Joint Committee on Employment Affairs and Social Protection debate -
Thursday, 8 Feb 2018

I apologise for the slight delay and for keeping the witnesses outside. I welcome Mr. Simon McGarr, Mr. Liam Herrick and Dr. Maeve O'Rourke of the Irish Council for Civil Liberties, ICCL.

Before I ask the witnesses to make their opening remarks, I draw their attention to the fact that, by virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to this committee. However, if they are directed by it to cease giving evidence regarding a particular matter and they continue to do so, they are entitled thereafter only to a qualified privilege in respect of their evidence.

They are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable. Those with mobile phones should turn them off or set them to flight mode. It does not just interfere with the meeting but also with recording it. I will ask for opening statements from both parties and then members of the committee will have an opportunity to ask a number of questions.

I invite Mr. Herrick or Dr. O'Rouke, or both - they may share time - to make an opening statement.

I am Liam Herrick and I am the executive director of the Irish Council for Civil Liberties, ICCL. I will make the opening submission on behalf of the ICCL. My colleague, Dr. O'Rouke, and I will answer any questions that members of the committee may have subsequently.

We thank the Chairman and members of the committee for inviting us to make a presentation on what we believe is a very important matter of public interest. The Irish Council for Civil Liberties is concerned about the public services card system as it has been extended and we wish to put before members our concerns. We sent a written submission to the committee secretariat.

We are approaching this issue primarily from the perspective of the right to privacy as is provided under the Irish Constitution, under the European Convention on Human Rights and under international law. This right under international human rights laws is not absolute. States may interfere with personal privacy in certain circumstances in the public interest, but certain standards have to be met. First, any such interference by the State should be based in law, which should be clear and accessible. Any interference should be necessary to achieve a legitimate aim, and it should be proportionate to the aim that is being pursued. Both with regard to the legal basis for the public services card and whether it is necessary or proportionate, there are reasons to believe that it does not meet those tests. We have identified a number of risks from the security perspective that are presented by the type and form the scheme has taken.

In our submission we provide some background information as to what is the public services card, PSC, system. The Department of Employment Affairs and Social Protection provided an information guide in October last year which contains some very useful information about the details of the scheme, but I will not rehearse them. It would, of course, have been much more desirable if this information had been put in the public domain before the introduction of the scheme or before the Government presented its eGovernment strategy. It is notable that this information was only made public around the same time the Data Protection Commissioner announced an investigation into the legal basis of the scheme.

The scheme, we believe, is now compulsory in all key characteristics because it is deemed to be essential or necessary to access fundamental State services. During the course of 2018, as it is extended as the only acceptable form of authentication of identity for a driver's licence and a passport in addition to existing provisions for social protection payments, we will see something that is mandatory and compulsory in all essential characteristics as is ordinarily understood by the people. That presents a particularly intense interference with privacy rights.

It is clear that the public services card has been declared now as the only acceptable form of verification for the following services: child benefit, social welfare payments, school transport, treatment benefits, driver licence applications, age verification, school grant appeals, health and revenue portals, student grants from later this year, and we understand farm grants through the agfood.ie range of services. We believe that by extending the range of public services for which this is the only acceptable form of identity, this is a fundamental change in the nature and quality of the scheme. It is materially different from the scheme as introduced in 2005. We believe that represents a significant public policy change and in line with the provisions of the Irish Constitution, significant changes in public policy should be provided for in primary legislation and should be debated by the Houses of the Oireachtas. That has not happened in this case. That goes to the heart of what we mean by saying there is no legal basis for this scheme.

The Government's information guide cites a number of legal provisions, particularly relating to the Social Welfare Consolidation Act 2005. We have a number of qualified lawyers working in our organisation and we have struggled to identify a clear picture of where the social welfare Acts currently stand. There is no available consolidated Act, which is probably a matter of greater public concern than just in relation to this specific issue, given the central importance of the social welfare code to a significant proportion of our population.

It is very difficult to get a clear and transparent picture of what the social welfare code currently provides in this regard. I will give some examples. There are three key provisions in the Social Welfare Act which the Government relies on in stating that it is a legal basis for the public services card. Sections 241 and 242 of the Social Welfare Consolidation Act 2005 has been amended 31 times in the intervening period as far as we can assess. Section 247 of the Act has been amended 35 times and section 263 has been amended eight times. It is almost impossible for a member of the public to be able to see clearly what the law states on this issue. This is why, in October 2017, the Data Protection Commissioner announced a formal investigation into the lawfulness of the public services card and highlighted issues that are not yet resolved, including biometric data processing and governance and data issues associated with the interplay between the public services card, the public service identity set, mygov.ie, single customer views and infosys, which are all the different technical components of the system.

As we reach a key phase in the extension of the scheme, particularly with the extension to the driver licence system in March of this year, as scheduled by the Government, and the passport system in the fourth quarter of this year, also as provided under the eGovernment strategy, the fact that there is an investigation ongoing by the Data Protection Commissioner into the legal basis of the scheme surely gives rise for pause for review. Pending the conclusion of that investigation, the findings of the commissioner and what advice, if any, the commissioner, has to offer to the Government on this issue, we do not believe it should continue to be extended while these concerns are outstanding.

In regard to the balance of whether it is necessary or proportionate as regards a restriction on privacy rights, a balancing assessment should take place which must consider whether there are less intrusive means by which the State could achieve the stated public policy aims, whether sufficient safeguards are in place to prevent abuse or risk of security breach or whether the State's actions are justified in light of the intensity of the interference with privacy. We are not convinced that this scheme is necessary to achieve the stated aims, which are cost savings. The Comptroller and Auditor General in his assessment of the scheme found there was no business case undertaken or presented before the scheme was initiated and he raised certain concerns about the overall cost of the project. There are clearly open questions on savings at present.

