Should your system offer Mr, Ms ... and Mx?
Time to phase gender out of your databases
Analysis Last week the Australian government announced new rules for declaring a gender on passports. This week UK authorities revealed they are conducting their own review of gender on passports. What are the implications for systems design and management?
The Australian move follows increasing pressure from transgender and intersex lobbyists to alleviate difficulties they encounter when crossing borders, where there is variance between someone's apparent gender and what is written on a document. In some countries, such difference can pose a real risk, and the problem has only intensified with the introduction of body scanners at many airports.
The Australian proposal is pretty tame in system terms. It allows passports to be marked M or F according to an individual’s recognised gender; intersex individuals may opt for an X for "unspecified" – or "intersex" – although there remains some argument as to whether the X category was ever intended to be used in this way.
This does not change the underlying systems. Rules are set by the International Civil Aviation Organisation (ICAO), whose lengthy standards – obligatory for countries wishing to issue machine-readable travel documentation – explain that sex is mandatory and already allow three values in the machine-readable area of passports: M, F or <.
The main objection is practical: is travelling on a passport that marks you out as intersex a good idea?
The UK debate, however, goes further. The official Home Office position is that they are looking at "the gender options available to customers in the British passport". Asked to clarify, a spokesman added that the statement should be taken at face value.
And in the end, nothing much may happen: the review is wide-ranging, but that does not make change inevitable.
Gender change on a need-to-not-know basis
So, regardless of the review's outcome, it's business as usual? Not quite, because the genie may be out of the bottle in terms of gender and documentation in two ways. First, the Gender Recognition Act 2004 (GRA) and new Equality Law last year both place discrimination centre stage and create real difficulties for systems that archive the past or regard gender as immutable.
The GRA allows an individual to effectively re-register their birth, gender-wise. John becomes – and always has been – Jane? Sort of. The catch within the GRA (section 22) is that the fact that an individual has "changed" gender by this route is “protected information”: it is a criminal offence to disclose such information except for very specific purposes – and the offence is “strict liability”, so ignorance is no excuse.
One of the better practice models in this respect is UK credit-referencing agency Experian: there, once gender has been changed by means of a gender recognition certificate (GRC), the old version is completely overwritten as though it had never existed.
In systems terms, the GRA may require a review of archiving policy: because careless archiving that leaves old gender information available to staff could lead to a fine. Added care is also needed in respect of offline work: staff must be fully aware of the consequences of disclosure.
A further joker in the pack is the fact that unless personal information creates specific advantage to an individual, it is possible to change gender designation (and title) within many systems at will. The NHS is one: it is perfectly possible to obtain a new record in one’s identified gender simply by writing to your primary care trust.
Should any such change be linked to what went before? Probably not, since it is not always possible to know whether the request is backed by a GRC (see above). Can you challenge this? Again, organisations are on difficult ground here, since checking gender might itself be discriminatory – and, besides, it implies that processing of data is done differently depending on gender, which under equality law is only permitted in very specific situations.
One organisation that came a cropper in this respect is credit-referencing agency Equifax. Their procedures for dealing with GRCs are immaculate, but when it comes to simple name change, they had different processing and data architecture rules according to whether the individual was female and changed name for marriage purposes – or did so for any other reason. Equifax is now putting this right: but the resources and costs required to do so are not trivial. The company said it had appointed a senior IT team to correct the problem.
The proportion of the population that is transgendered is small: but in order to comply fully with legal obligations, systems must be able to deal with the gender implications of even one customer being trans.
Intersex adds a further complication: if the government now begins to look at this minority, the numbers are greater (2 to 4 per cent of the population depending on definition and estimate) and different segments of the community want different solutions.
Some would like simply to identify as one of the two currently recognised genders, some want to opt out of gender definition altogether (“unspecified”); yet others would like recognition as a third gender. There is no consensus. However, the implications for system designers range from trivial to major.
For example: some intersex individuals now style themselves Mx (as opposed to Mr, Miss, etc. and pronounce it “mix”). Some systems – those that restrict title to a pre-set list – will reject that out of hand. But should intersex gain formal legal recognition, systems will need to be capable of recognising and processing Mx. What happens if the review of gender in documents goes beyond passports? Many women would happily dispense with gender being recorded, while a key debate in this respect – on the abolition of ID cards – brought up the idea that gender should be removed from official documents unless absolutely necessary.
Existing law means that there are almost no circumstances where gender should be used for scoring purposes or selection – though those operating marketing systems may well use it to target offers and change the tone of advertising. It's unlawful as one high street bank found a few years back when it recruited student customers with gendered incentives: a free calculator for the lads and a mirror for the lasses.
Problems potentially exist already for organisations in two circumstances: where gender is mandatory for processing purposes, and/or where it is used in follow-up processing, even for something as innocuous as setting title.
Until recently, for instance, simply identifying yourself as “Ms” caused difficulties when applying for a criminal record check: the criminal records system contained a presumption that anyone with this title might have been married and possesses a previous (non-declared) name. This led to delays in handling applications, which, in turn, was discriminatory and unlawful – although, according to the Home Office, the issue was fixed in July 2010 and all applicants are now asked for birth and current names.
Still, that hasn’t stopped some organisations, apparently, regarding Ms as a title that an individual can only claim if they have been married – and refusing to process applications if a Ms has not yet tied the knot.
Forget gender, avoid problems
The lessons appear to be twofold. Equality legislation already requires organisations to not use gender in their processing, unless demonstrably necessary. Anyone doing so without need should clean up their act – or they are a walking target for anyone with a litigious bent.
Government ponderings on gender, whether or not limited to passport, should have little impact on systems already compliant: a shift in legal emphasis would be likely, however, to expose non-compliant systems.
The solution, though, both for future-proofing and current compliance, is relatively simple: start now to disconnect gender from anything that is mandatory, anything that is required within your processes. Where there is a choice between limiting gender options and leaving them open-ended, go for the latter.
If no change follows, there should be little harm done, but if, at some point in the next decade, all individuals obtain the right to not be gendered unless absolutely necessary, your systems will already be prepared. ®
Sponsored: Becoming a Pragmatic Security Leader