
Executive Summary

This Privacy Impact Assessment analyses the privacy implications of the proposed all-of-government identity authentication scheme. It looks at compliance with the Privacy Act 1993, but also at wider privacy issues and concerns.

A fairly detailed description of the proposed authentication system (Section 2) has been included in order that readers new to the project can understand the analysis which follows. Readers who are already familiar with the project may wish to go straight to the Analysis (Section 3), or even the Findings and Conclusions (Section 4), and then refer back if necessary.

The relatively early stage of the authentication project at which the assessment has been carried out has both advantages and disadvantages. It allows the assessment to perform its function of potentially influencing both the design and the business case. But because the design is not yet fully developed or stable, it also means that the analysis is to some extent speculative, and must necessarily anticipate 'worst case' privacy implications. It is desirable that further privacy analysis be undertaken as the project develops.

The government's approach to authentication has from the start recognised the importance of privacy and related security issues. The scheme design has attempted to minimise adverse privacy consequences and some of the design features will be privacy enhancing if they can be maintained.

The proposed scheme should be able to operate consistently with the Privacy Act 1993, but this is largely because that law will defer to the more specific authorising legislation that it is assumed will provide the basis for the scheme. While the Privacy Act will require some specific design features and safeguards, compliance with the Privacy Act will not in itself deal with the more significant privacy issues that the scheme raises.

The scheme unavoidably lays the foundation for a national population register. Although it is not currently intended to develop such a register, experience suggests that there will inevitably be increasing pressure for a widening of both the scope and the functions of the scheme.

Some of the design features already test the limits of the constraints placed on the project at the outset to satisfy privacy concerns, including the voluntary 'opt-in' principle, limited information exchange, a minimal role for biometrics and the commitment to no identity card.

Whether public concerns about the privacy impact of the scheme and about the potential for future scope- and function-creep can be managed depends partly on how deeply safeguards and limits are embedded in the scheme. Most of the recommendations in this Report are directed to this end.

Other recommendations suggest a clearer articulation of the need for the scheme (Recommendation 1); review of the scheme design in relation to multiple Credentials (Recommendation 2); confirmation of identity rather than release of names (Recommendation 3); authentication of roles (Recommendation 4); and the use of the photograph and biometric (Recommendations 8 and 10).

The stated primary purpose of the proposal is to enable individuals to verify their identity for the purposes of accessing government services electronically. One consequence of a central authentication scheme is to raise the stakes in the battle against identity fraud and theft. If successful, it will reduce the incidence of those crimes and enhance one aspect of individuals' privacy, albeit to the detriment of other aspects. However, failures or errors will potentially compound the problem, leading to even more serious consequences for individuals and losses to organisations.

If the scheme is implemented, it is essential that all the possible points of failure be identified in advance and contingency plans be made to deal with them. This must include a strong independent review body with the jurisdiction and powers to provide individuals with real remedies.
