UK government policy towards the wider use of the National Insurance Number (NINo) as a general identifier appears to have changed again. This ever-shifting policy now illustrates that well-known saying “What goes around comes around”.
As is well known, the “general identifier” powers in the Data Protection Act (Schedule 1, paragraph 1(4)) have never been activated with respect to the NINo. This is because the government well knows that there are lots of data controllers using the NINo for all sorts of curious things and to exercise these powers could make these NINo uses unlawful, almost overnight.
Under the Data Protection Act 1984, there were no explicit rules banning wider use of the NINo as an identifier for general use. However, the Data Protection Registrar used to stop such wider use of the NINo by treating a general use as a breach of the Fourth Principle of that Act (“Personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose or those purposes” which is recognisable as the equivalent of the Third Principle in the current Act).
The first two Data Protection Registrars (Eric Howe and Elizabeth France) used to enforce the Fourth Principle with respect to the general use of the NINo on the grounds that such a wider use of a government-issued national identifier was excessive because an organisation could easily have developed their own specific customer identifier.
If I remember correctly, the insurance sector in Northern Ireland and the Student Loans Company were stopped from using NINo as a general identifier used in delivering their services; these companies had to develop their own customer identifiers.
The argument was also aired by these Registrars that if Government wanted the NINo to be used for wider purposes, then Government would legislate for such wider use. In the absence of such legislation, the Data Protection Registrar was not going to allow the NINo to become as widely used (or abused) as the USA’s Social Security Number.
Then, for short time, the NINo was officially not available for any wider use at all. For instance, in the mid-1990s, Parliament was informed that “The national insurance number can be used only for national insurance, tax and social security benefit purposes and there are no plans at present to introduce legislation to extend its use" (Hansard, 1/2/1995, vol 253, c697W).
Then, from about 2008 there was an authorised list of NINo (see references); this assumed that one needed authorisation from the DWP before using the NINo for something else. No authorisation, no use – end of argument.
Now, policy has changed again. I discovered this because I asked for an updated file of authorised NINo users which now does not exist. This in turn prompted another FOI request about NINo policy in general (full response; see references) where the DWP explain the current NINo policy in the following terms:
"DWP and HMRC joint owners of the National Insurance number (NINo) reviewed the policy for authorising applications to use the NINo. We determined, where there is no link to data held on our systems we had no legal powers to control the use of the NINo by individuals or external organisations.
“Other Government Departments and Organisations can choose to use the NINo however, they are required to ensure that they comply with the provisions of the Data Protection Act and Human Rights Act, in particular the can only use the NINo with the informed consent of the individual.
"If the DWP discovers an organisation using the National Insurance Number for a purposes unconnected with taxation or benefits, then it assumes that data controllers “must have the informed consent of the individual” and have “assured themselves, potentially by seeking legal advice, that they are compliant with the Data Protection Act and Human Rights Act”.
The above looks as if the NINo is free for general use if one has data subject consent, but it isn’t.
For a start, the processing of personal data by a public authority is normally legitimised in terms of the processing being “necessary” for their functions or “necessary” for a non-contractual legal obligation (in Schedule 2 of the DPA). That is why the DWP referred to the Human Rights Act (HRA) in their answer to me as “necessary” in Schedule 2 is linked to “necessary” as used in Article 8 of the HRA.
I would argue that if other legislation did not permit the public authority use of the NINo, then there is a risk that the test of necessity would not be passed (e.g. it is not “necessary” to link diverse datasets via the NINo; it is not "necessary" to use the NINo when an alternative identifier can be easily developed).
As is well known, the data subject consent condition in Schedule 2 is not associated with a “necessity” test (unlike the rest of Schedule 2), and this appears to suggest that data subject consent could allow for wider the use of the NINo in general. However, data subject consent only meets the requirements of the First Principle in Schedule 2; it does not begin to address the problems that the processing might constitute a breach of the Third Principle.
In other words, any data controller who gets mass data subject consent for a general use of the NINo, might have to run the gauntlet of an Information Commissioner (ICO) who can still argue that it is excessive to use a general identifier when the controller can develop his own identifier. For clarity, note that specific, one-off uses of the NINo could well be acceptable; it is the general use that is the problem.
So I think it’s back to the days of the 1984 Act with the NINo. As I said “What goes around comes around”; with respect to the NINo, it is now for the ICO to decide on an enforcement policy (or not) again. This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
My FOI request that contains the DWP policy towards the NINo (PDF)
The file of authorised users of NINo (now defunct). Authorised Users of NINO April 2011
Sponsored: Ransomware has gone nuclear