The Oireachtas Committee will be meeting this Thursday regarding the concerns attached to Ireland’s Public Services Card including its National Biometric Database, writes
If you aren’t currently registered for the PSC or its SAFE2 database in Ireland, you can be denied access to essential services in violation of your human rights.
The PSC requires users to provide a facial image biometric scan. Other pieces of identifying information can be combined across agencies into the Single Customer View database accessible by certain public agencies.
The implications of a database with biometric features raise serious alarms for security. When impermeable information like biometric scans is contained, there is no undoing the breach once it occurs.
India, home of the world’s largest biometric identity card system, has recently been hacked and the details are being sold online for 10 Euro.
Previous database breaches are not unusual in Ireland and so further breaches are conceivable. See for example the 350 data breaches in two years at PeoplePoint, the centre that provides HR and pensions administration services for 34,500 civil servants.
The Irish electricity transmission system operator EirGrid was also hacked in 2017. See also the survey of 200 professionals carried out by the Irish Computer Society (ICS), which shows that 61% of organisations have had at least one data breach in the last year.
Nor do the cards appear to be financially necessary. While the Minister for Finance and Public Expenditure and Reform cites economic benefits to the PSC, including the prevention of welfare fraud, the Office of the Comptroller and Auditor General observes that no business case has been made for this regime and that a comprehensive estimate of the total projected costs was not prepared at the outset.
One example of extreme cost escalation includes the budget for the managed service provider element, which was increased by €2 million to €26.4 million in 2012 to take account of changes to the contract as a result of delays and card enhancements.
The card is costing, not saving Ireland money.
One way to push back against this regime is to refuse it. However, in many circumstances, which appear to be inconsistent, you are not allowed to refuse the PSC.
See the prominent case where the Department of Social Protection suspended a woman’s pension after she refused to register for the PSC.
Digital Rights Ireland referred her to a solicitor and her pension has now been restored. She is just one individual lucky enough to have legal support. Others have not been so fortunate.
Indeed, the PSC has now been made the only acceptable form of identity verification for services including social welfare payments, child benefit, school transport, treatment benefits, driver’s license applications, age verification, school grant appeals, and online health and revenue portals.
Furthermore, the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O’Donovan TD, has announced his intention to initiate requirements for 100,000 students to obtain the PSC before they can apply for grants.
If a person does not consent to their private details being held in databases in order to access essential services, there needs to be a legislative basis for it. There is no clear legislative basis for the PSC.
The Minister for Finance and Public Expenditure and Reform cites the Social Welfare Act 2005; however, while this Act requires a person receiving benefits to demonstrate their identity, it does not require the level of information demanded for the Public Services Card.
It is one thing to submit a photograph and a document with your address on it; it is another thing to be required to provide a facial image biometric scan.
This level of privacy-infringing requirement means that the PSC is in breach of the requirement under EU and ECHR law that state interferences with privacy must be both necessary and proportionate.
The PSC is not necessary because alternative forms of identification, including passports, are available and were previously sufficient for the purposes of accessing public services.
The PSC is also a disproportionate interference with privacy because requiring people in Ireland to link all of their personally identifiable information into one database shared by numerous agencies interferes with privacy rights in a manner that far exceeds the asserted goal of easy and convenient service access.
The implications of a hackable database with biometric features exceed that goal even further.
There is also no clearly defined independent supervisory authority responsible for monitoring the management and security of stored data with the PSC, despite this being a growing norm of EU law where issues of surveillance and privacy are concerned.
Clearly defined oversight could review ethical problems in data management, including allegations that the Irish state is deliberately erasing the SCV database history showing who has accessed and changed your personal information.
Finally, there is also the risk that future governments may use your data for unethical reasons. We are watching how new governments can easily roll back rights that citizens previously took for granted.
In the United States, Privacy Act protections have been revoked for non-citizens, making it easier for agencies to share data on legal and undocumented immigrants with customs officials. The PSC risks undermining Ireland’s democratic fabric in a similar way.
The Irish Council for Civil Liberties have been invited to speak to the Oireachtas on 8 February regarding the human rights concerns attached to the PSC.
We will argue that the government has failed to respond to the clear privacy concerns raised by the PSC and has instead invested further funds for promoting a project that is already over budget.
We assert that the PSC should not be continued in its current form. Indeed, we have reservations as to whether a data retention system of this type could ever be implemented in a safe and lawful way.