On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017.1 While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business.
Convenience Factor Drives Adoption
Manitoba is not the first Canadian province to move towards a multi-use identification card. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public,2 Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported.3 Indeed, 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC.4
However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection.5 Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud.6
Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002,7 could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates,8 people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records.9
Aside from PHINs, Manitoba promises no personal health information or prescription drug records will be shared with Manitoba Public Insurance (the organization tasked with administering PICs), and no driver’s licence information will be shared with Manitoba Health. Nevertheless, as more provinces move towards multi-use cards that function across different government bodies, privacy advocates are calling for national privacy and security standards for the provincial systems. It remains to be seen whether convenience and administrative efficiency will continue to shift the discourse.
Privacy Concerns for Business
Although convenience and efficiency are worthy objectives, privacy concerns in the context of multi-use cards warrant greater scrutiny. For instance, discrete databases that act as natural barriers to the inappropriate sharing of personal information are now being integrated to allow for the free flow of personal information across government ministries, accessible via hundreds or even thousands of portals.10 Other concerns raised by privacy advocates include the potential for citizen profiling, state surveillance, insider abuse and external attacks.11
An additional challenge for business will be validating identity through the use of such cards. The Ontario Privacy Commissioner has cautioned against businesses using Ontario health care cards as identification (although Ontario residents may provide the cards voluntarily). On the federal level, the Office of the Privacy Commissioner of Canada has published a Fact Sheet that outlines the government agencies which are authorized to use Canadians’ Social Insurance Numbers and cautions other organizations against collecting this information (although it notes there is no legislation that prohibits the collection of SIN numbers). Additionally, the BC, Alberta and federal privacy commissioners recently teamed up to issue a notice reminding retailers that routine collection of drivers’ licence information may, in many cases, be inappropriate.
With the rise of multi-faceted ID cards, organizations should review their privacy policies to see if they permit the collection of this type of information. Organizations which are already collecting this type of identity information should consider reviewing their practices to determine if such information is absolutely necessary and, if so, what safeguards may be required to keep additional “bundled” personal information safe.