The Department of Employment Affairs and Social Protection has finally published the Data Protection Commission's highly critical report on the department's Public Services Card (PSC). The detailed report lambastes a card memorably described as "mandatory but not compulsory" by Minister Regina Doherty, and finds it in breach of data protection laws and rights in eight areas.
Key findings include a decision that the card cannot be required to obtain services from other departments, because no lawful basis exists for such use. It cites numerous examples of the “mission creep” by which the card transformed from its original intention as a chip-and-pin verification device for social welfare services, into a required form of identity for seemingly random purposes, such as sitting a driving test, obtaining a passport, or appealing school transport decisions. The report states that such examples illustrate “obvious and significant deficits in terms of logic and consistency” for when the card is required.
The Government intends to defend the card, in direct defiance of a national regulator
It notes that although the Department claims the card makes it easier for citizens to access services, it frequently makes the process more complicated.
The commission dismisses the Department’s long-standing claim that the PSC is an ultra-secure form of identity. It also finds that one of the original, widely touted claims for the card – prevention of welfare fraud – is a costly nonsense. By the Department’s own reckoning, the card has cost upwards of €60 million, yet has prevented only around €1 million in fraud.
While such findings had been released earlier in summary form by the DPC, the full report adds significant heft and leaves little legal wriggle room for the Department. Yet the Government intends to defend the card, in direct defiance of a national regulator, with both the Minister and Taoiseach Leo Varadkar suggesting that the DPC should have met with the Department to "discuss" the findings.
The international optics here are appalling. If the State continues with a sensitive data-gathering project in defiance of a regulator who also oversees the Irish-based European operations of many of the largest data-gathering multinational companies, it destabilises international confidence in Ireland.
And, as the Government prepares a legal challenge to its own regulator, it should recall that its similarly defended data-retention scheme was ultimately cast down by the European Court of Justice five years ago, in a case brought by Digital Rights Ireland.
That decision, which determined that data gathering must have clear legal purpose and be transparent and proportionate, is one of the foundation stones of the very data-protection laws on which the DPC has based its latest findings.