Additional reporting by Cianan Brennan
The Minister for Employment Affairs and Social Protection, Regina Doherty, faced calls for her resignation last night as the fallout from the Data Protection Commissioner’s investigation into the Public Services Card continued.
Privacy expert TJ McIntyre said that Ms Doherty and her secretary general John McKeon “absolutely should go” for their role in a series of data protection issues that have befouled the department in recent weeks.
“You have to remember this is the third strike in a matter of weeks, for a department that has consistently shown a disregard for private data,” Mr McIntyre told the Irish Examiner.
“It needs to be pointed out that the secretary general is directly implicated, as he was the one who personally sent an email requesting that the department’s privacy statement be altered to remove reference to biometric data,” he said.
That instance surrounds last week’s DPC ruling against the department with regard to alleged interference by senior officials with the role of the Department of Employment Affairs and Social Protection’s data protection officer.
Yesterday, the Data Protection Commissioner, Helen Dixon, revealed that the expansion of the Public Services Card’s remit to State bodies other than social protection itself was unlawful, and that the department would be required to delete all historic data it holds on the card’s 3.2m applicants.
At the end of July, the DPC also ruled that the department had erred in the manner in which it was collecting personal data on child benefit recipients — a ruling which saw the department take the unprecedented step of taking a case for judicial review at the High Court.
“At this stage, I think it’s both mandatory and compulsory that they both go,” Mr McIntyre said, echoing Ms Doherty’s own prior pronouncement regarding the mandatory nature of the card for accessing State services such as the renewal of a driver’s licence.
“All three of these issues have in common that the department has pushed ahead with being stubbornly unwilling to listen to outside concerns, and has doubled down on this even after being told that what it was doing was illegal,” he said.
Nevertheless, last night the Social Protection Department refused to say if Ms Doherty accepts the report’s findings, or if she will publish the report despite growing concern the scandal could put her political future on the line.
In a series of questions to the department, the Irish Examiner asked whether the minister accepted the findings, whether she will publish the report, and whether she is concerned about GDPR breaches.
However, in a statement last night, a department spokesperson ignored the questions — saying instead that officials are “considering the report and will respond in due course”.
The comment was repeated by Paschal Donohoe, the finance minister, who told RTÉ that he does not believe the public services card issue has been a “mess” despite accepting that €60m has been spent on a project which will now be scrapped.
Opposition parties lashed out at the situation yesterday, with Fianna Fáil and Sinn Féin both warning that it is the latest example of Government misspending of vital public funds, and a clear breach of the law.
“The Data Protection Commissioner’s report is damning,” said Fianna Fáil’s social protection spokesman, Willie O’Dea.
His Sinn Féin counterpart, John Brady, went further, saying that Ms Doherty will have to consider her position if she does not accept the report’s findings in full.
“She can’t ignore the findings,” he said. “It would be totally incorrect and the wrong thing to do. The minister is in a hole at this particular point in time, and I don’t think she can afford to keep digging.”
By Cianan Brennan
What has the Data Protection Commissioner done?
The Office of the Data Protection Commissioner (DPC) is Ireland’s privacy and personal data watchdog.
Since October 2017 the DPC, Helen Dixon, has been investigating the legal basis for the Public Services Card (PSC), a quasi-ID card issued by the Department of Employment Affairs and Social Protection (DEASP) for the processing of welfare payments. The DPC has now released the findings of that investigation, some 15 months after the initially projected end date.
What is the Public Services Card?
The PSC was a project first mooted in the early 2000s and given reference in the 2005 Social Welfare Consolidation Act. The first cards were issued by the then Department for Social Protection in 2011, with people seeking access to welfare payments obliged to register for one.
Each card displays a photo of the holder, with their personal data (gender, address etc) digitally encoded. To date, some 3.2m cards have been issued. As at end 2017 some €60m had been ploughed into the project, one which was initially conceived in order to avert welfare fraud. As at that time roughly €2m had been saved from that point of view.
What does the decision mean?
