Mauritius National Identity Card Central Population Database

29 November 2015 by S. Moonesamy

Central Population Database

In 1998, the National Information Technology Committee prepared a deployment planning report for the Mauritius National identity Card (MNIC) project. According to the report, one of key initiatives was to develop a Central Population Database. The vision was that the Central Population Database would pave the way for various applications "dealing with common people information". The rationale for having a centralized database was that it would be easier to maintain one repository of accurate information about citizen records from their creation up to termination. The report does not mention privacy.

Fingerprints retention

One of the controversial aspects of the Central Population Database was the retention of the fingerprints of the citizens of Mauritius in a central location. In a Supreme Court of Mauritius judgement (2015 SCJ 177), it was determined that "fingerprints are collected and retained to allow identity authentication and to prevent usurpation of identity". The judgement discussed about the right to privacy by stating that "as opposed to those countries where the right to privacy or the respect for one’s private life is constitutionally entrenched, in Mauritius the right to privacy is not provided for in the Constitution, but in article 22 of the Civil Code" and that "it is also secured through the Data Protection Act". It was also stated that "the coercive taking of fingerprints from the fingers of a person and the extracting of its minutiae would thus clearly fall within the scope of the protection afforded to the integrity and privacy of the person under Section 9(1) of the Constitution". One of the conclusions in the judgement was that "the provisions in the National Identity Card Act and the Data Protection Act for the storage and retention of fingerprints and other personal biometric data collected for the purpose of the biometric identity card of a citizen of Mauritius are unconstitutional".

The retention of fingerprints on a large scale is a security nightmare as fingerprints are immutable characteristics of a person. It is not possible for the person to change that "information" if the Central Population Database is compromised. It could be argued that having a database of fingerprints would allow for the quick identification of criminals. The counterargument is that it is trivial for a burglar to foil that type of identification by wearing gloves.

Facial image retention

It is common to recognize another person by looking at person's face. One of the identity documents used in Mauritius is the National Identity Card; it contains a photograph. A person can verify the identity of another person by looking at that photograph and comparing it with the face of the holder of the National Identity Card. The facial image of the citizen is also stored in the Central Population Database. There wasn't much discussion about the storage of facial images in the two Supreme Court judgements (2015 SCJ 177 and 2015 SCJ 178) about privacy concerns in respect to the National Identity Card.

Privacy

According to the Data Protection Commissioner, "developing countries are emerging as some of the world’s worst privacy violators: spying on their citizens, conducting extensive surveillance without a legal basis, actively censoring the internet, and failing to protect the privacy of personal data and digital communications". It was also stated that "Governments also collect and share excessive amounts of personal data in the name of development, security and the modernisation of public administration". The Central Population Database could be viewed as a case of modernisation of public administration in Mauritius.

The Data Protection Act 2004 came into operation on 16 February 2009. According to a report of the Centre de Recherche Informatique et Droit (CRID) of the University of Namur, Belgium, the "Mauritian Data Protection Act contains (too) many examples of poor drafting and contradictions. Although inspired from other Acts (e.g. the UK Act), the ideas that were taken up have very often been misunderstood or too broadly interpreted at the time of including them into the Act. As a result, many parts are difficult to understand sometimes even have no sense-or are difficult or even impossible to apply ..." In October 2014, the Republic of Mauritius expressed its wish to accede to Convention 108 of the Council of Europe. In an opinion, the Consultative Committee of Convention 108 (T-PD) noted that the scope for exemptions for national security in the Data Protection Act appears broader than the one required by Convention 108. It was also noted that the modalities for the designation of the Data Protection Commissioner may need some clarifications on whether or not the Data Protection Commissioner "can receive instructions, which would prevent her or him to act in complete independence".

According to a news report published on 16 July 2014 on www.lexpress.mu, the birth certificate of a person requesting the new version of the National Identity Card is compared against the birth certificate database of the Civil Status Office; however, in his testimony, the data controller of the Civil Status Office, who is the Registrar of Civil Status, stated that the personal data of an individual cannot be accessed without a court order or without the person's consent except in exceptional circumstances. According to a news article published on www.lemauricien.com on 17 July 2014, the Project Manager and Head of Operations of the Mauritius National Identity Card testified that he wasn't fully conversant with the Data Protection Act.

Conclusion

On one hand, having a central repository of information about citizens, such as a Central Population Database, facilitates the provisioning of social, education, health, and other public services. On the other hand, if the Central Population Database contains the facial images of the the population of Mauritius, it could be enhanced with a face recognition system for surveillance purposes. The broad scope for exceptions in the Data Protection Act 2004 and the lack of understanding of the privacy impact of a Central Population Database are far from reassuring. The blanket collection of fingerprints raises the question of whether the technology was used as a matter of convenience or whether there has been some research to find a less unseemly means to verify the identity of a citizen. According to a news article published on defimedia.info on 27 November, it took 25 years for a citizen to get the Civil Status Office to amend his name which was written incorrectly on a copy of his birth certificate. It would be even more onerous for a person to prove his or her identity if the person's fingerprints do not match the fingerprints on record in a Central Population Database.

1. http://s3.amazonaws.com/zanran_storage/www.gov.mu/ContentPages/643647517.pdf, "Mauritius National Identity Card Project: Deployment Planning Report", National Information Technology Committee, 1998

2. https://www.opm.gov/news/releases/2015/09/cyber-statement-923/, "Statement by OPM Press Secretary", United States Office of Personnel Management, September 2015

3. http://www.privacyconference2014.org/media/17061/Plenary3-Mrs-Madhub-Privacy-and-Data-Protection.pptx, "Privacy and Data Protection in the Developing World", Data Protection Commissioner, October 2014

4. "Analysis of the Adequacy of the Protection of Personal Data provided in Mauritius", Centre de Recherche Informatique et Droit (CRID) of the University of Namur

5. https://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282014%2910%20Draft%20Opinion%20on%20the%20accession%20of%20Mauritius.pdf, "Draft opinion on the request for the accession of the Government of Mauritius", Consultative Committee of the Convention for the Protection of Individuals with regards to automatic processing of personal data (T-PD), November 2014