Notes for a Presentation by
David H. Flaherty
Information and Privacy Commissioner for the Province of British Columbia
Victoria, September 26, 1995
"Provincial Identity Cards: A Privacy-Impact Assessment"
This presentation might not have been necessary if the government and the public service had been willing to comment publicly about its plans for multi-purpose identity cards, including participation in this session. My queries began last spring when rumours of such potential applications emerged from the Ministries of Social Services and Health and the Motor Vehicle Branch of the Ministry of Transportation. One or two briefings of my staff did occur then.
I am also speaking out at this point because of the current rage for identity cards in such diverse locales as Denmark, the United Kingdom, Quebec, Ontario, and, it would appear, British Columbia.
I believe that the Privacy Commissioner of British Columbia is the watchdog for the privacy interests of individuals living in this province and should pursue this role aggressively. This requires me, in my judgment, to advise government as it makes policy choices and, just as importantly, to stimulate education on a specific issue and to encourage public debate. That is a major purpose of my presentation today. I advised the government over an eighteen-month period about the privacy implications of the Pharmanet prescription profile system that is now in full effect. About six months into the process of consultation, I made a public speech on the issue in Vancouver on March 17, 1994. The government then engaged in its own process of public consultation that same summer.
In the summer of 1995 I have received a number of complaints from the general public finally awaking to the privacy implications of having their prescription profiles available in every community pharmacy in the province, unless they take measures to restrict their information to one specific pharmacy and use a password to control access. My hands are now relatively tied on Pharmanet, since the legislature has approved the legislative changes necessary to implement it. I can listen to complaints, encourage individuals to complain to members of the Legislature as well as to me, and continue to monitor the implementation of the protective measures that are in place. I intend to do so.
The Pharmanet experience and that with criminal record checks legislation has encouraged me to try to get out in front of policy makers in the bureaucracy on what the Minister of Government Services has called "super" identification cards. If I wait till the public service has shaped options for its political leadership, and a Cabinet committee has made a choice, it is my experience, and that of my colleagues in other provinces, that my capacity to effect change only exists at the margins. It is my intention to stimulate education and public debate at a time when identification cards are being considered for multiple purposes in the public sector with considerable potential ramifications for practice in the private sector as well.
I begin with some very bold summary statements about identity cards, which I expand on below. The best précis of my overall arguments is the conclusion. My interest in the subject matter derives from my sense that the prospect of multi-purpose identity cards is the most fundamental privacy issue at the moment in Canada and in this province.
1. I begin with the recognition that there is a pressing need for unique personal identification in the public and private sectors. My response to this situation is as follows:
a) Multipurpose identity cards should not include a unique personal identifier (PIN) in the form of a number. However, such a card would likely contain a digitized photograph of the bearer. I find the latter practice an acceptable form of unique personal identification.
b) What is wrong with current systems of positive identification? For example:
· addresses: a significant number of Canadians change residence on a regular basis
· telephone numbers: unlisted numbers are increasingly popular; many do not identify other parties living at the same address
· Social Insurance Numbers: not a reliable system of unique personal identification, although they are in common use. The problem is that too many persons have more than one card and one number. Further, their use is already a source of anxiety and paranoia among Canadians, because their collection is not regulated by law.
· Personal Identification Numbers: I have identified PINs in various writings as the key to a surveillance society. I am especially insistent that ID cards in British Columbia not be tied to numbers other than ones used to identify a specific card issued, rather than a specific user of the card. Thus lost cards would be replaced with a new card with a sequential number in my scheme of things.
· retina scans: are reliable but expensive to implement as a unique identifier
· fingerprinting: an available technology, even for smart cards, but fingerprinting encounters resistance from individuals who associate the process with serious criminality. Same for palm prints.
· photographs: currently exist on drivers' licenses; are in increasing use on current credit cards
· digital photographs: proposed for use with new ID cards in B.C.; are acceptable if databanks of digital photographs are not used for other purposes without the explicit consent of the legislature expressed in an act or a regulation.
3. ID cards are a technology in search of an application in advanced industrial societies; but do we really need ID cards, or are they being imposed on us because of the modern-day urge to worship new and better technology? Should we choose claims of enhanced efficiency at all costs? Current technologies of cards and of identification that are in place already include:
· digital cameras and photographs
· smart cards
· tamper-proof ID cards
· fraud will reoccur, despite ID cards, because the incentives to defraud government are so great and the creativity of individuals in law-breaking is so substantial;
· the history of Social Insurance Numbers ensures that novel and multiple uses of ID Cards will clearly emerge, because of the pressures in our society for efficiency and to prevent fraud, to ensure convenience, and the insensitivity on the part of many to invading the privacy of others. Most people do not become concerned about measures that invade the privacy of others until it happens to them.
· resistance to forced identification and numeration of the general public will occur. Such resistance has its origins in the Old Testament cautions against numeration and the history of abuses by the Nazis and the Stasi in this century.
1. As a privacy advocate, my particular emphasis is on the substantial extent to which the introduction of provincial identity cards would further facilitate the operation of a surveillance society. More explicitly, I am concerned that provincial identity cards would subject individuals to increased surveillance in all aspects of their lives.
2. Should ID Cards be issued by the government for multiple purposes? From a privacy perspective, I answer this query with a provisional yes, subject to the requisite protections and controls being put in place as an integrated package.
3. What protective mechanisms and practices can be incorporated to protect personal privacy? I answer this question in detail below by identifying appropriate and essential fair information practices.
III. CHOICES FACING PRIVACY ADVOCATES
1. The Choice of An Approach
All privacy advocates have a fundamental inclination, if not drive, to resist the imposition of identification cards as a fundamental invasion of personal privacy and a threat to human rights, especially in the English-speaking world. Resistance to identity cards has also been articulated internationally. For example, Australian privacy advocates soundly defeated a proposed national identification card in the mid-1980s. Earlier in the decade Germans, and French Socialists, also defeated comparable proposals.
The instinctive option for a privacy advocate is all-out resistance to the idea of requiring citizens to carry identification cards. I expect that some people in British Columbia, especially libertarians and left-wingers, will adopt this strident position. For various reasons, I believe that such a stance no more sits well with my role as Privacy Commissioner than does an approach of passivity, an attitude inspired in part by my inability to influence comparable government decision making in this province in the past year. I am not especially interested in the role of a Jeremiah crying in the wilderness, although my lifelong study of the Puritans has given me some preparation for it.
2. Sources of Criteria for a Privacy-Impact Statement
As a proponent of data protection along with the privacy protection community in this province, it is an ongoing struggle to fashion a responsive privacy-impact statement on ID cards and the philosophical bases for it. Expecting a new technology or data practice to conform to what are called fair information practices (FIPS) goes back to the beginning of data protection in advanced industrial societies in the early 1970s. In what follows, I propose to apply FIPS to various aspects of identification cards before reaching some conclusions. The basic notions are derived from my book, Protecting Privacy in Surveillance Societies (1989), the B.C. Freedom of Information and Protection of Privacy Act (the Act), and the 1995 European Union Directive on Data Protection, the latest effort to fashion a comprehensive set of FIPS for the public and private sectors. Canadians intending to move personal data from Canada and its provinces into and out of the eighteen member nations of the European Union now have until 1998 to demonstrate that we have equivalent and/or adequate data protection measures in place. In my view, only Quebec in North America can make such claims at present.
Debates about the use of identity cards raise issues about personal interests and human rights. For privacy advocates, the salient values at stake in these debates include:
· the right to control disclosure of one's own identity
· the right to individual autonomy
· the right to be left alone
· the right to limit accessibility
· the right of exclusive control of access to private realms
· the right to minimize intrusiveness
· the right to enjoy solitude
· the right to enjoy anonymity
European data protectors are better than North Americans in requiring full transparency for all personal data flows and technological applications. This is a fundamental principle. The intention is to ensure that members of the general public have available a complete explanation of how an application like identification cards works and what choices they can make. Education about how ID cards can and will be used is in my view required by section 27(2)(a) of the provincial Act.
A second major principle of data protection that is well articulated in European legislation and practice is the idea of finality, which means that legitimate uses of ID cards have to be established in advance of data collection and data sharing. In my judgment, sections 26(a) and 27(2)(b) of the B.C. Act require such controls.
The principle of finality would require the B.C. legislature to prohibit non-specified or other uses of ID cards without explicit statutory authorization. I regard this point of emphasis as a sine qua non. Thus the government, in my view, should forbid the private sector from requiring the production of ID cards, although there would be nothing to stop an individual from voluntarily supplying his or her card. The Legislature should fashion criminal sanctions in the form of fines for the unauthorized requiring of the production of an ID card and make provision for civil damages, of a specified amount, for attempting to deny services to an individual for failure to produce an ID card, if the attempted use is contrary to what the Legislature has approved. The Legislature will also have to establish the time limits for which personal data can be stored before they are destroyed. A data destruction policy is an inherent component of data protection.
The British Data Protection Act of 1984 makes possible criminal prosecutions of individuals who breach certain rules established under its registration system. I am increasingly of the opinion that the absence of explicit criminal sanctions for breach of the B.C. Act is an unfortunate omission that the legislature will need to address in the four-year review scheduled to begin in 1997.
I refer to three specific experiences in Canada in support of the principle of finality, as well as sections 32(a) and 32(b) of the Act. It is now common knowledge that Parliament's failure to limit the use of the Social Insurance Number in 1964 made possible the unintended emergence of a unique personal identifier in Canada. See David H. Flaherty, The Origins and Development of Social Insurance Numbers in Canada (Privacy Commissioner and Department of Justice, Ottawa, 1981, 210 pp.).
In 1989 the Ontario legislature enacted measures to limit the use of the Ontario Health Card Number without specific authorization. The intent was to limit the use of the card to health-related purposes. See David H. Flaherty, "Privacy, Confidentiality, and the Use of Canadian Health Information for Research and Statistics," Canadian Public Administration, XXXV, No. 1 (1992), p. 80. While this was a positive step, it is the judgment of some privacy advocates that the legislature should have included sanctions and specific oversight mechanisms to ensure that these rules were followed in practice. It is also noteworthy that this innovation did not prevent individuals from obtaining multiple cards, despite government assurances to the contrary.
I am also dissatisfied that the B.C. government did not accept my recommendation that unauthorized uses of Pharmanet prescription profiles should be specifically prohibited by law. Despite the protections built into the system, past experience has shown that if personal information exists in an accessible form, it will be used for good and bad purposes. This is the process of "function creep," which means that more and more uses for the database will be dreamt up once it is in place. For example, there is nothing to prevent employers from requiring an individual to produce his or her prescription profile, available on request to Pharmanet, as a condition of employment. The police and other law enforcers may want to use Pharmanet to locate suspects. The Motor Vehicle Bureau may try to argue that access to Pharmanet should determine who holds drivers' licenses. Politicians and campaign workers may seek unauthorized access to the system in order to discredit their opponents. Candidates may be challenged to produce a printout of their drug use profile in order to prove that they are clean. In short, those who claim that they have nothing to hide will have one more source that they can be pressured to release to the public. In my judgment, such practices are breaches of the principle of finality and demonstrate the working out of unintended consequences.
The private sector needs unique identification of individuals as much as the government of B.C. does. But I believe that the private sector has a considerable ability to develop its own unique identifiers. I note, for example, that Citibank's Mastercard now offers clients the possibility of a photocard: "A Citibank Photocard gives you the security of knowing that only one, unique face is on the front of your card." (Advertising, National Geographic, 1995) Although I expect that smart cards issued jointly by the public and private sectors will eventually offer multiple but discrete services, fully controlled by the cardholder, there is no evidence of a political will to offer such multiple service cards at present. Nor, in my opinion, is the Canadian public ready to accept them.
5. Informed Consent
One of the essential prerequisites, in my judgment, for my acceptance of ID cards for multiple uses in this province is that they be made voluntary. I view this as a requirement of section 32(b) of the Act. Individuals in the first instance should decide that they want to use such government cards. I expect that a significant proportion of the population will choose to do so. But it is contrary to the concept of informational self-determination to require everyone to adopt and use such a card. It would be coercive to do so and unnecessarily provoke the kind of resistance already visible in the current Pharmanet debate. One of the major criticisms of the current system is that anyone wanting a prescription, however it is paid for, has to "allow" his or her information to be recorded in a stored profile.
The government should require the production, not the carrying, of ID cards in order to obtain services. Thus someone driving a car, seeking income assistance, or wanting specific health care may have to produce identification in order to obtain services. If some persons choose to carry the ID card with them all of the time, that is their choice. Those who wish to avoid the state asking for identification on demand can make a different choice.
My recommendation is that voluntary ID cards should in fact be smart cards, including a digitized photograph, that only an individual can control the use of, including authorization by means of a unique password, before personal data on one's smart card can be required by anyone offering government services or third parties. An override might be necessary for emergency medical information that someone chooses to carry on his or her card. A smart card allows the person to permit access to one or selected segments of the data incorporated in the card.
Smart cards look like ordinary credit cards, but they contain a micro-processor chip that, in current production models, holds up to 64k of information. Memory capacity will increase year by year. Because certain information locked into the card's memory at the time of production will destroy the card electronically if someone attempts to read it by external means, smart cards are almost impossible to counterfeit. The secret data are used to verify that the card is genuine when it is being personalized for a specific card holder. There are two other categories of information on the card: a suitable card reader can access so-called public information, while protected information is only available following the successful entry of a Personal Identification Number (a password), which is known, literally, only to the card holder. (For information in this and the succeeding paragraph, I am indebted to a presentation by Alan Laird of Bull Information Systems Ltd. at Privacy Laws & Business's Conference in Cambridge, UK in July 1995.)
The smart card would make an ideal multi-purpose identity card, because it can hold any number of discrete applications, including medical records, identity details, benefit entitlements, and driving license information. A third party would be provided with access only to information that he or she is allowed to see. The card can also be used to encrypt data for further security. A smart card can further be used to create an audit trail for any employee having access to a computer holding personal records, as currently occurs at CNAM, the French National Health Service Administration.
6. Controlling Record Linkages
I especially fear the extent to which the introduction of identity cards for various specific purposes would lead to their widespread use for multiple purposes. Experience has shown that information made available for one purpose is likely to find other applications as well, because of convergent pressures for efficiency.
If not severely restricted by legislation and regulations, the introduction of multiple-purpose identity cards will considerably increase the pressures for record linkages for various reasons, since each recorded use of a card will produce a digital data trail. One solution, of course, is simply to examine a card and furnish a requested service, such as income assistance. But, in my judgment, the pressures for recording access to a card will be enormous. The strong temptation will be to "swipe" a card and thus create a digital record of what evidence was used for identification in a particular case.
Swiping may have especially deleterious effects on personal privacy if not curtailed. Like the use of credit or debit cards today, the system will know where you are or were at a particular time. It may be appropriate for an income assistance office to establish that Mr. X picked up a welfare cheque on a particular date, time, and place in order to prevent fraud. What data protection rules need to establish is how long such personal data can be stored. Limiting duration in order to minimize intrusiveness in the private lives of individuals is the basic principle. Thus a thirty-day rule might be adequate in this instance.
But there are, and will be, strong pressures to create profiles of individuals who are motor vehicle drivers, health care users, or recipients of social assistance. The Pharmanet prescription system is already a profile of most individual members of the population. The current drive to reduce welfare costs in British Columbia with tighter and tighter rules for qualification is a case in point. System designers will face irresistible pressures to profile patterns of individual use for administrative purposes. Simply to mention the possibility is a reminder of the likelihood that a significant proportion of the population would support such initiatives, unthinking of the extent they themselves might at some point be victims of such invasive practices. The further stigmatization of less privileged groups in our society is a likely prospect.
I remind you of the profile of you that would result from the collection and integration of your personal data from your use of the following cards: driver's license, credit cards, debit cards, B.C. Tel, library card, health care card, mileage cards, grocery store cards, video rental cards, building security cards, parking cards, dental insurance cards, SIN cards, and emergency health cards.
It will be essential, in my view, to prohibit the routine profiling of individuals based on transactional data, unless there is probable cause to do so for law enforcement purposes.
7. The Need for Oversight and Monitoring Mechanisms
It is one thing to require rules of the road in the form of fair information practices; it is another thing to ensure compliance by oversight, audit, and complaint-handling mechanisms. Thus, as would be anticipated under B.C.'s Freedom of Information and Privacy Act, the use of identity cards, from a privacy perspective only, should be fully subject to the oversight of the office of the Privacy Commissioner, as would indeed be the case at present. When the system works as it should, this means that public bodies will consult with the Commissioner in advance of seeking new applications of identity cards. Whatever data protection solutions can be fashioned, the Commissioner's office can then exercise oversight by means of site visits, investigations, and responding to complaints from the public.
8. Methods of Ensuring Unique Identification
For reasons suggested above, my preference is that the holder of an identity card should be identified uniquely by his or her digitized photograph on the card rather than by a unique Personal Identification Number. I have no objection to a serial number on a card that would be attached to the card and not the holder, in the event of having to replace a card for loss or damage. I would then want the replacement card to bear the next assignable number rather than a unique identifier.
Individuals must be able to control access to their own data on their own identity card by means of a password, such as is possible with the Pharmanet prescription profile card in British Columbia at present. (I note, however, that the latter process, unwisely in my view, does not permit the holder to input his or her password directly into the Pharmanet system.) In my judgment, the use of passwords should be mandatory if smart cards are adopted as the basic identity card. An override system would be permissible for emergency uses of health information on the card, such as in a hospital emergency room. Again, precedents exist for such practices with the current Pharmanet system (which does not use cards).
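The voluntary smart-card design set out in sections 5, 6 and 8 (segmented applications, a holder password gating protected data, an emergency override limited to medical information, serial numbers bound to the card that advance on replacement, and a thirty-day retention rule for recorded presentations) as an added Python model; it is not code from this presentation or from any B.C. system. The class and function names, the PBKDF2 hashing of the PIN, the dictionary-based access log and all sample values are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 30  # the "thirty-day rule" for records of card presentations

@dataclass
class Segment:
    """One discrete application on the card (medical, licence, library, ...)."""
    name: str
    data: dict
    protected: bool = True            # False: any card reader may read it ("public" data)
    emergency_readable: bool = False  # True only for emergency medical information

class SmartCard:
    def __init__(self, serial, photo_digest, pin, segments):
        self.serial = serial              # identifies this card, never the holder
        self.photo_digest = photo_digest  # the digitized photograph identifies the holder
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)  # only a hash of the holder's PIN is kept
        self.revoked = False
        self._segments = {s.name: s for s in segments}

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def read(self, segment, requester, log, now, pin=None, emergency=False):
        """Release one segment, or None if refused. Protected data needs the holder's
        PIN; the emergency override opens only segments flagged for it. Every
        presentation, granted or not, leaves a record in the access log."""
        seg = self._segments[segment]
        allowed = not self.revoked and (
            not seg.protected
            or (emergency and seg.emergency_readable)
            or (pin is not None and hmac.compare_digest(self._pin_hash, self._hash_pin(pin))))
        log.append({"when": now, "card": self.serial, "segment": segment,
                    "requester": requester, "granted": allowed})
        return dict(seg.data) if allowed else None

class Issuer:
    """Serial numbers run sequentially over cards, so no number follows the holder."""
    def __init__(self):
        self._next_serial = 1

    def issue(self, photo_digest, pin, segments):
        card = SmartCard(self._next_serial, photo_digest, pin, segments)
        self._next_serial += 1
        return card

    def replace(self, lost, pin):
        """A lost card is revoked; the replacement takes the next assignable number."""
        lost.revoked = True
        return self.issue(lost.photo_digest, pin, list(lost._segments.values()))

def purge_expired(log, now, days=RETENTION_DAYS):
    """Data destruction policy: drop presentation records older than `days`."""
    cutoff = now - timedelta(days=days)
    log[:] = [r for r in log if r["when"] >= cutoff]
    return log

def demo():
    """Walk one constructed card through the situations the presentation raises."""
    issuer = Issuer()
    card = issuer.issue("constructed-photo-digest", "4821", [
        Segment("identity", {"name": "M. Example"}, protected=False),
        Segment("medical", {"allergy": "penicillin"}, emergency_readable=True),
        Segment("licence", {"class": "5"}),
    ])
    log, t0 = [], datetime(1995, 9, 26)
    out = {"public": card.read("identity", "library", log, t0)}
    out["no_pin"] = card.read("licence", "mvb-counter", log, t0)  # swipe without the holder's PIN
    out["with_pin"] = card.read("licence", "mvb-counter", log, t0, pin="4821")
    out["er_override"] = card.read("medical", "hospital-er", log, t0, emergency=True)
    out["er_licence"] = card.read("licence", "hospital-er", log, t0, emergency=True)
    replacement = issuer.replace(card, "4821")
    out["serials"] = (card.serial, replacement.serial, card.revoked)
    out["lost_card"] = card.read("identity", "library", log, t0)  # revoked card is refused
    replacement.read("identity", "library", log, t0 + timedelta(days=40))
    out["kept_after_purge"] = len(purge_expired(log, t0 + timedelta(days=45)))
    return out
```

The override reaches only the medical segment, and the purge keeps just the one presentation made within the last thirty days.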
IV. CONCLUSION: VOLUNTARY SMART CARDS
My basic recommendation is for a system of voluntary smart cards that permit individuals to choose how to identify themselves at various points in their daily relations in society. In fact, individuals could choose to use the card, freely, for any kind of transaction where identification is normally required today, such as cheque cashing.
The advantage of true smart cards is that they can be adopted for multiple purposes over time, including the following possible applications, each of which would have a separate, segmented portion of the card:
· emergency medical information
· anonymous telephone charge card
· credit card/debit card/charge card
· library card
· drivers' license
V. SUMMARY OF RECOMMENDATIONS
I want to emphasize that what follows is a package of recommendations that need to be accepted, almost in full, as a package. They are intended as a "coherent" whole. Thus rejection of one may cause this particular house of cards to come tumbling down.
a) There should be full transparency in the implementation and ongoing use of ID Cards. The public must know how identification cards work and what choices they can make. Education about how ID Cards can and will be used is, in my view, required by section 27(2)(a) of the Freedom of Information and Protection of Privacy Act.
b) The principle of finality must be applied to the conception and implementation of ID Cards. This means that legitimate uses of ID Cards should be established in advance of data collection and data sharing. In my judgment, this is required by the Freedom of Information and Protection of Privacy Act.
c) The use of ID Cards by the public should be voluntary, which means that they be used by informed consent only. I view this as a requirement of section 32(b) of the Act.
d) ID Cards should, in fact, be smart cards, where the individual alone can control its use, including authorization for its use by means of a unique password.
e) Individuals must be able to control access to their own data. Therefore, passwords should be mandatory if smart cards are adopted as the basic identity card.
f) There should be a prohibition on the routine profiling of individuals based on transactional data, unless there is reasonable and probable cause to do so for law enforcement purposes.
g) There should be oversight, audit, and complaint-handling mechanisms in the use of ID Cards. The use of ID Cards, from a privacy perspective, should be fully subject to the oversight of the Office of the Information and Privacy Commissioner. This means that public bodies would be required to consult with the Commissioner in advance of seeking new applications of identity cards.
h) The holder of an identity card should be identified uniquely by his or her digitized photograph, rather than by a unique personal identifier. Any serial number on the card would be attached to the card and not the holder. Thus any replacement card would bear the next assignable number, rather than a unique identifier.