ROPAA & BIOMETRIC DATABASE: RIGHT TO VOTE AND RIGHT TO BE LEFT ALONE; IS THERE ANY UNINTENDED DOWNSIDE TO THE DATA SUBJECT IN THE DIASPORA?


Introduction

As the world keeps on evolving especially with the age of technological advancement, there is the need for the citizenry to become well-informed about this dynamism in all aspects of their affairs particularly when it comes to matters of biometric database.

Biometric databases generally refers to storing digitized templates of biological information unique to an individual such as retina or iris, fingerprints, voice prints, and of face geometry which is matched with what is produced when a person physically presents herself as a reader.  There are basically two ways of storing such digitized templates, on a card which is under the control of owner (data subject) and centralized which is under the control of the one collecting the information (data controller). 

Although the benefit of biometric database is unquestionable, there is the downside of abuse of the database. Once it is set up, there can be uses for it without boundaries. The functionality of the biometrics are with respect to either verification (a one-to-one search or comparison to determine if Anokye is who he claims to be and for this whether he is entitled to enter a building or entitled to vote, thereby seeking to answer the question : Are you who you claim to be?) and identification (a one-to-many search or comparison to determine if Anokye’s biometric characteristics is in the central database or his biometric characteristics collected independently can be matched to a name in the database, thereby seeking to answer the question: Do I know who you are?).

In an article I wrote in 2011, I looked at the general risks in holding biometric database and what we can do to legally protect them. This time I intend to look at the unintended dangers of what is called function creep as the Electoral Commission (EC) in particular holds such biometric database for registering those of us in the diaspora for the good course of our right to vote.
Function creep is where a technology is introduced to do one popular cool thing (function) but later used to do other things which may be unpopular un-cool things (functions), meaning the original function has “crept” into another unrelated function. These could be both planned and unplanned and with the way the world is going one can never tell whether the actual function of the need for our biometrics is the voting as in the Representation of the Peoples Amendment Act (ROPAA) or some “invincible hand” is telling us that it is the way to go which looks credible on the face of it and harmless hence ready to even fund it but later collect data for other reasons.

Unintended Risks in Implementation of ROPAA

Fortunately, our two strong political parties want those of us in the diaspora to be voting as part of our Constitutional and Fundamental Human Right so I guess we have no choice but to allow our biometrics to be collected. How secured is the centralized database which is to be held by the EC for those of us in the Diaspora; especially those of us who have no “papers” (legal documents to live in abroad) and are oblivious of the unintended implications. For us in the name of emotional politics which makes us want to either kick out a party or maintain a party, this makes us focus on only the positive aspects of this process forgetting that, there is a possibility that;  just “one day one day” we may suffer when  “the big brothers” says “if they do not get a copy of the database used for the ROPAA voting they will not give Ghana aid or threaten to stop certain on-going projects that is really executing a ruling party’s manifesto”. Hmmmmm, I wonder what a ruling government’s response may be. Would we even know if the database has been compromised?  “Hmmmmm!!! yoooooooo!!!!”.

If the politicians want those of us in the diaspora to vote, they should assure us that we will be safe and protected. One may ask the important question of where will the databases be kept? If in the foreign countries, do they have Data Protection Laws; will our EC register under their law? If it is to be kept in Ghana, has the EC considered issues to do with trans-border dataflow regulations?  How strong is our Data Protection Authority to stop or sanction the EC should there be any function creep?   
We also must consider that some of us in the diaspora do not work with our real names, hence we use pseudo names. Link a seemingly harmless independent biometric databases of a voters register to an immigration database or a finger print collected at our work place for whatever purpose and lace it with google mapping of our houses (digital address to be used for the Ghana card if those in the diaspora must also produce it) and see what dangerous cross breed or cocktail of databases we have created. For immigration related issues this might sound interesting for “big brother”. Our “digital persona” as data subjects must be protected before we create a digital monster that cannot be controlled or killed.

Once the EC is collecting our biometric characteristics together with our personal details (residence, place of work, age etc) for identification purposes there is the need for our right to privacy or “right to be left alone” (also our human rights) to be protected. For example; I go to a bar, crime is committed after I have left, when finger prints are taken on the glasses at the bar, it is suspected that some Ghanaians are involved, “Big Brother” may find a way to get access to a compromised ROPAA biometric voters register for an identification and if it matches my name, even if I was not at the crime scene when it was committed, my home may be invaded since it was easy for them to track using that database. If I have papers no problem but just in case I do not have “wahala”. Even if I have, imagine the inconvenience of being part of investigations and the embarrassment and possible effect on my employers. Now what if there is someone living with me who does not have “papers” but working and remitting funds home.  

This is worrying and all that is needed legal and political assurance. Basically, data protection principles require that data collected must:
                                i.            be obtained and processed fairly,
                              ii.            have been obtained for specified or explicit and legitimate purposes ,
                      iii.            not be further processed in a manner incompatible with that purpose or those purposes,
                         iv.            be retained subject to appropriate security measures against unauthorized access, and 
                           v.            be processed in accordance with the rights of data subjects.

