Comments on the National Identity Management Systems Act (2021)

Dr. Ronnie Yearwood and I (Niel Harper) recently collaborated to provide expert comments on the National Identity Management System Act (2021) just passed by the Government of Barbados. Given that this piece of legislation was quickly passed with no opportunities for public debate or feedback, we felt it necessary to articulate and ventilate some of our key concerns with the statute in its current form.

GENERAL COMMENTS

Disability and Accessibility

  • In line with the obligations under the United Nations Convention on the Rights of Persons with Disabilities, there are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded.

Oversight and Liability

  • There is no mention of a supervisory and oversight body that ensures the digital ID system is used for its intended purposes (to prevent abuse and misuse), to audit and certify the digital ID provider and third-party trust services, to address complaints, and ultimately provide redress.
  • There is no mention of the liability to be assumed by the government or trust services providers to ensure due diligence, transparency and accountability of their operations and services related to the digital ID. The digital ID service provider (Government) and trust services providers should be liable for damage caused to any natural or legal person due to failure to implement robust privacy and security controls or otherwise disadvantage individuals via the delivery of the digital ID system.

Breach notification

  • The Act does not speak to data breach notification and the relationship between this statute and the Data Protection Act (2019) which is critically important.  Furthermore, the Office of the Data Commissioner does not have the staffing or capabilities to oversee the various activities related to large scale data collection and processing.

Comprehensive digital ID ecosystem

  • The Act does not comprehensively cover electronic signatures, electronic seals, time stamps, electronic documents, and website authentication. The legal effect of the above needs to be clearly defined to avoid confusion. Existing practices, standards and legislation exist that can be built upon to address these matters which are integral to a functional digital ID system. Without those features, the Government will essentially be replacing the existing physical ID cards and not truly realizing the value of a digital ID ecosystem that delivers identity, authentication and trust services.

Interoperability

  • The Act does not speak to an interoperability framework that guarantees the digital ID system is built using open standards and can be seamlessly integrated into national and cross-border digital identity ecosystems.

SPECIFIC COMMENTS

Discrimination and equality before the law

Section 5 (9) “A person who is a visitor shall not be eligible for registration in the National Register unless that person is a person to whom subsection (1) applies.

(Section 5(1) covers persons, for example born in Barbados or citizens of Barbados who “shall be registered in the National Register.”)

  • The point is that a person who is a visitor to Barbados shall not be eligible for registration in the National Register unless section 5(1) applies.
  • Is it that only Barbadians and persons resident in Barbados must register to gain access to public services (see section 5(10)) regarding the fact that if you are not registered under the Act you cannot get a national registration number, cannot be added to the electoral register to vote, cannot obtain a permit to drive, or qualify to access any goods or services requiring presentation of the ID?
  • This looks somewhat discriminatory because the same requirement does not seem to be placed on foreigners for any access to services. I have not seen a reason for this proposed by the government.

(Also see section 12(1) reads: “A person who is issued an identification card may be required to produce his identification card (c) for the purpose of voting in an election in Barbados; (d) for the purpose of accessing goods or services provided by the Government or the private sector… and that identification card shall be prima facie evidence of the identity of the person shown on the identification card…”)

Voter’s rights, registration and identification

Section 5(10)(d) “A person who is not registered under this Act shall not qualify to be added to the register of electors or the revised register of electors prepared under the Representation of the People Act, Cap. 12

Section 34(1) An identification card authorised under section 25 of the Representation of the People Act, Cap. 12 or under the Statistics Act, Cap. 192 shall remain valid for a period of 12 months from the date of the commencement of this Act.

  • Therefore, section 34(1) provides that an ID card under the Representation of the People Act shall only remain valid for 12 months from the commencement of the new ID law. When has the Act been commenced?

Section 12(1)(c) “A person who is issued an identification card may be required to produce his identification card for the purpose of voting in an election in Barbados.”

  • This needs clarification as there should be more than one valid piece of identification to enable voters’ rights.

Section 12(2) “Where a person is unable to produce his identification card for the purposes mentioned in subsection (1), the person authorised to require such identification shall, unless another form of identification is authorised by law, defer consideration of the person or refuse access until such time as the relevant identification card is produced.”

