Grab a coffee and run through these data protection and privacy rules...
Privacy & Security involves a comprehensive approach to system design that incorporates legal, administrative, and technical protections.
To begin with, ID systems should be underpinned by legal frameworks that guarantee individual data security, privacy, and user rights. Many nations have established general data protection and privacy laws that apply not just to the ID system but also to other government or private-sector activities that involve the processing of personal data. In line with international standards on privacy and data protection, these laws generally include broad clauses and concepts specific to the collection, storage, and use of personal information, such as:
- Purpose limitation. Personal data should only be collected and handled for purposes that are either (1) expressly authorized by law, and so can be known to the individual at the time of collection, or (2) purposes for which the individual has given permission.
- Proportionality and minimization. The amount of data gathered by a data-collecting system, such as an electronic medical records (EMR) system, should be limited in proportion to the system's objective, to avoid excessive data gathering and "function creep," both of which might raise privacy issues. This is often expressed as requiring that only the data "required" to fulfill the stated goal, including transaction metadata, should be collected.
- Lawfulness. Personal data should be collected and used in a legal manner, such as with consent, contractual need, government regulation, protection of significant interests, public interest, or legitimate interest.
- Fairness and transparency. Personal data should be collected and used fairly and transparently.
- Accuracy. Personal data should be correct and up-to-date, and errors should be promptly fixed.
- Storage limitations. Personal information, such as transaction data, should not be kept for longer than is required for the purposes for which it was collected and processed. People can be given the option of how long they want transaction metadata kept.
- Privacy-enhancing technologies (PETs). Use technologies that safeguard privacy (e.g., tokenization of unique identification numbers) by preventing or reducing the collection of personal data, hindering unneeded or unwanted data processing, and enabling compliance with data protection regulations.
- Accountability. Personal data should be processed in accordance with the aforementioned principles, with compliance monitored by an independent oversight authority and by data subjects themselves.
In general, personal information should be lawfully acquired (usually through freely given consent) for a specific goal, should not be used for unauthorized surveillance or monitoring by governments or outside parties, and should not be utilized for unrelated activities without permission (unless otherwise authorized under the law). Finally, users should be able to exercise control over their data and have access to methods for exercising that control.
The sections below detail several data protection measures relating to institutional oversight, data security, data sharing, cross-border data transfers, and consumer consent.
EU General Data Protection Regulation (GDPR)
In terms of existing frameworks, the European Union's (EU) 2016 General Data Protection Regulation (GDPR), which is set to take effect in May 2018, is the most recent example of comprehensive data protection and privacy regulation. It is a major reference point for worldwide work in this area, building on previous concepts (such as the OECD Privacy Principles). The GDPR's Article 5 establishes the fundamental principles stated above, requiring that personal data be:
- processed lawfully, fairly, and in a transparent manner in relation to the data subject;
- collected for specified, explicit, and legitimate purposes;
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data.
Furthermore, each EU Member State must set up a supervisory authority to oversee the implementation of the regulation (Article 51(1) of the GDPR). However, many States had previously established their supervisory authorities under Directive 95/46/EC, the pre-existing EU data protection framework.
Some of the newer rights and responsibilities introduced when the GDPR went into effect in 2018 are still a topic of debate in policy circles, and there are still a few legal issues to be resolved. However, the framework's most significant principles have their roots in prior European legal tradition and are not unique to Europe or the GDPR. They are reflected in one form or another in numerous national data protection and privacy regulations throughout the world, owing to a general appreciation of their value.
Institutional oversight
An independent supervisory or regulatory authority is often used to monitor data protection and privacy in general, as well as ID systems, to ensure that they adhere to privacy and data protection law, including safeguarding individuals' rights. A supervisory authority can be a single government official, an ombudsman, or a group of individuals.
Genuine independence of such an authority is a key factor.
The supervisory body may handle public complaints, even though each person whose data is being collected also retains the option of an external binding legal procedure and, ultimately, the courts, at least on matters of law. As a remedy, the agency may order the ID system to correct, delete, or destroy incorrect or illegally gathered data.
The powers and duties of such an authority may include:
- the power to access any data it is entitled to obtain, possibly on a real-time basis;
- responsibilities to monitor, investigate, and enforce compliance with personal information and data protection laws, standards, and rules;
- duties to monitor developments and their impact on individual privacy and data protection rights;
- powers to receive complaints and conduct investigations of potential violations of individual privacy and data protection rights;
- powers to issue decisions on violations of such rights and order remedial action or meaningful sanctions;
- duties to promote public awareness of the rights of individuals and the responsibilities of those entities holding and processing personal data; and
- a duty to give specific attention to the data protection rights of children and other vulnerable individuals.
The Council of Europe (CoE) has gone on to say that, in addition to these responsibilities and powers, supervisory authorities could have other capacities and obligations:
- issuing opinions before the implementation of data processing operations;
- advising on legislative or administrative measures;
- recommending codes of conduct or referring cases to national parliaments or other state institutions;
- issuing regular reports, publishing opinions, and other public communications to keep the public informed about their rights and obligations and data protection issues in general.
Examples of data privacy and protection oversight agencies
The Estonian Data Protection Inspectorate, established in 1999, is a supervisory body empowered by the Data Protection Act, the Public Information Act, and the Electronic Communication Act. The inspectorate must safeguard the following rights guaranteed under the Estonian Constitution:
- right to obtain information about the activities of public authorities;
- right to inviolability of private and family life in the use of personal data; and
- right to access data gathered regarding yourself.
In South Africa, the Protection of Personal Information Act 4 of 2013 established the Information Regulator, an independent body that is subject only to the constitution and the law. Its members are appointed by the President on the recommendation of the National Assembly, following nomination by a committee composed of members from all of South Africa's political parties, and it ultimately reports to the National Assembly. It has a wide range of supervisory responsibilities, including the duty to: educate the public, monitor and enforce compliance with the law, engage stakeholders and mediate between opposing parties, handle individual complaints, conduct relevant research, create codes of conduct and guidelines, and foster cross-border cooperation. It likewise has a system of monitoring that includes the periodic evaluation and monitoring of public and private organizations engaged in the processing of personal data, as well as monitoring the use of unique identifiers. The Act had not yet been fully implemented as of August 2018.
In the Philippines, the National Privacy Commission was established under the Data Privacy Act of 2012. The Commission is attached to the Department of Information and Communications Technology and is headed by a Privacy Commissioner, assisted by two Deputy Privacy Commissioners (one responsible for Data Processing Systems and one for Policies and Planning).
The three Privacy Commissioners are required to be knowledgeable in the area of information technology and data privacy, and all are selected by the President for three-year terms with the option of reappointment. The Commission has its own administrative department. The Commission's numerous responsibilities include assuring data privacy compliance; receiving and investigating complaints; publishing a manual that summarizes all data protection laws; determining whether a change in privacy safeguards is appropriate and necessary, for example by reviewing and validating privacy codes voluntarily implemented by personal information controllers; offering views on the data privacy implications of forthcoming national or local legislation or procedures; and liaising with data privacy regulators in other nations (see Philippines Data Privacy Act of 2012, Chapter II).
In the United Kingdom, the Data Protection Act 1984 created the position of Information Commissioner (formerly known as the Data Protection Registrar), although the powers given to that role have grown under each subsequent version of the Data Protection Act. The Information Commissioner is a public official who heads the UK Information Commissioner's Office (ICO). The ICO is an independent regulatory body that reports directly to Parliament and is dedicated to monitoring, investigating, and penalizing breaches of data protection and privacy law in the UK (including Scotland).
Data security
Personal information should be stored and handled securely and protected from being stolen or corrupted. Given the growing potential for cyberattacks, meeting this standard is becoming increasingly vital for digital identification systems. Some of the basic security measures that might be required under a legal framework (some of which are detailed in Section III, Privacy & Security) include:
- Encryption of personal data
- Anonymization of personal data
- Pseudonymization of personal data
- Confidentiality of data and systems that use or generate personal data
- The integrity of data and systems that use or generate personal data
- Ability to restore data and systems that use or generate personal data after a physical or technical incident
- Ongoing tests, assessments, and evaluations of the security of systems that use or generate personal data
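The tokenization of unique identification numbers mentioned under privacy-enhancing technologies, the pseudonymization listed above, and the purpose-limitation and minimization principles can be combined in one mechanism at the ID authority. The following is an added illustration, not code from the original page or from any real ID system: the sample record, field names, sectors, and purposes are constructed assumptions. Each relying party receives only the attributes authorized for its purpose, keyed by a sector-specific HMAC token rather than the raw number, so two sectors cannot join their records and neither can recover the number without the authority's secret.

```python
"""Sector-specific tokenization of a unique ID number (UIN) combined with
purpose-bound data minimization. Constructed example; the record, field names,
sectors and purposes below are assumptions, not taken from any real ID system."""
import base64
import hashlib
import hmac
import secrets

# Constructed sample record held by the ID authority (hypothetical person).
SAMPLE_RECORD = {
    "uin": "1987-0042-7731",
    "name": "A. Example",
    "dob": "1987-04-12",
    "address": "12 Sample Street",
    "biometric_ref": "fp-template-9f3a",  # never released to relying parties
}

# Purpose limitation / minimization: each authorized purpose maps to the
# minimum set of attributes it needs. Any other purpose is refused.
PURPOSE_FIELDS = {
    "age-verification": {"dob"},
    "social-benefit": {"name", "dob", "address"},
}


class IdTokenizer:
    """Derives a stable, sector-specific pseudonym for a UIN with HMAC-SHA256.

    Only the ID authority holds the secret, so a relying party cannot recover
    the UIN from a token, and tokens issued to two different sectors cannot be
    joined to build a cross-sector profile of the same person."""

    def __init__(self, secret: bytes):
        if len(secret) < 32:
            raise ValueError("secret must be at least 32 bytes")
        self._secret = secret

    def _sector_key(self, sector: str) -> bytes:
        # Per-sector subkey: changes the UIN -> token mapping for every sector.
        return hmac.new(self._secret, b"sector:" + sector.encode(), hashlib.sha256).digest()

    def token_for(self, uin: str, sector: str) -> str:
        mac = hmac.new(self._sector_key(sector), uin.encode(), hashlib.sha256).digest()
        # 128-bit truncation, URL-safe, no padding: 22 characters.
        return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()

    def matches(self, uin: str, sector: str, token: str) -> bool:
        # Constant-time comparison when the authority re-checks a presented token.
        return hmac.compare_digest(self.token_for(uin, sector), token)


def release_for_purpose(record: dict, purpose: str, sector: str, tokenizer: IdTokenizer) -> dict:
    """Return the minimized view a relying party in `sector` receives for `purpose`:
    only the fields authorized for that purpose, keyed by a sector token instead of
    the raw UIN. Unknown purposes are refused, which blocks "function creep"."""
    if purpose not in PURPOSE_FIELDS:
        raise PermissionError(f"purpose not authorized: {purpose}")
    view = {k: v for k, v in record.items() if k in PURPOSE_FIELDS[purpose]}
    view["token"] = tokenizer.token_for(record["uin"], sector)
    return view


def tokens_unlinkable(tokenizer: IdTokenizer, uin: str, sectors: list) -> bool:
    """True if every sector receives a distinct token for the same UIN."""
    toks = [tokenizer.token_for(uin, s) for s in sectors]
    return len(set(toks)) == len(toks)


if __name__ == "__main__":
    # Demo key only; a deployment would load the key from protected key storage.
    tok = IdTokenizer(secrets.token_bytes(32))
    print(release_for_purpose(SAMPLE_RECORD, "age-verification", "retail", tok))
    print(tokens_unlinkable(tok, SAMPLE_RECORD["uin"], ["retail", "health", "tax"]))
```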
In line with international norms, data controllers in many countries are required to inform data subjects of significant data breaches affecting them. Furthermore, countries may have legislation in place to identify and counteract cyber threats as well as to penalize unlawful data access, use, or modification. Finally, legal frameworks should include adequate penalties for unauthorized data access, usage, or modification by data administrators and third parties, including the criminalization of:
- Unauthorized access to ID systems or other databases holding personal data
- Unauthorized monitoring/surveillance of ID systems or other databases holding personal data or unauthorized use of personal data
- Unauthorized alteration of data collected or stored as part of ID systems or other databases holding personal data
- Unauthorized interference with ID systems or other databases holding personal data
Here are some examples of security breach notification laws:
Under Article 33 of the GDPR, any personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach "is unlikely to result in a risk to the rights and freedoms of natural persons." The notification must include specific details about the incident, such as the categories and approximate number of data subjects concerned, as well as the likely consequences (Article 33). Furthermore, if the breach is likely to result in a high risk to natural persons' rights and freedoms, the data subjects themselves must be informed "without undue delay," and the same information that has to be given to the supervisory body must also be supplied to them (Article 34).
Every state in the United States has a breach notification law, which typically requires private or government organizations to notify individuals of data security breaches and sets out what constitutes a security breach, notice requirements (such as when and how notice must be delivered), and exemptions (such as for encrypted information).
In South Africa, the Protection of Personal Information Act 4 of 2013 (most of which was not yet in force as of August 2018) requires the responsible party to notify the Information Regulator, the national supervisory authority, and the affected data subjects as soon as reasonably possible after discovering a breach. The notification must contain enough information for the data subject to take protective measures against the potential consequences of the breach. The Information Regulator also has the authority to instruct the responsible party to make information about a security breach public if this will protect those who might be affected (South Africa Protection of Personal Information Act 4 of 2013, section 22).
Data sharing
Because linking data across databases raises privacy and data protection issues, legal rules can limit the risks by specifying all of the reasons for which personal information in an ID system may be shared with both government and non-government organizations. Public authorities, for their part, may be limited to accessing data for legitimate reasons related to their responsibilities (the "need-to-know" principle).
The following are some of the potential advantages of information sharing:
- convenience for both government and citizens;
- better government service delivery;
- seamless service transfer when data subjects change address;
- improved risk management;
- cost savings as duplication of effort is eliminated; and
- improved efficiency through more effective use of data.
However, if government agencies do not properly regulate information sharing, it could develop into a "back door" that circumvents individual privacy and data protection rules. Police have a powerful incentive to gather and collect data from comprehensive population databases, such as those established as part of ID systems. Specific worries arise in the context of DNA data, which like other biometric information might be utilized not just to identify a person but also as evidence in the investigation of whether he or she has committed a crime.
Even if two agencies' systems aren't compatible, information sharing can still occur. For example, police could contact ID authorities and request that their record of a specific person be pulled, along with fingerprints, a photo of the face, address, or names of family members.
The right balance between protecting registrants' privacy and assisting criminal investigations is something that policy-makers and judges struggle to achieve. One approach to such issues may be to follow the same rules that apply to other types of searches and seizures in the nation, such as a requirement for a search warrant.
This may be useful in situations where a balance has already been reached on the subject of personal privacy versus public benefit.
Here are a few examples of rules governing data sharing:
Article 4(2) of the EU 2016 Police and Criminal Justice Data Protection Directive stipulates that personal data collected for one purpose (for example, by an ID system or for a driving license) may be processed for another law-enforcement purpose only if (a) the controller is authorized by law to process the data for that purpose and (b) such processing is necessary and proportionate to that other purpose.
In India, the Aadhaar Act 2016 permits information to be revealed only after the Unique Identification Authority of India (UIDAI) has been consulted and its input is taken into account. In the interest of national security, information may be disclosed, including "essential biometric data," on the order of government officials at or above a certain rank when this has been authorized by an order of the central government and reviewed by an Oversight Committee consisting of the Cabinet Secretary and Secretaries to the Government in the Department of Legal Affairs.
The federal Privacy Act 1988 (as amended) in Australia includes as one of its "Privacy Principles" the requirement that personal information about an individual gathered for a specific purpose should not be used or disclosed for another purpose without their consent. However, there is an exemption for uses and disclosures that are "reasonably necessary" for enforcement-related activities carried out by or on behalf of an enforcement body, such as the prevention, detection, investigation, prosecution, or punishment of criminal acts, as well as for uses and disclosures authorized by law or court order. Any such enforcement-related use or disclosure should be documented in writing to encourage accountability.
Cross-border data transfers
One of the drivers for worldwide agreement on basic principles for the protection of personal data has been the need to safeguard personal information as it travels across national borders. For example, the OECD Privacy Framework (adopted in 1980 and revised in 2013) stipulates in its principle on transborder data flows that a data controller "remains responsible for personal data under its control regardless of location" (Article 17).
However, due to concerns about data protection regulations in foreign countries, many nations have restricted extraterritorial data transfers. Transfers may be allowed under specific circumstances or when the data protection standards of a third country are judged adequate. This is particularly sensitive in the case of personal data for national ID systems, civil registration, and voter registration systems. In addition to transferring data across borders, legal frameworks may also include arrangements for regional or international interoperability or mutual recognition of their ID systems.
GDPR limits on data transfers
Except in certain cases, the EU's GDPR restricts data transfers outside of the European Economic Area. Transfers are permitted if the European Commission decides that the receiving country provides "adequate protection" (Article 45). This requires a careful evaluation of the country's data protection framework, including its protection of personal data and its oversight and redress procedures. Adequacy decisions have been made for 12 countries, including Canada (for commercial organizations), Israel, Switzerland, and the United States (limited to the Privacy Shield framework).
In July 2018, the European Commission announced that it had opened a formal adequacy review of Japan's data protection system. The United Kingdom, like other European nations before it, is attempting to obtain an adequacy decision from the European Commission that would apply after the UK leaves the EU (Brexit). Transfers are also permitted in certain other cases, such as when the transferor has established "appropriate safeguards" through one of a variety of methods, including a legally enforceable agreement between public authorities, certain contract clauses (e.g., the EU Commission's Model Clauses), or the existence of an approved and effective code of conduct, among others (GDPR Article 46).
User consent and control
Unless there is another basis in law for such collection and use, an individual's data should only be acquired and utilized with his or her consent. For consent to be meaningful, clear notification to the individual regarding the nature of his or her data collected and intended uses must be provided.
In many cases, international and regional standards and national legislation provide exemptions to the consent requirement for data collection and use when the government collects data lawfully, such as through ID systems (see, for example, the EU Commission's model contracts for international data transfers). Where no consent is needed or obtained, transparency, in the form of clear and accessible explanations, can at least help assure public trust and prevent misunderstandings. Individuals can be informed of which information is considered public and which will be kept private.
Some nations have a "privacy policy" in the form of an easy-to-understand document that explains how personal information is collected and used. However, to raise public awareness of personal data collection and usage, educational campaigns are also required. These may be used to dispel misconceptions and address worries, as well as to identify where queries and complaints can be directed.
Laws on user consent
The GDPR treats "special categories" of data (for example, biometric data) as requiring additional conditions before they can be processed, one of which is obtaining the individual's "explicit" consent to the processing (GDPR Article 9). How "explicit" consent differs from ordinary GDPR consent, which must already be specific, informed, and given by an affirmative action, is not yet clear. However, given that the GDPR has only been implemented recently, it is probable that further guidance will be provided to clarify this.
The California Consumer Privacy Act of 2018 applies to certain organizations that collect the personal information of California residents and will become effective in 2020. Unlike the GDPR, the Act generally does not require consent before personal information is collected. However, at the time of data collection, consumers must be informed "as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used" (Cal. Civ. Code §1798.100(b)). In addition, further information must be included in an online privacy policy or on a website and updated every year (Cal. Civ. Code §1798.130(a)).
The federal Privacy Act 1988 (as amended) in Australia includes as one of its "Privacy Principles" the requirement that personal information about a person collected for a specific purpose must not be used or disclosed for another purpose without the person's consent. There is, however, an exemption for enforcement-related activities (such as the prevention, detection, investigation, prosecution, or punishment of criminal acts) as well as for uses and disclosures authorized by law or court order. For enforcement-related activities, a record must be kept to promote accountability.
In addition to user consent, many legal and regulatory systems (such as the OECD Privacy Framework, Chapter 3 (OECD 2013), the International Covenant on Civil and Political Rights, General Comment 16 on Article 17 (UN 1988), the Council of Europe's Convention 108+, and APEC's Article 23c (APEC 2004)) define privacy rights, including an individual's rights to access, review, correct, and erase personal data about them. Even in a mandatory ID framework, the "right of erasure" or "right to be forgotten" might apply to specific pieces of personal data, such as biometric data (particularly genetic material), a prior married surname, or the birth parents' names of an adopted child (Kelly & Satola 2017, Kindt 2013). Clear administrative processes and technological methods for personal oversight and complaint redress should be provided to guarantee that individuals can exercise their rights to access, review, update, and erase their personal information.
Finally, certain legal and regulatory systems guarantee data portability as a fundamental right. Data portability refers to the ability of an individual to easily move, copy, or transmit their data from one technology environment to another, which lets individuals use the data collected about them in new ways. In the context of commercial enterprises, such portability reduces the danger that consumers will be "locked in" to a single service provider that holds an advantage over competitors lacking immediate access to that data.