Now how can the EC legally and technologically (both physical and virtual) assure those of us going to register with our biometric in the diaspora that they have the capacity to abide by the data protection principles and what can the Data Protection Authority do to also assure us that they have our backs.
Who for example gave the Electoral Commission the right to give access to our voters register to the banks to do verification for financial transactions? It is good to detect fraud but was it part of the original plan of collecting our information electronically or a “function creep”. In filling the forms were we told?  Will they likewise give access to the biometric database to international bodies in the name of fighting crime and terrorism? If yes, let us all agree by way of legislation on how the biometric database should be used so we take informed decision. After all that is our individual right. Aloooo!      

Conclusion

The IT guys will always want to look at the efficiency and “coolness” of applying technologies and playing on the benefits to the organization (private or government) without necessarily considering the security of the data subject. It is the responsibility of the managers, administrators and legislators to ask informed questions concerning the technology being used to protect the individual Ghanaian.
I have no doubt whatsoever that the use of biometrics identifiers may eventually make society safer and possibly enhance our privacy in certain ways but like firearms that people legitimately buy and license to protect themselves, others also illegally acquire them for armed robbery and killing innocent people.

Whether we like it or not, it is the inward remittances of those in the diaspora that is sustaining and supplementing most family incomes here in Ghana. Yes they have the right to vote and they also have the right to be left alone by way of their privacy from any “invisible Big Brother” lurking around in the name of helping us to deepen our democracy to later economically cripple our source of inward remittances in the name of protecting their economy and citizens for whatever reason.

The EC as a data controller must be checked regarding the acquisition, storage and possible exchange of sensitive data in the form of biometric database to be held on those of us in the diaspora. How many votes “koraaaa” will the two major political parties add to their domestic votes to want to risk a potentially unknown function creep of capturing the biometrics of Ghanaians in the diaspora. We are doing “Big Brothers’” job. He will come for it. One day He can pass a law that a copy of all databases held on people living in His country be kept with Him. Not impossible. What is the net benefit of the Right to Vote (political benefit) with the Right to be Left Alone ( economic benefit)? Time will tell.

People, lets Shine Our Eyes as they say.


The author Dr. Kofi Anokye Owusu-Darko, holds an EMBA (IT Management) and an LLM (IT & Telecommunication). Email: kofianokye18@gmail.com or visit kofianokye.blogspot.com


Comments

Post a Comment

Popular posts from this blog

LEGAL ISSUES IN E-COMMERCE WEBSITE DEVELOPING IN GHANA: OWNER BEWARE

Introduction Website presence in the new global village will become a “sine qua non” in conducting business if Ghanaians want to take advantage of the digital platform.   The first point of call in wanting to do this is to approach a website designer with some ideas on how you want the site to look like and the features you expect to see. Design functionality and aesthetics most invariably are the issues the developer becomes pre-occupied with but there are legal issues to contend with especially more so when the website is accessible to anybody, anywhere and at anytime. The Electronic Transactions Act 2008(Act 772) however gives directions as to how website developers can resolve these legal issues. I intend to raise the legal issues in website designing and attempt to give some indications as to what functionalities and best practice may be needed to satisfy the law   Legal Issues in Trading Through A Website There are a lot of legal considerations when designing a website and th
Read more

IMPLEMENTING THE FREEDOM OF INFORMATION ACT: ARE WE EXPECTING TOO MUCH TOO SOON?

INTRODUCTION Information flow between government and its citizens was deemed by Rt Hon Jack Straw (a UK MP) to not only empower the people but to promote a “vigorous and robust democracy”.   The Right to Information Act, 2019   except under certain exemptions is intended to give the public the “right to know” the type of information held by public bodies. It is an attempt for “greater transparency, accountability and engagement” in government business and should “transform the culture of Government from one of secrecy to one of openness ” . In the UK for example, it led to the resignation by Michael Burgess as coroner for the late lady Diana’s inquest; it led to the disclosure of detailed breakdown of MPs travel expenses after an initial plan by ministers to exempt such disclosure; it led to World Development Movement (WDM) getting information relating to the biggest carbon dioxide polluters in the UK which before the Act would not have been readily available. There is the argu
Read more

ELECTRONIC SIGNATURES AND DIGITAL SIGNATURES: HAS GHANA GOTTEN IT MIXED UP UNDER THE ELECTRONIC TRANSACTIONS ACT 2008 (ACT772)?

INTRODUCTION In my opinion there is a distinction between an “electronic signature” and a “digital signature” and I stand to be corrected but Act 772 seems to be referring to “electronic signatures” whilst talking about “digital signatures” or vice versa and this gets me confused. My understanding of “electronic signature” is that it is data in electronic form which can be attached to, or logically associated with other electronic data and which serve as a method of authentication. This therefore means that the following may fall under electronic signatures: A hand signed signature in ink, scanned and electronically delivered Electronically typed (Computer) signature and electronically delivered An electronic typed name and electronically delivered An electronic symbol that is electronically delivered The above attached to an electronic document may not be a safe way of authenticating a document but acceptable as long as the signatory accepts having signed the document. After a
Read more