This is a positive development considering how this scheme will go a long way to promote economic, political and social activities in the country, by formalising the Ghanaian economy.

The scheme with all its positive intents and purposes, however raises some potential data security and privacy challenges which need to be looked at critically by government and the entities engaged to deliver the national database, and also issue out ID cards.

First of all, any ID infrastructure requires the existence of a central database.

This will have an immense database of personal and sensitive data of all citizens registered.

The breakdown of this data includes biometric and other critical data. In the Ghanaian instance it looks like the databases of several entities such as Driver and Vehicle Licensing Authority (DVLA), Ghana Revenue Authority (GRA), National Health Insurance Scheme (NHIS), Social Security and National Insurance Trust (SSNIT) and the Ghana Police Service will be utilised to form the core of this central database.

The potential security and privacy encroachments are enormous such that when this central database, whether compromised by outside hackers or the many insiders trusted to work with such data, leaves critical citizens data in the hands of untrusted and malicious actors.

This compromised data can be used in a myriad of negative ways such as fraud, targeted telemarketing, etc. — and this goes to impact on the security and privacy of the citizen’s data compromised.

Some of the pertinent questions regarding the security of this data includes location of storage; in Ghana or outside, are there security regulations (e.g. ISO27001) in place in the datacentres where the data will be stored, who has access to the data, what precautions are in place against misuse of the data, etc.

A second challenge worth noting is the possibility of the private sector to exploit the national ID system to invade privacy. If the private sector would be allowed not only to rely on the information on the face of the ID card but also scan or swipe it when a citizen presents their card during the provision of service, this enables the service provider to collect personal data on customers. How this customer data would be processed and stored is not known if they are not registered either as a data processor or controller with the Data Protection Commission of Ghana.

Relating to the above challenge is also a challenge around the possible use of the national ID scheme by the government as a surveillance system that creates risks to privacy and anonymity. Basically this puts citizens in a place where they contribute in their own surveillance and social control.

Another problem is the ID card itself. How assured are we that the cards would be unforgeable? Even if to assume they are unforgeable, how about the worse case of people legitimately acquiring national ID cards with fraudulent names or identities?

The requirements for a national ID system is essential, however are the security safeguards contained in the National Identification Legislation enough to provide protection for the citizenry?

Looking at the poor data keeping and security culture within government and most of private sector, calls for tougher sanctions against people who allow lose or misuse of information is encouraged. With the rapid evolving of the cyber security landscape currently even with improvements, breaches of databases will be inevitable, but measures to ensure that such problems are dealt with swiftly must also be adequate by all security standards necessary.

–

By: Hector Dotse

Speciality: Technology Security Assurance Specialist

Website: www.heconsecurity.com

The post National ID: Data security, privacy and our civil liberties [Article] appeared first on Citi 97.3 FM - Relevant Radio. Always.

The law, due to come into effect on 1 June, bans the collection and sale of users’ personal information.

Firms will also have to store user data on servers inside China, and people will be given the right to have their information deleted.

International business groups have appealed against its implementation.

‘Uncertainties’

In a letter to the Cyberspace Administration of China (CAC) seen by the Reuters news agency, a group representing European business interests warned that it would lead to “great uncertainties and compliance risks”.

The European Union Chamber of Commerce in China told the CAC that the law was “fraught with weaknesses” and called for its introduction to be delayed to “allow sufficient discussion”.

But the CAC said the law would come into force this week as planned.

“The purpose is to safeguard [China’s] national cyber-space sovereignty and national security… rather than to restrict foreign enterprises,” it said in a statement on its website.

“It does not restrict foreign companies or their technology and products entering the Chinese market, neither does it limit the orderly, free flow of data in accordance with the law.”

‘Orderly development’

The legislation comes in at the same time as tighter regulations governing online news content.

Companies that publish, share or edit news will need government-issued licences to operate, and senior staff must be approved by the authorities.

Organisations that do not have a licence will not be allowed to post news or commentary about the government, economy, military, foreign affairs, and “other areas of public interest”.

When those measures were announced, the CAC said they would “promote the healthy and orderly development of internet news”.

–

Source: BBC

The post China tightens data security laws appeared first on Citi 97.3 FM - Relevant Radio. Always.