Questions remain over ID cards data

The government is pushing on with its identity cards plan, sustained by a constant stream of rhetoric about terrorism, immigration and identity fraud.

This makes a review of its database policy, and hard questions about the practicality of the scheme, more important than ever.

The discussions fuelled by the publication of the government's draft ID cards Bill this week are focusing on biometric technology and civil liberties, but glossing over the issue most critical to the scheme's success - the database.

The Home Office plans to build the National Identity Register from scratch, at a cost of around £183m, to create a 'gold standard' of identity and avoid the data quality issues facing other government databases such as those run by the Passport Agency and the DVLA.

Computing's Data Debate campaign is calling for a review of the government's multiple, overlapping database projects to avoid confusion, wasted money and future data protection issues.

The Home Secretary talks of a 'new clean' database for ID cards as if that answers all the questions.

Creating a new system is not a problem. But maintaining the reliability of that data presents challenges never yet met by a public sector database and the newly-collected information will be accurate only until one person out of the UK's 40 million adults moves house, or marries and changes their name.

'You can take all the problems they have with the current databases like the DVLA and multiply them several times over to understand the complexity of this database,' said Liberal Democrat IT spokesman Richard Allan.

'There is no reason that just because it is starting from scratch it will be any more accurate than any other system, and the risks inherent in getting it wrong are potentially far more serious,' he said.

The list of personal information to be held on the register has already grown significantly since it was first discussed late last year. Originally it was to hold a name, date of birth, biometric and unique number. But possible additions listed in the draft Bill include present and past addresses, reference numbers such as National Insurance, and security information such as a PIN.

It is not clear how the new register will avoid the problems plaguing other major public sector databases, says IT security expert Peter Sommer.

'ID cards has all the standard indicators of a large-scale computer disaster - all the signs that this will cost huge sums of money and is not going to deliver are already present,' he said.

'What is bizarre is that the area of most experimentation is looking at the effectiveness of biometric techniques when the area we need to look at is how to maintain a very, very large database holding very sensitive information.'

The government appears unwilling to recognise the importance of the database, says Eric Woods, government practice director at analyst Ovum.

'I am aghast that the database issues aren't being addressed because they are absolutely critical and can't be seen as a secondary technical issue.The government has to take a broader view both for the ID cards scheme and the links to various other initiatives such as the NHS plan for electronic patient records,' he said.

Suppliers say the scheme is technically feasible.

'The challenge will be the change management - modifying business processes to be able to accommodate 40 million people having to show up in person,' said Carl Gohringer, business development manager at fingerprint technology specialists NEC UK.

John Newton, government consultant for Fujitsu Consulting said: 'The interesting thing will be how the process is going to work because it needs 40 million people securely registered to a gold standard and the ability to manage it as changes take place in people's lives. But if we can get those things right there's no reason the scheme shouldn't work.'

According to the timescales set out in the draft Bill, the procurement will start in 2005, to be concluded in 2006, implementation will run from 2006-7 and the first cards will be issued towards the end of 2007 or early 2008.

Passport Agency biometric trials

The UK Passport Agency (UKPS) trials starting this week will use 10,000 volunteers across the country to test the practicalities of biometric technology, the enrolment process and the creation of a database for both one-to-one and one-to-many verification.

UKPS is already planning the introduction of passports carrying a facial recognition biometric from mid-2005. The new pilot will test the enrolment of fingerprint and iris data as a possible secondary biometric for inclusion on upgraded passports.

The pilot feeds into the ID cards scheme because the government plans for the majority of citizens' ID cards to be incorporated into one of a range of biometric documents, such as passports and driving licences. Only citizens without a passport or driving licence will obtain a specific 'plain' ID card.

The objectives of the UKPS pilot include:

• testing the use of biometrics
• measuring the process time and estimate costs
• assessing customer perceptions and reactions
• assessing the practical aspects of creating a biometric database
• trialling the use of biometrics to prevent duplicate identities
• identifying risks and producing an outline implementation plan.

Volunteers for the scheme will register their biometric details and receive a demonstrator smart card carrying printed details and electronic information on a chip.