In addition, there is the new privacy bill (which I still haven't read) - but since it is based on the EU privacy directives, I am very confident that it will list the ID number as private information and ask that it should be protected.
The problem is, we are trying to shut the gate once the horse has already bolted. The need to supply ID numbers is ubiquitous - and in many cases it does not make sense. Some buildings require you to provide a number (not any supporting documentation, just the number) to enter. To interact with a bank or enter any personal business relationship (credit applications, phone applications, post box etc.), you need an ID number. Need a job - you need an ID book. The numbers are everywhere, in a multitude of systems, and they are also published online with no regard for data sanitisation. For example, here is a PDF I found detailing ID numbers of restaurant owners who applied for liquor licenses in Gauteng. I was looking for the address of one of the listed restaurants ... Oh, and Government gazettes are public documents, and the bylaws require that the information should be published.
The problem is that we use ID numbers for things we are not supposed to use them for, namely the authentication of persons. To illustrate, let's examine the definition of authentication (as a process) in RFC 2828.
An authentication process consists of two steps:
- Identification step: Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service.)
- Verification step: Presenting or generating authentication information that corroborates the binding between the entity and the identifier.
The ID number is an identifier. It is a 13-digit numeric string that is unique to each legal South African permanent resident (citizens and non-citizens). The verification step rests solely with the Department of Home Affairs. However, companies never make that leap - the Identity number and the associated Identity book have become a one-stop authentication solution, which they were not designed to be (or they would have other built-in verification steps). Since businesses rely solely on the ID book and the ID number, the verification step is incomplete and thus ID fraud takes place.
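The two RFC 2828 steps side by side, as an added example that is not part of the original post: `identify_only` stops after the identification step, while `authenticate` also performs a verification step. The `Registry` class, the enrolled secret used as authentication information, and the sample number are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed sample value: 13 digits, not a real person's ID number.
SAMPLE_ID = "0000000000000"
ID_FORMAT = re.compile(r"\d{13}")  # per the text: a 13-digit numeric string


def _derive(secret: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a stolen verifier table is costly to brute-force.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


class Registry:
    """Hypothetical relying-party store: identifier -> (salt, verifier)."""

    def __init__(self):
        self._records = {}
        self._dummy_salt = os.urandom(16)

    def enroll(self, id_number: str, secret: str) -> None:
        if not ID_FORMAT.fullmatch(id_number):
            raise ValueError("identifier must be 13 digits")
        salt = os.urandom(16)
        self._records[id_number] = (salt, _derive(secret, salt))

    def identify_only(self, id_number: str) -> bool:
        # Identification step only: whoever has seen the number
        # (a gazette, a visitor log) is accepted as its owner.
        return id_number in self._records

    def authenticate(self, id_number: str, secret: str) -> bool:
        # Identification step: look up the claimed identifier.
        salt, expected = self._records.get(id_number, (self._dummy_salt, b""))
        # Verification step: corroborate the binding between person and
        # identifier. Unknown identifiers do the same work and then fail.
        candidate = _derive(secret, salt)
        return hmac.compare_digest(candidate, expected)
```

With this split the identifier can be widely known without weakening the check, because acceptance depends on the verification information and not on the number.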
The ID number does not necessarily need to be private. It is, after all, a unique identifier for persons - a more unique name. What is required is an easier, usable and secure verification service. That is the answer to identity theft resulting from "stolen" identity numbers. As for privacy of identity numbers - the number itself does not need to be private - it is, after all, an identifier. However, that does not mean that everyone should collect the numbers. There should still be a reason to collect information, and should it be collected, there needs to be secure storage of the data. In this regard the EU privacy directive is absolutely correct.