Mick Wallace (Wexford, Independent) | Oireachtas source

The Bill contains some welcome provisions which have the potential to improve efficiency in the public sector, interactions between staff and the public and also reduce costs. The proposed personal data access portal, the establishment of a data governance board and new data sharing agreement requirements, particular the necessity for all public bodies to hold a public consultation process before entering into a data sharing agreement, are all positive. However, some problems still need to be addressed in the Bill. Many of them relate to how the Bill, particularly section 7, will interact with the Social Welfare Consolidation Act 2005.

The Bill attempts to establish a legal basis for the large-scale data sharing that is already happening via the public services card registration process. Most people will welcome the convenience the once-only principle in the Bill promotes. I refer to the idea that a person will only have to give his or her data or information to a public body once. He or she will not have to provide his or her data repeatedly should he or she need to interact with other public bodies. However, it is also true that many people will want more control over their data and will not want them reused for an additional purpose other than the one specified when they were initially collected.

We cannot continue to coerce people to consent to the sharing of their data. That is what we have been doing illegally for a few years. The Bill fails to address the problem of forced consent. According to the general data protection regulation, GDPR, "consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment". Withholding a pension payment from an elderly woman for 18 months because she had refused to register for a public services card is clearly coerced consent and a form of State coercion.

It is important to acknowledge the work done in the Seanad by Senator Alice-Mary Higgins in amending the Bill into shape. It is also important to acknowledge that the Minister of State, Deputy O'Donovan, and his Department seem to have genuinely engaged with the Senator and accepted many of her amendments or else, based on conversations with her, came back with Government amendments to improve the Bill. That is to be commended. However, during the debate in the Seanad the Minister of State stated that when people presented to the Department of Employment Affairs and Social Protection to apply for a social welfare payment, "it could be inferred that there is a consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State." That can be a worrying statement. People apply for social welfare support because they are vulnerable and need help. It would be strange for the Minister of State to extrapolate from this that these vulnerable people are at the same time also automatically consenting to such widespread sharing of their data. There are approximately 150 public bodies with which data are being shared via the single customer view database. It is important to understand the fundamental fact that, according to Article 4 of the GDPR, consent must be freely given and cannot be coerced. Recital 42 of the GDPR gives us further guidance on how we should interpret this definition of consent. Consent must be informed, which means that the data subject must be made aware of the purpose of processing. Informed consent cannot be obtained if there is no clearly defined purpose for the processing of a person's data. The data subject needs to know why his or her data are being collected and processed.

The lack of a defined purpose for such large-scale data processing is addressed to some extent in Part 4 of the Bill and the requirements in respect of data sharing agreements. The once-only principle which forms the basis of the Bill completely undermines any meaningful notion of consent. The Minister for Employment Affairs and Social Protection, Deputy Regina Doherty, has being blurring, consciously or unconsciously, the true purpose of this data processing. She has repeatedly tried to suggest in this Chamber that the SAFE2 process is simply a matter of verification and that the public services card is merely a token having completed the verification process. In February this year the head of client identity services in the Department of Employment Affairs and Social Protection told the Oireachtas Joint Committee on Employment Affairs and Social Protection that "the SAFE public services card programme is simply about verifying the identity of people engaging with public services. It is no more or less than that." It is, of course, completely acceptable and very welcome that the Department should verify an applicant's identity to minimise fraud and make sure the payment is going to the right person. We have no problem with this and no one is questioning it. However, the claim that the SAFE2 process and the public services card a person receives having successfully completed it are just about verification and no more or less than that is disingenuous.

The Minister and her Department are attempting to divorce the SAFE2 registration process and the public services card from what is a data sharing project of enormous proportions, the single customer view database and the sharing of the public services identity data set.

