Who’s looking at your digital information?


Should we have Covid-19 vaccination passports? Former Prime Minister Tony Blair thinks we should. Others are less convinced.

Earlier this year, the issue of allowing vaccinated people to buy digital ID Covid-19 passports was rejected as unethical and divisive in Germany, but seen as probably inevitable in France. Here in the UK, the question is seen as setting up oldies against younger people awaiting vaccination. But this issue has diverted attention from the government’s latest scheme on electronic identity documents, which is of far greater significance and concern.

Last week, the government published its draft on the future use of digital identities. Most of us have one in some form or other – a bank card, a travel card complete with a digital photo, driving licence, a photo ID on our phone (sometimes complete with a fingerprint and voice biometric). These are issued by private companies, sometimes on behalf of government departments. They are lucrative sources of business around the world.

Digital identity cards are supposed to confirm who we say we are in specific contexts.

Now the government wants to revise its guides and link up our personal information in ways that allow information to be shared by various organisations wanting to check our personal details. For example, a digital health card might be linked to our credit record, tax, passport and driving licence records. Many countries try to do this, and tiny Estonia has led the way in making it easy for people to limit the number of times they have to enter the same information online to access government services.

All countries have regulatory frameworks that are designed to ensure that anyone creating such digital identities and storing them does so in ways that comply with the law, are secure against hacking, and are accurate. But we all know that they do not always work: banks have previously been targeted, as has the NHS. It’s possible for criminals to steal our personal information, and sometimes it’s the people inside a ‘trusted’ organisation who are responsible for not keeping our information secure.

In the UK, most of us will have seen or used GOV.UK Verify, which the website says is “a secure way to prove who you are online. It makes it safe, quick and easy to access services on GOV.UK”. It also lists two companies called “certified companies” that it has “approved to verify your identity”. These are Digidentity and the Post Office. The Post Office site lets you check your tax statement, view your universal credit claim account, apply for a basic disclosure and barring service (DBS) check to get a copy of your criminal records, view your driving licence and share information with your employer or DVLA, and a few other things, like viewing your state pension.

The government’s digital service guides companies and others wanting to check or provide your identity card. Various private and public sector organisations contributed to what is known as the good practice guide, including Barclays, Experian, the Home Office, DVLA, HMRC, and Department for Work and Pensions.

The digital infrastructure minister Matt Warman has said that government wants industry, civil society groups and the public to make their voices heard. Comments on the proposed new guidance have to be in by 11.59pm on 11 March 2021. All this is to result in a new ‘trust framework’.

Accordingly, the Department for Digital, Culture, Media and Sport is to develop proposals for laws on the digital identity market. While civil society organisations have concerns that linking all this kind of information is problematic and smacks of Big Brother, Cabinet Office minister Julia Lopez believes this is needed so that we can learn to trust the technology and be confident that our personal data and privacy will be protected. Not everyone is convinced.

This is nothing new. In the EU, the UK and its partners agreed on and updated data protection and privacy laws which were among the strictest in the world, and all use data protection offices to monitor and enforce them. The UK’s Office of the Information Commissioner regularly publishes fines on, and notes about, organisations that have failed to keep our personal data safe. It also offers guidance on ensuring data protection during the pandemic.

The pandemic has led to more people working from home, often without adequate cyber security in place. So employers are increasingly worried about who is liable for any data losses, any compensation claims, and just what the rules are – or should be – with the UK outside the EU.

You are supposed to be able to get wrong data or misinformation linked to your records deleted under the EU’s ‘right to be forgotten’. But information is not necessarily erased, even when the law says it should be after a certain number of years have passed. The UK police kept more DNA samples than any other country until relatively recently.

So, if there are to be new laws on this to do what we think would be useful, we have to make sure the government knows what we want. Do you want a Covid passport? Who should make it? What kind of information should be on it? Should you provide it or should the company making your card get it (after asking you, or automatically without your consent) from your NHS records and bank or insurance company? What constitutes good practice regarding anyone accessing bits of your personal information stored by companies and government departments all over the place?

Making things happen in a way that we want them to depends on us telling the government what we want.

If you want your say, maybe log onto the website.
