Public Services Card reveals State ignorance of data privacy issues
Net Results: Government must be aware of citizen rights when drafting database plans
Concern over the now infamous Public Services Card has been a slow build.
A very slow build.
The card was being discussed in the Dáil in 2005 – Fine Gael’s Olivia Mitchell asked then minister for social and family affairs Séamus Brennan when such a card might be introduced. The card was formally launched in 2011. About 2.8 million people now have one.
As Minister for Employment Affairs and Social Protection Regina Doherty noted, the cards are now “mandatory but not compulsory”, the difference between the two being about as thin as the skin of the current US president.
But, as often with privacy issues, it took a real-life case – the major story by my colleague Elaine Edwards regarding an elderly woman denied social welfare payments because she refused to get a PSC – to make abstract concerns palpable to the general public.
And more surprisingly – and alarmingly – to lawmakers as well.
Finally, a long list of needed questions about the PSC were tabled by TDs in August and September, after Edwards’s stories. But what took them so long?
The Data Protection Commissioner and her office have been asking the department for clarifications and explanations on this scheme, and flagging worries, for a long time. Most recently was before the Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and the Taoiseach back in mid-May, during a discussion on the draft general scheme of data-sharing and governance Bill.
At that time, Dale Sunderland, deputy commissioner at the Office of the Data Protection Commissioner, noted: “[We] believe there is much greater need for transparency about what is happening at the moment. A fundamental part of data protection law is that the individual is fully aware of what data bodies hold about them, how they are using it, how they are protecting it and we are not convinced there is enough transparency into how Government itself is sharing data and for what purpose it is being used.”
He added: “This is a matter which we have raised with the department and with the Department of Social Protection in particular, in relation to PPSN and the Public Services Card.”
Only days later, the Government revealed that people would need to have a PSC in order to get a passport. Chairman of privacy advocate Digital Rights Ireland TJ McIntyre warned the PSC increasingly looked like “an identity card by stealth”.
He highlighted the giant databases behind the card, the ability to access and share information across government departments and potentially, other places, and the alarming how-long-is-a-piece-of-string approach to what might go into it.
But Dáil discussions and TD questions reveal almost no one ever considered these obvious privacy, security and data protection elements.
For a decade, TDs instead raised queries about how quickly the scheme would be brought in, whether citizens abroad might have difficulty renewing passports if they didn’t have a PSC, whether a minister could expedite the PSC application of a constituent, and how much fraud the cards prevented.
Even during May, when the joint committee meeting was held, and when the passport issue made headlines, TDs queried little other than possible passport delays.
To her credit, one of the few TDs probing for answers in these areas was Galway West independent TD Catherine Connolly who asked as early as April about “the extent to which other public bodies can authenticate the Public Service Cards; the regulation involving such data sharing; the level of privacy involved”.
Then minister for social protection Leo Varadkar responded that to ensure data protection compliance, “a Memorandum of Agreement is signed between each specified body and my department regarding access to the department’s records and the obligations of the body with regard to such access.”
Except it isn’t. According to a Freedom of Information response received by Elaine Edwards, no such memorandum exists yet between the Department of Employment Affairs and Social Protection and the Department of Foreign Affairs, regarding the exchange of sensitive passport-related data.
Yet the PSC/passport scheme was implemented five months ago, and planned long before that. Data protection and privacy look to be an afterthought.
We still don’t know – because even the ODPC does not yet know – the full intent of the PSC, what data is being collected in various departments and agencies for it now or planned for it in the future, what firm legal grounds there are for its rollout and use, or why it is supplanting even a passport as acceptable identification.
What we do know is that the vast majority of politicians still do not understand, in depth or breadth, the data protection and privacy issues that lie at the heart of a functional, transparent democracy.
Yes, journalists have an important role in scrutinising projects like the PSC and holding politicians and departments to account.
But lawmakers, across the political spectrum, must ensure the citizens they represent are better protected by asking relevant questions, and demanding clear answers, as these large database schemes are proposed and drafted. Not after – too often, long after – alarms are raised.