Oireachtas Joint and Select Committees

Thursday, 8 February 2018

Joint Oireachtas Committee on Social Protection

Public Services Card: Discussion

10:00 am

Mr. Simon McGarr:

Members will be glad to hear that I do not intend to rehash any of Mr. Herrick's submission, which I fully endorse and on which we had a brief conversation before we came in order that we would not cover the same ground. I will deliver a focused approach on a few points because they are the ones we see coming up over and over again. There is not a legal basis for this project, as it has been implemented, and I would like to explain why I say that. In September 2013 the Cabinet met and issued a formal Government decision, which is a form of an official document, and, among other matters, it ordered that a research and consultation exercise was to be undertaken by the Department of Social Protection on the suitability of the current legal basis for the personal public service number, PPSN, and the making of recommendations. There was to be a review on the legal basis of the personal public service number and all the legislation around that. I have confirmed with the Department of Employment Affairs and Social Protection that, as of October 2017, that had never been started and not a single record had ever been created. That was a missed opportunity. In the time between those two decisions, that is, between 2013 and the present, we have seen an extensive ramping up of a project rooted in the PPSN legislation but which has gone well beyond it and without that review, I am afraid that the Government has fallen into error. The consequence of this was that in October 2016 when the Court of Justice of the European Union, CJEU, issued a judgment on the interpretation of the limits of state rights in aggregating and sharing data between state agencies and public agencies, that is the Bara case, the court gave quite a pithy summing up, unusually so in such judgements. 
The judgment states that "with regard to processing of personal data and on the free movement of such data, [the European law] must be interpreted as precluding national measures, [that is legislation and other internal protocols] such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing".

In order to inform a data subject of the purposes of processing, there must be a purpose defined. As the Comptroller and Auditor General has pointed out, there is no set purpose defined for this project. There has never been a single business case set out for it. The difficulty there is that if one collects data without a set purpose, there can never be informed consent or consent at all received from a member of the public, nor can the public ever have been informed in advance of the data sharing happening. The result is that, as it has been structured, this plan has resulted in a system which cannot be in compliance with the Bara decision. The national laws which are cited, and I will go on to discuss those, all live under the shadow of that superior law from European level, which is incorporated into our Constitution. That means that no matter what legislative provision is passed in respect of data sharing - let us be clear, the State has attempted to pass all sorts of legislation on the data sharing front - if there is not prior information given to members of the public as to what the purpose of it being processed was, and what it will be used for in the future, it cannot meet the requirement of the CJEU.

The Data Protection Commissioner recognised almost immediately that this was a very significant challenge to the way the State had approached databases and data sharing. She issued a detailed briefing note in respect of this case alone, an unusual enough event from the Data Protection Commissioner's office. She said:

The consequences of this judgment are significant and potentially very far reaching. The Office of the Data Protection Commissioner recommends that all public sector bodies complete a full review of their obligations and arrangements on the basis of the findings [of this report].

Unfortunately, as we have seen, this was also something the State intended to do off its own bat in 2013 but, in so far as we know, nothing has ever been done about that. Nonetheless, the urge to carry on collecting and sharing sensitive personal data may have proved stronger than the wish to inquire into how this data collecting and processing project could be compliant with European law but it will hold consequences in the near future.

The period for the coming into force in May 2018 of the general data protection regulation, GDPR, is currently ticking down. We are only a few weeks away from it now. That will allow for states, just as private institutions, to be liable for non-financial loss breaches of data protection rights. There is a risk that the personal public services card data, that is, the single customer view database, is not compliant. I have set out why I believe it is not and cannot be compliant under the current system and we are told it currently contains approximately 3 million individuals' details. If it is the case that it is not compliant, that would indicate that each one of those 3 million people have a claim on the State. In fact, there is a requirement, under European law, that in any instance where there is a breach of human rights and charter rights, that breach must be met with a remedy and the remedy is now being set out in the GDPR. It is a remedy in terms of financial compensation. That is available through the courts. Any figure that would be picked as to what a court might consider to be appropriate for that kind of breach is a very large number when multiplied by 3 million.

