Privacy at risk

By Easwaran Rutnam

A proposal to implement a common data collection system has placed the privacy of individuals at risk.

The proposal, if not carefully implemented, could see private details of individuals being accessed by hackers and others with vested interests.

Last week, President Gotabaya Rajapaksa had proposed that all personal information, including the National Identity Card (NIC), driving license, immigration and emigration documents, and registration of birth (and death) be brought under one data collection centre.

President Rajapaksa had said that the move will be instrumental in reducing time, effort, and money spent on such services at present.

He had expressed these views during a discussion with officials of the Ministry of Information and Communication Technology held at the Presidential Secretariat last week. He said that if this can be brought under one umbrella organisation, it will greatly reduce delays and ensure efficiency.

A similar proposal was made last year when the United National Front (UNF) was in office.

Obvious shortcomings

It was noted that a common, shared digital architecture and platform will enable various digital systems of the Government to interoperate on the basis of a unique digital identifier for citizens and other users to prove their identity without compromising personal information, while enabling the Government and businesses to authenticate in a safe and secure way. All government digital systems will be compatible with the digital architecture and platform.

However, while the idea is good, concerns have been raised over its implementation and lack of privacy protection and data protection laws.

Public policy expert Thisuri Wanniarachchi told The Sunday Morning that among the concerns is the lack of robust regulations and laws to stop the State from selling data or misusing it.

“I think his idea is in the right place; it’s just that we don’t have the laws and regulations to protect and ensure the anonymity of citizens. There’re also no robust regulations and laws to stop the State from selling that data or misusing it. Without getting the legal language right on these fundamental citizen protections, such a move could be a serious danger to individual privacy and rights and will serve more as a registry than a platform for greater access to public services,” she said.

State Minister of Information and Communication Technology Lakshman Yapa Abeywardena said that data protection laws will be enacted to protect the privacy of the public. He said the law will be enacted as the new Government moves ahead with plans to digitalise most state services.

The Information and Communication Technology Agency of Sri Lanka (ICTA) has been tasked with handling the whole operation to bring all public information under one data collection centre.

Assurances from ICT leaders

Technology expert Dr. Sanjiva Weerawarana said that since the process to create a solution is in the hands of ICTA and not a private company, the risk factor is very low.

Weerawarana, who is also a board member of ICTA, told The Sunday Morning that the system can work if there is no vendor control.

“The wrong way is to put all this data into databases with a common primary key. The right way to do it is the way designed in the National Digital Information Infrastructure and Preservation Programme (NDIIP): Data stays at custodians with unique primary keys, shared with consent and logging.”

He said that data can be made available to anyone with the consent of the individual, unless otherwise it is required by the law enforcement authorities.

The final draft of the Data Protection Bill tabled by the former Government last September had noted that every data subject shall be entitled to withdraw his consent to share data at any time, if such processing is based on certain conditions, provided that the withdrawal of such consent will not affect the lawfulness of any processing taken place prior to such withdrawal.

“Every data subject shall have the right to request the controller in writing to refrain from further processing personal data relating to such a data subject, if such processing is based on the grounds specified in certain sections of the Bill, unless such grounds outweigh the rights and freedoms of the data subject guaranteed under any written law,” the draft stated.

Although the original framework had provisions for the mandatory registration of controllers, the requirement was removed in the last version. Instead, the Drafting Committee had deliberated and introduced specific and comprehensive transparency and accountability obligations on controllers.

The accountability obligations would require the controllers to implement internal controls and procedures, known as a “Data Protection Management Programme”, in order to demonstrate how it implements the data protection obligations imposed under the Act.

The Drafting Committee had also taken into account international best practices, such as the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines, Asia-Pacific Economic Cooperation (APEC) Privacy Framework, Council of Europe Data Protection Convention, European Union General Data Protection Regulation, and laws enacted in other jurisdictions such as the UK, Singapore, Australia, and Mauritius, and laws enacted in the State of California as well as the Indian Bill, when formulating the draft Legislation.