  • This does not appear to make sense because what other forms of ID are relevant if every other ID is being subsumed by the digital ID based on the Government’s argument that the digital ID is to prevent fraud and bring efficiency in one form of ID.
  • In the alternative if we consider that other forms of ID can be considered as noted in the law, it is not stated what these forms of ID are and section 5(10) it states that a person not registered under the law shall not, “qualify to access any service or goods which require the presentation of an identification card to obtain such services or goods.” So, in effect the digital ID becomes the only way to access public services.
  • Overall, sections 12 (1) and 12 (2) links the provision of universal public services to the digital ID and denial of such services for failure to produce the digital ID. Section 18 also links the ID to access of public services.
  • If the point of the digital ID is to confirm a person is who they are to access the service, then how it is rational to exclude other forms of ID, while someone is denied access to vital public services, (which we assume to be health, welfare, education as the Act does not define or specify these services).
  • Section 12 does not define these goods and services.
  • Is section 12(d) proportionate? Does it achieve what Government claims the law should address, i.e., identity theft? However, what identity theft occurs if someone presents themselves for universal public services such as medical treatment or other related public services?
  • Can the Government realistically transition the entire population off the existing ID cards in 12 months? What contingencies are in place if this is not achieved? Most importantly, this appears to suggest that after 12 months the only valid form of identification to vote will be the digital ID card. Can this lead to voter disenfranchisement and violation of the individual’s constitutional rights? Should not other forms of identification such as a verified passport or driver’s license be satisfactory to allow an individual to vote?

Driver’s licence

5(10)(e) “A person who is not registered under this Act shall not (e) qualify to obtain a driver’s permit or licence”

  • Is this disproportionate, and could harm chances for employment as well as affect mobility?  What is the justification?

Access to Goods and services

5(10)(f) “A person who is not registered under this Act shall not qualify to access any service or goods which require the presentation of an identification card to obtain such services or goods.”

  • This is exclusionary in nature and also does not take into consideration that other forms of identification are valid.
  • Also, there is no definition of goods and services.

Fingerprinting – Optional, as a “refusal”

Section 7(5) Where a person refuses to consent to submitting fingerprints, that refusal shall be indicated in the applicable field set out for that purpose in the National Register

(a) by affixing his name, signature or mark; or

(b) where a person is unable to affix his name, signature or mark the registering officer shall indicate on the Certificate of Registration that the person is unable to sign,

and the person shall not be subject to any penalty, fine or term of imprisonment.

  • Fingerprinting is framed as a “refusal” which is indicated in the Register as some sort of mark against a person for not wanting to have their fingerprints taken, and in that the individual is not subject to penalty. However, how is it an individual would be subject to penalty for something that is optional?

Privacy & Security

Section 19(1) “The Commission shall ensure the security and confidentiality of the records of a person registered.”

Section 19(2) Commission shall take measures including security safeguards to ensure that the information in the possession or control of the Commission, including information recorded in the National Register or embedded in the chip of the identification card or the national identity credential, is secured and protected against any loss, unauthorised access or use or unauthorised disclosure thereof.

  • These sections need more robustness. Evaluation of security and privacy controls should be based on international standards. It should not be left up to the Commission to determine the adequacy and effectiveness of the controls around security and privacy. Standards such as ISO 15408, ISO 27001, ISO 27701, and others are worthwhile mentioning.

Data disclosure

Section 20(1)

A Commissioner, an officer or an employee of the Commission or an expert retained to assist the Commission shall comply with the provisions of the Data Protection Act, 2019 (Act 2019-29) and shall keep confidential all information coming to his knowledge during the performance of his functions under this Act or any enactment which relates to the private affairs of a person except insofar as disclosure is necessary for

(a) the administration of this Act or any regulations made thereunder;

(b) compliance with the provisions of any enactment; or

(c) compliance with an order of a court.

  • Data can be disclosed not only to a Commissioner but to an officer or an employee of the Commission overseeing the register, or an expert retained by the Commission. An individual’s information can be disclosed to a third party. This is in the administration and compliance with the law, and compliance with a court order. But how does an individual challenge such disclosure or have a right to be heard on the disclosure? Is the individual made aware? What about issues of privacy and procedural fairness?
  • What about obtaining informed consent from data subjects if their information is being shared with a third-party? This is in contradiction with the Data Protection Act and other global data protection laws such as GDPR (EU), CCPA (California), PIPA (Canada), and others.

