compatibility with the Human Rights
> Act. There was nothing published with the Bill to substantiate this
> statement.
>
>
>
> Disclosures from the ID card database
>
> If a disclosure of personal data from the database is
> sanctioned by law this kind of disclosure can qualify within the
> "exemption from the non-disclosure provisions" under the Data
> Protection
> Act (DPA). This, in effect, means that most of the Data Protection
> Principles in relation to such a disclosure do not apply.
>
> Most of the disclosures to the police,
> national security
> agencies, tax officials from the ID Card database will follow this
> route. The Bill requires such a disclosure has to be in "connection
> with" the duties of the Inland Revenue Commissioners, police, security
> services etc. By contrast, the Regulation of Investigatory Powers Act
> uses a test of "necessity" in connection with disclosure of
> communications data to these authorities, whilst the DPA
> itself requires
> a test of failure to disclose causing "prejudice". The test of
> "connection with" is not as high as in other legislation.
>
> As is well known the police and security services have
> wide ranging exemptions from data protection, human rights and freedom
> of information legislation. The issue of supervision of such bodies is
> therefore important. The Bill provides for a Commissioner who
> reports to
> the Home Secretary in relation to this function. Supervision of the
> national security use of the database is separate to these two.
>
>
>
> Data Protection Act 1998
>
> In its original consultation, the Government
> stated that
> ID Card was about establishing identity and entitlement to services.
> These original purposes are in the ID Card Bill, and have
> been augmented
> with a new purpose: the "purpose of securing the efficient
> and effective
> provision of public services" (i.e. any public service), where the
> purpose may not be limited to the public service which
> requires the Card
> to be checked.
>
> Most of the Data Protection Principles are phrased in
> terms of "purpose". So for example, if a problem relates to personal
> data which is "relevant for the purpose of immigration" (the Third
> Principle) this can be assessed to see whether a particular
> item of data
> is indeed relevant to a precise purpose. Note that the broader the
> purpose, the more difficult this assessment becomes - for instance, a
> broad purpose such as "purpose of securing the efficient and effective
> provision of public services" would make it difficult for the
> Information Commissioner to enforce the relevant Principle
> dealing with
> relevance.
>
> The issue in respect of the Data Protection
> Act, is not
> whether the Act applies, it is how the Act applies. Further details of
> the data protection problems associated with the ID Card scheme can be
> obtained from the web-site of the Information Commissioner
> (www.informationcommissioner.gov.uk
> <http://www.informationcommissioner.gov.uk/> ).
>
>
>
> The future
>
> Once the ID Card database is established, its use for
> other purposes will arise. For instance, the Office of National
> Statistics is currently considering whether a population
> register can be
> assembled from the ID Card database and the databases of all children
> which are established under the Children Bill. This
> population register
> could then be available to help public authorities in general - for
> example to secure the efficient use of public services. The Department
> of Health has announced that it is considering the
> relationship between
> the card which is to replace E111 (the form you fill in for access to
> health services within the European Union) and the ID Card. Most
> organisations want to exploit their data assets - it is reasonable to
> assume that the ID Card database will be no different.
>
> The Bill contains a general order making power for the
> Secretary of State to allow further disclosures without consent of the
> individual cardholder. These could fit in with future plans for the
> database.
>
>
>
> SOME KEY PRIVACY QUESTIONS
>
> 1. How is each Data Protection Principle
> going to apply,
> in practice, to the protection of personal data in the ID
> Card database?
>
>
>
> 2. How does the obligation to respect private
> and family
> life under the Human Rights Act apply to:
>
> * -
> Disclosures from the
> database which are made "in connection with" for specific purposes
>
> * - Disclosures of the
> audit trail to the police or security service which may not
> be traceable
> or recordable
>
> * - The concept of
> consent used in the Bill when the ID cardholder has to obtain
> a Card and
> may be required to produce it to obtain a service
>
>
>
> 3. Is there effective independent supervision of the
> uses of the ID Card Bill when:
>
> * -The ID Card
> Commissioner reports to the Home Secretary
>
> * -The Information
> Commissioner, ID Card Commissioner and the supervisory mechanisms
> associated with national security are all involved in the privacy
> protection business
>
> * -The Information
> Commissioner has no power to audit the ID Card database.
>
>
>
> 4. What are the plans for the ID Card
> database including
> audit trail in relation to wider service delivery and how
> does it fit in
> with other plans (e.g. of the ONS to create a population
> register from
> which all public services can update their records). Should these be
> debated as an integral part of the ID Card Bill goes or are they
> separate matters?
>
>
>
> 5. Did the original public consultation give undue
> prominence to the ID Card rather than privacy concerns over
> the database
> and could this have contributed to the emergence of concern
> over privacy
> matters?
>
>
>
>
>
>
>
>
>
> Pinsent Masons press office contacts:
> Joshua Van Raalte
> Tel: 01865 725 269
> Mobile: 07808 734 622
>
> Richard Leonard
> Tel: 01865 725 269
> Mobile: 07887 568 930
>
> www.pinsentmasons.com <http://www.pinsentmasons.com/>
>
> www.OUT-LAW.com <http://www.out-law.com/>
>
> About Pinsent Masons:
>
> Pinsent Masons has been providing advice and
> training to
> public organisations on the Freedom of Information Act for
> the past four
> years, and has recently become the the first FOI Act training provider
> to be formally offered full accreditation by the Information Standards
> Examination Board. It has also produced an interactive e-learning
> programme to educate and inform public sector employees about the
> implications of the Act, and has developed a training package
> to assist
> Scotland's public authorities in becoming compliant with the
> Freedom of
> Information (Scotland) Act 2002 for the Scottish Executive.
>
>
>
>
>
>
>
> This message has been scanned for viruses by
> MailControl
> <http://www.mailcontrol.com/> , a service from BlackSpider
> Technologies
> <http://www.blackspider.com/> .
>
>
>
>
>
>
>
> Important
>
> If you are not the intended recipient: (1) you must not
> disclose, copy or distribute its contents to any other person
> nor use its contents in any way; (2) please contact Pinsent
> Masons immediately on +44 (0)20 7418 7000 quoting the name of
> the sender and the addressee, and then delete it and any
> attachments and copies from your system. We do not warrant
> that this email or any attachments are virus-free and do not
> accept any responsibility for any loss or damage resulting
> from any virus infection. Pinsent Masons is not responsible
> for any changes made to its documents other than those agreed
> by us or for consequences of same. No contract may be
> concluded on behalf of Pinsent Masons, nor service of process
> accepted, by e-mail. This is not an invitation or inducement
> to engage in an investment activity or advice on the merits
> of investment activity. We may monitor traffic data of both
> business and personal emails. By replying you consent to such
> monitoring. The content and opinions in non-business e-mail
> are not those of the firm and we exclude all liability for
> such. Pinsent Masons is an international law firm with
> offices in London, Birmingham, Bristol, Edinburgh, Glasgow,
> Leeds, Manchester, Brussels, Hong Kong and Shanghai. Further
> information about the firm and a list of partners are
> available for inspection at Dashwood House, 69 Old Broad
> Street, London, EC2M 1NR UK or from our website at
> www.pinsentmasons.com. Each of our offices is regulated by
> the relevant local law society.
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to
> the list owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
