The proposal to create a Scottish National Identity Database has profound implications, but these are barely discussed in the Scottish Government’s consultation document. Here we set out the concerns.
Is this really a national identity database?
The Scottish NHS registry already exists and is relatively benign while it is used just for the NHS. However the new plans are a massive expansion of its use without safeguards or consideration of the risks.
Although the consultation says it is about changes to the NHS registry, the registry would be national and nearly universal as the vast majority of Scots would be registered. It would be used by most of Scottish government, so would be a national government registry, even if the NHS continued to administer it.
The national identity registry would give nearly every Scot a personal identifier called a “Unique Citizen Reference Number”, or UCRN, linked to their address, and then allow up to 100 Scottish authorities and local government services to derive address data from the national registry.
The effect would be to link everyone’s data throughout government, and enable huge data sharing.
Why is everyone assigned a personal identifier?
There are many ways to match data, such as by name, address or NI number. There is only one reason to use a consistent personal identifier such as the UCRN across databases, which is to guarantee extreme accuracy while making vast bulk, automated searches. Thus we have to conclude that assigning every Scot a UCRN is primarily about data mining, profiling or other techniques that would require the whole population’s personal information to be examined more or less simultaneously.
Surely government data sharing is a good idea?
Data sharing is not always bad. But when you share personal information, it must be done carefully, considering the purpose of sharing and the safeguards needed. If personal data is shared in an open ended way, it is impossible to spot the uses and abuses, so agencies will fail to anticipate and prevent privacy breaches.
For these reasons, the Scottish government is officially opposed to such widespread data linking and wants strong safeguards against privacy abuse. In 2005 and 2014 they agreed to “Identity Management and Privacy Principles” which say:
Public service organisations should not share personal information unless it is necessary. If a public service organisation needs to link personal information from different systems and databases (internally or between organisations), it should avoid sharing persistent identifiers; other mechanisms, such as matching, should be considered. If a public service organisation believes that persistent identifiers should be shared, it must publicly explain why. …
Despite this, they decided that this general prohibition on persistent identifiers would be ok to ignore if a single persistent identifier, the UCRN, would be used across up to 100 Scottish authorities, backed up by use of the NHS Register to form a national identity database.
Isn’t the SNP opposed to national identity schemes?
Yes, the SNP opposed the UK’s identity scheme. We believe the consequences of this current plan are not being explained to them.
Do we need a Scottish identity scheme then?
No. All the plans the Scottish government has for web-based log-ins and Entitlement Cards can be delivered by much more privacy friendly means. The “one database to rule them all” approach is both dangerous and out of date. We look at the reasons for this scheme stated in the consultation one by one below: they are income tax, missing payments, missing persons, and the “myaccount” web log in system.
Don’t they need this register to chase for income tax?
The Scottish government are being told by the Improvement Service that it will help chase Scottish people for the Scottish income tax, despite the fact that the vast majority of income tax is handled through employers, not individuals. Compliance for income tax needs to be sought through all UK employers and HMRC’s relationship with them.
There may be a significant number of people who live in both England and Scotland, and who move between both. If HMRC start using a Scottish register to chase down individuals who might be paying the wrong rates then they will want a similar identity register for the rest of the UK sooner rather than later. We will be back to resisting the UK National Identity Register that we killed in 2010.
Isn’t it about chasing fraud such as missing NHS payments?
You don’t need a single database of everyone, linked across 100 authorities, to chase a small number of missing NHS payments. The cost would be likely to vastly outweigh the benefit.
Isn’t it about finding missing persons?
While the data could be used for missing persons, the scheme to link data across government through assigning everyone a UCRN is superfluous for this purpose.
Isn’t it about web log ins?
Web log ins can be created without massive data linking. The UK government, for instance, is creating a system based on identity assurance that does not rely on a single source of personal data.
Authentication is not the same thing as identity. An authentication system can be created that doesn't automatically link to everything the government knows about you.