With regard to security, the Government has repeatedly referred to the fact that this is a safe level two standard of identity authentication as opposed to the previous safe level one standard. Our understanding is that the distinction between safe level one and level two is an internal government assessment. It is not an independent, international standard of authentication, rather it is one that has been developed internally. It refers, it would seem, to the inclusion of biometric facial scans in this particular scheme. We are not convinced that this type of technology is a necessary form of security authentication for the range of services for which it is being currently used. We see no difficulty with the existing passport or driver licence system in terms of proving their identity.

In terms of risks and potential abuse, it is now a norm in other European countries that where national identification systems of this type are introduced, a bespoke and specific oversight system is put in place to monitor it. We obviously have a very sophisticated and well resourced Data Protection Commissioner office, which has competence in this area, but it would be the norm to have a specialist body in addition to that office and we think that is something that should be considered.

In terms of the types of risks we are seeing, we make reference in our submission, for example, to the case of India where an extensive biometric national identity card system, not entirely dissimilar from ours, was introduced. Some of its characteristics were certainly different and the political context, as members of the committee will appreciate, is quite different. However, despite a significant investment of resources in rolling out that system, security breaches by external agents, hackers and so on were found, the system was accessed and full administrative access is now being sold on the open market - we have been told and has been reported in the international press - at a cost of €7 per person.

We do not want to be alarmist about this but members will be aware that already within existing public sector databases in Ireland, there have been significant and worrying data breaches in recent years with regard to the PeoplePoint system and the EirGrid system. Members will also be aware that in terms of human involvement in violations of privacy, the Department of Employment Affairs and Social Protection has had difficulties in the past, which have, in some cases, led to criminal prosecutions. These risks are great but when we have an extensive system of this type, where we have sharing of data across a huge number of agencies, the nature of that risk is very much magnified. Also, from an international perspective, complex extensive systems of this type are more of a target for hackers because of the potential access to information once somebody gets into the system.

We also believe an important political point is being made here. As the scheme is currently extended, it disproportionately affects those members of our population who are dependent on social protection payments, pensions and so on. Perhaps that will change as it extends to drivers' licences and passports over the next year but at present, vulnerable sections of the population are particularly in line here if they raise questions about this system. We know of instances where ordinary members of the public, who are dependent on social protection payments or pensions, have asked the Government to clarify what the legal basis for the system is before they were happy to progress and we know of cases where people have been cut off from pension payments by simply asking questions.

We see our role here as simply asking questions and we believe the Government has not answered all of them yet. There should have been an open democratic discussion about a public policy initiative of this significance to ordinary citizens in terms of privacy rights before it was initiated. It is deeply regrettable that has not been how the Government has chosen to proceed on an initiative of this significance. There is currently an inquiry by the Data Protection Commissioner into the fundamental questions about the legal basis for the scheme. In such a context, we certainly urge the committee to call on the Government to at least suspend the extension of the scheme and await that review before it extends the scheme to drivers' licences, passports and the other services that are scheduled for 2018.

Members will be glad to hear that I do not intend to rehash any of Mr. Herrick's submission, which I fully endorse and on which we had a brief conversation before we came in order that we would not cover the same ground. I will deliver a focused approach on a few points because they are the ones we see coming up over and over again. There is not a legal basis for this project, as it has been implemented, and I would like to explain why I say that. In September 2013 the Cabinet met and issued a formal Government decision, which is a form of an official document, and, among other matters, it ordered that a research and consultation exercise was to be undertaken by the Department of Social Protection on the suitability of the current legal basis for the personal public service number, PPSN, and the making of recommendations. There was to be a review on the legal basis of the personal public service number and all the legislation around that. I have confirmed with the Department of Employment Affairs and Social Protection that, as of October 2017, that had never been started and not a single record had ever been created. That was a missed opportunity. In the time between those two decisions, that is, between 2013 and the present, we have seen an extensive ramping up of a project rooted in the PPSN legislation but which has gone well beyond it and without that review, I am afraid that the Government has fallen into error. The consequence of this was that in October 2016 when the Court of Justice of the European Union, CJEU, issued a judgment on the interpretation of the limits of state rights in aggregating and sharing data between state agencies and public agencies, that is the Bara case, the court gave quite a pithy summing up, unusually so in such judgements. The judgment states that "with regard to processing of personal data and on the free movement of such data, [the European law] must be interpreted as precluding national measures, [that is legislation and other internal protocols] such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing".

In order to inform a data subject of the purposes of processing, there must be a purpose defined. As the Comptroller and Auditor General has pointed out, there is no set purpose defined for this project. There has never been a single business case set out for it. The difficulty there is that if one collects data without a set purpose, there can never be informed consent or consent at all received from a member of the public, nor can the public ever have been informed in advance of the data sharing happening. The result is that, as it has been structured, this plan has resulted in a system which cannot be in compliance with the Bara decision. The national laws which are cited, and I will go on to discuss those, all live under the shadow of that superior law from European level, which is incorporated into our Constitution. That means that no matter what legislative provision is passed in respect of data sharing - let us be clear, the State has attempted to pass all sorts of legislation on the data sharing front - if there is not prior information given to members of the public as to what the purpose of it being processed was, and what it will be used for in the future, it cannot meet the requirement of the CJEU.

The Data Protection Commissioner recognised almost immediately that this was a very significant challenge to the way the State had approached databases and data sharing. She issued a detailed briefing note in respect of this case alone, an unusual enough event from the Data Protection Commissioner's office. She said:

The consequences of this judgment are significant and potentially very far reaching. The Office of the Data Protection Commissioner recommends that all public sector bodies complete a full review of their obligations and arrangements on the basis of the findings [of this report].

Unfortunately, as we have seen, this was also something the State intended to do off its own bat in 2013 but, in so far as we know, nothing has ever been done about that. Nonetheless, the urge to carry on collecting and sharing sensitive personal data may have proved stronger than the wish to inquire into how this data collecting and processing project could be compliant with European law but it will hold consequences in the near future.

