The first National Identity Card (NIC) for Mauritius was issued in 1986 for a period of 10 years. The validity period of the National Identity Card was constantly extended after 1996 due to delays in the implementation of the Central Population Database. In 2013, a new identity card system was built to replace the old National Identity Card. The new National Identity Card was designed to include new biometric features such as the storage of fingerprints minutiae of the card bearer and a digital certificate on a chip which is built into the National Identity Card. The biometric data of each card bearer is also stored in a Central Population Database.
According to a weekly newspaper, the requirement for each citizen to provide his/her fingerprints and the storage of the biometric data in a government database stirred some controversy. A citizen of the Republic of Mauritius challenged the constitutionality of the National Identity Card (Miscellaneous Provisions) Act 2013.
The information printed on the front of the National Identity Card is:
The following information is printed on the back of the National Identity Card:
There is also a barcode and a Card Control Number printed on the back of the card.
The information about the data stored on the chip is based on public statements. The four best fingerprint minutae extracted from fingerprint images and a signed digital digest of an agreed set of the citizen’s data are stored on the chip.
According to the National Identity Card Act 1986, the National Identity Card can be used to verify the identity of a citizen of Mauritius. There can be a "SC" logo on the National Identity Card. It is used to identify senior citizens who are eligible for free access to travel by bus. According to the Government, the National Identity Card will also be used in the future for proof of address.
In January, there was a presentation on "innovations in linking civil registration and vital statistics to identity management systems" in South Africa. According to the Registrar of Civil Status Division and the Chief Health Statistician, Ministry of Health, a unique 14 alphanumeric identifier is generated and assigned to each child born from at least one Mauritian parent. The unique fourteen alphanumeric identifier, i.e. one alphabetic character and thirteen digits, is displayed as the "ID Number" on the National Identity Card.
Bank tellers usually write down the ID Number on documents pertaining to transactions when they verify the identity of the person performing the transaction. That also occurs for postal deliveries when the verification of the identity of the person taking delivery is a requirement. It is common to see an ID Number being recorded on paper or a National Identity Card being photocopied for record purposes.
In the near future, the ID Number will be part of the subset of data from the National Identity Card system. It will be an up-to-date database about the population of Mauritius. This database, known as the Central Population Database Version 2, will be used for data sharing across government agencies. The data linking will be as follows:
|Electoral Office||verification of list of valid voters|
|Financial Intelligence Unit||ensuring a strong anti corruption system and [anti] money laundering|
|Independent Commission Against Corruption||ensuring a strong anti corruption system and [anti] money laundering|
|Mauritius Police Force||national security purposes|
|Mauritius Revenue Authority||tax evasion|
|Ministry of Labour||monitoring of registration of unemployed people|
The Ministry of Technology, Innovation and Communication was contacted in 2015 and in 2016 for information about the technical specifications for the National Identity Card. Although the Ministry acknowledged the request, it did not provide any technical information. The only technical information available is that photo is captured as a "jpeg". There is very little technical information available about the security features of the National Identity Card. According to the Government, the visual security features include Guilloche printing, Microprint, Ultraviolet print (UV) and layer engraving is used on different layers on a card.
According to the National Identity Card Unit, "the data on each Smart ID card is electronically secured and can only be validated through the MNIS Certificate Authority (MNIS CA) which ensures the authenticity of the individual's identity". According to the Controller of Certification Authorities, the MNIS Certificate Authority does not require a licence as it "issues its certificates only to hardware devices and not to citizens of Mauritius". The person would be taking possession of a digital certificate unknowingly as the person is not provided with any information about the digital certificate and how it could be used.
Citizens are familiar with having to enter a PIN number as a securiy mechanism which unlocks access to the data on a credit card or a debit card. There isn't any security mechanism for the citizen to control access to the data on the chip in the National Identity Card.
There was a news report in May 2016 about a data breach at a government agency. There isn't any public information about whether the persons affected by the breach were notified about it.
