Change of plan on ID Cards biometrics database?

The Identity and Passport Service may scrap plans to use the Customer Information System as the database for ID Cards biometrics.

The CIS is run by the Department for Work and Pensions and is the government’s main citizen database. Its security has been compromised by local council staff who’ve been snooping on data held on celebrities and acquaintances. Nine were sacked.

In December 2006, the Home Office made clear its plans to use CIS forthe ID Cards scheme. The Home Office’s “Strategic Action Plan for theNational Identity Scheme, Safeguarding your Identity, said:

“… for NIR [National Identity Register] biographical information, weplan to use DWP’s Customer Information System (CIS) technology, subjectto the successful completion of technical feasibility work.

“DWP’s CIS technology is already used to hold records for everyone who has a National
Insurance Number – i.e. nearly everyone in the UK.”

Butthe CIS does not meet the Cabinet Office’s latest securitystandards. The new rules were written after the loss by HM Revenue andCustoms of 25 million child benefit records.

The National Audit Office said in a report on the DWP’s computer schemes in November 2008:

“TheCustomer Information System has not yet received full data securityaccreditation under the new Cabinet Office rules for personal data.Work is underway to reach the necessary level.”

Today,nearly a year later, the CIS still hasn’t received accreditation – andthe system is used by 200,000 civil and public servants, said the NAO.

The new Cabinet Office rules included a provision that:

“newsystems containing protected personal data will be subject to mandatedaccreditation”. This involves, in part, CESG, the commercial arm ofintelligence centre GCGQ.”

A spokesman for DWP told Computer Weekly:

“CISis authorised for use and has robust security measures in place.Accreditation provides additional assurance through a comprehensivereview of risks and measures. The process of upgrading CIS’s securityaccreditation is underway and is expected to be completed in 2010.”

Aspokesman for the Identity and Passport Service, which runs the IDCards scheme, said that the use of CIS for ID Cards biometrics data isonly an “option for the future”. He said :

“There are no plansfor the CIS to be used as the National Identity Register. All of theinformation relating to people issued with the first identity cards forBritish citizens will held securely by the Identity and PassportService on a system provided by IPS contractor Thales.

“In thelonger term we will put in place new systems for issuing bothfingerprint biometric passports and identity cards. One option is tohold biographic information independently, but on the same technologyused to hold biographic information by DWP for its CIS. However, IPSwill only hold personal information in a way which is both secure andreliable.”


Officials back away from scandal-hit database –

New Cabinet Office rules on personal data – Cabinet Office website

DWP Customer Information System – DWP website

NAO report on DWP systems including the CIS – NAO website

Glyn Moody

ID Cards security a problem? – well I never – No2ID Birmingham