Technology Exploration Project – M591






Introduction

There are various methods used for identification in different industries today. However, has this sudden obsession with identification tampered with what was once known to be privacy? Does privacy even exist at all if things that are considered to be private are being used for identification purposes? How do we go about verifying that an individual is who they claim to be? Is there a way of actually verifying that the details being presented are true or not?
The aim of this article is to examine the identification methods used by two different industries, and to examine how these identification methods are verified.
The two chosen industries are the education industry and the health industry. However, as examining the education industry and health industry as a whole will be making too more of a generalized analysis and overview; a specific look into the University of Portsmouth admission system and the Nuffield surgery will help to look into specific identification and verification process used by both industries.
Although it might appear that both of these industries are similar as they both deal with the ‘welfare’ of students, and their method of authentication and identification are oddly similar (although it is often common to find out that methods of authentication and identification are often similar in different industries), through careful research, there are several aspects of their methods that are different.
Authentication can be said to be a process of establishing a level of confidence in the truth of a claim (Kent, Stephen T, 2003, Who Goes There? : Authentication through the lens of privacy). This level of confidence can vary depending on what is being authenticated. Also, this level of confidence does not affect whether what is being authenticated is true or not, or whether the authentication system works, it only establishes the level of the confidence in the truth of what is being claimed to be true.


ATTRIBUTES USED FOR IDENTIFICATION

There are various attributes that are used to verify identification. These attributes may differ depending on the industry; the use of these attributes makes it possible to uniquely identify an individual/agent.
The records system used by the University of Portsmouth to manage students’ personal and academic information is called Jupiter. The use of this Jupiter records make it possible for the university to manage and track new applicant’s progress. The academic registry serves as the department in charge of this system. As they act as the record keeper of all the students’ information and courses, it is their job to manage this system.
At the University of Portsmouth, according to Admissions staff, A. Bond (Personal communication, October 19, 2007), the main attributes used to identify a student is the name of the student, the student’s date of birth and the student’s permanent address.
The use of these attributes makes it easier to identify one student from the other. Each of these attributes can be used on its own, although, the use of a single attribute does not make it sufficient enough to identify a particular student, e.g. two students can be called Bob Adam, or two or more students can live at an address. However, a combination of each of these attributes makes it possible to uniquely identify a student, i.e. it will be almost ‘impossible’ to find two students bearing the name Bob Adam, born on 12th of may 1986 and lives at 1, Adam street. Therefore, a correct combination of these attributes makes a search exclusive enough to uniquely identify a student. As these attributes are classed as main attributes, there are other minor attributes that are used to identify a student, depending on what the ‘filtered results’ is meant to produce, i.e. a student could be identified according to the department they study in, or according to what course they are studying. A more ‘sensitive’ attribute could be according to the ethnic origin of a student, although this could seem harmless and could be used purely for statistical purpose (for example, the Higher education statistics agency, HESA), some people might feel like it is too much of a sensitive topic to address, or perhaps it causes segregation. Another popular attribute is the gender, which could be used for statistical purposes as well.

At the university surgery, a similar set of attributes are used to uniquely identify a patient/client as the university. Although, the attributes may vary, as attributes is what can be uniquely identified to an individual. So in the case of the University surgery, this includes a list of diagnosed illnesses, or list of allergies or statement of medications given. If a patient was to walk into the university surgery to book an appointment for example, the main attribute used to identify the patient is the date of birth, followed by the full name.

As shown between both industries above, it is possible to see that these two organisations have certain attributes in common, and this could be said for other organisations (e.g. bank employees etc). This similarity could be because they both deal with similar clients (students).
The attributes used for identification can be used for a variety of reasons. These could include, statistical purposes (as mentioned above), or for uniquely identifying an individual.

AUTHENTICATION METHODS USED TO VERIFY IDENTITY

The use of authentication could help an organisation expand on the knowledge they have about an individual. As it establishes a certain level of confidence, it is vital that the method used for authentication by an organisation is tangible enough to raise the bar of confidence up. This level of confidence does not determine whether the authentication system/method works or not.
At the University of Portsmouth, there are a various methods used for authentication to verify a student’s identity. The authentication method varies on the status of the student, i.e. whether the student is a new or current student. These factors do not stop there, they are further broken down, and the tree below gives a clearer indication of this. Each of these factors is clearly explained below the tree.






A new student is classified as a student who has never applied to the university before. A new student can apply to the university in one of two ways; either by UCAS (Universities and Colleges admission service), or by filling out a direct entry application form.
If the university receives an application through UCAS, majority of the authentication and verification has already been done through the UCAS system (this will not be discussed as the main focus of this article is on the University of Portsmouth and the University surgery).

If an application is received by a direct entry application form, once again the residential status of the applicant is split into two categories; home student and international student. As a home student any form of photo id is used to verify the student’s name and date of birth (if available on the id), however for an international student, a passport is required to verify the student’s identity (name, date of birth etc). This split decision on what form of identification is required from each applicant could raise a few eyebrows about the ‘relaxed’ approach to a home student. However, after a discussion with Admission office employee, A. Bond (personal communications, October 19, 2007), it was discovered that the only reason as to why an international student is expected to produce a passport and not very crucial for a home student is because, an international student will have (should have) a passport, whereas a citizen of the United Kingdom might not necessarily own a passport, thereby an alternative form of identification can be accepted.

Another authentication method that is performed on new students include requesting for a copy of an applicant’s educational qualifications, which are then checked and verified with the named academic institution where the qualification was acquired.
An applicant is also required to note down any relevant criminal convictions they might have, and especially for an applicant applying for courses in teaching, health, social work, children or vulnerable adults, a form of criminal record check is required of the applicant by the university (University of Portsmouth, 2007, Application form guidance notes). This criminal record check is a document (Enhanced disclosure document) which can be obtained from either Criminal Records Bureau or the Scottish Criminal Record Service. If an applicant is known to have a criminal record, then it will be made known to the university, and it is up to the university how this affects the status of the applicant’s application.

Other checks that are made the university include if an applicant have declared to having a disability, then this can be verified by a doctor/specialist note.

In the case of a current student, once again the status of the student is split between a home student and an international student.

For a returning home student, the verification process is usually straight forward as all the student needs to produce is a campus card from the previous year of study, to confirm that the details are still correct. The main verification performed on a returning home student is usually verification on whether the tuition fees have been paid or not. This is usually verified by a variety of ways. If the student’s Local Education Authority (LEA) has paid the fees, then the student is sent a notification letter, which usually has a barcode, which is then entered by the University into their system for verification. If fee payment was made online by the student, then a receipt is usually printed by the student to prove payment. This claim is then checked in accordance with the record the university has. Other forms of claim include bank statement, etc.

For a returning international student, the student is asked to specify if his/her residential status has changed (i.e. if they he/she have become a UK citizen), if the student claims to be, then it is verified and checked (usually with the home office). These checks are often necessary as it affects the fee status of the student, i.e. a student might start paying the fee rate of a home student rather than that of an international student. Also, any notification of criminal offences will also be checked, and proof of fee payment. This proof can be from a variety of sources, e.g. letter from sponsor with a certificate of payment or a bank note indicating that the total sum has been paid.
In terms of verifying the truth in the claim of a fee payment to the university, the student has to provide a form of fee payment, but the university also have to check with their record that this statement is accurate.

It is interesting to find out that the campus card issued to a student after the authentication process is complete, can then be used as a form of authentication method in other aspect of the student’s life. For example, for a student to be able to borrow books from the university library, the production of a campus card is required to verify that the student is in fact a student. Also the campus card can be used in conjunction with any other form of id to open a students’ account in a bank.
At the university surgery, at the registration stage of a patient, there are a variety of authentication methods carried out by the verifier to ensure that the details being provided are accurate. For example, the patients’ GP (General Practitioner) is verified in order to retrieve the patients’ medical records, and any other details that need to be known about the patient.
To verify the name, address and date of birth of a patient, a proof of id is often required, which could be a students’ campus card, passport etc.
It will be possible to see that with registration to the University surgery, the authentication process is a lot more relaxed than applying to the university. This could be because of the fact that health service in the UK is free; therefore there is no need to waste time, money and effort on verifying the identity of an individual. Whereas, if t was in another country where the health service is not free, then a lot of measure would be carried out to verify the identity of an individual. Although this relaxed approach could pose as a problem in the case of identity theft and fraud.


HISTORICAL CONTEXT LEADING TO THE CURRENT ID METHOD

As with any method used with any system, there is always a previous method that was used leading to the current technology being used.
At the University of Portsmouth, before the introduction of the campus cards (see picture below), a paper id was used. The campus card being used at present is in the form of a plastic identity card.

The use of campus cards was introduced to the university in 2002, at the start of the academic year, and has been used ever since then.
The use of the paper id was not efficient enough as it could be easily forged. The use of the plastic id makes it more difficult to forge the identity of a student, however, with the right equipment; it probably could be forged but not so easily (might be expensive, so anyone planning on doing it might want to think twice about it).
Also, the previous system used by the University for managing student records was HEMIS (Higher Education Management Information System); this has now changed to Jupiter (University Of Portsmouth, 2007, Jupiter Admissions)
At the moment, patients details at the University surgery are computer based, with paper records used as back up copies. Before the introduction of the computer system, all patients’ details were all paper based, which could often mean repetition of data or inaccurate entry of data.
Before the introduction of the computer system, the only way to identify a patient was to search through copious amount of paper records (which does not always prove successful). Another new system that has been introduced into the university surgery is the introduction of a touch pad system that a patient who has an appointment enters their details as soon as they arrive at the surgery. This way the nurse/GP is informed of their arrival.

PERSON/GROUP THAT BENEFITS FROM IT THE MOST

It will be almost impossible to make a generalised conclusion on the group that benefits the most from the current identification. Deciding who benefits most from the current identification method depends on what angle/perspective it’s being looked from.
It could be easy to say that the department that the information is being presented to (issuer and/or verifier) benefits the most from the identification method. As they can easily and uniquely identify each student with the use of the student’s Jupiter (or hemis) number for example, means that the search process is made easier and faster. Also as they can easily collate students’ data for the purpose of statistics, mode of attendance or prescribing medications for example, makes their job easier and provides a better form of accuracy, thereby improving their services.
If it is been looked from the presenter’s perspective (the student or patient in this case), then it could be said that they benefit from it as they present information, and they get a form of service in return. For example, a student who has presented his/her information, aims to achieve the status of a student, and get the benefits of being a student (education, student discounts etc.).
A different department that is often overlooked is for example in this case, the HESA (Higher Education Statistics Agency), or the SLC (Student Loans Company) who use the information received by the university and other institutions to come up with a national statistics or database.

KNOWN AND POTENTIAL EFFECTS ON COLLECTION OF PERSONAL DATA

One of the main and most worrying effects on collection of personal data is the theft of private data and fraud. These issues have made the public more reluctant in providing their personal details to anyone, although this can be seen as an advantage, it could also be seen as a disadvantage. For example, if a student decides not to disclose certain information about his/her personal life while filling the application form, this could result in the delay of the student’s application.
According to an interview with the academic registrar J. Ferrett (personal communication, October 22 2007), information collected about a student is often used for statistical benefits etc. Although this process does not look harmful at all, the use of an individual’s information without the user’s consent means the individual feels like they have no control over what their information can be used for. For example, a student might not want certain aspects of their medical information revealed to anyone else. Therefore, the use of this data reduces the individual’s level of confidentiality.
Also, the collation of such a large amount of information about a student (especially with the fact that the University itself is linked with the University surgery), means that if any aspect of the university system is tampered with, or leaked, a huge amount of a student’s information can be leaked to a third party or the public, thereby making it possible to use a student’s details for illegal purposes.
The link between the university and the university surgery means that a worker at the University surgery can easily get access to a student’s course details, or vice versa, which means there is a breach in student privacy.


TRAININGS REQUIRED

As new systems/technologies are being introduced to the university and surgery, regular training is required for all relevant member of staff. For example, the introduction of the new Jupiter system to the university means that the employees in charge of admissions department, which means cost, and overall upgrade of the entire admission system. However, this upgrade means that the system becomes more efficient.

REGULATIONS SURROUNDING THE IDENTIFICATION

The main law surrounding student data at the university and the university surgery is the Data Protection Act. This law is taken so seriously that even when the research for this article was being carried, the admissions department, and patient registrar were very cautious and reluctant to release any information, for fear they might be in breach of the Data Protection Act.
An information disclosure officer has been assigned by the university to deal with issues concerning data protection, and freedom of information (University Of Portsmouth, 2007, Complaints and Information Disclosure). Basically, if a third party was to contact the university to enquire about a student details, the university contacts the student to inform him/her of this enquiry made, and asks for the student’s permission to release the details. Even if the third party happens to be a police officer, the police officer would be directed to the Information disclosure officer, who then has the job of deciding whether the details are released or not. This could be seen as an advantage but also a disadvantage, as if the information disclosure officer decides not to release the requested information, it could be seen as wasting police time etc.

In conclusion, it is easy to see that most of the documents (e.g. campus cards, medical card) acquired after authentication process can be used in the authentication process of another system (e.g. opening a student account, obtaining a library card, claiming health insurance etc.), therefore, it looks like a never ending process of authentication, as we are always authenticating ‘something’ in order to be able to authenticate ‘something’ else.
Also, it can be concluded that no one really has any sort of privacy left, especially in the case of both the university and the university surgery, as if a student’s details from the university is used in conjunction with the details at the University surgery, then basically all there is to know about a student can be known, which is not exactly safe in terms of security and loss of privacy.


Reference
Kent, Stephen T. (2003). Who goes there? : Authentication through the lens of privacy. [Electronics versions]. Retrieved October 15th, 2007, from http://site.ebrary.com/lib/portsmouth/Doc?id=10046903&ppg;;

University Of Portsmouth. (2007). Application Form Guidance Notes. [Paper format]. Retrieved October 19, 2007

University of Portsmouth. (2007). Jupiter Admissions. [Electronic format]. Retrieved October 2 2007 from http://www.port.ac.uk/departments/services/businesssupport/JupiterAdmissions/

University of Portsmouth. (2007). Jupiter Admissions. [Electronic format]. Retrieved October 2 2007 from http://www.port.ac.uk/departments/services/businesssupport/JupiterAdmissions/

University Of Portsmouth. (2007). Complaints and Information disclosure. [Electronic format]. Retrieved on October 22 2007 from http://www.port.ac.uk/departments/services/academicregistry/AcademicRegistrarsOffice/complaintsandinformationdisclosure/