The period for the coming into force in May 2018 of the general data protection regulation, GDPR, is currently ticking down. We are only a few weeks away from it now. That will allow for states, just as private institutions, to be liable for non-financial loss breaches of data protection rights. There is a risk that the personal public services card data, that is, the single customer view database, is not complaint. I have set out why I believe it is not and cannot be complaint under the current system and we are told it currently contains approximately 3 million individuals' details. If it is the case that it is not compliant, that would indicate that each one of those 3 million people have a claim on the State. In fact, there is a requirement, under European law, that in any instance where there is a breach of human rights and charter rights, that breach must be met with a remedy and the remedy is now being set out in the GDPR. It is a remedy in terms of financial compensation. That is available through the courts. Any figure that would be picked as to what a court might consider to be appropriate for that kind of breach is a very large number when multiplied by 3 million.

I consider the collection and sharing of this database without a proper legal basis to be one of the major financial risks the State has voluntarily taken on in recent years. I am attempting, as I was in other committees, including the Joint Committee on Justice and Equality, to sound the alarm in respect of this issue. This is not something the State needed to do or that is financially beneficial to the State, even without the question of compensation. At the last count, the cost of this project had exceeded €60 million. The State had estimated it had made something in the region of €1.7 million to €2 million in savings. These cards will have to be reissued at regular intervals. That means there is an ongoing cost to this in a one-off project. On a cost basis alone, therefore, this is a project which is not saving the State money. It is costing the State money but also has left it with uncrystallised potential liability running into unknowable many zeros in terms of the moneys that may be due to the State's citizens.

I want to deal with some of the questions. Mention was made of a lady whose pension was cut off. She has joined us in the Public Gallery today; I met her briefly earlier. Her experience is instructive because it is an experience where an individual has been affected very badly by the application of systems which do not appear to wish to answer a simple question: how is this lawful? The Department of Employment Affairs and Social Protection cited as the legal basis for the stopping of that lady's pension section 247C of the Social Welfare (Consolidation) Act 2005, as amended. The relevant section 247C(3) specifies the manner in which the Minister may be satisfied as to a person's identity. It is important to point out that there have been statements to the effect that, henceforth, only the public services card will be an acceptable method of proving identity but section 247C(3) foresees that there will be alternative methods and it allows that the Minister has discretion to use those alternative methods solely for proving identity. In addition to using those alternative methods, the Minister has the discretion to apply other methods she deems appropriate. A blanket policy, therefore, that no other method will be permitted is fettering the Minister's discretion. These are grounds for an appeal to the courts if anybody wished to take one and more importantly, it is a demonstration that this is not a good public policy position for the State to take.

The Department is relying upon a section which is designed to prove a person's identity to the Minister. That is a laudable and necessary part of any social welfare system. After all, State money is being handed out to individuals. There must be a method of making sure that the people who should get the money are getting it. That is not the argument. The problem is that this is the sole lawful purpose for which this information can be collected. That purpose is set out also in section 347C, and when the Department cites the section it oddly leaves out this portion of it, namely, that the purpose is "to satisfy the Minister as to his or her identity". Once that purpose has been met, there is no lawful basis for further processing of those data. What is happening, however, is that in order that people be required to have a public services card, if they are to satisfy the Minister, the information is then being passed into the single customer view database where it is then shared with approximately 120 to 150 public agencies and bodies as necessary. That is processing over and above that which is allowed for under the national legislation, quite apart from the limitations the EU law has brought in, which I addressed earlier.

This is not a one-off. The State, and by the State I am not referring to any particular Government as these matters have been passed under the aegis of a number of different Governments but rather the administrative State, has a particular background in attempting to limit the effects of data protections for citizens and legislating away its own duties. For example, section 8 of the Health Identifiers Act 2014 attempts to interfere with the Data Protection Commissioner's independence by requiring her, if she undertakes an investigation into any form of breach or complaint in respect of the independent health identifiers database, to simply make a report to the Minister. I am aware the commissioner has already expressed her concern about that fettering of her independence, and that independence is written into European law as a requirement in any legislation at a national level which clashes with that. It is non-effective and should not be given effect by any part of the State.

Those are the individual legal bases that are cited but in terms of what has happened, what we have seen is a national identity card and national identity index, as it was described by Deputy Burton when she was Minister for Social Protection. She recognised that establishing a national index and producing a national identity card is a wider issue which is not part of the remit of the standard authentication framework environment, SAFE. That is the in-house developed, departmental internal standard, which is the basis on which these requirements are being placed upon individuals. She said it will require due consideration by appropriate agencies before any policy decisions could be formulated and would require the development and implementation of legislation to support any such policy. I agree with that. If one wishes to bring in a national identity card - a position I would argue against although I could lose the argument - it should be brought in openly with public debate and by way of grounding legislation where everybody knows what is happening and is given an opportunity to weigh in.

There are political and legal issues about national identity cards. That was seen in the United Kingdom where an attempt was made to bring in a national ID card system under the Government of Tony Blair and, subsequently, under Gordon Brown's Government. That was eventually scrapped when the legislation could not get the support it needed through the Houses of Parliament. The subsequent database, which ran to many millions of people, was erased because it did not have any basis. I do not want to see Ireland reaching the position the UK reached where it wasted billions of pounds on building a database that was eventually scrapped because the legislation could not be got through the Parliament. I do not believe that was the right thing to do but they did the right thing in facing up to the necessity to have that public debate before it brought in the law and to bring it in by way of primary legislation.

