Recently I've heard a number of people suggest that the best 'primary index' to any UK national identity scheme would be the National Insurance Number (NINO) - the equivalent to the US Social Security Number. In the UK, your NINO is issued automatically, as you approach your 16th birthday - the age at which you could legally exit the education system and start full-time employment. Thereafter, you need to provide your NINO to any employer, or when claiming benefits, and it is also one of several identifiers used by the tax system.
The use and abuse of SSNs in the United States is a core topic of identity management and identity theft discussions... if one were designing a university course on 'Identity', there would probably be a module dedicated to that - so I'm not going to dwell on it here.
I just wanted to give an example of how hard it is to ensure that this kind of data is processed appropriately throughout its lifespan.
I received a letter recently from an employment bureau, asking if I would provide a reference for a young person seeking a job. Included as part of the heading of the letter was that person's name, date of birth and... National Insurance Number. Now, the employment bureau had no reason to suppose that I'm a business (the letter was addressed to me personally with no company name, at a normal residential-sounding address), so why on earth they thought I would need this information I don't know.
Perhaps they were worried that I might not know which of my acquaintances had suggested me as a referee - which implies a bizarre inner monologue...
"Hmm - a letter asking for a reference on behalf of George Miller. I wonder which George Miller they can possibly mean? Ah - here we go, a National Insurance Number: thank heavens for that... now I know which one they're referring to".
So, I now happen to know someone's name, date of birth and NINO (as well as 'acquaintanceship' information such as gender, marital status, address and car registration number). If I had been that person's employer, chances are I might also have a bank account number for them too. By most reckoning, I have enough to perpetrate some form of identity theft and then fraud - and all courtesy of a third party to whom the subject had entrusted their data, and who, frankly, one might expect to have much better data custody practices.
I think one of the lessons here is this: in the States, anecdotally, the SSN may have started out as a more or less secure piece of data - but certainly now is used in ways for which it was never intended, and disclosed to a far greater degree than its issuers would like. As a result, it has become an insecure index to a huge amount of data about the individual concerned. In the UK, the NINO is not, currently, an index to as much information about its holder, but (as this example illustrates), one consequence is that even organisations who ought to know better may feel that there is no risk in disclosing it, whether or not there is any need to do so.
The risk for the future, then, is of a NINO which is 're-purposed' to serve as an index to far more data about the individual, but a whole set of background assumptions, habits and data custody practices which continue to treat it as a 'plain old National Insurance Number'. Experience should tell us that it is far easier to re-define the data than it is to change the culture of how it is used... and that represents a huge risk.
![[RSS Newsfeed]](/themes/sotto/images/valid-rss.png)
![[This is a Roller site]](/themes/sotto/images/roller-logo.gif){kind=logo}