Courtesy Biometric  Update.com

The Department for Registration of Persons (DRP) in Sri Lanka is raising concerns about the proposed unique digital identity project (SL-UDI), especially pertaining to the role of a foreign master system integrator (MSI) accountable for the project’s delivery, maintenance, and integration.

A senior DRP official told Biometric Update on Wednesday that the DRP has to be aligned with the 1968 Number 32 Persons Registration Act in the country, which is a law that provides for the registration of all citizens and the issuance of National Identity Cards to eligible individuals, and will not do anything that goes beyond this act.

The Indian National Institute for Smart Government (NISG) is seeking bids from Indian companies to appoint an MSI for this initiative, to collect citizens’ demographic and biometric data, similar to India’s Aadhaar system. At least 40 Indian firms have applied for this.

P.T.G. Perera, the Acting Project Director of Sri Lanka’s electronic national identity card (e-NIC) project, raised 22 specific concerns to the Digital Economy Ministry in a letter. A major issue is that the MSI would have control over sensitive data and profile management, which traditionally falls under the DRP’s IT department, potentially undermining established oversight and data security protocols.

The senior official noted that signing off on this will need the Attorney General’s clearance.

The SL-UDI project is positioned as a basis of Sri Lanka’s digital economy, aiming to provide citizens with a unique digital identifier that enables seamless digital transactions and interactions. However, Perera’s letter highlights several risks, including restricted bidding of the MSI to Indian entities, vague clauses regarding data export, and the potential for data leakage during the data migration process. The MSI’s control over critical security components raises further alarms about data sovereignty.

At this point, we need the roles and responsibilities of the DRP to be clearly outlined. There are concerns about data migration and setting up data centers, etc, which need more clarity. Also, the arbitration process outlined in the bid documents would take place in New Delhi, effectively side-stepping Sri Lanka’s judicial system, while intellectual property rights may remain with the contractor,” the senior official further stressed. The limitation of liability clause poses a major risk, as it limits the contractor’s liability to only 10% of the contract value in cases of data breaches, leaving the Sri Lankan government susceptible to substantial financial losses.

Perera’s letter also notes overlaps with existing systems, such as the e-NIC, and warns that the MSI’s management of IT assets could upset governance and security protocols. Legal frameworks for certain biometric data collection, like iris scans, are still not enabled by law, which is also a setback.

The Supreme Court is set to consider a petition challenging the India-Sri Lanka Memorandum of Understanding related to SL-UDI on October 17, underscoring the ongoing legal and governance challenges surrounding this major digital initiative.