I ‘m quite sure it _IS_ the intention, at least in some quarters

· You might like to point out to readers that the first substantive treatment of this issue was in the much maligned LSE report (it was in the 1st report of March 2005 – http://www.csrc.lse.ac.uk/idcard/InterimReport.pdf pp.60-65 – recommend read the whole thing)

o “From the point of view of protection of the individual, the audit trail of Register access events, of which they are not aware or for which their consent is not required, should be maintained for a sufficient period to allow redress of abuse, but there is no such compelling reason in the interest of the individual to retain a trail of consented/aware access events indefinitely. The design implications of fixing this problem are relatively simple. There is no technological reason why an individual should not exercise their right of subject access to their audit trail by periodically “downloading” a copy to a personal computer from an online portal to the Register provided for this purpose. The evidential integrity of this audit trail data could be guaranteed by certifying it with a digital signature affixed by the Register, (in accordance with the Electronic Communications Act 2000). There is then no necessity to require the Register to maintain an original copy of the data, and it could be deleted if the individual wishes. Of course the Register would create a new audit trail from that time going forward, until again downloaded and deleted. Any subsequent claim and investigation of abuse could rely on audit data in the individual’s custody (and if necessary cross-checked with decentralised secondary records held by public or private organisations empowered to make use of the Register).

o It may be argued that it would be useful for the Register to keep a copy of the trail in case the behaviour/whereabouts/activities of the individual subsequently needed to be investigated for some official purpose. But such retention would need to be justifiable under the provisions of the Data Protection Act and ECHR Article 8 tests of necessity and proportionality.

o It may also be argued that the idea of downloading and then erasing trails of the consented/aware events will only be of interest to an technophile elite, but the design and operation principles established through primary legislation should be durable, and it is only in the past decade that most people have had access to personal computers and the Internet.

o There is therefore overall a strong case for differentiating between audit trails events pertaining to Register access and identity verification of which the user is aware or to which they have consented, and other types of event. It is not in the interests of the individual for a comprehensive trail to be retained indefinitely – the cumulative threat to privacy will at some point outweigh the risk of ancient abuse claims incapable of pursuit. Furthermore the Investigatory Powers Tribunal imposes a one year time-limit on their acceptance of complaints, which would apply equally in relation to complaints about the conduct of Agencies in relation to the ID scheme. At any rate, the residue of trails left after deletion of consented/aware events (at the individual’s discretion) would logically be those occasions when the Register was checked without the knowledge or permission of the individual. The former category constitutes a dossier of life events and behaviour about the individual and is therefore highly privacy-invasive, but the latter are predominantly information about the behaviour of organisations using and accessing the Register. There is thus a compelling rationale to distinguish and clearly separate requirements and policies for the recording of these two types of events in any audit trail.”

· Read Amendment 33 debate at http://www.publications.parliament.uk/pa/ld200506/ldhansrd/vo060116/text/60116-31.htm – the govt. had the opportunity to defuse this issue completely, but they rejected the amendment. Here’s the WIBBI

o Lord Phillips

§ What the amendment seeks to do is, in its first part, relatively simple. It says that there must be two consents if there is to be a data trail captured on our file in the national identity register. The first consent, under Clause 14, will be for use of our card to verify our identity. Fine, no problem; but there must be a second consent which must be given at the time when the card is used—and I am assured by those who know much more about this than I do, including the noble Earl, Lord Erroll, that it is relatively straightforward. On every occasion on which the card is used for identification purposes, there would be a button to be pressed which would consent to the storing of the information as to the circumstances of use of the card—the audit trail information. We say that in order to satisfy the concerns of the committees I have mentioned, the Information Commissioner and indeed our views on all this—and I think I speak for

16 Jan 2006 : Column 534

the Conservative Benches as well—we can deal with it by the amendment given here, which would require at least a double consent: one consent for the verification, but a second consent for the capture of the audit trail information.

§ The second part of the amendment, paragraph (b), is almost counter-intuitive: when our information is being accessed by, for example, the security authorities or the police, then they shall record the occasion of accessing our data, because that will not be an occasion to which we have consented. If the Government are inclined to say, “We can’t have that, because it would blow apart the security operation or police operation, because it would allow us to require under the Data Protection Act the details of the accessing of that information”, the answer is that there are many protections under the Data Protection Act 1998, particularly Sections 28 and 29, the first of which exempts national security information and the second of which exempts from disclosure information that would be prejudicial to the prevention or detection of crime.

Ms Kennedy, you write:

“WIBBI every effort was made from now on to remove from citizens’ minds any reason to suppose that the govt could be interested in setting up a system with the capability to track indidvidual purchases like this and hold that data in a personally identifiable way.”

WIBBI the legislation was amended so that such a system could not be setup without primary legislation.

WIBBI the public was made aware of all the public sector databases, how they could be tied together into a meta-database by the National Identity Register, what uses could be made of this (such as tracking alchohol purchases), and whether this is a road that we want to go down as a society.

Absolutely agree, UK Liberty!

It’s actually a different, but just as interesting, story behind this. The machine shown in the picture is nothing to do with ID card or any description, euro or otherwise. The German e-purse Gledkarte had no traction in the marketplace, so they came up with the idea of making it compulsory in cigarette and alcohol vending (on the grounds that children could buy booze and fags with cash, but not with the e-purse) and persuaded the government to pass the relevant legislation. So now, even if you want to buy fags with cash in a German machine, so still have to present your Geldkarte (almost everyone in Germany has the Geldkarte application on their bank card — this is the “ec card” mentioned in the picture) first.

Mr Birch, thank you for that information. Is the GeldKarte similar to a pre-pay Oyster card in that you can ‘load’ it with money?

Yes, it is. See http://www.geldkarte.de/_www/en/pub/geldkarte/geldkarte_users.php

I agree, Ruth, and I’m pretty sure that information is not only stored in your personal purchasing history, but it could be used against you any time it would be necessary, and I’m talking police records and taxes here.