Establish safeguards for the storage, processing and use of information by third parties to whom information has been disclosed and ensure that persons know to whom their information is being disclosed.
Under the act of disclosure, the Authority can expose information that is otherwise protected. This disclosure can be made to a third party without the consent or knowledge of the enrolled individual. As a general rule, the Authority should not disclose a person’s identity information. However, there are exceptions to this rule. The prohibition on disclosure should not be limited to “identity information” but should extend to all information held by the Authority about an individual.
These are examples of what the NIDS Bill allows. These examples may not necessarily reflect the intention of the Bill, but are possible based on how the Bill was worded when it was tabled in 2020.
James recently used his NIDS card to access a loan. During the process, James consented to have NIRA disclose his identity information to the bank. Based on a later communication from the bank, he now suspects that they may be using his data in a way that was not initially communicated.
James logs into his NIRA interface to confirm what data has been disclosed to the bank. He is correct that the identity information in question was released to the bank. He then reaches out to the bank to request clarity on how the data is being used. The bank does not respond.
With no Data Protection Act in force, it would be legal for the bank to change, after the fact, how it uses or processes data that NIRA has disclosed to it.
At every point where an individual’s information is shared, a risk is created. This risk must be managed to guard against breaches of privacy and security as well as to hold individuals accountable for any such breach.
The Bill prohibits the disclosure of identity information, except under particular circumstances, but will collect and store other information that is not identity information. There is presently no safeguard against the Authority disclosing information not considered “identity information”.
The exceptions to the general rule against disclosure are:
Due to the risk involved in disclosing a person’s information, disclosure that the person did not request should only be made when ordered by the Court, and clear parameters must be set as to how disclosure can occur lawfully.
Watch this space! We will provide an update once the Joint Select Committee has made a decision on this issue.
Last updated 2021-05-27
NIDS Focus is a coalition of civil society groups and individuals collaborating with the GOJ to develop a rights-based, people-centric national ID project.
© NIDS Focus Coalition 2021