I have made written notes on the discussion in respect of the legal situation regarding the single customer view database. It is rather detailed and for the purposes of the submissions today I would like to deal with one side issue, which I have marked as a side issue because I do not believe it is central to the discussion but is indicative of the Department's approach to these queries. Are the single customer view and the public services card database a biometric database? I have said what is the helpfully short and easy definition of biometric data. It is taken from Article 4.14 of the general data protection regulation, GDPR, which states that biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person". It gives two examples of biometric data, namely, facial images or dactyloscopic data, which are fingerprint-related data.

The Department is currently holding to the position that its database, which contains very high resolution and biometric level facial imagery of everybody who has been carded, does not include any biometric data. That is at odds with the European law's definition of biometric data and it means that the Department is arguing for its own new definition of biometric data, which is that data such as facial images, fingerprints and perhaps even iris scans, which are referred to in the SAFE 3 standard, may be stored but none of those count as biometric data. It is only when that data are run through a piece of software and some biometric matching is done with them that they become biometric data. That would make a nonsense of the GDPR's protections relating to data collected from individuals because no one collects their output of a software scan. What is collected from them are the actual data relating to their physiognomy.

When presented with two readings of legislation, one of which would be irrational and the other rational, generally speaking, lawyers prefer to believe that the rational one is the one that should be relied upon. The rational one is that biometric data is exactly what Article 4.14 says it is, and it includes facial images.

While it is a side issue, the reason I bring it up is that it shows the disconnect between people who are trying to advance what is quite a fact-based and heavily-researched position in terms of what is legal argument, in effect, to demonstrate that what the Department is saying is inaccurate, and the Department's quite superficial response in respect of those very seriously held concerns. The Department would not answer questions from the lady who is present today and whose pension was cut off. The question she asked was, "Can you show me the legal basis for requiring me to get this card?" If it showed her the legal basis for requiring her to get that card, she would have got the card. The problem was it never answered that question.

I have had this experience on behalf of a separate client, where I wrote seeking exactly the same position because my client received a letter from the Department of Social Protection saying it was now a legal requirement to get one of these cards and to attend to be carded if she wished to continue to get her child benefit. She contacted me and said she was not having any luck in receiving an explanation as to what was the legal basis that required that attendance. I then wrote to the Department. It ignored my letters for slightly under one year, during which I got no response whatsoever. Eventually, I phoned the Department and said I had not been given any response. I was told I would receive a response shortly and when I did receive it, I was told, "We will not be answering your question and we are forwarding this matter to the Chief State Solicitor to answer." When I received a response from the Chief State Solicitor, I was told: "We will not be answering your question because the matter is moot because your client did not lose her child benefit, and, therefore, there is no legal issue."

From the point of view of citizens, what has happened here is that the State has written out to them and told them there is a law that makes them do a thing. That is a very significant issue as the thing it is asking them to do is quite intrusive in terms of their human rights. They are told to come to a place, be registered by the State, have a photograph taken and have that loaded into a State database. It is not unreasonable to ask, "What is that law?" It is very telling that when that question is asked, the response is not to answer the question but to ramp up in respect of threats and then, when threats do not work, to simply move on to the next person who may not have the benefit of a lawyer asking the question for them.

She received a letter in, I believe, June 2016. I wrote my first letters in September or October 2016 and I eventually received an answer just before Christmas 2017 from the Chief State Solicitor's office. During most of that time I was attempting to make contact and receiving no response whatsoever. It was only in the September to Christmas period that I was receiving holding responses. My client did not suffer any financial loss. She was not penalised despite a letter having gone out telling her that would be one of the consequences if she did not attend and that it was necessary to do so. However, there were many other people who received letters with identical wording and they will not have known who to contact in order to try to advance the question, "What is the legal basis on which this is being done?"

From my point of view, when I hear that the Department has issued 3 million public services cards, that says to me, if I am correct in my legal assessment on the lack of compliance with European law, that we have a 3 million person contingent liability. More important, we have 3 million people who have been told to go and get a card, and they have been told to do it under varying wordings and letters inviting them to attend to get a card. However, none of those wordings has advanced any legal basis for that and a number of those wordings that were sent to people asserted there was such a legal basis and a requirement. That is very concerning in terms of the way the Department addresses this.

I have probably spoken longer than I should have. My apologies to the committee and my thanks to the members for their patience. Hopefully, they have questions that I, Dr. O'Rourke or Mr. Herrick will be able to help them with.

Thank you for your opening presentations. The witnesses have certainly brought a degree of clarity that there is no underpinning legislation which is consolidated in social welfare legislation and they have highlighted a number of very significant issues. I will take questions from the members. I call Deputy Joe Carey.

I welcome the witnesses and thank them for their presentations. I personally do not have a difficulty with the public services card and I think it is a good initiative which streamlines people's engagement with services, notwithstanding what the witnesses have said. In particular, in regard to the Bara case, as I understand it, it involved Romanian self-employed citizens who challenged the lawfulness of the transfer of their personal data by the national tax authorities to the national health authorities-----

-----under the data protection directive 95/46/EC. Unlike Romania, Ireland, under the Social Welfare Consolidation Act 2005 at section 262, sets out that we share the use of our PSI data and that it is restricted to public service bodies specified in law or their agents. Unlike Romania, Ireland has legislated specifically to restrict the scope of the obligations and rights contained in that particular directive. I would take issue with the witnesses' interpretation of the Bara judgment and their basis for saying we are in contravention of European law.

That is a core point. If it were the case that what Ireland had done was somehow very different from what Romania had done, then the finding of the European Court of Justice would have referred to this, given it is meant to be applicable to all nations in the EU, not merely in respect of one case, but in terms of setting principles beyond the particular facts of a case. When the former Minister, Deputy Noonan, was asked questions about this in the Dáil by Deputy Catherine Murphy, he presented the position that Ireland was different from Romania because our position was based on legislation and the Romanian transfer was not based on legislation. I thought that was a very surprising position for him to take given the judgment sets out what the Romanian legislation is. The judgment has a heading entitled "The Legislation" which sets out that legislation. There was controlling legislation, just as there is here. There was also an inter-agency protocol, as there is here between the Department of Social Protection and the Department of Public Expenditure and Reform, and we mirror that relationship very closely in the way that we handle that data sharing between Romania and here.