Surely the National Identity Database would just be used for narrow purposes?
There is a serious danger of mission-creep. Once this UCRN and register is created, it will start to be used for other purposes, in both public and private sector (rather like the US Social Security Number), which might include credit reference agencies.
Surely the data will be kept very safely?
Keeping data safe is hard, especially if you put it all in one place. There will be risks of the database being used to facilitate identity theft through individual or bulk leaks or data compromises.
Government is often very bad at data security. There are many reasons for this. The systems they develop can be complex and vast, which makes security very difficult. Systems designed for one thing become used for another, and the security measures that become necessary can be hard to retrofit. Many individuals end up with access, which makes it very difficult to restrict usage.
Wouldn’t a single national identity database be more accurate?
Perhaps, but there are new risks that inaccurate data could cross-contaminate databases.
Think of it as the ‘Buttle or Tuttle’ problem from the movie "Brazil". Every central data repository creates a single point of failure for accuracy. If one institution gets the facts wrong about you then everyone with access gets it wrong about you, rather than just one institution. That makes it much harder to correct.
Obsolescent information could easily be retained in linked databases which could then violate people’s privacy. Equally, apparently innocent facts could be abused by an incoming administration with a different view of its relevance – such as religion, health conditions or gender changes.
Why is an identity database potentially dangerous?
The effect of this single database will be to open up highly accurate data sharing across the Scottish state. This opens up the possibility of one agency being able to get information about your activities from another agency. So the benefits agency could check your bus journeys, for instance. Your criminal record could be easily available to another agency. At an extreme, one civil servant could see all of your data all of the time from a single computer.
Perhaps just as realistic is the idea of profiling of people to look for people who don’t deserve benefits, or people whose data profile suggests they should be visited by the social services. Equally it will be hard to stop calls for data profiling to be used to reduce small infractions of benefit arrangements, for instance because travel details suggest an individual is cohabiting or failing to spend enough time job seeking.
While it may be alright for politicians to enable such approaches, the least they should do is be honest and discuss what a national identity register might bring. The civil servants will of course be highly aware of the possibilities, if they are given the right people in government to advance such plans.
Who is pushing this?
The plans for a state-wide identity management scheme has been on the books since 2005. The plans are managed and put forward by the Improvement Service of the Scottish civil service.
The plans have advanced under both Labour and SNP administrations. It is fundamentally a civil service policy, rather than a party policy.
How has this happened?
Since 2005, a Scottish Identity system has grown to include:
Assignation of a “Unique Citizen Reference Number” to every person born in Scotland
Assigning a UCRN to users of specific services, such as local library members or free bus card users
Linking Entitlement Card users to their UCRN
Creating a single log in to Scottish online services linked to the UCRN – called “myaccount”
The plan is to link everyone’s identity all of the time to all services in Scotland. Once all the elements are in place, it will be very difficult to see any difference between this scheme and Labour’s abandoned Identity Database plans that the SNP opposed.
Is there an alternative?
Yes, there is a better way to do this. We could have an opt-in authentication service. No personal data need be stored, but it would allow the user to prove their identity to public and private bodies without the rigmarole of providing passports and utility bills; it would thus reduce the scope for identity theft/fraud and make life easier for users without providing a single point of failure for personal information leakage. Such plans are in train for the UK through the Cabinet Office. They were designed to be very privacy-friendly in the wake of the problems with the abandoned UK Identity database.
So what do we want right now?
We simply want some honesty. We want the Scottish government to recognise that the current consultation would create a national identity database, to consider if that is desirable, and if it really thinks it is, to have the courage to introduce primary legislation for it. The Scottish government should abandon plans to sneak it in through rubber-stamped secondary legislation. That way a national debate can take place and we can decide if this is a good idea or not.
You can respond to the consultation quickly and easily via our form here. The consultation closes on Wednesday 25 February.