Feeds

Should your system offer Mr, Ms ... and Mx?

Time to phase gender out of your databases

3 Big data security analytics techniques

Analysis Last week the Australian government announced new rules for declaring a gender on passports. This week UK authorities revealed they are conducting their own review of gender on passports. What are the implications for systems design and management?

The Australian move follows increasing pressure from transgender and intersex lobbyists to alleviate difficulties they encounter when crossing borders, where there is variance between someone's apparent gender and what is written on a document. In some countries, such difference can pose a real risk, and the problem has only intensified with the introduction of body scanners at many airports.

The Australian proposal is pretty tame in system terms. It allows passports to be marked M or F according to an individual’s recognised gender; intersex individuals may opt for an X for "unspecified" – or "intersex" – although there remains some argument as to whether the X category was ever intended to be used in this way.

This does not change the underlying systems. Rules are set by the International Civil Aviation Organisation (ICAO), whose lengthy standards – obligatory for countries wishing to issue machine-readable travel documentation – explain that sex is mandatory and already allow three values in the machine-readable area of passports: M, F or <.

The main objection is practical: is travelling on a passport that marks you out as intersex a good idea?

The UK debate, however, goes further. The official Home Office position is that they are looking at "the gender options available to customers in the British passport". Asked to clarify, a spokesman added that the statement should be taken at face value.

And in the end, nothing much may happen: the review is wide-ranging, but that does not make change inevitable.

Gender change on a need-to-not-know basis

So, regardless of the review's outcome, it's business as usual? Not quite, because the genie may be out of the bottle in terms of gender and documentation in two ways. First, the Gender Recognition Act 2004 (GRA) and new Equality Law last year both place discrimination centre stage and create real difficulties for systems that archive the past or regard gender as immutable.

The GRA allows an individual to effectively re-register their birth, gender-wise. John becomes – and always has been – Jane? Sort of. The catch within the GRA (section 22) is that the fact that an individual has "changed" gender by this route is “protected information”: it is a criminal offence to disclose such information except for very specific purposes – and the offence is “strict liability”, so ignorance is no excuse.

One of the better practice models in this respect is UK credit-referencing agency Experian: there, once gender has been changed by means of a gender recognition certificate (GRC), the old version is completely overwritten as though it had never existed.

In systems terms, the GRA may require a review of archiving policy: because careless archiving that leaves old gender information available to staff could lead to a fine. Added care is also needed in respect of offline work: staff must be fully aware of the consequences of disclosure.

A further joker in the pack is the fact that unless personal information creates specific advantage to an individual, it is possible to change gender designation (and title) within many systems at will. The NHS is one: it is perfectly possible to obtain a new record in one’s identified gender simply by writing to your primary care trust.

Should any such change be linked to what went before? Probably not, since it is not always possible to know whether the request is backed by a GRC (see above). Can you challenge this? Again, organisations are on difficult ground here, since checking gender might itself be discriminatory – and, besides, it implies that processing of data is done differently depending on gender, which under equality law is only permitted in very specific situations.

One organisation that came a cropper in this respect is credit-referencing agency Equifax. Their procedures for dealing with GRCs are immaculate, but when it comes to simple name change, they had different processing and data architecture rules according to whether the individual was female and changed name for marriage purposes – or did so for any other reason. Equifax is now putting this right: but the resources and costs required to do so are not trivial. The company said it had appointed a senior IT team to correct the problem.

The proportion of the population that is transgendered is small: but in order to comply fully with legal obligations, systems must be able to deal with the gender implications of even one customer being trans.

Intersex adds a further complication: if the government now begins to look at this minority, the numbers are greater (2 to 4 per cent of the population depending on definition and estimate) and different segments of the community want different solutions.

Some would like simply to identify as one of the two currently recognised genders, some want to opt out of gender definition altogether (“unspecified”); yet others would like recognition as a third gender. There is no consensus. However, the implications for system designers range from trivial to major.

For example: some intersex individuals now style themselves Mx (as opposed to Mr, Miss, etc. and pronounce it “mix”). Some systems – those that restrict title to a pre-set list – will reject that out of hand. But should intersex gain formal legal recognition, systems will need to be capable of recognising and processing Mx. What happens if the review of gender in documents goes beyond passports? Many women would happily dispense with gender being recorded, while a key debate in this respect – on the abolition of ID cards – brought up the idea that gender should be removed from official documents unless absolutely necessary.

Existing law means that there are almost no circumstances where gender should be used for scoring purposes or selection – though those operating marketing systems may well use it to target offers and change the tone of advertising. It's unlawful as one high street bank found a few years back when it recruited student customers with gendered incentives: a free calculator for the lads and a mirror for the lasses.

Problems potentially exist already for organisations in two circumstances: where gender is mandatory for processing purposes, and/or where it is used in follow-up processing, even for something as innocuous as setting title.

Until recently, for instance, simply identifying yourself as “Ms” caused difficulties when applying for a criminal record check: the criminal records system contained a presumption that anyone with this title might have been married and possesses a previous (non-declared) name. This led to delays in handling applications, which, in turn, was discriminatory and unlawful – although, according to the Home Office, the issue was fixed in July 2010 and all applicants are now asked for birth and current names.

Still, that hasn’t stopped some organisations, apparently, regarding Ms as a title that an individual can only claim if they have been married – and refusing to process applications if a Ms has not yet tied the knot.

Forget gender, avoid problems

The lessons appear to be twofold. Equality legislation already requires organisations to not use gender in their processing, unless demonstrably necessary. Anyone doing so without need should clean up their act – or they are a walking target for anyone with a litigious bent.

Government ponderings on gender, whether or not limited to passport, should have little impact on systems already compliant: a shift in legal emphasis would be likely, however, to expose non-compliant systems.

The solution, though, both for future-proofing and current compliance, is relatively simple: start now to disconnect gender from anything that is mandatory, anything that is required within your processes. Where there is a choice between limiting gender options and leaving them open-ended, go for the latter.

If no change follows, there should be little harm done, but if, at some point in the next decade, all individuals obtain the right to not be gendered unless absolutely necessary, your systems will already be prepared. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Banks slap Olympus with £160 MEEELLION lawsuit
Scandal hit camera maker just can't shake off its past
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.