Although it missed the second-quarter timeline for issuance, Prime Minister Mark Phillips said that the government’s eID project was “coming along” and would be delivered, but he could not give a new timeframe.
“It is coming along. We have moved through all problems and are on target to deliver to the people of Guyana,” Phillips told Stabroek News last week when asked for an update.
The US$34 million project with Germany-headquartered Veridos, and the United Arab Emirates (UAE) acting as an intermediary, was signed in March last year with the government saying this year that it would be rolled out in the second quarter of 2024. The project falls under the Office of the Prime Minister with the National Data Management Authority as the agency responsible for its execution.
However, while not going into details, Vice President Bharrat Jagdeo on June 13, had informed that there had been a delay and it was being worked through.
Phillips could not say what the problems were but said that new “timelines will be given later.”
During the 2024 Budget presentation, Senior Minister in the Office of the President with Responsibility for Finance Dr Ashni Singh had announced that some $783 million had been set aside for the project.
“The implementation of the National eID which began in March 2023, with the finalisation of the requisite policies and design is currently in progress. Issuance of these cards will begin in the second quarter of 2024, with $783.4 million being budgeted to continue this project in 2024,” he had stated.
“This ISO certified, International Civil Aviation Organization (ICAO)-accepted card system will allow for the issuance of resident identification and work permits and will facilitate a more coordinated approach to public service delivery. The eID system would allow for fingerprint verification and validation of individuals so that the need for proof of address and all the audit documentation may be eliminated,” he added.
The Alliance For Change and the Guyana Human Rights Association had called on the government to pause the proposed programme and submit it to Parliament, as they pointed to lack of legislation to guide it and a dearth in public awareness.
But while Guyana hopes to boost easier access across platforms, with the swipe of the card and privacy aspects being “second to none”, technology experts have expressed concern about this country neither having ample nor robust legislation to guard against cyber threats, nor a comprehensive data privacy policy. Questions are also being raised as to whether this contract should have been subject to public procurement as opposed to direct discussions with the UAE.
“There isn’t an ISO 27001 certified data centre in Guyana to house this data. While the e-Governance unit subscribes to the NIST [National Institute of Standards and Technology], they do not follow NIST 800-53 guidance for security,” a United States cyber-security expert who requested anonymity told Stabroek News, in an invited comment.
“Has this company and the solution been assessed, potential risks identified and mitigated?” the IT technician questioned while pointing out that Guyana has to carefully monitor to assess and remedy gaps.
One observer pointed out that while the US is among the countries that have implemented digital ID systems, to ensure the safety of its citizens’ data, that country has enacted stringent laws.
“These laws include the Gramm-Leach-Bliley Act (GLBA), which mandates financial institutions to explain their information-sharing practices and safeguard sensitive data, the Health Insurance Portability and Accountability Act (HIPAA), which sets national standards for the protection of medical records and personal health information, the Children’s Online Privacy Protection Act (COPPA), which regulates the collection of personal information from children under 13, and the California Consumer Privacy Act (CCPA), which grants California residents the right to know what personal information is being collected and opt-out of its sale,” the observer explained.
“Unlike the US, Guyanese citizens lack comparable legislative safeguards against the misuse and breach of their centralised and easily accessible data,” the sources added.
Noted too was that “concerns about privacy and the potential for unauthorised access to the data collected by the system remain. The implementation of a national ID card system is also expensive, and the cost may be passed on to taxpayers. Some citizens who do not have the necessary documentation to obtain an ID card, such as refugees or stateless persons, may be excluded. Technical issues such as system failures, glitches, and errors can also cause inconvenience and frustration for citizens.”
To implement the project from the technical side, there will be a central ID processing system, pre-enrolment and fixed enrolment stations, mobile stations and delivery stations. Features of the card include laser engraving and an Automated Fingerprint Identification System (AFIS) to access all of a user’s biometric information on a polycarbonate document with a chip. All of the features, according to President Irfaan Ali, are tailored for this country. “The system allows the capture of biographical information, based on international standards and stores it to provide identity based services to individuals and other government offices,” he stated.
In addition to pointing out privacy breaches and violations, former auditor general Anand Goolsarran had called for an overall cancellation citing legal breaches in the contract’s procurement.
None of the calls to pause the process, however, have been heeded.
On March 10 last year, the government announced the virtual signing of the deal with the Germany-headquartered Veridos with the UAE acting as an intermediary.
Ali had explained that the Government of Guyana sought the assistance of the UAE in October of 2021. “On an invitation of His Highness Sheik Amah al Maktoum, two internationally recognized industry leaders [a Swiss company] and Veridos presented their national ID system solutions. These solutions were evaluated by a technical team comprising members of the National Data Management Authority and the office of the National ICT Advisor. The evaluation criteria factored technology use, other government clients, as well as biometric security subsystems, and Veridos was the company in the estimation of the evaluators that presented the best solutions for Guyana,” the President had said.
Attorney General Anil Nandlall SC justified government’s sole-sourcing of the contract, contending that the sensitivity of the data it would contain required world-class security features from trusted companies and an “open market” opened the floodgates to data being compromised.