Even though the assertion was made in the Dáil that we were different because we had legislation and Romania did not, the judgment itself refers to the Romanian legislation, so there was no difference on that basis. Therefore, to meet that point, it is concerning that I find there are these positions that have been taken, not by Deputy Carey but by the State agencies, which appear to be based on either misreadings or misunderstandings as to the meaning of the legislation but also in respect of the actual facts in the judgment. As I said, the Romanian Government had a piece of legislation and we know this because the judgment goes into describing the terms of it, it quotes from it and it then sets out why that legislation was not sufficient, given there was also a protocol between the two agencies which dealt with the detail of what would be transferred, and so on. What we have is a piece of legislation and a separate protocol - a memorandum of understanding - which sets out exactly the same thing. In European law terms it is a data processing agreement. Therefore, we very much mirror the Romanian experience.

I have listened to Mr. McGarr but I take issue with that and do not think he has a foundation for it. I deal on a daily basis with people who have public services cards and I hold one myself. I think there is huge merit in the public services card. I do not really get Mr. McGarr's arguments. I think it streamlines the service and enables people to access services in a more streamlined way.

I have many questions, but I will try to ask a couple of them and come back with more if I have an opportunity.

What stands out for me from the Bara judgement is the specific point that the data subjects were not being informed of the transfer or processing. There is a question of full information and consent, which seems to be very crucial, and the extent and clarity of the information around the intended use of their information for those who have been issued with a public service card or have been told that they need one. It is very clear that we are not talking about a moment of identification but rather a person's information being given into a single customer view database. This relates to the transfer of information to a database. Are the purposes for the collection of this data provided clearly, adequately and in full? The general data protection regulation, GDPR, is very clear, and describes freely given, informed and full consent so that a person is able to agree to all of the potential uses of his or her data. Can the witnesses provide clarity on the issue of defined purpose?

I note that within the Government's response document, which was reissued to us in advance of this meeting, it is mentioned that where a specified body has a transaction with a person, the Minister may share the person's public services identity with the specified body to the extent necessary. That transaction provides authentication by the specified body of the person's public services identity. Does the Minister really have the right to determine and respond to requests that may come in from a specified body subsequent to a person having given his or her data to the Minister? It seems to me that such an after-the-fact use of data is proposed here.

The question of proportionate and necessary use of data needs to be clarified as well. It seems to be crucial within general data protection and indeed European law. There is a real concern about proportionality of response. We will make a person's access to his or her pension, child benefit, and information on SUSI grants - which I believe will open up a whole can of worms as it involves looking at a person's entire educational prospects - conditional upon his or her agreeing to undergo a process which does not have an agreed legal basis in terms that are recognised by the Data Protection Commissioner, and where there are clearly other ways in which the identification of the person could be conducted. It was made very clear that SAFE 2 is the system the Department of Employment Affairs and Social Protection has chosen to put in place and is not an international set standard. Could a Department or Minister be satisfied as to a person's identity on an individual occasion without the need for that information to be transferred into a single customer view database?

It seems to me that there are two issues here which require individual and separate consent. There is the consent in terms of agreeing to undergo an identification process and there is also the question of what happens to one's data subsequently. I would appreciate clarity on those issues. It seems that there could be another appropriate mechanism which would potentially be more proportionate, particularly when the stakes are so high for individuals. I want to commend the woman who took her case in respect of her pension. We should not be relying on individuals to try to fix the law in this State. We should be making sure that we as legislators are getting it right and that we have oversight of what is coming through. We should not be looking at this on a case-by-case basis. It is very notable that the State has backed down in every individual case of challenge. There is a case here, and there is huge liability. It is very unfortunate, given that we have often heard our overstretched court system bemoan the fact that we open ourselves up to having to drive through the court system for every individual person's rights to be vindicated.

I note the Comptroller and Auditor General's involvement, and believe that it deals very explicitly with the question of the cost to the State. That issue will be of serious concern to all of us in terms of the uses of public money.

Mr. Herrick from the Irish Council for Civil Liberties, ICCL, spoke about the international context. I would appreciate if he could expand on that. I understand that India followed the same model; it was voluntary initially, then mandatory and compulsory. There are breaches there, but of course we have already heard of breaches within the Department of Employment Affairs and Social Protection. I believe the value of a recent breach was not €7 per person but €23 per person. That is of serious concern. There were also breaches in Sweden, and I know there are very serious concerns in China in terms of how information is being used and how data is gathered. That is a worst-case scenario.

The ICCL has been working on other issues in this area for decades. How rare is the kind of investigation that the Data Protection Commissioner is carrying out now? I understand that this section 10 investigation is unusual. Is it not the case that the previous Data Protection Commissioner also raised concerns?

Senator Higgins covered many topics in her contribution. Public services cards were originally brought in in the context of old age pensioners and their access to transport. That was leading to problems. The idea was they would not have to carry something in their pocket but would instead have a card. The scope of these cards has broadened without serious discussion and debate in this building. The primary legislation that needs to be in place has not been passed yet. That is very serious, and I am very concerned about it. I do not have a public services card and I will not get one until I am confident that it is safe, secure and has all the legislative backup it needs. The data on the cards can be breached so easily, as we have seen in India. I am not sure how much protection and primary legislation there was in India when the cards were brought in. Was it brought in in the same way we are bringing it in here?

The private sector is also involved. The driver's licence sector is now run by a private company, and they can use a person's information and pass it on. That is very serious, and unless one is very on the ball from the point of view of awareness of what he or she is signing, it is very dangerous. This committee should perhaps look for a debate on this issue in the Dáil in the near future. If we decide that there are still things that have to be done before the public services card can be rolled out fully we should slow the pace down on its implementation. I would be interested in having that debate because it is a very serious issue. The British Labour Party brought in a similar card under Tony Blair and then tried to extend its remit. I am not necessarily opposed to an ID card, but not if it is brought in under the radar. It should be discussed and there should be public debate on it.

