My religious community, numbering approximately one million worldwide, has a centralised system for almost everything (both religious and non-religious). One of the non-religious centralised systems that has really irked me over the last couple of years has been the eJamaat system, which is maintained by the religious administration.
The eJamaat system (update: now called ITS or Idaratut Ta’reef al Shakhsi) contains personal biodata (name, DOB, address, education, business details, levels of religious learning, blood type, family trees/relationships) of almost all community members worldwide. This system is mainly used to gather data about the community and also to perform registration for attendance at religious events or sermons. Now – the administration seeks to make entering passport information mandatory as well.
Why does it irk me? It’s not because the system is not needed or because it performs no useful functions. In reality, there is a real need for this system and it is effectively used to manage registration for events. It irks me because of the administration’s compulsion for collecting data that is not required, just for the sake of collecting it. Further, there is no disclosure as to how the information is used and no information about what steps are being taken to secure our personal data. For starters, communication is unencrypted because SSL is not used to secure the HTTP conversations, so anything entered into the site can be read (and altered) in transit by anyone on the network path, especially if you do so over a public wifi signal.
When this system was first set up, I requested a copy of eJamaat’s privacy policy. It is not publicly listed anywhere and I never got a response. From this I can infer that either they don’t have one, or that it is not available for public viewing. In some jurisdictions the collection of this kind of personal data without a published privacy policy that meets certain guidelines is actually outright illegal (see below for details on relevant legislation within the UK).
I am genuinely concerned that if this data were to fall into the wrong hands, it would be a treasure trove for individuals seeking to engage in identity theft. With information including full name, father’s name, mother’s name (including maiden name), DOB, passport information, photographs, address, blood type, information about health conditions, business details and educational qualifications, it is frankly quite scary to imagine what could happen if this information was stolen by a third party or misused by those with access to the data. Identity theft would be the tip of the iceberg.
It would be reassuring to the community if important information was disclosed (and more importantly followed) regarding what steps are taken to secure the data, under what circumstances data will be shared with other parties, if users will be informed in the case of a data breach, and also why data like passport information is required (personally, I can’t see a legitimate reason for this).
I think it would be naive to think that feeding all this information into a black box with no accountability is a good idea and that there will never be a major breach of confidentiality. With the scope of data contained, it is quite plausible that someone could call a bank and successfully obtain account information and effect transfers, or apply for a library card by post in someone else’s name.
I hope someone can demonstrate that my concerns are unfounded, but I doubt that will happen.
For those who are interested, the Data Protection Act 1998 is the most relevant piece of legislation in the United Kingdom to this discussion (and other countries may have their own equivalents). According to the ICO, there are eight basic principles, whose purpose is to make sure that personal information is:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection
[Source: Personal data, Personal rights – Data Protection Act (DPA) – ICO]
The page on legal obligations imposed on data controllers is also interesting:
- Do I really need this information about an individual? Do I know what I’m going to use it for?
- Do the people whose information I hold know that I’ve got it, and are they likely to understand what it will be used for?
- If I’m asked to pass on personal information, would the people about whom I hold information expect me to do this?
- Am I satisfied the information is being held securely, whether it’s on paper or on computer? And what about my website? Is it secure?
- Is access to personal information limited to those with a strict need to know?
- Am I sure the personal information is accurate and up to date?
- Do I delete or destroy personal information as soon as I have no more need for it?
- Have I trained my staff in their duties and responsibilities under the Data Protection Act, and are they putting them into practice?
- Do I need to notify the Information Commissioner and if so is my notification up to date?
[Source: Personal privacy, legal obligations – Data Protection Act (DPA) – ICO]
Update 16 November 2008: I have been requested by a legal advisor to Dawat to temporarily remove this post while some issues are being worked on. Certain representations have been made which paint a positive picture of what is going on behind the scenes and if this is followed through it will be a very positive development for all eJamaat users.
Update 23 September 2009: eJamaat now has a privacy policy in place (see also locally archived copy dated 23/09/2009) which addresses many of the concerns stated above. It is good to know that positive steps are being taken: users are being told why data is being collected, who will process it, and how to opt out, and it is also being made clear that the entering of passport information is optional and not mandatory. The privacy policy is not perfect, as it does not address how the data is being kept secure, but it is a step in the right direction.
Given that I was requested to remove the post only temporarily until action was taken, I am quite comfortable to put the entire post back online in the knowledge that action has already been taken (and there was ample opportunity to do so) and I hope that the privacy policy will be vigilantly enforced and that steps will continue to be taken to protect the privacy of eJamaat users.
One further step that I would like to see taken is for eJamaat to publish a list of organisations that they share our data with. In the privacy policy they mention that they only share information with organisations affiliated with Dawat-e-Hadiyah, but this could be a very extensive list and sometimes the distinction between being affiliated or not is an obscure one.
For example, the site Malumaat.com requires users to register with an eJamaat number and says that if incorrect information is entered then an account is liable to deactivation. This is interesting because it means that any one of the following cases must be true:
- Malumaat is able to access eJamaat records in order to verify that the numbers provided are correct. In this case, eJamaat is in violation of their own privacy policy because Malumaat is not an organisation which is affiliated with Dawat-e-Hadiyah or Alvazaratus Saifiyah.
- Malumaat is not able to access eJamaat records in which case Malumaat is purporting to collect eJamaat numbers for a purpose otherwise than what they state and users have no guarantee about the privacy of their data provided (and in any case should be wary of providing unique personal identifiers to a site which has not issued them in the first instance).
Another point worth mention is that eJamaat, according to their privacy policy, does provide information to third parties. In this case it is legally incumbent upon eJamaat to ensure that the third parties they provide data to are also processing it in accordance with the protections that eJamaat is subject to otherwise the provision of said data to third parties may be unlawful.
One more easy improvement that could be made is to encrypt all website transactions using SSL (preferably EV SSL). At the moment none of the information entered by users on the eJamaat website is encrypted in transit, and in this day and age there is no legitimate justification for this.
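To check a claim like the one above (that data entered on a site travels unencrypted) without guessing, it helps to enumerate every form on a page and work out where each one actually submits. The script below is an added example written for this post, not code from eJamaat or the original article: it parses a constructed sample page (the URL `http://example.invalid/profile`, the form ids and the field names are all made up for illustration) and reports each form whose target is not `https://`, together with any fields whose names suggest sensitive personal data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: a hypothetical data-entry page served over plain HTTP.
# Nothing here is taken from the real site; the URL, ids and field names are invented.
SAMPLE_PAGE_URL = "http://example.invalid/profile"
SAMPLE_HTML = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="ejamaat_id"><input type="password" name="password">
  <input type="hidden" name="csrf" value="abc"><input type="submit" value="Go">
</form>
<form id="passport" action="https://example.invalid/passport" method="post">
  <input name="passport_number"><input name="dob">
</form>
<form id="search" action="http://example.invalid/search" method="get">
  <input name="q">
</form>
</body></html>
"""

# Field-name fragments that usually indicate personal data worth protecting.
SENSITIVE_HINTS = ("password", "passport", "dob", "birth", "address", "phone", "blood")


class FormCollector(HTMLParser):
    """Collects every <form> on a page with its action, method and user-editable fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "id": a.get("id", ""),
                "action": a.get("action", ""),
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            # Buttons and hidden inputs are not typed by the user; skip them.
            if a.get("type", "").lower() in ("submit", "button", "hidden", "reset"):
                return
            self._current["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_forms(page_url, html):
    """Return the forms whose submission would travel over cleartext HTTP.

    A relative action is resolved against the page URL, so a form with
    action="/login" on an http:// page is correctly reported as plaintext.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            sensitive = [
                name for name in form["fields"]
                if any(hint in name.lower() for hint in SENSITIVE_HINTS)
            ]
            findings.append({
                "form": form["id"],
                "method": form["method"],
                "submits_to": target,
                "sensitive_fields": sensitive,
            })
    return findings


def page_served_over_plaintext(page_url):
    """True when the page itself was fetched over http://, which is a problem
    even for forms that post to https://: an attacker on the path can rewrite
    the form's action before the user ever sees it."""
    return urlsplit(page_url).scheme != "https"


if __name__ == "__main__":
    for finding in plaintext_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(finding)
    print("page over plaintext:", page_served_over_plaintext(SAMPLE_PAGE_URL))
```

Run against the sample, the `login` form is flagged (it posts `password` to `http://example.invalid/login`), the `search` form is flagged but carries nothing sensitive, and the `passport` form is not flagged because it posts to `https://`. The second function is the caveat a practitioner would add: the `passport` form is still not safe, because the page that contains it was delivered over plain HTTP and could have had its action rewritten in transit. Fixing the site therefore means serving every page over HTTPS, not just the ones with sensitive forms.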
In short, the situation today is much better than it was a year ago, but data privacy is an aspect of data retention that needs to be continually addressed at every step of data processing and data sharing. A “write a privacy policy and forget about it” approach will not yield the correct result. The more users are reassured that their data is being sensibly and lawfully processed, the more comfortable they will be to provide sensitive data.