It declares that an expansion of the card to state services other than welfare (such as applying for a driving licence or passport) is fundamentally unlawful. Of the eight findings in the as-yet-unpublished report, seven have proved to be adverse to DEASP.
The DPC has mandated that the department must now delete the historical personal information it has retained on the 3.2m people who have applied for the card — such as utility bills, or even proof that they may have altered their gender.
It has six weeks to come up with a plan of action as to how it plans to do so. It further has three weeks to discontinue the issuance of cards to people seeking to access wider state services such as those mentioned above.
So I don’t need a card any more?
This is where it gets tricky. The DPC has said that the Department is within its rights to require that people hold a PSC for accessing welfare payments or other such benefits such as children’s allowance.
Also, the cards in existence remain effective per their original remit, so if you have one there is no need to give it up.
What does the decision mean for the Department of Social Protection?
This is probably the beginning of a long, drawn-out process. Apart from being compelled to obey the DPC’s orders regarding the historical data it holds and the future issuance of the PSC, the issue of civil liability may soon raise its head.
In simple terms, the DPC conducted its investigation under the auspices of the 1988 and 2003 Data Protection Acts — primarily because the investigation began before the implementation of the EU’s General Data Protection Regulation (GDPR) in May of 2018. However, that regulation gave rise to the 2018 Data Protection Act, which bestowed real teeth upon the Data Protection Commissioner with regard to the handing down of fines for breaches of data protection law.
Those fines can total up to €20m or 4% of a company’s turnover, whichever is higher. The government, however, sought to exempt itself from such fines during the drafting of the Act. A compromise maximum liability of €1m for State bodies is what finally made its way into the legislation.
However, GDPR also gives private citizens greatly enhanced powers with regard to access and control over their personal data, and a legal remit to enforce same. Assuming that the PSC were to turn out to be a de facto breach of GDPR legislation, the Government could theoretically be at risk of 3.2m data protection claims in the civil courts.
What sort of liability are we talking about?
Unknown, but expect the subject to come to the forefront of PSC-related conversation from now on. In theory, 3.2m liabilities, perhaps taken en masse by a non-profit representative organisation at a (conservative) estimation of €100 apiece, could lead to €320m in compensation.
And Regina Doherty?
The Minister for Employment Affairs and Social Protection is now in a very sticky position. While the expansion of the card’s remit began before she took over from Leo Varadkar in the role, she has consistently defended the PSC in the face of marked criticism from privacy activists and legal experts, with her oft-cited claim that the card should be “mandatory but not compulsory” having frequently come back to haunt her.
In Dáil Éireann she has on many occasions denied that the data on the card is biometric in nature, ie capable of identifying an individual via their physical characteristics — a photo for example.
The control of biometric data is heavily provided for under Article 4 of the GDPR. Biometric data is conspicuous by its absence in the DPC’s released findings however, a fact that stands out given it is one of the major brickbats used to assail the PSC.
Is it a resigning matter?
It could very well be, particularly given this conversation is likely to run and run. The Minister has firmly pinned her colours to the mast on the issue, and those colours have now been deemed unlawful. However, a backlash from the Government in the form of a court challenge may happen first.
Two weeks ago the Minister took a Judicial Review case in the High Court regarding a decision handed down on data protection concerns over access to child benefit payments. So the precedent has been set. Opposition politicians such as Sinn Féin’s John Brady have called for the report to be published and for Ms Doherty to accept its findings.
However, no one has called for her head. Yet. Meanwhile, the Public Accounts Committee is set to consider the matter when the Dáil returns to session in September.
Are any other politicians involved?
Yes, the Minister for Public Expenditure and Reform Paschal Donohoe has overall responsibility for the card’s expansion. It was he who launched that expansion in May of 2017 to much fanfare. Numerous other (primarily Fine Gael) TDs have defended the PSC project.
Don’t they use ID cards in other countries?
Yes, to great success, in almost every EU country apart from Ireland, the UK and Denmark. However, the legislation exists in each of those countries to back up the issuance of those cards.