Is anybody who refused to accept the card waiting for any payments owed to them? If there are any problems like that what stage are they at?

I am not sure that our witnesses today can answer that question. That information may have to come from the Department.

I do not want to reiterate the points made. Mr. Herrick outlined the issue in terms of the legislation. We have legislated in the sense that different pieces of legislation have added new areas where the card can be used.

There is no stand-alone instrument, as has been said, but different sections have been amended. Therein lies the problem, because as has been clearly outlined, it cannot all be seen in one place.

One of the social welfare Bills listed the next group of organisations to be granted access to the information. In their opening statement, the witnesses referred to more than 100 public bodies which now have access to it. I share Deputy Collins's concern. We have always envisioned the public services card being used for interactions with public bodies, but the time will come when access to this information will creep. I do not have very clear cases in mind, but an example might involve a cardholder who is entitled to free travel which is provided by a private operator or as part of a benefit, a cardholder might receive units of energy, such as gas, from a private operator. While these would be attempts to provide a benefit, the concern is that the card is involved and there is creep in access, and the centrally held information has the potential to spread much further than was ever envisaged. I would like to hear the witnesses' views. We have constantly kept the debate on the subject of the card's use by public bodies. After public bodies, however, will private companies eventually have access to some of the information, in the absence of primary legislation?

I will first address the question of the law being transparent and readable to the public. To be clear, it is not just a preference that the law should be accessible. There is a legal obligation on the State to ensure that laws which restrict individual privacy rights are accessible. We refer in our submission to the European Court of Human Rights jurisprudence in the cases of Sunday Times v. United Kingdom (No 1), and S and Marper v. United Kingdom. In both of those cases, respectively concerning defamation law and surveillance law, the Court outlined a principle that if a law speaks directly to the question of individual privacy rights, there is an obligation on states to make that law accessible. As such, there is a legal principle at stake.

On the specific question that Deputy Collins and the Chairman have raised about potential private sector involvement, there is a relevant international example in Sweden. The Swedish driver's licence database system involved provision of services by a private sector body. It became apparent that the database was being accessed by a private sector body in another jurisdiction, in that case in the United States. We have real-life situations of this happening. The Irish public services card system involves private sector service providers based in this jurisdiction. As we understand it, they are involved in the provision and manufacture of the card itself. There is certainly potential for private sector involvement either in the provision of State services or as part of the card system in various IT infrastructures.

In response to Senator Higgins's questions about international examples, the Swedish case is pertinent to her query. We also have heard about an example from Scotland, where a bus pass system crosses the divide between the public and private sectors. A bus pass is relatively innocuous on its face. However, where information can be accessed about someone's travel habits, the case has been made that personal privacy is affected.

The UK and Australia are two examples of countries where schemes of this type were attempted, but there was public outcry against them. That is part of the tradition of common law jurisdictions, which have always had an opposition and antipathy towards compelling citizens to provide papers or information about themselves on the street. That is not what is at stake here at present, but it does underline where we are coming from as a point of principle. I understand Deputy Carey's point about the benefits of more convenient access to services, but this is something which we would say is beyond that. If an individual is accessing services in two or three Government Departments, and there is a form of identification which could simplify that, there might be a case for co-operation between the HSE and the Department of Employment Affairs and Social Protection. We are now talking about a much wider range of Government services, and we do not see a case where identity cannot be proven using a passport, which is provided through a secure, publicly run system. If someone has reservations or is opposed to the public services card, and we have outlined the kind of reservations that a person might reasonably have, why can they not use a passport? That case has not been made to us. The onus is on the State to demonstrate that, and we do not think that it has done so.

I would like to comment on the legal basis for this and my personal experience of trying to figure out what the law was on behalf of the Irish Council for Civil Liberties, ICCL. I spent at least eight hours trying to read the Social Welfare Consolidation Act 2005 in order to check whether the law actually said what the grid in the appendix to the guide published by the Department of Employment Affairs and Social Protection claimed that it said. I was literally tearing my hair out. That Act, as we said in our submissions, has been amended by five different Acts, or at least, five amending Acts have been referred to by the Department. In order to try to read it, one has to go onto www.irishstatutebook.ie and find the text of the Social Welfare Consolidation Act 2005. The original 2005 Act can be seen there. Then, one must click on the list of amendments, statutory instruments etc. This leads to a list which must include more than 1,000 amendments, as there are already about 350 sections in the Act, practically all of which have been amended in some way, shape or form.

On the left of the screen the heading "S. 263(1C)" appears, and alongside that is an outline of the ways the section has been amended. If one clicks on "S. 263(1C)", the website returns to section 263 of the 2005 Act, because the "C" is not actually a hyperlink. A reader must figure out what section 263(1C) currently states. It may have been amended several times to arrive at the 2017 version or 2018 version of S. 263(1C). These must be patched together. I could not do it. I called the Department of Employment Affairs and Social Protection and asked if the officials there had an internal version of the consolidated Act that they use to come up-----

As amended, exactly. I asked if they had a version which was current, up to date, consolidated, revised or whatever term is preferred, that they used to come up with this appendix. They said that if I submitted my request via email they would get back to me. I did that two days ago. I have not received the version of the legislation that they rely on. The Law Reform Commission is doing a really important job of revising Acts that are important to the public. However, they have not worked on the Social Welfare Consolidation Act 2005, which given its importance to so many people in society, its length and the number of times it has been amended, is unfortunate. Of course, they have their resource constraints.

