Finally, the national identity card scheme is set to take off in September 2017 with the beginning of issuance of cards to citizens who have registered onto the scheme. This is a positive development considering how this scheme will go a long way to promote economic, political and social activities in the country, by formalising the Ghanaian economy.
The scheme with all its positive intents and purposes, however raises some potential data security and privacy challenges which need to be looked at critically by government and the entities engaged to deliver the national database, and also issue out ID cards.
First of all, any ID infrastructure requires the existence of a central database. This will have an immense database of personal and sensitive data of all citizens registered. The breakdown of this data includes biometric and other critical data. In the Ghanaian instance it looks like the databases of several entities such as Driver and Vehicle Licensing Authority (DVLA), Ghana Revenue Authority (GRA), National Health Insurance Scheme (NHIS), Social Security and National Insurance Trust (SSNIT) and the Ghana Police Service will be utilised to form the core of this central database.
The potential security and privacy encroachments are enormous such that when this central database, whether compromised by outside hackers or the many insiders trusted to work with such data, leaves critical citizens data in the hands of untrusted and malicious actors. This compromised data can be used in a myriad of negative ways such as fraud, targeted telemarketing, etc. — and this goes to impact on the security and privacy of the citizen’s data compromised.
Some of the pertinent questions regarding the security of this data includes location of storage; in Ghana or outside, are there security regulations (e.g. ISO27001) in place in the datacentres where the data will be stored, who has access to the data, what precautions are in place against misuse of the data, etc.
A second challenge worth noting is the possibility of the private sector to exploit the national ID system to invade privacy. If the private sector would be allowed not only to rely on the information on the face of the ID card but also scan or swipe it when a citizen presents their card during the provision of service, this enables the service provider to collect personal data on customers. How this customer data would be processed and stored is not known if they are not registered either as a data processor or controller with the Data Protection Commission of Ghana.
Relating to the above challenge is also a challenge around the possible use of the national ID scheme by the government as a surveillance system that creates risks to privacy and anonymity. Basically this puts citizens in a place where they contribute in their own surveillance and social control.
Another problem is the ID card itself. How assured are we that the cards would be unforgeable? Even if to assume they are unforgeable, how about the worse case of people legitimately acquiring national ID cards with fraudulent names or identities?
The requirements for a national ID system is essential, however are the security safeguards contained in the National Identification Legislation enough to provide protection for the citizenry?
Looking at the poor data keeping and security culture within government and most of private sector, calls for tougher sanctions against people who allow lose or misuse of information is encouraged. With the rapid evolving of the cyber security landscape currently even with improvements, breaches of databases will be inevitable, but measures to ensure that such problems are dealt with swiftly must also be adequate by all security standards necessary.
Name: Hector Dotse
Speciality: Technology Security Assurance Specialist