The Bill interacts in a very significant way with the Social Welfare Consolidation Act 2005, of which section 247C states the Minister may require any person receiving a benefit to satisfy the Minister as to his or her identity. Of course, this is a completely reasonable requirement. Section 247C(3) of the Act specifies the manner in which the Minister may be satisfied and essentially describes the SAFE2 verification process for registering a person's identity. The Minister has repeatedly stated this is a similar approach to that taken by the Passport Office in its systems when processing passport applications and renewals. Why not just accept a passport as proof of identity when a person applies for a social welfare benefit? Why does someone now need a public services card to obtain a passport? It is because the aim of the public services card and the SAFE2 process is not just verification, it is also to coerce consent to data sharing and enable the creation of a serious database of citizens' data. However, section 247C(3) of the Social Welfare Consolidation Act 2005 does not state the purpose of going through the verification process is to have data entered into a national database or that data will be shared with 150 other public bodies.

Section 247C(1) makes it clear that the purpose of the verification process described is "to satisfy the Minister as to his or her identity". Once a person's identity has been verified and the Minister is satisfied as to his or her identity, there is absolutely no legal basis for any further processing of the person's data, unless consent has been obtained from him or her. I am not saying data sharing is inherently wrong and I have no problem with necessary and proportionate sharing of data. As I have mentioned, there are positive developments in that regard in the Bill, but the Government must be honest and clear about what it is trying to achieve as otherwise it will continue to undermine trust in how the State handles personal data.

The Bill needs to give people a mechanism to opt out of the once-only principle and indicate a preference to give each of the specified bodies the data separately. In the Seanad the Minister of State indicated that the right to object under the GDPR would serve this purpose instead, but the right to object process is far more arduous for the individual and, more importantly, that process would not solve the problem of coerced consent, as a person would not be able to access public or welfare services without first consenting to the large-scale reuse of his or her data. The Minister of State told the Seanad that he would reflect further on the opt-out option in advance of the Bill being brought to the Dáil and I hope the Bill will see some changes in that regard.

I am glad that the Minister, in conjunction with Senator Alice-Mary Higgins, has amended the Bill to resolve the contradiction between sections 6 and 12 of the Bill, as initiated. The internal contradiction in the Bill derived from the fact that while section 12 specifically excluded the sharing of special categories of personal data, as defined by the GDPR, section 6 permitted the sharing of a person's public services identity. The problem was that a person's public services identity contained biometric data which the GDPR defined as a special category of personal data. I am thankful that the Bill has been amended to remove this contradiction. However and strangely, the Ministers seem to deny that photos or facial images collected as part of the SAFE2 process are biometric in nature. At an Oireachtas joint committee meeting in September the Minister said her Department did not view photos as biometric data. She said the definitions were different and that the Department's definition of biometric data did not include a photograph. Unfortunately, the definition of the Ministers and their Department of "biometric" is completely irrelevant; what matters is the definition in the GDPR and European Union case law, both of which make it very clear that facial images or photographs are biometric in nature. The Irish Data Protection Commission also issued an information notice on biometrics which included, for example, raw images consisting of recognisable data such as an image of a face or fingerprint.

I recently accessed a bundle of emails via the freedom of information process between the Secretary General of the Department of Employment Affairs and Social Protection and the Department's data protection officer covering the period from early July this year which covered biometric processing. Some of the statements made in the emails by the Secretary General reveal a strange and jumbled logic, as well as a complete failure to grasp the basis of the definition of "processing" in the GDPR. The content of the emails was used to brief the Minister for a response to a parliamentary question on 12 July, in which she stated the Department was also clear that it did not collect or share biometric data but that it created such data for its own use in accordance with the law. In an email on 9 July the Secretary General indicated that the Department did not collect data or share biometric data but that it did process them and had been clear that it did so. The Secretary General has admitted to processing biometric data and says there is nothing to hide, but the Secretary General and Minister seem to think the processing in which the Department engages is a second order of processing. That is a failure to understand the definition of "processing" in Article 4 of the GDPR which includes basic operations such as storage, use, retrieval and consultation. It is clear that the Department is processing biometric data and, therefore, special categories of personal data. This is not necessarily bad, but there are separate rules for processing special categories of data. The Department cannot adhere to these rules if it does not acknowledge that they apply to what it is doing.

See this speech in context