The assurance provided by the Government is that the "collection, storage, use and release of data stored in the ID card are protected by the Data Protection Act". The Data Protection Office was asked for advice about data sharing. In its reply, the Data Protection Office wrote that "according to Section 24(2)(d) of the Data Protection Act, personal data may be processed without obtaining the express consent of the data subject where the processing is necessary for compliance with any legal obligation to which the data controller is subject to". The Supreme Court of Mauritius included a survey of legal exemptions in a judgment (2015 SCJ 177) and wrote that "it is manifestly clear that the personal data of individuals such as the plaintiff can be readily accessed in a large number of situations. What is even more alarming is the relatively low threshold prescribed for obtaining access to personal data. A striking illustration of that is the enactment in section 52 (iii) ([Data Protection Act]) whereby access may be obtained merely by invoking that the disclosure of the data is necessary for the purpose of obtaining legal advice". It added that "What is even more objectionable is the absence of any safeguard by way of judicial control to monitor the access to personal data. The only instance where a Court Order is mentioned is under section 52 (i) ([Data Protection Act]) and here too the basis upon which a Court Order may be granted is not set out at all".
The assurance seems light when it is weighed against the survey of legal exceptions and the conclusion reached. Information about the data sharing arrangements between government agencies was not publicized in Mauritius. Is it practical for a citizen to read all the relevant laws to know which government agencies can use that data as there is a legal requirement? A search for the "National Identity Card (Civil Identity Register) Regulations 2015" returned the following search results:
The first search engine results page did not contain any URL to a document about the regulations which were passed in 2015. The first ten search engine results pages did not have any URL to a document about the regulations.
There hasn't been any public consultation at the national level about privacy considerations before the Mauritius National Identity Scheme (MNIS) was introduced. According to the the Project Director of the Mauritius National Identity Scheme, 700 cases of multiple enrollments attempts were identified as "the use of fingerprints has enabled the detection and prevention of multiple enrolments"; it seems that these persons tried to register for a National Identity Card in more than one location. There isn't any information to determine whether any of these 700 cases occurred because of the False Match Rate (FMR) of the biometric system. Is identity fraud a significant problem in Mauritius? An efficient way to detect identity fraud is by having a one-to-many identification system which uses biometrics to uniquely identify each person within a population. This is similar to a dactyloscopic system (Automated Fingerprint Identification System). The use of biometric systems In Mauritius has raised privacy concerns. For example, some public officers were unwilling to enroll their biometric data into the Electronic Attendance System.
At the onset, the Mauritius National Identity Scheme was described as an identification system. It can be viewed as a one-to-many system in which a fingerprint minutae can be matched against a database which contains the fingerprint minutae of the enrolled population. A fingerprint match, which is dependent on the accuracy of the system, enables the identification of any citizen enrolled in the system.
The photograph of the card bearer is captured as a "jpeg" (digital format). The curent state of technology enables the identification of a person by matching his/her photo against a database of "jpeg" images. Facial recognition technology is sometimes used for surveillance. In the future, the technology could be used on a wide scale to generate sensitive personal data, e.g. a list of persons who attended a political rally.
After the legal aspects of the Mauritius National Identity Scheme were challenged and the Supreme Court concluded (2015 SCJ 177) that "the plaintiff has been able to establish that the retention and storage of personal data under the Data Protection Act is not reasonably justifiable in a democratic society", the Mauritius National Identity Scheme was changed to a one-to-one system. In such a system, the fingerprint of a person is matched against the fingerprint minutae to verify the identity of the person. The system cannot be used to identify a person within an entire population through his/her fingerprints as there isn't a database which contains the fingerprint minutae for the entire population.
One of the examples used in 1998 to illustrate the absence of a common unique identifier in health-related database was about a hospital "that does not make use of the NIC number as a primary identifier". From a database design perspective, it is bad practice as the value of the (SQL) field could be null, e.g. in the case of a patient who is not a citizen of Mauritius. It is not clear whether it would be in breach of the security or privacy rules of a government agency to use the NIC Number as a (SQL) primary key.
According to a news article, some parents resorted to fraudulent practices to work around the geographical area limitation for their child to be eligible for entry to a primary school of their choosing. Data linking through a Central Population Database would make make such practices more difficult as a change in the person's address would be distributed to all the services which are linked to the Central Population Database. Is it more important to have an electoral register with the correct address of the voter at the expense of ignoring the "workaround" used by some parents?
