News
e-NICs: FR petition on alleged invasion of privacy
View(s):The procedure for the issue of Sri Lanka’s new electronic national identity card (e-NIC)–introduced in the absence of privacy or data protection laws–grants wide powers to the Commissioner General of the Department of Registration of Persons, officials and other authorities to collect and record any personal details from all public and, potentially, private databases.
“If we are to embrace technology, we must do so only with the soundest of legal safeguards in place,” said Ravi Ratnasabapathy, a management accountant who has challenged the Government’s e-NIC regulations in the Supreme Court. “Without proper data protection laws in place the e-NIC project should not go ahead.”
The greatest concern with Sri Lanka’s proposed system is the possibility it could be used as a ‘general purpose surveillance system’. While the relevant legislation specifies it will be applied for reasons of establishing identity, clear limitations on use are not in place. Published reports point to the e-NIC and database being an overarching solution for tax, property, banking as well as national security.
“If allowed, any identification system that maintains location or transactions may allow police or other government agencies to track individuals,” Mr Ratnasabapathy says. “And any identification system runs the risk of becoming a general purpose surveillance system in the absence of clearly defined limits.”
Mr Ratnasabapathy’s fundamental rights petition warns that the e-NIC regulations grant “virtually unrestricted access to any information concerning any citizen recorded with any public authority”. Up to now, privacy was protected (despite the absence of laws) by most data being held either in manual form or on isolated computer systems. Information was not shared. If needed for investigative or other purposes, it was provided through court order.
This will no longer be the case. And the use of biometrics in the new e-NIC poses new threats to privacy and security which can only be addressed through a strong legal framework based on ‘Fair Information Practices’ (FIP) principles. Drafted by the Organisation for Economic Co-operation and Development, the FIPs offer guidance on how to manage privacy implications of the e-NIC. They have become the foundation for most national laws governing data protection. In Sri Lanka, by contrast, they are being flouted openly.
The principles call for limits on the collection of personal data; for any such data to be obtained by lawful and fair means; and, where appropriate, with the knowledge or consent of the data subject. The less information is recorded the better. Each data element collected should be evaluated and debated. The casual inclusion of information that ‘might be useful someday’ should be resisted.
The Sri Lankan e-NIC blatantly violates this, the petitioner says. Citizens must provide name, date of birth, gender, address, family details and numbers of national identity cards of parents, guardian, spouse, children and siblings. Divorcees are even required to specify the date of decree, case number and court in which the divorce decree was entered.“If the system is about establishing ID, family details are unnecessary. An individual’s identity is independent of the family. Our current IDs and passports carry no family details. Why is this necessary in the E-NIC?”
The general policy of the FIPs is that data collected for one purpose should not be used for another purpose. “And this is how the present manual systems in Sri Lanka work,” Mr Ratnasabapathy said. “We provide information to the Land Registry, the Registrar of Motor Vehicles or the Employees’ Provident Fund for a particular purpose. They use it for internal purposes only and do not share the data with other agencies, except when ordered by court.”
But the proposed central database to be set up under the e-NIC initiative will share information with other agencies for a variety of purposes, including prevention or detection of crimes, without a court order. A biometric identification system can be used for a wide variety of identification activities. However, using an identification system for other unrelated purposes would likely violate the principles.
The FIPs state that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
“Sri Lanka’s system is shrouded in secrecy and even attempts to obtain basic information through Right to Information requests have not yielded results,” said Mr Ratnasabapathy. “Data may be shared amongst different agencies without the knowledge or consent of citizens.”
The project is going ahead with no public consultation. “Individuals don’t have the right to know what data is held and to challenge incorrect data,” he pointed out. “There is no central authority to hold accountable for loss or misuse of data.”