People will have to give explicit permission for the government to access their personal details held on various databases before they can get a national identity card, ID card minister Meg Hillier told MPs this week.
Hillier was giving evidence to the House of Commons' Home Affairs select committee on the security arrangements for the controversial national identity register and associated national identity card.
There would be two databases, one for biometric data (fingerprints, facial images and, possibly later, iris scans) and one for biographic data (name, address history, National Insurance number, etc.), Hillier said.
A Home Office spokesman said that when a person applies for an ID card, any information to be recorded in the National Identity Register will be checked against a number of public or private sector data sources to help verify the person's identity. "This will build on existing best practice in processing passport applications," he said.
Just over a year ago the government dropped plans to build the NIR from scratch. It opted to use Immigration computer systems to store biometric data and the Department of Work & Pensions' National Insurance database to store biographic data.
Hillier said fewer than 100 people will have access to the entire dataset of a NIR record. Each access to a record would have an audit trail, and access to some data fields in the record would require two simultaneous authenticated and credentialed users.
All transfers of data would be encrypted, she said. "There will be no discs flying around [with unencrypted data on them]," she added. This was a reference to the loss by HM Revenue & Customs last year of two compact discs containing the personal and banking details of 25 million child benefit claimants. Hillier admitted that the incident had "dented" people's confidence in the government's ability to protect sensitive personal data.
Hillier said she expected most external use of the NIR would be to confirm that a person's identity was registered. Very rarely, and then only to agencies IPS audited for security, would further details be given, she said.
People would be entitled to ask the "identity custodian" who had looked at their records, she said. There were no plans to follow committee chairman Keith Vaz's suggestion that IPS provide a "Google Alert" to warn people when someone looked up their data.
She said people don't expect the credit vetting agencies to tell them when someone checks up on them, nor does the Passport Office do so when someone verifies a passport's validity. IPS was taking the same approach.
Duncan Hine, who is in charge of security arrangements for the NIR and ID card, said security on the biometric database would be the highest possible and certified by government, but security around the biographic data would be less stringent.
Hillier said that the procurement process now under way should be completed by the end of the year, with roll-out of ID cards starting early in 2009.