I find it amazing, given the public importance of this issue, that we are not discussing a piece of legislation that tells us what the legislative basis for the card is. I do not understand why there is only a grid or why I cannot check what is written here against the legislation. For example, the appendix to the Department's guide describes a power whereby: "The Minister will retain, in electronic form, the photograph and signature obtained under the process set out in Section 263B (1)."

That might suggest that there are processes prescribed to keep this information safe and to provide legal, explicit provision for the safeguards that are so clearly required when we have a database with this kind of information in it. However, when I found my way to the current version of section 263B (1), I found that it simply says that the Minister shall retain it "in such manner that allows such photograph, other record or signature to be reproduced by electronic means".

It is important to be able to check what is asserted as the legal basis against the actual legislation. It is important for the rule of law, democracy and access to justice for individual people. I thought it would be helpful to describe the difficulties I had, and to let the committee know that I submitted that request. I went everywhere I could. I went to the Irish Human Rights and Equality Commission, Mr. McGarr and Digital Rights Ireland, and I could not find a copy of the revised or amended legislation.

I went through this process when I tabled amendments on section 263 of the Social Welfare Bill before Christmas. I specifically proposed amendments on how photographic information could be used and to preclude it from being checked against databases of biometric information, pending a clear direction on the practice. The amendment was not accepted but on looking closer at the legislation, one can see that the provisions are not there.

I feel Dr. O'Rourke's pain as I went through the same process, which leaves a mark on everybody who experiences it.

There was a question about whether, in time, the private sector would have access to, and sight of, these cards. The old social welfare cards, with the Department's logo on them, were brought in by the then Minister, Séamus Brennan. There was hot debate on the use of the cards as ID cards and he stressed that they would not be so used. He created a series of protections to give reassurance to the Dáil and to the public that the purpose of the card was not to be an ID card. He made it an offence for a card to be produced to somebody unless that person was a public body as scheduled in the Act. This prevented people from being pressurised into producing them, mar dhea, voluntarily and it prevented the cards being used in the wider world outside that of the scheduled public bodies. It was a strong measure that gave reassurance that the cards would not turn into ID cards. Section 5 of the Social Welfare and Civil Partnership Bill 2017, which is before this House, proposes withdrawing that protection. It will no longer be an offence and people may ask a person to produce his or her card in the private sector without any consequences. The explanation for this is that people may wish to use it as an ID card.

It seems to be a case of cognitive dissonance for the Government to hold the position that this is not an ID card database while bringing in legislative provisions which specifically remove the protections which prevent it from being an ID card. The private sector has access to these cards in the shape of private sector data processors working for public sector data controllers and gardaí will be able to ask people if they want to show them their card. It may be voluntary and for an individual to decide but there is nothing preventing a garda from asking a person for it, as there has been up until now. The question of whether a garda could ask to see a person's card was presented as the defining characteristic of whether something was an ID card. Section 5 of the Social Welfare and Civil Partnership Bill 2017 raises the question of whether the protections which were baked into the original scheme are being removed, carefully and bit by bit.

We have not seen legislation that addresses why one would do this, and why we might want an ID card that could be used by the private sector. In the course of my FOI explorations in the Department, I came across an internal document describing the SAFE system. Its architecture provided for passing data through to the private sector, which is not provided for in any legislation. If section 5 proceeds as the Government has proposed it, and without any changes, it is not a question of whether this will be used by the private sector but when, with the answer being "shortly". I was asked whether this would be a good or bad thing. I believe it is a further step to deepen the integration of what was a card for dealing with the Department into a national ID card system. If one puts a frog in a pot of water and gradually turns up the heat the frog does not notice that it is being boiled.

Two lessons appear to have been learned by the Irish State from the UK's experience. First, the UK stated that it was bringing in a national entitlements card which allowed people to access public services and this was a successful way to bring it in without calling it an ID card, something which seems to have been taken on board here. Second, we learned that legislation can fail and a project can end and perhaps that is why we have not seen any legislation being brought forward on this. The problem in bringing forward legislation and having a public debate on an issue is that one never knows what way the debate will end.

I was struck by what Mr. Herrick said about travel in Scotland. The current legislation refers to identification solely in respect of a transaction but when there is such a wide range of points of information identifying a person, it may lead to other forms of information, and a set of information which can be built up around a person. There may be concerns in respect of that issue. The point about passports was well made and given that an Irish passport is one of the most valued and respected internationally, it is dangerous to contemplate one not being acceptable as a form of identification, which could happen in the private sector.

Concerns around the SAFE system architecture are very clear. It is necessary to ask if something can be said to be voluntary when one's means of livelihood, one's income, the benefits one needs for a child or the opportunity to go to college is at stake. We are effectively looking at a mandatory system. Biometrics were touched on and Elizabeth Farries, who has done excellent work in this area within the ICCL, had an interesting article in the Irish Examiner yesterday. She referred to the specific concern around biometric information. If a number or an address is hacked or accessed, it can be changed, but once one's personal biometric information is accessed, there are privacy concerns.

The question about passports is central. The Minister and the Department are asserting that there is something special about the SAFE level 2 identification and authentication and that it is materially preferable to the existing SAFE level 1 system, which includes passports. They need to demonstrate how it is more secure than the passport system but I do not believe they have done so.

Our passport system has very high integrity, as the Senator correctly said, and it is internationally regarded as of a high standard. Of course, there are potential instances of breach or fraud from time to time, but one would have to be able to show that there is something special about this card system that will eliminate the types of risks we currently have with the passport system and that is not the case. On the other hand, we are opening a new level of risks in terms of the possible consequences of breaches of the security of such a system. The Indian example is a cautionary tale in this regard. Simon McGarr mentioned the new scale and level of risks from a legal perspective, but we are talking primarily from an individual privacy perspective. We do not believe the case has been made to make this necessary. There is also particularly valuable biometric data from a criminal perspective in terms of being able to access that with regard to potential personation or fraud down the line.