The biometric features in the new National Identity Card have been a matter of debate because of the storage and retention of fingerprints of citizens by the state. Data sharing through the Central Population Database Version 2 might alleviate the data silo problems encountered during the computerization of government agencies. It is not clear whether there has been an analysis of the unintended consequences of linking the databases of government agencies together. Combing data from all government agencies together is akin to implementing a "SELECT * FROM db where id = 'A1234567890123'" feature. A side effect of that feature is that it could end up as a surveillance enabler even though that may not be the intent of the data controllers. It is up to each and everyone to assess whether there is a significant risk to their security or privacy if there is ever a data breach.
1. http://nao.govmu.org/English/Pages/Ministry-of-Telecommunications-and-Information-Technology-.aspx, "National Audit Office - Ministry of Telecommunications and Information Technology", National Audit Office
2. http://www.govmu.org/English/News/Pages/Media-Briefing-on-New-Identity-Card-.aspx, "Republic of Mauritius - Media Briefing on New Identity Card", Government of Mauritius, August 2013
3. http://www.lemauricien.com/article/carte-didentite-biometrique-itineraire-dune-carte-mort-nee, "CARTE D'IDENTITÉ BIOMÉTRIQUE : Itinéraire d'une carte mort-née | Le Mauricien", Weekend, January 2015
4. http://www.bailii.org/uk/cases/UKPC/2016/30.html, " UKPC 30,  4 WLR 167,  WLR(D) 559", Judicial Committee of the Privy Council, October 2016
5. http://mnis.govmu.org/English/Registration/Pages/How-to-register.aspx, "MNIC - How to register", National Identity Card Unit
6. http://www.crimsonlogic.com/Documents/pdf/resourceLibrary/brochures/eGovernmentConsulting/MNIS_Case_Study.pdf, "MAURITIUS NATIONAL ID SCHEME (MNIS) CASE STUDY", CrimsonLogic
7. http://attorneygeneral.govmu.org/English/Documents/A-Z%20Acts/N/Page%201/NATIONAL%20IDENTITY%20CARD%20ACT,%20No%2060%20of%201985.pdf, "National Identity Card Act 1986 - Act 60 of 1985",Revised Laws of Mauritius, April 1986
8. http://undataforum.org/WorldDataForum/wp-content/uploads/2017/01/TA2.09_Ayelou.Mauritius-Presentation-Cape-Town-final-2.pdf, "INNOVATIONS IN LINKING CIVIL REGISTRATION AND VITAL STATISTICS TO IDENTITY MANAGEMENT SYSTEMS & 10 MILESTONES ALLOWING MAUTITIUS TO REPORT MORTALITY STATISTICS TO W.H.O SINCE 1957", Registrar of Civil Status Division and Chief Health Statistician, Ministry of Health, January 2017
9. http://mnis.govmu.org/English/ID%20Card/Pages/Assurance.aspx, "MNIC - Assurance ", National Identity Card Unit
10. http://defimedia.info/nta-le-piratage-informatique-lie-aux-horsepowers-falsifies, "NTA: le piratage informatique lié aux horsepowers falsifiés ? | Defimedia", www.defimedia.info, May 2016
11. http://civilservice.govmu.org/English/Documents/Circulars/2015/Circ_Let%20No37%20of%202015.pdf, "Implementation of the Electronic Attendance System", Ministry of Civil Service and Administrative Reforms, November 2015
12. http://pmo.govmu.org/English/Documents/Cabinet%20Decisions%202015/Cabinet%20Decisions%20-21%20August%202015.pdf, "Cabinet decisions - 21 August 2015", pmo.govmu.org, August 2012
13. https://www.lexpress.mu/article/ecole-baichoo-madhoo-le-concept-de-%C2%AB-catchment-area-%C2%BB-bafou%C3%A9-par-des-parents, "Ecole Baichoo-Madhoo : Le concept de « Catchment Area » bafoué par des parents | lexpress.mu", www.lexpress.mu, January 2012