BIOMETRIC DATABASES: WHAT ARE THE LEGAL IMPLICATIONS FOR THE GHANAIAN AS A DATA SUBJECT?

Introduction
In Ghana, biometric is currently being used in the workplace for access control to sensitive areas, financial e-transactions such as the e-zwich (charge cards) and by the government for passports, national ID and hopefully to be deployed in e-voting. This article intends to look at the dangers of holding such biometric database and then bring to fore what we may have to do to protect the Ghanaian as a data subject. As much as possible this article will be limited to provoking some of the legal implications for reflection.
Biometric databases generally refer to storing digitized templates of biological information unique to an individual such as retina or iris, fingerprints, voice prints, and of face geometry which is matched with what is produced when a person physically presents herself at a reader.  There are basically two ways of storing such digitized templates, on a card which is under the control of owner (data subject) and centralized which is under the control of the one collecting the information (data controller).  
The functionality of biometrics are with respect to either verification ( a one-to-one search or comparison to determine if for instance Kofi is the same person as he claims to be and for example is entitled to enter a building or entitled to vote. Basically the biometric seeks to answer the question : "Are you who you claim to be?) and identification ( a one-to-many search or comparison to determine if Kofi’s biometric characteristics is in the central database or his biometric characteristics can be matched to a name in the database, identification seeking to answer the question: “Do I know who you are?).
The use of biometrics has become the newest jargon in Ghana and as usual thanks to politics, even the less educated  Ghanaian seems to know about biometrics. My concern is on the centralized databases used for identification and whether the politicians have considered the legal implications of what we want to get into so they put in place a legal framework to protect the ordinary citizen whose biometrical data is being fought over or just interested in how it can be used to gain political power or facilitate business.
The benefits in terms of unique identification is unquestionable but so is the downside of abuse of the database which may lead to permanent damage to our “digital persona” if clear legal guidelines are not put in place to protect such a sensitive data. Initially, yes it is for a good cause, national identification, voting and e-business but once set up there can be uses for it without boundaries. 
We must first pass the Data Protection Act to cover sensitive data such as biometrics or if not ready for the big show, pass an emergency Biometrics Act for such centralized database with respect to the collection, use, storage, retention, and destruction of biometric information else we will all be at grave risks.
The Risks and Associated legal Issues
The associated risks will depend on the functionality or purpose of the database by way of either verification or identification. It is the identification functionality that poses high risk of abuse and in my opinion should be of great concern to all of us. Once the government is collecting our biometric characteristics together with our personal details (residence, place of work, age etc) for identification purposes there is the need for the ordinary citizen’s privacy and human rights to be protected by law more so when other organizations are also collecting such information to facilitate financial transactions. Some of the risks and its associated legal issues are with respect to the following:
  • Collection of the Data
The collection of the initial data to be linked to the biometric data is most crucial. Is it possible to give my name as someone else, use his identity but link it to my finger print? What initial identity verification is going to be used? The integrity of the database will be as good as the integrity of the initial identity verification made on capturing the biometric data in the first place. Who sets the rules, when and how it must be set certainly needs some regulation
  • Privacy and Human Rights Concerns
Under Article 17, International Covenant on Civil and Political Rights 1966:         
“Everyone has the right to life, liberty and security of person” and
“No one shall be subjected to arbitrary or unlawful inference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation” and
 “Everyone has the right to the protection of the law against such interference or attacks.
Now just asking? Is it technologically possible using biometric (finger print) e-voting to know who voted for which party? If so, is it likely that one day it could be used to find out who voted what? There goes our privacy. In the traditional paper voting it is almost impossible to know who voted for a particular person but using biometric is it possible for a match to be done in seconds to know who voted for which person ?  On a lighter note, may be it will weed away those who go “chopping” monies from politicians and promising them that they will vote for them and rather end up voting for others, This will be interesting to find out! Isn’t it??  On a serious note, can you see a desperate government asking for such matching to be done to pay back certain businessmen hence wanting to know who they voted for? Or a journalist doing everything to know who Otumfuo voted for. The technologist can say this will not happen but again this is not the point. Shouldn’t we protect our privacy so such things cannot be done or if done becomes unacceptable and criminal like we culturally abhor homosexuality? Don’t you think we should have a legislation for example giving the Electoral Commission a retention period to expunge all the votes to make sure we do not have “digital footprints” that can be abused? Our safety should be enshrined legally so we can take the technologist on when their system fail.
I do know that the technology exist to decouple the identity of the voter from the vote and even encrypt the vote before processing hence eliminating the fears I have just raised but does the technology too exist to reverse all that? Ghanaians have to be told what voting technology will be used now and how it will work. It will not take a rocket scientist to perceive that the technology to be adopted will be safe or not once explained. All that is needed is to follow the logic of the architecture. This must be now and not after the biometric database has been put in place. The issue is about perception of privacy which has to be legally assured not the technology. Just what if our data becomes compromised?
  • Proportionality and Transparency  
The loss of biometric data is irreversible hence there needs to be a balance between the rights of the Ghanaian citizen by way of interfering with our private lives and the envisage benefits of the government or any private organization collecting such databases. Now granted that the benefits outway the privacy concerns by way of proportionality, what about how the data will be used. Shouldn’t there be transparency?
  • Surveillance
Certain biometrics such as retina and hand geometry need to be captured with the cooperation of the data subject but others such as facial, voice and even the most common fingerprints can be captured without the subject knowing. Shouldn’t we know why, when and how such covert collection can be made and if made what rights we as data subjects have to check such records and our right to seek correction if inaccurate data is being held?
Without biometric databases you can have a picture of people sitting in a bar and it will just be images but link it with a facial database which is linked to other databases about the individual and you can imagine what can be done with it. Even with digital finger prints holding the glass at the bar is a risk since this can easily be checked against a compromised database in seconds. A criminal can go wait for you at your house. We need a redress, a legal system to hold someone (data controller) responsible for any such compromises should it occur.
  • Reliability
Other personal data linked to biometrical data such as residential address are dynamic in nature and may need updates to maintain reliability. What rights do we have to make sure this has been done or even know the associated personal data that has been linked? Do we have the right to request for deletions, amendments or corrections? What mechanisms do we have to irreversibly destroy all existing copies of biometric data held on us once the purpose for which it was collected is no more relevant?

