At the beginning of 2016 I was writing a letter that I intended to send to the Data Protection Commissioner. In the letter, I wrote my concerns regarding the photographs of citizens that are being saved in a Central Population Database (CPD).

Unfortunately, not having my freedom between 23rd January 2016 and 2nd February 2016, it’s only last week that I completed the letter and posted the same to the Data Protection Commissioner.

end-of-privacy

The Central Population Database is hosted by the Mauritius National Identity Card Centre (MNIC).

The MNIC follows guidelines of the International Civil Aviation Organization (ICAO) for the photograph requirement for the National Identity Card. As per the Machine Readable Travel Documents Programme of ICAO, the technical standard for photograph is ISO/IEC 19794-5 which refers to Biometric Data Interchange Formats – Part 5: Face Image Data. The standard is the fifth of eight parts of ISO/IEC 19794 describing interchange formats for several types of biometric data.

Section 3.9.1.6 of the MRTD Doc 9303 states that the photograph shall comply with the appropriate definitions set out in [ISO/IEC 19794-5].

Whereas according to the Supreme Court judgment in the case Pravind Kumar Jugnauth vs The State of Mauritius and Anor 2015 SCJ 178, the judgment given is as follows:

...we grant a permanent writ of injunction prohibiting the defendants from storing, or causing to be stored, as the case maybe, any fingerprints or biometric information data obtained on the basis of the provisions in the National Identity Card Act and the Data Protection Act.

According to general understanding of the above judgment of Senior Puisne Judge Eddy Balancy, the current practices of the Mauritius National Identity Card Centre are in contradiction to a Supreme Court injunction, such that the Mauritius National Identity Card Centre might have acted and might be acting against the legal premises and interests of the citizens of the Republic of Mauritius.

In the letter, dated 18th February 2016, I appealed to the Data Protection Commissioner, as guardian of data integrity and privacy of the Republic, to investigate in the matter whereas there is a strong suspicion that an offence is being or has been committed.


Image source: https://i.ytimg.com/vi/pBFjJ9DXPJk/maxresdefault.jpg Courtesy of XPRIZE, The end of Privacy


Reply from the Data Protection Office

- Update: 18 March 2016

I received a letter from the Data Protection Office last week. The letter is dated 9 March 2016. The letter says:

  • fingerprint data (images & minutiae) are not permanently stored into the system.
  • the fingerprint data of all previously enrolled citizens in the MNIC database have been destroyed. MNIC backup storage have been electronically destroyed.
  • the photograph of the citizen, which is taken during registration, has always been of JPEG format which remains into the database. The JPEG format photographs follow the guidelines of the International Civil Aviation Organization (ICAO) and no biometric data are being extracted.

The letter does not specify the standards of the photo, which I quoted in my initial letter, i.e ISO/IEC 19794-5.

Upon reading the line “has always been of JPEG format which remains into the database”, I am tempted to believe that the Commissioner did not understand how the judgment affects the old practice of keeping the JPEG format photograph in the database. It seems that the understanding of the Commissioner is that it has been the practice and there is no problem in that.

However, the judgment prohibits the storage of any other biometric information, which raises the question whether or not a digital photograph is considered biometric in Mauritius.

Regarding my actual complaint, the Commissioner says:

"for any non-application of the judgment, you are advised to refer to the Supreme Court or any other competent court"

That leaves me with no option, technically, as it is beyond a simple citizen’s financial capacity to challenge the State in a Court in Mauritius.