Should your system offer Mr, Ms ... and Mx?

Time to phase gender out of your databases

Intelligent flash storage arrays

Analysis Last week the Australian government announced new rules for declaring a gender on passports. This week UK authorities revealed they are conducting their own review of gender on passports. What are the implications for systems design and management?

The Australian move follows increasing pressure from transgender and intersex lobbyists to alleviate difficulties they encounter when crossing borders, where there is variance between someone's apparent gender and what is written on a document. In some countries, such difference can pose a real risk, and the problem has only intensified with the introduction of body scanners at many airports.

The Australian proposal is pretty tame in system terms. It allows passports to be marked M or F according to an individual’s recognised gender; intersex individuals may opt for an X for "unspecified" – or "intersex" – although there remains some argument as to whether the X category was ever intended to be used in this way.

This does not change the underlying systems. Rules are set by the International Civil Aviation Organisation (ICAO), whose lengthy standards – obligatory for countries wishing to issue machine-readable travel documentation – explain that sex is mandatory and already allow three values in the machine-readable area of passports: M, F or <.

The main objection is practical: is travelling on a passport that marks you out as intersex a good idea?

The UK debate, however, goes further. The official Home Office position is that they are looking at "the gender options available to customers in the British passport". Asked to clarify, a spokesman added that the statement should be taken at face value.

And in the end, nothing much may happen: the review is wide-ranging, but that does not make change inevitable.

Gender change on a need-to-not-know basis

So, regardless of the review's outcome, it's business as usual? Not quite, because the genie may be out of the bottle in terms of gender and documentation in two ways. First, the Gender Recognition Act 2004 (GRA) and new Equality Law last year both place discrimination centre stage and create real difficulties for systems that archive the past or regard gender as immutable.

The GRA allows an individual to effectively re-register their birth, gender-wise. John becomes – and always has been – Jane? Sort of. The catch within the GRA (section 22) is that the fact that an individual has "changed" gender by this route is “protected information”: it is a criminal offence to disclose such information except for very specific purposes – and the offence is “strict liability”, so ignorance is no excuse.

One of the better practice models in this respect is UK credit-referencing agency Experian: there, once gender has been changed by means of a gender recognition certificate (GRC), the old version is completely overwritten as though it had never existed.

In systems terms, the GRA may require a review of archiving policy: because careless archiving that leaves old gender information available to staff could lead to a fine. Added care is also needed in respect of offline work: staff must be fully aware of the consequences of disclosure.

A further joker in the pack is the fact that unless personal information creates specific advantage to an individual, it is possible to change gender designation (and title) within many systems at will. The NHS is one: it is perfectly possible to obtain a new record in one’s identified gender simply by writing to your primary care trust.

Should any such change be linked to what went before? Probably not, since it is not always possible to know whether the request is backed by a GRC (see above). Can you challenge this? Again, organisations are on difficult ground here, since checking gender might itself be discriminatory – and, besides, it implies that processing of data is done differently depending on gender, which under equality law is only permitted in very specific situations.

One organisation that came a cropper in this respect is credit-referencing agency Equifax. Their procedures for dealing with GRCs are immaculate, but when it comes to simple name change, they had different processing and data architecture rules according to whether the individual was female and changed name for marriage purposes – or did so for any other reason. Equifax is now putting this right: but the resources and costs required to do so are not trivial. The company said it had appointed a senior IT team to correct the problem.

The proportion of the population that is transgendered is small: but in order to comply fully with legal obligations, systems must be able to deal with the gender implications of even one customer being trans.

Intersex adds a further complication: if the government now begins to look at this minority, the numbers are greater (2 to 4 per cent of the population depending on definition and estimate) and different segments of the community want different solutions.

Some would like simply to identify as one of the two currently recognised genders, some want to opt out of gender definition altogether (“unspecified”); yet others would like recognition as a third gender. There is no consensus. However, the implications for system designers range from trivial to major.

For example: some intersex individuals now style themselves Mx (as opposed to Mr, Miss, etc. and pronounce it “mix”). Some systems – those that restrict title to a pre-set list – will reject that out of hand. But should intersex gain formal legal recognition, systems will need to be capable of recognising and processing Mx. What happens if the review of gender in documents goes beyond passports? Many women would happily dispense with gender being recorded, while a key debate in this respect – on the abolition of ID cards – brought up the idea that gender should be removed from official documents unless absolutely necessary.

Existing law means that there are almost no circumstances where gender should be used for scoring purposes or selection – though those operating marketing systems may well use it to target offers and change the tone of advertising. It's unlawful as one high street bank found a few years back when it recruited student customers with gendered incentives: a free calculator for the lads and a mirror for the lasses.

Problems potentially exist already for organisations in two circumstances: where gender is mandatory for processing purposes, and/or where it is used in follow-up processing, even for something as innocuous as setting title.

Until recently, for instance, simply identifying yourself as “Ms” caused difficulties when applying for a criminal record check: the criminal records system contained a presumption that anyone with this title might have been married and possesses a previous (non-declared) name. This led to delays in handling applications, which, in turn, was discriminatory and unlawful – although, according to the Home Office, the issue was fixed in July 2010 and all applicants are now asked for birth and current names.

Still, that hasn’t stopped some organisations, apparently, regarding Ms as a title that an individual can only claim if they have been married – and refusing to process applications if a Ms has not yet tied the knot.

Forget gender, avoid problems

The lessons appear to be twofold. Equality legislation already requires organisations to not use gender in their processing, unless demonstrably necessary. Anyone doing so without need should clean up their act – or they are a walking target for anyone with a litigious bent.

Government ponderings on gender, whether or not limited to passport, should have little impact on systems already compliant: a shift in legal emphasis would be likely, however, to expose non-compliant systems.

The solution, though, both for future-proofing and current compliance, is relatively simple: start now to disconnect gender from anything that is mandatory, anything that is required within your processes. Where there is a choice between limiting gender options and leaving them open-ended, go for the latter.

If no change follows, there should be little harm done, but if, at some point in the next decade, all individuals obtain the right to not be gendered unless absolutely necessary, your systems will already be prepared. ®

Internet Security Threat Report 2014

More from The Register

next story
The 'fun-nification' of computer education – good idea?
Compulsory code schools, luvvies love it, but what about Maths and Physics?
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Ex-US Navy fighter pilot MIT prof: Drones beat humans - I should know
'Missy' Cummings on UAVs, smartcars and dying from boredom
Yes, yes, Steve Jobs. Look what I'VE done for you lately – Tim Cook
New iPhone biz baron points to Apple's (his) greatest successes
Lords take revenge on REVENGE PORN publishers
Jilted Johns and Jennies with busy fingers face two years inside
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
prev story


Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.