« 13 Invalidity and surrender of ID cards | Main | 15 Power to make public services conditional on identity checks »
December 07, 2004
14 Use of information for verification or otherwise with consent
Provision of information from Register for verification purposes etc.
14 Use of information for verification or otherwise with consent
(1) The Secretary of State may provide a person with information recorded in an individual’s entry in the Register if—
(a) an application for the provision of the information to that person is made by or with the authority of that individual; or
(b) that individual otherwise consents to the provision of that information to that person.
(2) The only information about an individual that may be provided to a person
under this section is—
(a) information about that individual falling within paragraph 1, 3 or 4 of Schedule 1 (name, date and place of birth, gender and addresses, residential status, identifying numbers and validity of identifying documents);
(b) the information contained in any photograph of that individual recorded in the Register;
(c) the information about the individual’s signature that is so recorded;
(d) information about whether an ID card issued to the individual is in force and, if not, why not;
(e) information which, by virtue of section 3(2), is recorded in the Register at that individual’s request;
(f) the questions recorded by virtue of paragraph 8 of Schedule 1 for use for the purposes of applications for information about that individual;
(g) information confined to the grant or refusal of confirmation that information falling within subsection (3) that has been submitted to the Secretary of State coincides with information so falling that is recorded in the individual’s entry in the Register; and
(h) information confined to the grant or refusal of confirmation that the individual’s entry in the Register does not contain information of a particular description falling within that subsection.
(3) The information falling within this subsection is—
(a) information comprised in a fingerprint;
(b) other biometric information;
(c) the number to be used for the purposes of applications for information about the individual in question;
(d) the password or other code to be so used; and
(e) the answers to the questions to be so used.
(4) The Secretary of State may—
(a) by order modify subsections (2) and (3); and
(b) by regulations impose restrictions in addition to those contained in this section on the information that may be provided to a person under this section.
(5) The Secretary of State may also by regulations make provision as to—
(a) how an authority for the purposes of subsection (1)(a) is to be given;
(b) the persons by whom, and the circumstances in which, an application for those purposes may be made; and
(c) how such an application is to be made.
(6) The Secretary of State may by regulations make it a condition of the provision of information under this section—
(a) that the person to whom it is provided has registered prescribed particulars about himself with the Secretary of State;
(b) that that person and the applicant for the information (where different) are for the time being approved by the Secretary of State in the prescribed manner; and
(c) that apparatus used for the purposes of the application, and apparatus that it is proposed to use for the receipt and storage of the information, is for the time being approved by the prescribed person in the prescribed manner.
(7) The Secretary of State must not make an order containing (with or without other provision) any provision modifying subsection (2) or (3) unless a draft of the order has been laid before Parliament and approved by a resolution of each House.
(8) The restrictions imposed by or under this section on the information that may be provided to a person do not affect any right apart from this Act for an individual to be provided with information about the contents of his entry in the Register.
EXPLANATORY NOTES
Provision of information from Register for verification purposes etc.
Clause 14: Use of information for verification or otherwise with consent
89. This clause enables the provision of an identity verification service which operates with the consent of the individual, including an accreditation requirement for user organisations and their equipment.
90. Subsection (1) gives the Secretary of State the power to provide a person with certain information recorded in an entry about an individual provided that individual concerned consents. Provision of information includes confirming that the information is or is not recorded in his entry (clause 43(7)).
91. Subsection (2) provides that only a limited part of the individual's entry on the Register may be provided to a person under this section. This includes information within paragraphs 1, 3 and 4 of Schedule 1, the photograph, signature, information concerning whether the ID card is valid, voluntary information, security questions, the grant/refusal of confirmation that submitted information falling in subsection (3) matches that which is held on the Register and the grant/refusal of confirmation that the individual's entry does not contain information of a particular description within that subsection. This might be necessary for example to verify the identity of an individual whose biometric could not be recorded at the time of enrolment (e.g. because of a medical condition). This limitation on the information that may be checked means that information falling in other parts of Schedule 1, for example the records of provision of information and validation information, may not be provided to organisations verifying identity under this clause.
92. Subsection (2) also allows the confirmation of information (as opposed to the provision) falling in subsection (3). This information includes biometric information (including fingerprint), passwords, codes, security numbers and security answers.
93. Subsection (4) enables the Secretary of State to amend by affirmative order subsection (2) and (3), and further allows regulations to be made further restricting the information that may be provided under clause 14. This could be used for example, to ensure that certain categories of people do not have certain information about themselves provided to other organisations, for example where it might be sensitive as in the case of previous names of transsexual people. This power may also be used more broadly to restrict further the information that is provided to specific types of organisations where all the information falling under 14(2) is not necessary for their verification purposes. These regulations would be subject to the affirmative resolution procedure.
