Friday, March 09, 2007

Students fingerprints ending up in the States

Back in January I blogged about Canadian students biometric details going over the border to the States without their knowledge - this can happen to students in Europe, Asia, and Africa that sit the LSAT.

Michael Geist writes :"While the predictive reliability of the test has been the subject of considerable controversy, in recent days the LSAT [Law Schools Apptitude Test] has attracted attention for a different reason. As students file into testing centers throughout the U.S., Canada, Europe, Asia, and Africa, they must provide a thumbprint, which is used to crackdown on fraudulent test takers. The biometric data is transferred to the United States and retained by the Law School Admissions Council, the organization that administers the test."

The problem is that once the Law School Admissions Council has the student's biometric fingerprint details it could be compelled, by statutory provisions found in the USA Patriot Act, to give up this information to the US authorities which, according to Philippa Lawson of the Candian On the Identity Trail website "allows FBI access to private sector databases of customer information for counter-terrorism purposes, without any reasonable or probable cause to suspect wrongdoing by the individuals whose information is being disclosed."

She goes on the say: "Once digitally stored, biometric data - like any other data - is easily copied, transmitted, altered and searched. But unlike other personal data such as names, addresses and identification numbers, biometric data does not change. And unlike credit cards, passports, and drivers licences, biometric data cannot be invalidated and substituted once compromised.

The federal Personal Information Protection and Electronic Documents Act which came into force in 2001, is based on a set of widely accepted fair information principles. One of these principles is that organizations should not collect more personal information than necessary for the purposes that they have identified. Another is that those purposes must be reasonable."

Sounds very much like our Data Protection Act:

The Data Protection Priciples, Part I, The Principles
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Canadian privacy commissioners are currently investigating the LSAT complaints.

No comments: