FIPR response to consultation on civil registration
Foundation for Information Policy Research is an independent body that studies
the interaction between information technology and society. Its goal is to
identify technical developments with significant social impact, commission and
undertake research into public policy alternatives, and promote public
understanding and dialogue between technologists and policy-makers in the
This is the Foundation’s response to “Civil Registration: Delivering Vital Change”. The response is addressed to information policy implications of the proposed changes, and does not respond by reference to the particular questions identified in the consultation paper. References in this response to paragraphs are to the paragraphs of the consultation paper.
Paragraph 9.1.6 observes that “civil registration is recognised by the United Nations as the foundation of a legal system for establishing the rights and privileges of individuals.” This formulation rightly recognises that those rights and privileges exist in their own right, and that the function of registration is to support them. Paragraph 1.1.1, however, claims that civil registration “provides the individual with a name and identity within society.” This is an excessive claim: registration does no more than record the name given to an individual by his or her parents or custodians; it is also an objectionable claim, for it implies that the right to a name is granted by the state.
think that it should be an important element of the philosophy of civil
registration that its function consists of the performance by the state of
duties to establish and support the rights of individuals by recording facts of
value to those individuals and to others whose rights depend on those
facts. The inevitable consequence that
civil registration gives rise to collections of information which can be used
by the state in the exercise of its powers in relation to individuals should be
regarded as a source of risk to the privacy and liberty of those
individuals. Measures relating to civil
registration should be evaluated with a view to reducing such risks; and
information infrastructures should not be created which might facilitate the
abuse of human rights by the state. (The
fact that the political structures of a democratic country such as the
The proposal which requires critical evaluation in the light of these observations is that summarised and explained as follows:
1.2.4 A person’s birth record will be the start of their ‘life record’. Where possible, events will be linked creating a ‘through life record’. This linkage information will not form part of the public record but may be used in checking that people are free to marry and that a dead person’s identity cannot be abused. This will help to prevent fraud.
2.1.5 Central to the proposals would be a central electronic database of key life events administered by the Registrar General.
5.1.5 At the heart of the proposals would be the central database containing registration records. This would make it possible to link registration records relating to the same person, provided they were held by the Registrar General. It would also allow non‑registration records (eg divorce, naturalisation) to be included on the database and linked to birth and marriage records.
5.2.2 It is proposed to move from a system that holds ‘snapshots’ of life events to one with records which are ‘updated’ with subsequent information on civil status.
5.2.5 The creation of ‘through life’ records would bring benefits to individuals, Government Departments and Agencies, other bodies and society as a whole.
5.2.7 ...Government Departments and Agencies and other users of the central database would be consulted on what record linkage would be most beneficial to them and what would be most cost effective.
5.2.13 Apart from births, marriages and deaths, there are other events in people’s lives that, if added to the central database, would contribute to the move towards ‘through life’ records. Divorce records are an obvious example. Including these on the central database would make it easier for people wanting to remarry to prove they are free to do so and therefore complete the necessary preliminaries (as long as the divorce took place in England and Wales). Naturalisation records would also add value to ‘through life’ records, as would the births, deaths and marriages of British citizens overseas (see Chapter 8). It is proposed to include these records on the central database where possible. The Court Service (divorce records) and the Home Office (naturalisation records) have agreed in principle for their records to be included.
5.2.33 It is possible that some people will not want their individual records linked to form a ‘through life’ record. For example, they may not want other people to know some information about them. They will not be able to opt out of this linkage. Linking records will bring benefits and safeguards to them as individuals as well as to Government Departments and society.
5.2.34 However, the linking information will not be in the public domain, so will not be available to those searching the central database. It is likely to only be available to the person concerned, those to whom the person gives permission and some users of registration records where there are legal or other reasons for doing so. The list of those entitled to access the linking information will be set out in legislation. These measures will ensure that the privacy of individuals is not compromised.
This proposal amounts to establishing the foundations for a compulsory dossier on every citizen. It has the potential to acquire new functions piecemeal on no basis beyond the convenience of the state. Once begun, it would develop its own momentum as agencies discovered new advantages. The consultation paper mentions fraud, repeatedly, though without identifying the frauds concerned. Fraud and crime prevention could be argued to justify the inclusion of information or linkages relating to social security benefits, tax, passports, drivers’ licences, criminal records and much else. Public health considerations might be argued to justify extension of the snapshot of information about the cause of death to an accumulation of information about health events during life. The protection of children might be argued to justify linkage with information accumulated by social services departments. The needs of the war on terrorism seem capable of being used to justify almost anything.
of the kind here imagined are themselves the foundations for abuse of power by
the state. They fail what might be
called the Holocaust Test: if they had
No system with such a potential should be introduced. To contemplate introducing it under delegated legislative powers on the basis of a consultation in which these issues are not exposed or explored seems to us deplorable.
The failure of the consultation paper to identify the frauds on which it relies has the consequence that it is difficult to see what measures such frauds might justify. It is well known that passport applications can be made by impersonating someone who has died without ever applying for a passport. This form of fraud could be impeded by adding to the details of the registration of a person’s birth the date of their death, where the two can in practice be linked. No more extensive linkage or dossier can be justified for this purpose; and it is far from clear whether the same end could not be more simply served by the Passport Agency carrying out an automatic check of the names of passport applicants against a future computerised registry of deaths, and making further enquiries where apparently justified.
Bigamy is a fraud, and might be impeded by adding to the details of the registration of a person’s birth the details of their marriages and divorces. Prospective bigamists might of course simply impersonate other single men, which would probably exacerbate the harm done by their bigamy. Given the scale on which co-habitation occurs outside marriage, it must be debatable whether the threat of bigamy justifies linkages of the kind contemplated. The consultation paper has made no effort to examine the issue.
No other frauds seem to be identified in the consultation paper. Given the profound potential implications of the proposals, we think that every fraud or similar risk relied on to justify them should be identified with precision and the alternatives examined carefully and in detail.
We now turn from the question of dossiers to that of changes to the records. The existing system of paper registers has an extremely valuable security property, namely that it is practically impossible to rewrite history because the entries are consecutively numbered as they are made and alterations are visible. Electronic registers do not naturally have this property: entries can be changed without any evidence that a change has been made; and unless an electronic system is carefully designed, it may be impossible to detect the creation of bogus “historical” records.
The proposals are as follows:
5.3.9 It is proposed to simplify the legal framework for correcting records. The Registrar General would keep his powers to prescribe the way in which corrections are made and by whom. There would continue to be two categories of corrections, related to the nature of the error, and not to whether the registration was complete or not when the error occurred:
straightforward changes such as spelling errors and some omissions. These corrections would be made locally or centrally. Operators amending records would require the appropriate access level to the central database. In practice this could mean that only some registration staff both locally and centrally can amend records, thus making the whole process more secure; and
complex errors. These would only be handled centrally as they deal with complex corrections or with sensitive issues such as identity and paternity that require in depth knowledge and expertise to resolve, as well as the production of a variety of documentary evidence of the true facts.
5.3.10 There would also be the facility to update records on the central database. Amongst other things, updates would replace the current system for re‑registering births to include the father’s details (see paragraphs 2.2.22 and 2.2.24). Such updates could be administered locally (as they are now on the authority of the Registrar General) or centrally by the Registrar General. The way in which these are carried out would be amended to reflect the move to a computerised system and the changes to the organisation of the registration service locally. The procedures for updating records would allow for the electronic transfer of documents such as court records. Updates would also replace the current system for re‑registering still‑births to add the father’s details. Updates to still‑birth records would all be handled centrally.
5.3.11 Any changes and updates made to records would be captured on the central database and kept along with details of who made them, and when, for audit purposes. The original details and information about the changes would not generally be available, although some users of registration records may have access to it. Any documents issued from the central database, however, would show only the updated or corrected information.
5.3.38 However, it is recognised that under these proposals, people will not routinely be able to see the original information recorded in the record, which they can currently do along with the correction. This could be seen as a limitation to their rights and freedoms. However, allowing access only to the corrected information could save those named in the record embarrassment and distress, particularly if the correction is of a sensitive nature. The Government’s view is that these proposals are justifiable as they balance the public interest in the information with the individual’s right to privacy and protection.
5.3.39 There will be provision for some Departments and Agencies to have specified access to the audit trail of the corrections and name changes in order to prevent fraud. This will be in line with the provisions for accessing the linking information on ‘through life records’.
