Three years ago, the Government embarked on a grand scheme to consult with the public service, government departments and members of the public on how the personal data of citizens might be shared to improve and streamline State services.
Even in a rapidly expanding environment for private and public services online, it was an ambitious proposal, but it remained almost entirely under the radar apart from being noted by a tiny cohort that might be unkindly referred to as the “privacy geek” community.
One high-level observer said the public should be properly informed about the “grand bargain” involving the trading of their personal data for the benefits they get from the State.
Such arrangements may, under recent plans, include the sharing of sensitive health information for so-called health “solutions” for the general public. Delivered via apps or through other routes, these services might be processed by third parties, such as multinational corporations with their headquarters outside the EU – namely the US – which does not generally provide the same fundamental rights protections as the EU for personal data. There are ongoing concerns (to say the least) in the EU over the processing of citizens’ personal data which may be accessed by US national security authorities or by other law enforcement authorities, with minimal scrutiny.
Hacking, for identity theft and data fraud, in particular in the health sector, is a growing and ever-present threat, with some studies suggesting health data breaches take up to twice as long to detect and that health data is worth up to 10 times as much as other data on the black market.
Ruling scuppers plan
But back to Ireland: following a public consultation in late 2014, a draft piece of primary legislation that would cover government data-sharing projects was drawn up and approved by the Government in the middle of 2015. But in October of last year, a ruling by the Court of Justice of the European Union in the Romanian case of Smaranda Bara appeared to blow much of that plan out of the water.
In that case, the Luxembourg-based court held that the requirement of fair processing of personal data meant a public administrative body had to inform citizens of the fact that their data would be transferred to another public administrative body for other purposes.
At the recent re:Publica conference in Dublin, Dr Dennis Jennings, who sits on the Government's open data governance forum, said he had informed the Government that much of its plan for sharing citizens' data, under that draft legislation, would be illegal under the Bara ruling. The legislation is back at the drawing board, but has not yet been before the Oireachtas.
The Data Protection Commissioner, who is responsible for ensuring the processing of citizens’ personal information is in compliance with the law, issued guidance on the Bara ruling.
Helen Dixon’s office said that the public policy objective being pursued by a particular data sharing arrangement without consent should be “explicit” and that an assessment should be made as to whether the likely benefits of the sharing justified the overriding of the individual’s data protection rights.
Public sector bodies should consider the potential benefits and risks, either to individuals or society, of sharing the personal data, her office said.
In theory, that should have sent the Government's data-sharing project, driven mainly by the Department of Public Expenditure and Reform and the Department of Social Protection, back to the drawing board. The drafting of legislation is still under way.
Yet a number of massive Government data-sharing projects have continued apace – almost as if the European ruling in Bara had not happened.
Active Government projects currently include the HSE’s eHealthIreland division’s project to create an individual health identifier for every person in the State and the creation of a database on every primary school pupil.
The Department of Social Protection’s plan, in conjunction with the Department of Public Expenditure, is to issue every adult in the State with a “public services card” by the end of this year. The Government has a contract with a private provider to fulfil a requirement to issue three million cards and has already issued around two million, but is short of the number it is required to issue. It appears to be desperately trying to get them out the door, through means such as issuing cards to customers using their passport details from the Department of Foreign Affairs.
At least 431,000 public services cards have been issued in this way, according to the Department of Social Protection. Both departments insist the legal basis for sharing personal data resides in the Social Welfare Act of 2005.
Yet question marks remain over whether the legislation cited by both those departments provides a legal basis for sharing citizens’ data.
Records released under the Freedom of Information Act reveal that the MyGovID project – an online identity management system for members of the public – launched in February, was still in need of “appropriate communications, governance and standards” two months later.
Privacy impact assessment
Separately, the HSE was warned by the Data Protection Commissioner that a privacy impact assessment on the implementation of the individual health identifier for every citizen did not cover the creation of new databases, such as a national diabetes register.
The DPC also said “serious consideration” must be given to its guidelines in relation to data sharing in the public sector, and in particular around the issue of transparency.
In comments on the draft of the HSE’s privacy impact assessment for the health identifier project, the Data Protection Commissioner’s office said the 82 submissions received on the public consultation were a “somewhat disappointing return given that this project will affect every citizen of the State”.
Records released under the Freedom of Information Act said that while there was no indication as to the identity of the respondents to the consultation, it appeared that the majority of responses were from individuals within the health sector, which “may lead to a distorted view of the privacy risks for individuals associated with the project”.
While the office recognised there had been a concerted effort by eHealthIreland and the HSE to promote and discuss the health identifier project, it said the lack of public knowledge regarding the legislation and its impact was “a risk in itself”.
The Department of Social Protection has control of the MyGovID online identity management project launched in February. As of March, it had already given presentations to the Revenue Commissioners, the Department of Transport, the Road Safety Authority, Solas, the Department of Education, the Immigration and Naturalisation Service, the Private Residential Tenancies Board, the Department of Health and the Passport Office, clearly with a view to them accessing the service.
The Garda Vetting Unit, which assesses people for certain job applications, has drafted a business case for access to the system.
Earlier this week the Government’s MyGovID online platform for citizens to access State services through an online “identity management” platform won an award in the Civil Service Excellence and Innovation awards.
Daragh O'Brien, managing director of Castlebridge Associates, a consultancy firm on data governance and data protection issues, said the new General Data Protection Regulation, various judgments of the Court of Justice of the European Union, as well as the EU Charter of Fundamental Rights, made it clear that data collection on a grand scale must be both necessary and proportionate.
“Nothing exemplifies the failure of the Irish public service to recognise that data protection law exists, and has evolved, more than the celebration of an award for a project that on the face of it appears to ignore the Court of Justice ruling in the Bara case,” he said.
In relation to the MyGovID project, he said that building governance controls after a department had built a massive database of citizens’ information was the equivalent of “blocking the door after the horse has bolted”.
As of October, the Data Protection Commissioner was still reviewing the documentation pertaining to the health identifiers project, which was presented as a fait accompli by the HSE in the summer.