Address Data-Sharing and Profiling Head On

The Government needs to be open about how different actors will share data within the NIDS system, and how the risk of leaks, profiling and surveillance will be avoided.

NIDS is designed to allow for data-sharing between different databases — this is called interoperability. There are benefits to interoperability, like having one ID number to use for access to many different kinds of services. There are also risks: a major risk is that those with access to the system could track data to establish a detailed profile of individual users. The NIRA Act does not mention the word interoperability or provide for any tools for Jamaicans to have control over how their personal information is used.

What This Could Look Like in Real Life

These are examples of what the NIDS Bill allows. These examples may not necessarily reflect the intention of the Bill, but are possible based on how the Bill was worded when it was tabled in 2020.

Details

In order to enjoy the potential benefits of creating a system like NIDS, the right safeguards must be in place. Digital ID is a new technology and the current NIRA bill doesn’t confront some of the most obvious and longer-term risks. These risks relate to the new capability that NIDS provides: to link many large databases filled with personal information together. This is called interoperability. The risks connected to interoperability are amplified by the fact that because NIDS will provide authentication of identity (See Position 6: Authentication and Verification), the system could track detailed information down to the time and place of every transaction connected to your ID. This information is called “metadata” relating to those transactions. The NIRA bill also leaves us guessing about which personal data are really needed in order to perform its core function of providing identification (See Position 2: Make Non-Essential Information Optional). That means that in order to use NIDS you might be required to give more information than is absolutely necessary to identify yourself and that information could be shared widely with other agencies and the private sector and that information could be connected with other data generated in real time, like your transactional metadata.

 

Up until now, the personal information collected by healthcare providers, the education system, social welfare agencies, and private sector entities like banks, was housed separately. What we don’t know yet is how connected this information will be once NIDS is fully operational, and how metadata on individual transactions will be handled. That’s because there are no provisions in the NIRA bill that address this central question around interoperability at all. Because the Data Protection Act is not yet in place, we cannot even rely on its protections and we have no way to judge if those protections are sufficient to remedy the risks. That’s why the government must fully implement the Data Protection Act before moving forward with the NIRA bill and the implementation of NIDS (See Position 3: Data Protection Act).

 

The best way for the government to address this concern is by conducting what is called an impact assessment, releasing the results to the public, and allowing for further consideration of the NIRA bill in light of the results. An impact assessment is a process that is done before a major information system like NIDS is ever built. The purpose of an impact assessment is to share detailed information about the design of the system, identify risks that it poses to individuals, communities and the public, and talk about how those risks can be addressed. These impact assessments are routinely conducted in other countries and are increasingly common when it comes to digital ID projects.

Recommendations

  • Take steps to share detailed information with the public about how data-sharing will work, including by conducting formal studies on the risks and impacts of the NIDS system
  • Based on those results and public consultation on them, revise  the design of NIDS and the NIRA Act to fully address the risks posed by interoperability
  • Link to Recommendations for Position 2: Strictly Minimal Data Collection; Recommendations for Position 3: Data Protection; Recommendations for Position 6: Clarity on Authentication and Verification; Recommendations for Positions 4 & 5: Safeguards & Transparency on Disclosures to Third Parties

Status: Pending

Watch this space! We will provide an update once the Joint Select Committee has made a decision on this issue.


Last updated 2021-05-27

Talk Up!

If this issue matters to you, talk about it. Share this page (and your questions or suggestions) with friends or government representatives.

Share

Comments, Questions?

Is there something we overlooked with this issue?
Have questions? Let us know!