The Data Protection Commissioner told the head of the Department of Social Protection last year that there was a risk the public services card (PSC) was expanding in scope and that this would turn it into "a form of national ID card".
Helen Dixon's concerns are contained in an email to former secretary general Niamh O'Donoghue, released to The Irish Times under the Freedom of Information Act. The department initially refused to release the record late last year and, on appeal, the Information Commissioner overturned the decision.
Ms Dixon wrote on August 19th, 2016, that expanding the use of the PPS number and the card beyond their original boundaries would “increase the exposure of the PPSN system to heightened risk in terms of the protections provided to the data privacy rights of individuals”.
She also expressed concern that "an alternative legislative framework" outside the normal strictures of social welfare legislation had been used to mandate the collection of the PPS number for the new Central Credit Register established by the Central Bank.
‘Leap in purpose’
During the appeal process, the department told the Information Commissioner it believed the release of the views expressed in the letter would “misinform the public about the PSC”. It also believed releasing the correspondence would “erode public confidence in the project and/or in the ODPC”.
In her email, Ms Dixon said the current interdepartmental focus on identifying opportunities for the wider use of the card, and initiatives such as the proposal to replace the Garda Age Card with the PSC, “further underscore the ever increasing expansion of the PPS number and the PSC beyond their stated purpose”.
“Again, as a risk of functional creep, intentionally or otherwise, there is a risk that the PSC will be altered from one which contains limited information [name and PPSN] existing to facilitate transactions with public services into a form of national ID card.”
This would represent a “considerable leap in purpose for the card”, far beyond the original concept, Ms Dixon said.
Functional creep is when something intended for one purpose is gradually widened or extended for other purposes.
Ms Dixon said that should the use of the PPS number and the card continue to be extended for purposes other than transacting with the public services, the provisions to safeguard against its misuse could be “severely undermined”.
She noted “numerous examples” of unauthorised disclosures – both accidental and malicious – of people’s personal data by the public sector.
“Such breaches when they become public knowledge have the strong potential to weaken wider public confidence in the PPSN system, as well as bringing significant potential harm and detriment to the individual.”
“In our view, expanding the use of the PPSN and PSC in the manner I have outlined would likely increase the exposure of the PPSN system to heightened risk in terms of the protections provided to the data privacy rights of individuals,” Ms Dixon wrote.
She said the purposes for which the PPSN and PSC were now being, or proposed to be, used, indicated the need for a comprehensive and transparent public sector-wide strategy on the future uses of both.
On August 29th, Elizabeth Dolan, senior investigator with the Office of the Information Commissioner, directed the release of the email and said the department had not adequately demonstrated that the release of the records would be contrary to the public interest.
Taoiseach Leo Varadkar and other Ministers have insisted the card is not, and was never intended to be, a national ID card. Writing in The Irish Times last week, Minister for Finance Paschal Donohoe said the card infrastructure and the associated MyGovID digital identity was part of "ambitious plans for cross-border e-government and the establishment of a digital single market".
The Social Welfare, Pensions and Civil Registration Bill 2017 currently before the Oireachtas proposes to remove restrictions on the use of the public services card so that it may be used more widely as a form of ID.