Finally, on the theme of fraud, one of the public policy justifications put forward by the Department is the public policy objective of eliminating social welfare fraud. We have had a consistent problem with overstatement of the problem of social welfare fraud in this country. However, one thing we do know about social welfare fraud is that personation is a minority element in the overall number of fraud cases. Generally, fraud in the social welfare context tends to be about the status, circumstances or activities of an individual, such as a person claiming to be disabled or the person not working when he or she is working or is able to work, rather than people impersonating other people. Even if this was an effective mechanism to eliminate personation in the social welfare system, it is likely that it is a tiny proportion of what is already quite a small overall financial fraud on the State. It is certainly something that cannot justify the expenditure or the extension of interference in privacy of the scale we are seeing.

Absolutely. If one is looking at this from a proportionality perspective, as we are and as the European Court of Human Rights ultimately would as well, and if one is basing one's justification on the financial saving which comes from this system, the Comptroller and Auditor General has said that no business or financial case was made which would overcome that burden. We have an internal check and balance which was not met in this case. There is overstatement from time to time. This morning the Minister said there are cases every week anecdotally where this card is saving money, but I do not believe a business case has been made that would meet the necessary burden of proof.

As far as we understand, this is the first inquiry of this type and it is ongoing. Given the significance of that inquiry and the significance of the issues at stake, the Data Protection Commissioner, in announcing the initiation of the investigation, said it was going into the legal basis of the scheme. That is surely something that should cause Government agencies to suspend further activity, whatever about the operation of the system as it stands. The Government's schedule is to go ahead with driver licences as the next stage in this in March 2018.

I am not speaking to the question of financial risk to the State but purely from the perspective of privacy rights. We know there is an investigation ongoing into the legal basis of an interference with privacy rights, yet it appears that additional legal steps are being taken by the State while that inquiry is ongoing. We do not have any information about the timescale for the commissioner's investigation - it would be helpful if we knew that - and we do not know what we might expect from it. However, certainly it is something of great significance. Simon McGarr might have further information about the history of it. As far as we know, it is the only inquiry of this type that has been initiated.

It is a very significant step for the commissioner to have taken and it is valuable to see it in the context of what happened. The commissioner passed a series of questions to the Department. Her office was looking for clarification about things which had previously been asserted by the Department in respect of legality and so forth. She came back with 57 extremely detailed questions as to exactly what was meant by various items. The answers to those questions were produced and published publicly as the guide to the legal provisions associated with the public services card. The Department provided the commissioner with the answers. I read them at the same time the commissioner was reading them. I do not know what the commissioner thought of them except that, having read them, she commenced her investigation. That was the context. I know what I thought. Having read them I did not think the Department had answered the questions she had put to it and such answers as the Department had given would not give anybody who knew about the live issues in terms of data protection any comfort that the matter was being run in accordance with EU law and data protection law.

The commissioner's investigation is ongoing and there are very significant constraints as to what she may do. She must be independent in the performance of her duties so there are significant constraints in how she could comment on it. I recognise those constraints. Nonetheless, this investigation was started on foot of the legal basis provided by the Department. The Department said that this was its best foot forward and in response to that the commissioner opened the investigation. As Mr. Herrick pointed out, to my knowledge the commissioner has never used her section 10 power, which is the power to commence an inquiry without a requirement for a complaint but on foot of the commissioner's belief that an inquiry is necessary in respect of a State agency's or body's project.

In terms of our inquiry, what does the witness believe should be the actions of the State at present for the persons who are currently at a potential loss of grants, pensions and so forth rather than each of them going individually to Mr. McGarr or other legal representation? Deputy Joan Collins and other Deputies hear of local constituency cases. People are coming to them with concerns and they are afraid. They feel they need to comply and that there is no legislative basis. It is floating information.

In the course of this discussion, we have referred to 3 million cards. That is the figure given by the Government. We have no information on who those 3 million people are. It would be helpful if that was clarified. Given that persons under 18 years of age typically would not have been asked to access a card at this point and given that people who are not in receipt of social welfare payments, maternity benefits or other benefits are not asked to provide a card, it would be surprising if there were 3 million people already on the system. We have been informed that is the case but it would be helpful to get a breakdown. We are of the view that it is disproportionately people who are dependent for their survival on social protection and pension payments. That gives rise to a vulnerable section of the population who might feel easily put under pressure to participate in a database system about which they may be uncomfortable. It would take somebody of a particularly resolute nature to forgo essential payments because of a point of principle, but individuals have done that.

Unfortunately, what I am doing is attempting to explain in words a visual slide with a graph. We are dancing about architecture. Nonetheless, the graph showed the purposes for which the various levels the standard authentication framework environment, SAFE, that is, SAFE 1, SAFE 2 and SAFE 3, would be used, how the information would be gathered and how it would be distributed. The slide that was circulated internally had an element of the private sector being seen as a recipient of information-----

Yes. I cannot from memory tell the committee under which of the SAFE levels of access it would be given, but SAFE 1, SAFE 2 and SAFE 3 are categories invented by the Department of Employment Affairs and Social Protection. According to the Comptroller and Auditor General, just inventing them cost €1 million.

Upon examination, the definition of the SAFE process at SAFE 2 level, which is the one the Government says it wishes to apply in the case of public services cards and involves a person attending at a location, having his or her photograph independently assessed by someone who will confirm that he or she is that person, and producing documentation showing that he or she is the person, almost exactly describes the method of going to a Garda station to have a passport photograph dealt with. One could easily argue that the passport process meets the SAFE 2 requirements as well. What it does not do is end up with a database entry. It appears that, although the SAFE 2 requirements are presented as merely being a desire to ensure that people are who they say they are, there is an unspoken expectation that, at the end of that process, the providers will have a great deal of data that can be placed in a database, which does not happen with a visit to a Garda station to confirm one's identity.