The Data Protection Commissioner is to open a formal investigation into whether the State's public services card and related systems fully comply with the law.
Helen Dixon's office was responding on Friday evening to comprehensive questions and answers about the card project which were published, at her request, by the Department of Employment Affairs and Social Protection.
Some 2.8 million cards have been issued to individuals in the State since 2011 and their use across the public sector for transactions and for verifying identity has continued to expand.
The department’s questions and answers about the card scheme and the online digital identity system MyGovID were published on its website on Friday evening. They address issues such as what people should bring to an appointment to register for the card and why a driving licence or passport are not sufficient to establish identity for the department’s purposes.
A comprehensive table of legislative provisions, which the department says underpin the card scheme and its related systems, was also published.
In August, the commissioner said she and her staff had "strongly conveyed their views on numerous occasions" to the department, including before Oireachtas committee hearings, that there was a "pressing need" for clearer and updated information about the "mandatory" use of the card to be communicated to the public.
Ms Dixon had also written to the then secretary general of the department last year expressing concern that the uses of the card and the PPS number were expanding to the degree that it was “a form of national ID card”.
In a statement on Friday, the commissioner noted the publication by the department of the FAQ (frequently asked questions) documents about the card.
She said she welcomed the greater clarity certain responses brought, such as the description of the SAFE registration system which people must undergo to get the card. The commissioner also welcomed anwsers about the status of the driver’s licence and passport in terms of how they relate to the SAFE framework.
“That said, engagement between the DPC and D/EASP is ongoing in relation to matters covered in the FAQs and in recent Dáil responses to parliamentary questions particularly as they relate to biometric data processing and governance and data issues associated with the interplay between the Public Services Card, Public Service Identity set, MyGovID, Single Customer View and [information system] Infosys,” the commissioner said.
The statement added that in the last week, the Data Protection Commissioner’s office had signalled its intention to the department to use its investigation powers under section 10 of the Irish Data Protection Acts “to examine details of the above matters further with a view to establishing whether there is full compliance with the requirements of the Acts”.
In her 2016 annual report, the commissioner said such large-scale government projects without a specific legislative underpinning posed challenges in terms of the transparency to the public and the uses to which their personal data was now being applied.