Within a matter of weeks, Jamaica will roll out a pilot program for the National Identification System (NIDS) — a voluntary biometric digital identification system created through the National Identification and Registration Act (NIRA). The Jamaica NIDs program is going ahead in spite of the very real privacy and security risks civil society has identified, as well the potential for the new digital ID to enable discrimination or even exclusion of vulnerable communities from government services and benefits.
Before passing the NIRA, the Jamaican parliament failed to resolve all of the concerns that we and our partners flagged. Our hope is that other countries considering implementing similar programs will avoid making the same mistakes.
First, ask: #WhyID?
According to a Caribbean Policy Research Institute research paper “only 25 percent of [Jamaica’s] adult population has a valid driver’s license, 43 percent have a valid electoral ID, and 56 percent have valid passports.” This leaves the rest of the population without any form of legal identification. While the government should address this issue, the Jamaica NIDS program is not necessarily the right solution. Yet in 2020, the Jamaican government issued a new NIDS Policy and the Caribbean Policy Research Institute published a NIDS report, funded by the Inter-American Development Bank, and both recommended creating a digital ID. Just a few months later, parliamentarians introduced the NIRA. To make sure lawmakers addressed privacy and other human rights concerns, Access Now joined the NIDS Focus Coalition, a civil society group in Jamaica aiming to support effective people-centered participation in the digital identification system.
What went right with NIDS
It was encouraging to see legislators consider and include several civil society recommendations. For instance, part of the original plan was to use the national digital identification program to facilitate “Know Your Customer” requirements that are important for commerce. But this would have entailed including tax ID numbers in the Jamaica NIDS system, and together with other provisions in the law, that meant opening the door to future third-party access to this information. This could have led to surveillance and/or profiling of Jamaicans, and ultimately, discriminatory treatment. Fortunately, legislators ultimately listened to civil society and struck the tax ID number from the final text.
We are also glad to see lawmakers have aligned and harmonized some of the NIRA’s content with the new Data Protection Act. From the beginning, we demanded that the Data Protection Act be implemented before NIRA came into force. Legislators fortunately agreed. Last December, Jamaica appointed a Data Protection Authority, and at the start of 2022, the Data Protection Act came into effect. After activist pressure, legislators also removed ambiguities in the law, including making it clear that personal information will be retained even if you cancel your Jamaica NIDS ID card or registration, and providing alternatives to fingerprinting when someone is physically unable to provide their fingerprints.
What went wrong with NIDS
Unfortunately, despite making the above-mentioned changes, it’s clear from the end result that legislators didn’t take the process of public consultation seriously enough. They failed to take advantage of civil society expertise and in some cases treated these engagements as more of a box-ticking exercise than anything else. For example, while the government did solicit public feedback on the Jamaica NIDS program, they did so only in English, not in Creole or Patois, which are the languages spoken by most Jamaicans. This left the majority of people in Jamaica outside of the discussion — especially unfortunate given the intent of the law is inclusion.
Among the remaining flaws that show a lack of sufficient engagement with civil society: the final text violates key data protection principles such as data minimization and retention limitation principles, which mean an organization can only process the data needed for a specific purpose and can only store it for as long as is needed.
Besides collecting as many as 16 different types of personal information for Jamaica NIDS enrollment, the NIRA says nothing at all about deleting information when it is no longer necessary for the program. This opens the door to potential government repurposing or abuse of highly sensitive data, as well as the possibility that the government will share these data with third parties. This situation isn’t helped by the fact that NIRA states that “any other law” can prescribe the disclosure of identity information. That’s not only risky, but unnecessary. The Jamaica NIDS program was created to provide legal identification, not open up databases of people’s personal information to third parties — especially with no mechanism for notifying data holders and no prohibition against data repurposing or profiling.
On top of this, lawmakers failed to include sufficient safeguards to ensure the security of the data that are collected, making the planned system more vulnerable to attack. That’s alarming, especially in light of the JAMCOVID data breach that exposed half a million travelers’ quarantine orders and COVID-19 information.
Specifically, the system will encrypt and anonymize data, but the NIRA does not specify whether the system architecture and databases will be decentralized for greater security, leaving the issue to future legislation. In addition, legislators failed to take up our recommendation to separate identity information from authentication requests. This is not acceptable when the system and databases in question contain people’s biometric data, making it very difficult for people to “reset” or replace the information in case of hacking or identity theft.
Finally, NIDS is supposed to ensure everyone is included in banking systems, facilitate private transactions, reduce identity theft, and more. But as we’ve seen in India and elsewhere, digital identification systems can become tools that exclude. As a recent NYU research paper points out, even when digital identification systems are promoted or positioned by development agencies and banks as voluntary or optional, they can quickly become a core component of everyday life. When such digital public infrastructure systems provide people with an “economic” or “transactional” identity that is used everywhere, and they are the only option available, they become mandatory in practice, if not in law. That’s not good if you don’t have a digital ID, can’t get one, or don’t want to enroll. It does not bode well that NIRA does not contain sufficient provisions to ensure accessibility for illiterate people, people with disabilities, minority groups such as members of Rastafarian communities, and transgender and non-binary people.
The takeaway: Don’t cut corners on human rights
Lawmakers pushed through the NIDS program without taking enough time to listen to civil society. Had they done so, the law would have more protections for the people it aims to help. But as it is, there is a very real risk that its implementation will compromise human rights. It did not have to be that way. We urge lawmakers in countries that are considering following in Jamaica’s footsteps to take a more considered approach — looking at the evidence and asking “why” before rushing to implement technological solutions that could have serious repercussions for human rights.