Way Forward
  • Protecting The Data
As  Prof' Adi Shamir a well known cryptographer puts it and I quote "The government will give you full privacy, until they want information on you."  Well, if a biometric database has to be held on us this is the least we must expect and trust the government to do for us Ghanaians due to the irreversibility of the loss of a biometric data.
If an ATM card is lost, it can be canceled and a new one issued, making the old card not useable. Try canceling your fingerprints (not possible) and you will realize why we need an omnibus Data Protection Act (DPA) now more than ever.  In my opinion, the trust in the government can only be demonstrated by way of an omnibus DPA covering both personal and sensitive data. Basically a DPA will address the following principles, that data held on us must:
                                i.            be obtained and processed fairly,
                              ii.            be complete and accurate and, where necessary, kept up to date,
                            iii.            have been obtained for specified or explicit and legitimate purposes ,
                            iv.            not be further processed in a manner incompatible with the original purpose(s) ,
                              v.            be adequate, relevant and not be kept for longer than it is needed,
                            vi.            be retained subject to appropriate security measures against unauthorised access, and 
                          vii.            be processed in accordance with the rights of data subjects.

In recent times countries such as  Korea, USA, Russia etc who do have existing laws regarding data protection are even enacting new laws to cater for the limitation of their DPA in covering other forms of “sensitive data” such as biometrics data, in light of the challenges of new technologies. The European Commission has also announced strategies for revising the EU Data protection rules for the same reasons.
I only hope that when Ghana decides to have a DPA we will not start from where others are moving away from but leap frog with them. Any already drafted bill may be out of date with current trends and need amendments else by the time it is passed it may not be that useful for the biometric technology.
Is it remotely possible that some “invincible hands” wanting information on those of us living in Africa for their home security are not so keen in promoting the protection of our data especially with respect to trans-border data flows but much more interested in we passing a Freedom of Information Act so they can have more access in a weak data protection environment (data haven) ?  In any case why blame “invincible hands”, of course they have to do what is in their interest but what are we Ghanaians doing to protect our own citizens.  
As far back in 1998 in the US, the congress held hearings on the topic “Biometrics and the future of money”. Similarly, our legislators should hold hearings for such new technologies to be introduced. It is imperative to start getting the technocrats to discuss  what Ghana will be looking like with respect to the social impact of ICT on different sectors of our economy 10 years from now (especially financial services, the most innovative sector for ICT) and then envisage what legislation will be required to not only support it but make it safe. Our legislators are not really supposed to know the technologies but with these interactions will have to be intelligent with the impact and implications.
In my opinion, the way to go about it is to first ignore the legal implications and impact of the deployment of the technologies in other jurisdictions and do our own analysis. Secondly, we can then go find out how others have resolved our fears (no point reinventing the wheel) from our own analysis and those that they have not we resolve them ourselves because they would have no solutions to what they have not envisaged and thirdly, consider what they have thought of that we did not and adapt. If we just go copying and pasting, we will only update our legislation when those we copy from get theirs updated amidst new revelations because we are not thinking for ourselves.   
·         Rights of Data Subjects
For the private sector, assuming you decided to hand over your e-zwich card to your bank, you should as a data subject be able to insist that the biometric data collected is permanently expunged from the database with GhiPPS (Ghana Interbank Payment and Settlement Systems). Also we should be able to insist that private institutions collecting biometric data make available to the public their internal policy on protection, use and retention of such sensitive data. There should be something protecting data subjects and not just allow anybody to collect such sensitive information for enhancing either their internal security, develop products or improve their service.
