LALIT sent the following letter to the Data Protection Commissioner, Mrs Drudeisha Madhub, early on Monday morning, 31 August. Once again, the Minister hurriedly held a press conference on the same day, with “witnesses” (all employees of the ID Card scheme or Ministries) to show that the data was destroyed. He has still not announced whether “minutiae” will still be taken for storage on ID Cards that will be issued from now on.
Here is the content of LALIT’s letter.
30 August, 2015
The situation has radically changed regarding the ID card system from the time we met you on Wednesday 19th August.
At around the same time as we were gathering to meet you on the 19th of August at 14hrs in Port Louis, the Minister of Technology, Communication and Innovation hastily issued a press communiqué to announce that “ID Card Conversion centres” would be closed between Monday 24th August and 11th September 2015 to get biometric data in the ID card database destroyed. We used the word “hastily” as this announcement was made only two working days before the closure of the “Conversion Centres”. Given the change in the whole situation, we believe that you, as Data Protection Commissioner, should intervene to ensure that the personal biometric data of all citizens who have, or who might in future, take out new identity cards, that is, the whole adult population of Mauritius, is protected.
We note that under Section 5 of the Data Protection Act, your functions as Commissioner include that you:
(d) exercise control on all data processing activities, either of its own motion (sic) or at the request of a data subject, and verify whether the processing of data is in accordance of this Act or regulations made under the Act;
(j) do anything incidental or conducive to the attainment of the objects of, and to the better performance of his duties and functions under this Act.
We further note that Section 12 of the Data Protection Act empowers you “where the Commissioner is of opinion that a data controller or a data processor has contravened, is contravening or is about to contravene this Act” to “serve an enforcement notice on the data controller or the data processor, as the case may be, requiring him to take such steps within such time as may be specified in the notice”.
Given that the Data Protection Act gives you relatively wide powers of inquiry and action, given that the national ID card system concerns the whole adult population of Mauritius, and given that the Data Protection Commission can institute inquiries and act “of its own motion”, we are formally asking for your intervention to protect people's personal and biometric data in this period when the ID card system is being reviewed.
In addition, we draw your attention to the fact that no bill to amend the National Identity Act and other related Acts has been announced up to now and that consequently, there is a need to review the law given that the government has announced a change in the aim of the National ID Card system from that of “identification” to that of “verification”.
1. Risk of and damages caused by possible data leakage
No further information has been given to the public by the concerned authorities on where biometric data of over 800,000 people who have taken out biometric ID cards was being retained or stored. It had been announced in 2013-2014 that such biometric data would be securely stored in a databank in Ebene. No information has been given on:
Such information is vital given the risk of data leakage that the Supreme Court on the ID Card systems recognised when it proclaimed storage and retention of fingerprints and other personal biometric data of a citizen of Mauritius unconstitutional. We quote from Madhewoo M. v The State of Mauritius and Anor 2015 SCJ 177, Record No. 108696: “On the other hand, witness Sookun has said enough to impress upon us the risks and damages which the storage and retention system adopted by the defendants would entail.”
We call on you to:
2. Fingerprint minutiae still on the card?
The Minister of Technology, Communication and Innovation, Hon. R. Bhadain announced on the MBC Journal of 19.30 hrs on the 19th of August that the thumbprint minutiae on the new identity cards would be retained for “verification” purposes (although it is still unclear whether the new card system will contain biometric data such as fingerprint minutiae for verification purposes). For your information, the Mauritius Broadcasting Corporation Journal can be viewed as from 6 minutes and 12 seconds on the MBC YouTube channel: https://www.youtube.com/watch?v=SnMcryOVKwo
Biometric data on the ID card will continue to put citizens at risk given that the new identity card can even be read at a distance with available technological devices as demonstrated by Expert Witness Ish Sookun. This means that thumbprint minutiae can be accessed by anyone with the technological means, hacked and copied.
We call on you to ensure that the newly reviewed ID card system does not include fingerprint minutiae, other biometric data, or any other personal data on the card itself or alternatively, that giving such data is not made compulsory for people taking out new ID cards.
We draw your attention to the National Identity Act of 2013 that makes it possible for “such other particulars as may be prescribed” to be included in the ID card microchip. We call on you to ensure that the addition of “other particulars” be repealed.
3. Who will “verify”?
Section 7 of the National Identity Card Act of 2013 states that “Every person may in reasonable circumstances and for the purpose of ascertaining the identity of another person request that other person to produce his identity card where that person is a citizen of Mauritius.” This means almost anyone who can potentially assist in allocating employment, credit, goods or services will be in a position to request a person to produce his/her identity card for “verification”, presumably including on a “machine” to compare minutiae with the actual fingerprint on the spot.
It has become common practice for private sector employers, shops, banks, credit providers, almost anyone offering goods or services to insist on people who need employment, goods or services to present their ID card, or even more dangerous for the ID card holder, to get someone else to present the card for them for “verification”.
4. Amendments to the National Identity Card Act
No amendments to the 2013 National Identity Card Act have been announced yet. Now that the whole logic behind the Act has changed from that of the need to “identify” to administrative “verification”, it is highly questionable whether it is “excessive” to make such a card mandatory, to make it obligatory to “present the card” for “identification” purposes, or to have up to 5-year prison sentences or even heavy fines for not holding a card. We note that the third principle of the “Data Protection Principles” in the First Schedule of the Data Protection Act states that “Personal data shall be adequate, relevant and not excessive in relation to the purpose for which they are processed”.
We note that your Functions include that you “(i) examine any proposal for data matching or data linkage that may involve an interference with, or may otherwise have adverse effects on the privacy of individuals and, ensure that any adverse effects of such proposal on the privacy of individuals are minimised”.
We call on you to ensure that adequate amendments to the National Identity Card Act are made in proportion with the change in the aim of the Act from “identification” to “verification”.