Limit Who Can Access A Person's Data

Put in place stricter controls for how any information about an enrollee — not just their identity information — may be revealed, used, and stored.

The NIDS bill must establish safeguards to limit data sharing with third parties, to ensure safe storage and processing when it is shared, and to give persons notice about why and to whom their information is being disclosed.

Under the current bill, the Authority can release information to a third party without the consent or knowledge of the enrolled individual, with certain conditions only when it comes to identity information. The Bill should also describe how other enrollee information may be revealed, and how revealed information should be protected. In this case, the Data Protection Act does not provide enough protection.

What This Could Look Like in Real Life

01. James and His Identity Information

James recently used his NIDS card to access a loan. During the process, James consented to have NIRA disclose his identity information to the bank. Based on a later communication from the bank, he now suspects that they may be using his data in a way that was not initially communicated.

James logs into his NIRA interface to confirm what data has been disclosed to the bank. He is correct that the identity information in question was released to the bank. He then reaches out to the bank to request clarity on how the data is being used. The bank does not respond.

With no Data Protection Act in force, it would be legal for the Bank to change how it uses or processes data that NIRA has disclosed to it after the fact.

Details

At every point where an individual’s information is shared a risk is created. This risk must be managed to guard against breaches of privacy and security as well as to hold individuals accountable for any such breach.

The Bill prohibits the disclosure of Identity Information, except under particular circumstances, but will collect and store other information that is not identity information. There is presently no safeguard against the Authority disclosing information not considered “identity Information”.

The exceptions to the general rule against disclosure are:

Where an enrolled individual requests that disclosure
Where the police request it and the court grants permission
In any other circumstance enabled under the Act or any other law

Due to the risk involved in disclosure of a person’s information, such disclosure that the person did not request should only be done when ordered by the Court and clear parameters must be set as to how disclosure can occur lawfully.

Recommendations

Section 24 to create clear guidelines for the method of disclosure. These guidelines can explain how disclosure can occur lawfully. They can also explain the actual form that disclosure can and cannot take as well as how the process can and cannot be managed
Section 24 is to establish a protection mechanism around the use, processing and storage of information by third parties to whom information has been disclosed, including the police.
Section 24 to be amended to require any disclosure of a person’s information that that individual did not request only occur when ordered by the Court
Section 24 to be amended to read “any information” not only “any identity information”, to clarify that it is not just a person’s identity information the Authority is prohibited from disclosing but all information held by the Authority about them.

Status: Pending

Watch this space! We will provide an update once the Joint Select Committee has made a decision on this issue.

Last updated 2021-05-27

Talk Up!

If this issue matters to you, talk about it. Share this page (and your questions or suggestions) with friends or government representatives.

Comments, Questions?

Is there something we overlooked with this issue?
Have questions? Let us know!