94. Subsection (8) ensures that the restrictions on the provision of data under clause 14 do not interfere with rights to be provided information under other Acts, for example subject access rights under the Data Protection Act 1998.
95. Subsection (5) provides a power to make regulations subject to the negative resolution procedure prescribing how an authority is to be given, the persons who can make an application and in what circumstances an application may be made and how an application can be made.
96. This clause would enable an accreditation scheme to be established so that only those organisations that have been approved would be able to make checks on the ID cards of individuals who have consented to verification checks against the Register. Regulations may include a requirement that to be provided information, the applicant must have first registered certain details with the Secretary of State, that the person and the applicant for information have been approved in the prescribed manner and the equipment being used is also accredited (subsection (6)).
97. Clause 41(6) sets out in more detail what regulations for the approval of a person or of apparatus might include.
Amendments up to and including Friday 14th January 2005 page 3
Mr Richard Allan Mr Alistair Carmichael
Clause 14, page 12, line 35, after 'a,' insert 'prescribed'.
Mr Richard Allan
Mr Alistair Carmichael
*Clause 14, page 12, line 35, after 'with', insert 'all of the'.
Patrick Mercer
Mr Humfrey Malins
Mr Geoffrey Clifton Brown
Clause 14, page 12, line 38, after 'the', insert 'written'.
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 12, line 38, after 'the,' insert 'informed'.
Patrick Mercer
Mr Humfrey Malins
Mr Geoffrey Clifton Brown
Clause 14, page 12, line 39, after 'otherwise', insert 'in writing'.
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 12, line 39, after 'otherwise' insert 'explicitly'.
Patrick Mercer
Mr Humfrey Malins
Mr Geoffrey Clifton Brown
Clause 14, page 12, line 40, at end insert 'and
(c) authority or consent may extend to part only of information.'.
Amendments up to and including Friday 14th January 2005 page 4
Mr Richard Allan Mr Alistair Carmichael
*Clause 14, page 12, line 41, leave out subsection (2).
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 13, line 20, leave out paragraph (a).
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 13, line 21, leave out paragraph (b).
Patrick Mercer
Mr Humfrey Malins
Mr Geoffrey Clifton Brown
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 13, line 26, leave out subsection (4).
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 13, line 31, leave out 'may' and insert 'shall'.
Mr Richard Allan
Mr Alistair Carmichael
Clause 14, page 13, line 36, leave out 'may' insert 'shall'.
Patrick Mercer Mr Humfrey Malins Mr Geoffrey Clifton Brown
Clause 14, page 14, line 6, at end add—
'(9) If an individual applies to the Secretary of State for the provision to himself of all or any information recorded in his entry in the Register, it shall be the duty of the Secretary of State to supply to the individual all such information requested.'
Posted by wtwu at December 7, 2004 05:21 PM
Trackback Pings
TrackBack URL for this entry:
http://www.spy.org.uk/cgi-bin/mt316/mt-tb.cgi/752
Comments
"(3) The information falling within this subsection is—
(a) information comprised in a fingerprint;"
Does this mention of "a fingerprint" mean all 10 fingerprints and thumbprints and palm prints as per other Police Acts, which were mentioned in the Draft ID card Bill but not so far in this one ?
Posted by: wtwu at December 7, 2004 05:27 PM
I'm not sure about how to read subsection 8 does it mean that the secrety of state can block me from finding out whats stored about me?
Posted by: John at December 14, 2004 11:27 PM
The Explanatory Notes claim that subsection 8 allows Data Subject Access requests under the Data Protection Act.
On the face of it this is ok, except that the DPA has lots of exemptions in it for "the detection and prevention of crime", national security etc.
Posted by: wtwu at December 18, 2004 12:44 AM
This whole clause is about verification i.e. checking you and your biometric readings against the ID card and or Database.
But does Section 2 which limits the information you can see or download from the Central Database and/or the internals of the Smart Card also prevent you from seeing or accessing the full audit trail of your own ID Card transactions ?
This transactional audit trail held on the central database systems will show who verified which card, at which location, time and date.
This is potentally extremely valuable personal data, access to which is essential to see if there are stolen or cloned ID cards or compromised ID card reader terminals being used.
All kinds of embarassing or private information can be inferred from this audit trail: visits to medical clinics e.g. Pregnancy, AIDS etc. and also dates of entry and exit to and from Prison or Mental Hospital etc.
If you are not allowed to prove or disprove that your own ID card was allegedly used at a particular time and place, which you dispute, how is Identity Theft via Cloned Smart Cards, Compromised Readers, Insecure Computer Telecomms Networks Corrupt Officials etc. ever going to be detected ?
Posted by: wtwu at December 18, 2004 04:47 PM