What happens next?
The DPC has given the Department seven days to publish the report, or to allow the Commissioner to do so. Whether or not the Minister elects to do so will dictate what happens in the immediate term. The Minister is already coming under concerted political pressure to publish. Should Ms Doherty elect not to, the calls for her resignation may begin in force.
By Fred Logue
The first steps on the path to dismantling the Public Services Card (PSC) system have been taken with the publication of the Data Protection Commission’s (DPC) summary of its findings arising from the first part of its investigation into the legality of personal data processing associated with the issue of PSCs.
The PSC is a card issued to applicants whose identity has been authenticated by three particular steps, namely a face-to-face interview with an official from the Department of Employment Affairs and Social Protection, the verification of identity documents such as a passport or driving licence or utility bill, and the processing of a facial scan through a national facial recognition database to check that the applicant has not previously applied.
Once these three steps are completed the applicant’s identity is deemed to be authenticated to SAFE II level and a PSC is issued as a token to prove this.
The same process also underpins the MyGovID system which requires SAFE II registration to access some online government services. Serious concerns have been raised by lawyers and NGOs about the creation of a national biometric database containing unique facial information of essentially. Under the GDPR, which came into effect on May 25, 2018, the processing of biometric personal data is generally prohibited unless specifically provided for in legislation.
According to a statement issued by the DPC there is a legal basis under old data protection legislation for the processing of certain personal data in connection with the issue of PSCs to social welfare claimants, but there is no legal basis for the department to process personal data for the purpose of issuing PSCs to facilitate transactions with other agencies such as the Passport Office or the Naturalisation and Immigration Service.
The Commission also found that the indefinite retention of underlying documents provided by applicants and the lack of transparency around processing contravened the previous Data Protection Acts.
Crucially this decision only really applies to processing which took place before May 25, 2018 when data protection legislation was reformed by the introduction of the GDPR. While there are non-binding findings in respect of GDPR, these aspects remain under investigation, which means it is too early to tell whether there are ongoing legal problems with the PSC.
In media interviews, Commissioner Dixon went on to say that the validity of existing PSCs is not being called into question nor is the department prevented from issuing new cards to social welfare applicants.
It seems somewhat ironic that a decision that condemns a serious lack of transparency by the department cannot be published without its agreement.
It seems clear to me that the public has a right to see the DPC’s full decision and that a body found to have contravened the law cannot control how an adverse decision is published.
In the first instance individuals affected by the unlawful retention of information are entitled to rely on the DPC’s decision and to seek compensation. It is impossible to see how the department which may have significant liabilities to affected individuals can legitimately be given the power to decide whether or not the decision is published.
In addition, affected individuals are entitled to check that the DPC made a correct decision and if necessary are entitled to apply for judicial review of the decision if they consider some or all of it to be unlawful.
Meanwhile, concerns over the creation of a national biometric facial recognition database remain unaddressed by the DPC’s decision. Ms Dixon indicated that while copies of applicants’ documents must be deleted, extracted information including facial scans can be retained.
These concerns are all the more serious given that Commissioner Dixon has seemingly given an unqualified assurance that the department can continue to require PSC applicants to submit to automated facial recognition when the issue is apparently still under investigation.
The risks associated with facial recognition and the building of large biometric databases are becoming increasingly well understood and such moves are now regularly condemned by regulators and civil society organisations throughout Europe.
Given the attendant risks with biometric processing, the recent reform of data protection law introduced specific prohibitions on the processing of biometric data which is now only permitted where strictly necessary, requires specific legislation and appropriate safeguards to protect individuals. In my view none of these conditions have been adopted in Irish law.
It is therefore crucial that the DPC concludes its investigation into the biometric processing associated with PSC as quickly as possible. Only then will we know if the PSC project can continue in its current form or whether it will need to be scrapped or radically changed to bring it into line with EU law.
Fred Logue is a principal with FP Logue solicitors. FP Logue is a law firm based in Dublin, specialising in environment, technology, data protection and information law.