Scottish elections: Privacy and digital identity

Ahead of the Scottish elections, Open Rights Group Scotland has selected three areas of focus for our digital rights campaigning. The first area is privacy and digital identity, specifically in the context of Scottish Government initiatives on Scotland-wide identity verification programmes. And while our advocacy focus looks ahead to the next five years of policy, we would be remiss if we did not discuss the very topical issue of vaccine passports.

Digital identity

The Scottish Government has committed to an ambitious Digital Strategy which aims to ensure that Scotland will fulfil its potential in a constantly evolving digital world. Unlike the plans released by the UK-wide government for its own Digital Strategy, the Scottish strategy is grounded in a focus on ethics, inclusion, and public engagement. This gives groups like ORG an easier starting point to work from on the potential risks to digital rights inherent in any government strategy. This includes the plans for the rollout of a digital identity system.

Scotland’s planned digital identity system would not be an identity card or a central register. The intention is to establish a trusted and secure service for users to prove who they are when they are applying for, or engaging with, a public service. If deployed correctly, this would reduce time, bureaucracy, friction, and costs for both the public sector and for service users. The system would be optional, and the user would remain in control over their data and its uses. ORG, and many other civil society groups, have engaged with the Scottish Government as a part of its open government approach, and while we are optimistic about the progress made thus far, we know there is more work to be done.

In any digital identity system there are always risks. Systems developed for one purpose can be abruptly repurposed for another – also known as “mission creep” – without a focused approach to mitigating the risks of the new usage. In the era of the pandemic, when solutions are needed quickly, oversight, scrutiny, and transparency can be written off as red tape. Additionally, private sector vendors are always keen to access public data for commercial purposes, or even outright exploitation, and do not hesitate to lobby for watered-down privacy safeguards which would support their business models.

We want to see the Scottish Government continue along the path it has taken so far, with a person-centred approach which places user control and privacy first, and to restate its commitment to not rolling out a central, unified, and/or mandatory identity database system.

Vaccine passports

Recent comments from Scottish health officials suggest that vaccine passports may have a role to play in the easing of Scotland’s lockdown. While they are being actively discussed in England and Wales, the pre-election period means that no decisions can be made here until after the election. This provides a critical opportunity to address the legal and ethical questions around them.

While we would prefer no vaccine passports at all, the fact is they are inevitable. For us, this raises questions of whether they would be used for obvious purposes like international travel, or whether they would become a form of internal travel passport, one required to access leisure and retail as well as essential public services. The risks of creating a two-tier society are clear, as is the potential for vaccine passports to exacerbate social and technological exclusion. Further questions also arise about interoperability across the English and Northern Irish borders, as well as what could happen if different nations choose to use vaccine passports for different purposes.

At the beginning of the pandemic, Open Rights Group strongly supported the use of primary legislation, which would stand alongside and be supplementary to existing data protection regulations, to provide human rights safeguards and accountable oversight over any uses of technology related to Covid-19. If vaccine passports are now in active consideration here in Scotland, primary legislation – as well as a robust discussion of ethics – must precede any technical solutions.

Our policy positions

We are calling for parties and candidates to commit to the following principles:

  • The Digital Identity Scotland system will maintain its privacy-by-design approach, and keep the rights of people first and foremost.
  • The Digital Identity Scotland system will not be repurposed into a centralised and/or unified identity card database.
  • There will be no data matching and/or tracking of individuals across datasets by local authorities, Scottish Government, or commercial partners.
  • Digital Identity Scotland will maintain its commitment to an open government approach, one which welcomes, invites, and involves scrutiny and comment from across Scottish civil society.
  • Any rollout of vaccine passports must be preceded by primary legislation which protects human and privacy rights, upholds data protection standards, and provides accountable oversight and recourse for people whose rights will be diminished as a result of the technology.

Ask the candidates

ORG Scotland will be holding a joint human and digital rights hustings with our friends from Amnesty Scotland at 7 PM on Tuesday 20 April. We’ll be putting questions about these topics and others to the candidates. The event is online and free to view. 
