The Free Market Foundation has warned proposed new legislation dealing with identification in South Africa could result in privacy breaches and poses a threat to South Africans’ right to privacy.

Parliament intends to repeal the Identification Act of 1997 and has published a draft National Identification Registration Bill to replace it. The bill means to record the identification information of everyone living in South Africa, whether temporarily or permanently, on a “secure and efficient digital system”.

The protection of data is assured, according to the bill, as is the privacy of personal information of individuals and the protection of national security interests, to ensure the official identification of individuals, prevent identity fraud and avert fraudulent transactions.

“Identity information” as defined by the bill refers to the biographic, biometric or numerical information that may be collected in respect of any individual. If foreigners are staying in the country temporarily or permanently, the date of entry and country of citizenship must be collected; and the director-general of home affairs must assign a reference number to be included in the database.

The Free Market Foundation, however, has warned that the draft legislation poses a threat to South Africans’ right to privacy.

“It obliges the department of home affairs to develop a comprehensive database including the vital information of every South African and permanent resident. With the government’s track record, it is not unreasonable to fear that such a valuable database might at some point be compromised,” the foundation said.

Attack surface

Head of security research at Orange Cyberdefense Charl van der Walt said any digitisation and concentration of information, particularly personal and private information, always increases risk.

“If the consolidation of this data in a single, mature and well-secured environment, and other instances of the data are removed from elsewhere, then that could be a net security gain; but if just increasing the volume of data, and the locations and systems its stored and processed on, then that increases the attack surface and increases risk.

“It’s not to say that the benefits of the new system don’t outweigh the increase in risk, or that the increased risk can’t be managed with appropriate thought and effort. But governments all around the world have suffered from data breaches before, and ours is no exception.

“A very notable example of a theft of sensitive personal data from a government agency occurred in 2015 when the US Office of Personal Management was compromised by suspected Chinese state actors and over 22 million records stolen.

“This included the incredibly personal and private information regarding US government employees, and is even believed to have led to the detention or death of US government agents working in hostile foreign environments.”

Van der Walt said the question we should be asking is not whether the South African government should be creating or collecting this information, but whether we should trust government to put in place the legislative, bureaucratic and technical systems and processes the country needs to build and maintain trust in all its digital systems.