Tuesday, February 22, 2005

ID card database won't meet DPA standard

No2ID pointed me at a nice opinion piece in the Lawyer

"The Data Protection Act 1998 imposes a requirement on a data controller to adequately manage information security, and yet the bill does not adequately recognise these obligations.

It appears from the bill that, despite it being the Government that requires the implementation of an identity card system, it has no liability for failures in the system. It is intended to be a criminal offence for an individual not to notify the authorities of any changes of information, such as address, yet where an individual does notify the authorities of errors in information, there is no requirement that the Government 'must' correct such information, but only that it "may" correct it. What is more, the creation of a centralised identity database is akin to an electronic Doomsday and, given the Government's record on failed or flawed IT projects, the fact that the bill does not give an individual any rights to compensation where that individual's identity is misappropriated through no fault of their own is a big concern."

No comments: