London Borough of Newham for the National Smart Card Project

Card Governance

Report WP8 - 02

Version 2.0

September 2003

© London Borough of Newham for the National Smart Card Project

WP8-02 - Card Governance - V2.0 Release 15/11/2018

1.Abstract

This report considers the legal issues connected with the card governance aspects of a Smart Card Scheme. It looks at the legal issues that may arise in the establishment and operation of a Smart Card Scheme and the way in which certain issues may be managed by means of contract. An overview of the basic principles of contract law is set out in Appendix 2.

1.1Project management and Smart Card Scheme administration

The Smart Card Scheme will rely upon a variety of different technical processes and systems, and if any of them fail the smart card will not work. As each of these processes and systems are potentially provided by separate suppliers, the contracts will need to clearly specify the responsibilities of each individual party.

The Smart Card Scheme can broadly be split into three phases: Development, Implementation and Operational. There must be a clear chain of authority in relation to the management of the Smart Card Scheme throughout each of the phases. In any event, an individual should be appointed within the Card Issuer to take responsibility for the project as a whole from an early stage.

During the first two phases it may be necessary for the relationships between the various parties to be controlled by a Project Manager.

At an early stage in the project, an appropriate project management methodology should be adopted, and thereafter adhered to.

The Project Manager may be an employee of the Card Issuer, or the function may be outsourced to an external organisation. The Project Manager's role and powers must be clearly defined, particularly where they can bind the Card Issuer.

During the Operational Phase, the Card Issuer should appoint:

• a Scheme Administrator; and
• a Technical Administrator.

The Scheme Administrator and Technical Administrator may be either internal or external appointments.

The Development Phase is crucial to the success of the Scheme overall. Careful planning will be required to determine the services to be made available through the Scheme, which may in turn dictate the functionality and design of smart cards, and the Card Infrastructure to be adopted.

The Card Issuer may be able to allocate some liability by contract to the Project Manager, Scheme Administrator and Technical Administrator. However, the Card Issuer will remain liable for any breach of its statutory duties.

There are two contractual models on which the Scheme can be based:

• where the Card Issuer appoints a prime contractor to design, build and implement the Scheme; or
• where the Card Issuer appoints contractors for each separate task and enters into a contract with each of them.

A design and build relationship may improve procurement processes, and shifts responsibility for completion on time and in budget onto the prime contractor. It will be important in this situation to ensure that the contracts between the prime contractor and its contractors establish the Card Issuer as an interested third party, able to enforce its rights directly.

If the Card Issuer contracts directly with separate contractors, it retains control over each of the contractors in terms of the standard to which each performs. This model also allows flexibility where one contractor is failing to meet its obligations. It will be important in this situation to ensure that each of the supply contracts is drafted so that they work together, and therefore, Card Issuers will not be able to simply accept the standard terms of each contractor. In particular the contracts should contain a provision allowing for the Project Manager to oversee the project as a whole.

1.2Physical Smart Card and Reader issues

Whilst It may not be possible to impose the same technical standards in all Smart Card Schemes, it should be a best practice recommendation for all Smart Card Schemes to adopt the same technical standards in order to achieve interoperability.

Physical design aspects of both Smart Cards and Readers must be based on the overall aims of accessibility, reliability and physical durability.

Quality control of Smart Cards and Readers may be managed contractually but must be backed up by the internal checking procedures of the Card Issuer.

The Card Issuer may not be able to retain complete control over branding on the smart card but should as far as possible deal with branding issues by contract.

The Card Issuer will be subject to duties under health and safety legislation in respect of Card Users and other members of the public, as it would in respect of any other work undertaken by it or on its behalf. Such duties are likely to include vetting Technology Suppliers as part of the procurement process.

1.3Accessibility

Accessibility by all and social inclusion are key Government objectives, and should be fundamental to any Scheme. In addition, Card Issuers, Secondary Service Providers and certain third parties will be subject to duties under the Disability Discrimination Act 1995 ("DDA"), related regulations and guidance. For these reasons the interests of groups such as disabled people, the elderly, children and minorities by language or culture must be considered in developing a Smart Card Scheme.

Liability under the DDA may be split between the parties involved in the supply chain. The key question is who is responsible for service provision. Primary liability for the provision of Local Authority services will lie with the Card Issuer. The Card Issuer should seek to pass associated risks to others in the supply chain through contract.

Discrimination against disabled people under the DDA may arise where the service provider, without justification:

• refuses or fails to provide any service otherwise provided to the public;
• offers any such service only at a lower standard or on less favourable terms;
• fails to make reasonable adjustments to its policies, procedures and practices in relation to any such service; or
• fails to make reasonable adjustments to its premises (or to provide a reasonable alternative method of access) which makes it impossible or unreasonably difficult to use such service.

Sanctions for breach of the DDA include investigations instigated by the Disability Rights Commission, fines and claims for damages by individuals through Court action.

Card Issuers must consider the physical, technological and social aspects of access to the Smart Card Scheme in line with the requirements of the DDA to make adjustments to allow equal access to services.

Effective smart card design can increase accessibility for disabled people in a number of ways. A Card User may indicate individual preferences, such as a preference for a large print screen. The smart card can therefore identify special needs of the Card User when it communicates with a Reader, and can incorporate tactile identifiers.

The design of Readers should facilitate physical accessibility by: standardising user interfaces; positioning Readers at a convenient height; and ensuring ease of access to Readers. Biometric measurements for verification should be approached with caution and may not be usable by all groups.

Card Readers should be located at convenient locations to ensure optimum take-up of the Scheme.

Card Issuers should consider the extent to which additional customer support may be required by disabled users, or other sectors of the community.

Where the Card Issuer uses a website to host information or application forms relating to the Smart Card Scheme, it should ensure that the website is accessible to disabled people. The guidelines provided by the World Wide Web Consortium (W3C) provide best practice standards for website accessibility.

1.4SoftwareApplications

The Card Issuer should establish a series of technical standards relating to Software Applications to ensure that the system operates successfully. These standards should apply equally to the Card Issuer's Software Applications as they do to those of Secondary Service Providers.

If the Card Issuer commissions the development of Software Applications by third parties, the Card Issuer should ensure that it is assigned ownership of the intellectual property in the software. At a minimum the Card Issuer should be granted an adequate licence to use the Software Application as required for the purposes of the Scheme.

As owner of the Cards and operator of the Scheme, the Card Issuer should retain control over the Software Applications. To assist with this, the Card Issuer should establish protocols to govern: the means of adding, removing, blocking, amending and upgrading Software Applications to a smart card; and the method of ensuring that Software Applications link up with associated data on a smart card or separate database.

There are a range of issues which a Card Issuer should consider when contracting with Secondary Service Providers to integrate their services in a Smart Card Scheme. In addition to imposing technical standards on Secondary Service Providers, as referred to above, the key points will include:

• ensuring the Card Issuer will retain ownership of the smart card;
• ensuring the Secondary Service Provider has all rights necessary to use its Software Applications;
• ensuring the Card Issuer has the right to approve the Card User terms and conditions imposed by the Secondary Service Provider;
• the commercial basis of the relationship with the Card Issuer.

The Card Issuer must ensure that data is segregated effectively where more than one Software Application is used. This is necessary to ensure compliance with data protection legislation, and to maintain the integrity of the data.

1.5Voluntary and Mandatory Smart Card Schemes

Smart Card Schemes may be Voluntary, Mandatory or a mixture of the two.

Where a Scheme is Voluntary, the Card User should be given a genuine choice between accessing the service via a smart card or via traditional delivery methods.

The Card Issuer's decision as to whether a Scheme may be operated on a Mandatory basis or will be dictated by the nature of the services being provided, and the legislation from which the Card Issuer derives its powers.

In relation to a Mandatory Smart Card Scheme, it is important to consider social exclusion and accessibility issues, such as the right of users to access services equally, without risk or threat of social or other discrimination or disadvantage.

A hybrid Scheme is one which involves both Voluntary and Mandatory elements. The Card User's rights in relation to these services must be clearly specified in the terms and conditions implemented in the contract between the Card Issuer and Card User.

1.6Interoperability of a Smart Card Scheme

It may be desirable or necessary for Smart Card Schemes operated by different Card Issuers to interoperate. Even where this is not initially the case the same set of technical and administrative standards should be implemented to allow future interoperability.

Where a Card may be used in two or more Schemes, the original Card Issuer of such Card will wish to retain control over the Card. To the extent that other Card Issuers provide any services to such other Card Issuers will be acting as a Secondary Service Provider to the Card User. Where such services are different from, or in addition to, those services provided by the original Card Issuer, a separate contract will need to be entered into between the Card User and other Card Issuer.

The contract between two or more Card Issuers must deal with a number of licensing and liability issues. It will:

• provide which party will be responsible for any loss suffered as a result of error in interoperability;
• provide for co-operation between Card Issuers where a Card User permanently moves from one Scheme to another;
• oblige Card Issuers to cooperate in situations where Cards are misused (the originating Card Issuer should retain responsibility for dealing with withdrawal of Cards);
• deal with apportionment of costs between participating Card Issuers, where a service straddles two or more relevant geographical areas.

1.7Ownership of Smart Cards

It is essential that ownership of Cards is clearly established at the outset of the Scheme. It is unlikely that the Card Issuer will need to own every component part of the smart card, for example the intellectual property rights in the manufacturing process. However, the Card Issuer needs to own the required fundamental elements of the smart card, and obtain licenses where relevant for other elements.

Sufficient physical smart cards (plastic and chip) need to be procured from a Card Supplier in order to meet the demand from Card Users (including additional and replacement smart cards). The supply contract should assign the ownership of the smart cards so that the Card Issuer owns all physical elements of the smart card. The supply contract should also specify the point at which the Card Issuer becomes responsible for the Cards.

The Card Issuer should seek to include a mechanism for testing the technology prior to acceptance. This is likely to be a complex term of the agreement.

The Card Issuer will also need to deal with its ownership rights in the contract with the Card User.

1.8Individual Applications for a Smart Card

In any Scheme it is important to note that the Card Issuer is entering into a contract with the Card User, and that the terms and conditions of that contract must be brought to the attention of the Card User before the Card is issued to him or her. Card Issuers should also consider those terms and conditions that may be implied into a contract by law.

The Card Issuer should retain a Card User 'application process' for Mandatory Schemes, even though this may not be strictly necessary.

The availability of application forms and methods for completion may affect the relative success of any Scheme, and Card Issuers may wish to consider making forms available on-line, at the premises of the Card Issuer or Secondary Service Provider, or associated premises, or where all members of a community are targeted, by delivery to each household.

The Card Issuer will be a Data Controller under the Data Protection Act 1998, and will need to comply with its obligations under such Act.

Where the Card Issuer crosschecks information on application forms against information which it already holds on the applicant, it may breach its obligations under the Data Protection Act 1998.

The terms and conditions, which will control the relationship between the Card Issuer and the Card User, will need to deal with certain key areas, such as:

• permitted uses and restrictions on use of the smart card;
• data protection;
• policies and procedures on lost and stolen cards;
• relationships with Secondary Service Providers;
• the Card Issuer’s right to vary the terms and conditions.

Application forms may be completed and submitted on-line except where the services include a credit or debit function.

It will be important for Card Issuers to verify the identity of every applicant at the point of application, to ensure that it is contracting with the correct person, that they are resident in the local area, that they have capacity to contract and to ascertain the services to which the person is entitled.

Evidence of identity should be obtained in respect of every applicant. The evidence required will depend on the nature of the services to be provided.

Where the Card Issuer accepts documents by post this should be done securely, and the Card Issuer will need to put in place systems to ensure that all original documents are kept safely and returned to Card Users as quickly as possible.

It may be desirable to require applicants to produce original documents in person.

The Card Issuer should consider whether it wishes to enter into contracts with persons under 18, on the basis that where services are not 'necessaries' the contract may be voidable. Wherever possible the contract should be made with a parent or guardian.

1.9Card User authentication

There are no foolproof mechanisms to ensure that an individual is correctly identified. A balance must be met between the need to identify Card Users, and the costs and risks associated with conducting such authentication.

Using the identity verification and authentication levels recommended by the Office of the e-Envoy, authentication by PIN or password systems will provide proof of identity on the "balance of probabilities". Use of these systems does not guarantee that the person using the smart card and inserting the PIN or password is in fact the Card User.

Using the same verification and authentication levels, authentication by a third party, including the use of a digital signature verified by a Certification Authority will provide a substantial assurance of identity. However, digital signatures work only if the Card User alone has access to that signature.

Biometrics is one of the best ways of identifying an individual. However, the cost and social difficulties in implementing such a system may currently make it inappropriate for use in the Smart Card Scheme.