Section 22(1) A person who is aggrieved by an act performed or a decision made by the Commission may make a complaint to the Data Protection Commissioner within 14 days of the act performed or the decision made by the Commission.”

  • The Electoral and Boundaries Commission and Office of the Data Protection Commissioner are both Government entities. Adequate oversight for the digital ID system cannot be achieved with this insufficient segregation of authority. There should be a collegial body in place to oversee this critical function. The body should consist of representatives from the government, private sector, academia, technical community, and civil society, with power vested equally to each member.
  • The complaints provision in section 22(1) does not appear to make sense in connection with section 20(1) on disclosure, if it is not clear that an individual or data subject does not know that their information was disclosed to a Commissioner or a third-party.

Section 23 “A person who is aggrieved by the decision of the Data Protection Commissioner pursuant to section 22 shall appeal to the High Court within 14 days of the decision.”

  • Processes for efficient redress in the High Court are not in place. This should be performed by an independent arbitration body with sufficient authority. The High Court is not the venue for dispute resolution (arbitration), and this should be addressed in the Act in a clear manner.

Penalties

Section 26(a-i)

  • This appears to be currently addressed in the Computer Misuse Act 2005. Why not just refer back to this statute as opposed to creating offence/sentencing fragmentation?
  • The Act imposes a fine of $100,000 and/or 3 years in jail and the Computer Misuse Act imposes a fine of $50,000 and/or 5 years in jail for basically the same crime.

Sections 27 and 28.  Same as above.

Data minimisation

  • First Sch, number 25 “Other relevant information required by the Commission”

This appears to point to mission or data creep, so that different kinds of information can be added and centralized, but where is the consultation/oversight for this broad category?

Too Many Unanswered Questions: The Barbados National Digital Identification (DID)

In September 2020, it was widely publicised that the Government of Barbados would be introducing a national digital identification (DID) card. As expected, the announcement and subsequent reports have included the usual public service rhetoric about shifting to a digital economy, delivering social benefits, increasing the efficiency of doing business, and transforming the country into an innovation hub. Putting this flowery political language aside, there are a number of questions that remain unanswered regarding the delivery of the DID project. Questions around clear policy objectives, economic value capture, social impact, technology standards and legal requirements that need to be addressed if Barbadians at-large are to truly profit from this initiative.

To be fair, a DID system represents innumerable benefits to the nation. It will serve as a key foundational element in transitioning to more accurate and efficient online delivery of government services (e-government), enhancing poverty alleviation and welfare services, reducing fraud, increasing financial inclusion, and serving national security interests.

However, without proper implementation, oversight and control, DID can inflict great harm on society, including the government or corporations profiting from the collection and storage of personal data, political manipulation of the electorate, social control of particular groups through surveillance, and restriction of access to uses such as payments, travel, and social media. Additionally, in the absence of a qualified and experienced project management team, it will most definitely be a ‘white elephant’ – a massive waste of public funds that does precious little to improve the lives of citizens. In the ensuing sections, I will provide a detailed analysis of critical risk areas that pertain to digital ID systems and what must be done to successfully alleviate them. 

To read the full article, please click on this link.

2021 ISACA Technology for Humanity Award

I have been selected as the recipient of the 2021 ISACA Technology for Humanity Award, with the citation:

“For contributions to capacity building across the world towards the development of affordable, open and user-centric Internet infrastructure.”

Since 2010, I have worked with organizations such as the Internet Society, Internet Engineering Task Force, Branson Centre for Entrepreneurship, United Nations, TEN Habitat, Google, NBCUniversal, IETF, European Commission, and others to lead, implement and/or support capacity building programs towards the implementation of open, affordable, secure and user-centric Internet infrastructure and applications in Africa, Asia-Pacific, Latin America & the Caribbean, and Europe.

This award recognises these contributions.

Hearty congratulations to all of the 2021 ISACA Global Achievements Award recipients!!!!