The ICO recently turned down a request by the Identity and Passport Service to use the ID card scheme to test-drive Privacy Impact Assessments (PIAs) - a new method for guaranteeing that government ID projects don't trample citizens' right to privacy. The request was refused, SearchSecurity UK can reveal, because the ID card project was considered too long in the tooth for a proper privacy audit.
Jonathan Bamford, deputy information commissioner, said that he had refused to allow the ID scheme to pilot the PIA methodology when he was approached unofficially by the Home Office in the summer. "It's not appropriate to use the Identity Scheme as a test bed for the privacy impact assessment because it's too far developed," he said.
It would have been a public relations coup for the Passport Service if it could have accompanied the ICO's launch of PIAs with the revelation that the ID scheme had been checked and cleared for take-off.
When the IPS approached the ICO over the matter before the summer recess, the IPS was getting demonstrably concerned about privacy. The request coincided with the launch of a £10 million, three-year research project with the DTI and Engineering and Physical Sciences Research Council to decide "how to balance the potentially intrusive nature of identity services and network security with users' expectations of privacy and consent."
SearchSecurity UK understands that even before the IPS requested first dibs on a PIA, it had already run two of its own in-house, small-scale tests of PIAs in an attempt to prepare the plans for a public airing. This exercise had led the IPS to reconsider the method by which it collected information for its controversial data trail (otherwise, and misleadingly, known as an audit trail).
The data trail is a record of every time a person uses their ID card, whether that be to travel, buy alcohol, access a public service, or prove their identity for any of the likely burgeoning number of private services that are expected to start demanding to see them.
The test PIAs had led it to look again at how much information it should store about each ID transaction and how long it was kept. At the IPS privacy forum in the summer, Bamford complained that he had made repeated requests since the scheme's inception that the IPS conduct a proper PIA and share it with his office.
At the same forum, Duncan Hine, the IPS' director of integrity, said the data trail would be implemented because it would be useful for police intelligence. Yet it is not certain that the data trail would have survived a full PIA.
Information Commissioner Richard Thomas told the Home Affairs Committee in December: "Data minimisation is a key principle associated with data protection and keeping this massive database with records of every time the card is swiped through a terminal would be distinctly unattractive and would, I think, increase the risks which might occur."
SearchSecurity UK also understands that the IPS' test PIAs considered only whether the system would comply with the Data Protection Act. Yet the ICO has advised that such a test is not enough.
"PIAs are not simply legal compliance checks motivated by the question: 'If we did X, would we be in compliance with the law and the fair information principles upon which the law is based?'," said the ICO's PIA backgrounder. A PIA should draw on privacy concepts "beyond those entailed in data protection legislation."
A PIA, according to the ICO, ought to ask the most fundamental questions a project team can face: whether the project should be done in the first place, or whether its aims could be achieved by other means. PIAs should also be integral to a project, "rather than seen as add-ons", and they should be "transparent and accountable", principles that were designed out of the ID card legislation from the outset.