For the public sector, uses should be explicit, redress for breaches should be transparent and an independent authority must be made to ensure that the rights of the data subject as enshrined in any DPA is not compromised.


·         Function creep
This is where a technology is introduced to do one popular cool thing (function) but later used to do other may be unpopular, un-cool things (functions), meaning the original function has “crept” into another unrelated function. These could be both planned and unplanned and with the way the world is going one can never tell whether the actual function of the need for our biometrics is the voting or some “invincible hand” is telling us that it is the way to go which looks credible on the face of it and ready to fund it but later collect it for other reasons.
Unfortunately both our two strong political parties are for it so I guess we have no choice but my point is let us protect it with legislation now. Especially for our friends in the Diaspora who have no “papers” and oblivious of the implications of a function creep, in the name of emotional politics and wanting to kick out a party or maintain a party will suffer one day when “big brother” says “if I do not get a copy of your database you used for voting I will not give you aid”. This time unlike homosexuality, this does not seem to affect our culture so you can imagine what the response may be. Lets fight to protect it, “Hmmmmm!!! yoooooooo!!!!”. 
 If the politicians want to use it, well they should but they must assure us (not verbally) that we are safe by passing the law. After all that is what they as legislators should be doing and  is it too much to ask from them?  In any case, what is the risk for the ordinary man on the street if his biometric is not protected and compromised, it is the politicians and “significant others” who will suffer most anyway. What use will blackmailing the groundnut seller be?
Link a few seemingly harmless independent biometric databases from financial (ezwich) to political (voters register) and to a database such as the census database as well as information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health and lace it with google mapping of our houses and see what dangerous cross breed or cocktail of databases you have created. For fraud detection and national security this might sound interesting but that for me is not the point. Our “digital persona” as data subjects must be protected before we create a digital monster that cannot be controlled or killed.
How did the banks for example get access to the Electoral Commission’s database of  registered voters to do verification of identity for financial transactions? Yes,it is good to detect fraud but was it part of the original plan of collecting our information electronically or a “function creep..  Will they likewise give access to the biometric database to international bodies in the name of fighting crime and terrorism? If yes, lets all agree by way of legislation on how the database should be used so we take informed decision and if no let it be enshrined in law. After all that is our individual right.     
Conclusion
The IT guys will always want to look at the efficiency and “coolness” of applying technologies and playing on the benefits to the organization (private or government) without necessarily considering the security of the data subject. It is the responsibility of the managers, administrators and legislators to ask informed questions concerning the technology being used to protect the individual Ghanaian. Yes, technology can always be said to move faster than the law but we in Ghana have no excuse because the technology has moved from somewhere where the law has caught up with it so what stops us from moving the two at the same time or even moving the law to wait for the technology.
I have no doubt whatsoever that the use of biometrics identifiers may eventually make the Ghanaian society safer and possibly enhance our privacy in certain ways but like firearms that people legitimately buy and license to protect themselves, others also illegally acquire them for armed robbery and killing innocent people. We need a composite Data Protection Act incorporating a Data Protection Authority now to protect all databases holding personal and sensitive data (including biometrics) as well as cross-border data flows or in the least a specific Biometric Act before things get out of hand with the biometric information being held on Ghanaians by both the private and public institutions.
The data controllers must be checked regarding the acquisition, storage and exchange of sensitive data in the form of biometrics and I cannot agree more with the fact that once technology is accepted especially with respect to biometric databases it is difficult to limit its unintended consequences and the time to address it is now.