We think that the correction of clerical errors within a short time of the making of the original entry is a reasonable feature of a registration system. There is no public interest in the perpetuation of clerical errors. But in order to secure the integrity of the registration system as a whole we think that it should be made highly and visibly resistant to the possibility of manipulation. That should be achieved by regular publication in the London Gazette within a short time (we suggest seven days) after the end of each period of a cryptographic hash of all the records for that period, which we suggest should be a period of seven days. The benefit of this procedure is that any change to a record would cause the records of its period no longer to hash to the published hash; and it would of course be impracticable to recall all the copies of the London Gazette to prevent this being evident. As a further safeguard, the previous week’s hash should be included in that of the current week’s, to provide an ongoing chain of evidence.
It follows that corrections made after the initial seven day period would have to be made in the form of a new correction record linked to the original. The same would be true of “updates”, which appear to be intended as invisible changes to existing records. We think that such changes ought not to be permitted: history must not be rewritten. In circumstances where it is justified to replace an old record with a new one, this should be done by rendering the old record inaccessible, and creating a new one. The cases where this procedure is appropriate should be the subject of specific consultation and justification, because it departs from a very basic principle of registration, namely historical accuracy. Sex change is a good example: views may well differ on whether the registration system should reveal or conceal the fact that an individual of one sex was first registered as being of the other. Differences of view of this kind should be resolved by explicit consultation and rational debate.
Finally we address the question of information included in the register but not open to the public. This information appears to be the following:
Restricted in relation to births:
Occupation of father
Occupation of mother
Usual address of mother
Informant’s usual address
Restricted in relation to Deaths:
If married/widowed occupation of husband/wife
If <16, occupation of father and mother
Informant’s usual address
Cause of death
Restricted in relation to Marriages:
Rank or profession of the groom
Address at time of marriage for the groom
Rank or profession of the father and mother and step‑parent of the groom
Rank or profession of the bride
Address at time of marriage for the bride
Rank or profession of the father and mother and step‑parent of the bride.
The consultation paper observes as follows:
6.4.20 In addition, it is intended that the law would allow both the restricted and open data to be available within ONS and to other Government Departments and public bodies (such as the NHS) for statistical research. There would also be administrative arrangements in place for the restricted information to be used for ethically approved medical and social research. This is equivalent to what currently happens and would ensure that important research that is in the public interest can continue. Such research has in the past provided vital information on the causes and prevention of diseases (eg smoking and lung cancer).
6.4.23 Government bodies and private sector organisations would be able to streamline and speed up their processes as a result of not having to handle certificates. Verifying information electronically would be quicker, easier and more accurate and would result in savings for those organisations that use registration information and for their customers. The restricted information (particularly addresses) could be used as a way of confirming that the person applying for a service or benefit is indeed that person, both reducing the fraudulent use of registration information and ensuring that those entitled to those services or benefits are able to obtain them.
Given that the purpose of the registration system ought to be to establish the rights of the individual, it ought to contain only information appropriate to that purpose. It is difficult to see the justification for including occupations, ranks, professions or causes of death within the registration system. If there are justifications, they should be made out specifically, and differences of view resolved by informed debate. What is justified to be included should be publicly accessible unless there are strong justifications for excluding it. Inconvenience to celebrities and others through their addresses becoming known does not seem to us to justify a general exclusion (though it might justify a power to deny access to a specific address for a specific period case by case).
The inclusion of cause of death is discussed as follows:
9.1.6 Civil registration is recognised by the United Nations as the foundation of a legal system for establishing the rights and privileges of individuals. Records from that system are also the main and preferred source of continuous vital statistics on live births, foetal deaths, marriages, divorces, legal separations and deaths. Mortality statistics are one of the principle sources of health information and in most countries, they are regarded as the most reliable source of health data on the whole population. They, together with birth statistics, are also an essential component of information for estimates and projections of the number and characteristics of the population.
This does not seem to us to establish that “cause of death” ought to be included in the information in the registration system, especially if it is thought that it is or may be too sensitive to be the subject of public access. Instead, information about the cause of an individual’s death, which will be provided by a medical practitioner, should be handled in the same way as other health information about that individual. In general that information is confidential to the individual, and should not be used or disclosed except for their treatment or otherwise with their informed consent (or that of their legal personal representatives after their death). The Secretary of State has limited statutory powers to derogate from that principle, obtained in the face of significant controversy. Cause of death should not be treated differently.
A further serious concern about the inclusion of confidential information in the registration system is that it is unlikely that any database that is widely accessible will succeed in protecting the contents that are confidential from determined hackers or corrupt insiders. At a minimum, any such data should be accessible only on a private network that maintains secure logs of every access to the data.