Comments

Post a Comment

Popular posts from this blog

LEGAL ISSUES IN E-COMMERCE WEBSITE DEVELOPING IN GHANA: OWNER BEWARE

Introduction Website presence in the new global village will become a “sine qua non” in conducting business if Ghanaians want to take advantage of the digital platform.   The first point of call in wanting to do this is to approach a website designer with some ideas on how you want the site to look like and the features you expect to see. Design functionality and aesthetics most invariably are the issues the developer becomes pre-occupied with but there are legal issues to contend with especially more so when the website is accessible to anybody, anywhere and at anytime. The Electronic Transactions Act 2008(Act 772) however gives directions as to how website developers can resolve these legal issues. I intend to raise the legal issues in website designing and attempt to give some indications as to what functionalities and best practice may be needed to satisfy the law   Legal Issues in Trading Through A Website There are a lot of legal considerations when designing a website and th
Read more

IMPLEMENTING THE FREEDOM OF INFORMATION ACT: ARE WE EXPECTING TOO MUCH TOO SOON?

INTRODUCTION Information flow between government and its citizens was deemed by Rt Hon Jack Straw (a UK MP) to not only empower the people but to promote a “vigorous and robust democracy”.   The Right to Information Act, 2019   except under certain exemptions is intended to give the public the “right to know” the type of information held by public bodies. It is an attempt for “greater transparency, accountability and engagement” in government business and should “transform the culture of Government from one of secrecy to one of openness ” . In the UK for example, it led to the resignation by Michael Burgess as coroner for the late lady Diana’s inquest; it led to the disclosure of detailed breakdown of MPs travel expenses after an initial plan by ministers to exempt such disclosure; it led to World Development Movement (WDM) getting information relating to the biggest carbon dioxide polluters in the UK which before the Act would not have been readily available. There is the argu
Read more

ELECTRONIC SIGNATURES AND DIGITAL SIGNATURES: HAS GHANA GOTTEN IT MIXED UP UNDER THE ELECTRONIC TRANSACTIONS ACT 2008 (ACT772)?

INTRODUCTION In my opinion there is a distinction between an “electronic signature” and a “digital signature” and I stand to be corrected but Act 772 seems to be referring to “electronic signatures” whilst talking about “digital signatures” or vice versa and this gets me confused. My understanding of “electronic signature” is that it is data in electronic form which can be attached to, or logically associated with other electronic data and which serve as a method of authentication. This therefore means that the following may fall under electronic signatures: A hand signed signature in ink, scanned and electronically delivered Electronically typed (Computer) signature and electronically delivered An electronic typed name and electronically delivered An electronic symbol that is electronically delivered The above attached to an electronic document may not be a safe way of authenticating a document but acceptable as long as the signatory accepts having signed the document. After a
Read more