I consider the collection and sharing of this database without a proper legal basis to be one of the major financial risks the State has voluntarily taken on in recent years. I am attempting, as I was in other committees, including the Joint Committee on Justice and Equality, to sound the alarm in respect of this issue. This is not something the State needed to do or that is financially beneficial to the State, even without the question of compensation. At the last count, the cost of this project had exceeded €60 million. The State had estimated it had made something in the region of €1.7 million to €2 million in savings. These cards will have to be reissued at regular intervals. That means there is an ongoing cost to this in a one-off project. On a cost basis alone, therefore, this is a project which is not saving the State money. It is costing the State money but also has left it with uncrystallised potential liability running into unknowable many zeros in terms of the moneys that may be due to the State's citizens.

I want to deal with some of the questions. Mention was made of a lady whose pension was cut off. She has joined us in the Public Gallery today; I met her briefly earlier. Her experience is instructive because it is an experience where an individual has been affected very badly by the application of systems which do not appear to wish to answer a simple question: how is this lawful? The Department of Employment Affairs and Social Protection cited as the legal basis for the stopping of that lady's pension section 247C of the Social Welfare (Consolidation) Act 2005, as amended. The relevant section 247C(3) specifies the manner in which the Minister may be satisfied as to a person's identity. It is important to point out that there have been statements to the effect that, henceforth, only the public services card will be an acceptable method of proving identity but section 247C(3) foresees that there will be alternative methods and it allows that the Minister has discretion to use those alternative methods solely for proving identity. In addition to using those alternative methods, the Minister has the discretion to apply other methods she deems appropriate. A blanket policy, therefore, that no other method will be permitted is fettering the Minister's discretion. These are grounds for an appeal to the courts if anybody wished to take one and more importantly, it is a demonstration that this is not a good public policy position for the State to take.

The Department is relying upon a section which is designed to prove a person's identity to the Minister. That is a laudable and necessary part of any social welfare system. After all, State money is being handed out to individuals. There must be a method of making sure that the people who should get the money are getting it. That is not the argument. The problem is that this is the sole lawful purpose for which this information can be collected. That purpose is set out also in section 347C, and when the Department cites the section it oddly leaves out this portion of it, namely, that the purpose is "to satisfy the Minister as to his or her identity". Once that purpose has been met, there is no lawful basis for further processing of those data. What is happening, however, is that in order that people be required to have a public services card, if they are to satisfy the Minister, the information is then being passed into the single customer view database where it is then shared with approximately 120 to 150 public agencies and bodies as necessary. That is processing over and above that which is allowed for under the national legislation, quite apart from the limitations the EU law has brought in, which I addressed earlier.

This is not a one-off. The State, and by the State I am not referring to any particular Government as these matters have been passed under the aegis of a number of different Governments but rather the administrative State, has a particular background in attempting to limit the effects of data protections for citizens and legislating away its own duties. For example, section 8 of the Health Identifiers Act 2014 attempts to interfere with the Data Protection Commissioner's independence by requiring her, if she undertakes an investigation into any form of breach or complaint in respect of the independent health identifiers database, to simply make a report to the Minister. I am aware the commissioner has already expressed her concern about that fettering of her independence, and that independence is written into European law as a requirement in any legislation at a national level which clashes with that. It is non-effective and should not be given effect by any part of the State.

Those are the individual legal bases that are cited but in terms of what has happened, what we have seen is a national identity card and national identity index, as it was described by Deputy Burton when she was Minister for Social Protection. She recognised that establishing a national index and producing a national identity card is a wider issue which is not part of the remit of the standard authentication framework environment, SAFE. That is the in-house developed, departmental internal standard, which is the basis on which these requirements are being placed upon individuals. She said it will require due consideration by appropriate agencies before any policy decisions could be formulated and would require the development and implementation of legislation to support any such policy. I agree with that. If one wishes to bring in a national identity card - a position I would argue against although I could lose the argument - it should be brought in openly with public debate and by way of grounding legislation where everybody knows what is happening and is given an opportunity to weigh in.

There are political and legal issues about national identity cards. That was seen in the United Kingdom where an attempt was made to bring in a national ID card system under the Government of Tony Blair and, subsequently, under Gordon Brown's Government. That was eventually scrapped when the legislation could not get the support it needed through the Houses of Parliament. The subsequent database, which ran to many millions of people, was erased because it did not have any basis. I do not want to see Ireland reaching the position the UK reached where it wasted billions of pounds on building a database that was eventually scrapped because the legislation could not be got through the Parliament. I do not believe that was the right thing to do but they did the right thing in facing up to the necessity to have that public debate before it brought in the law and to bring it in by way of primary legislation.

I have made written notes on the discussion in respect of the legal situation regarding the single customer view database. It is rather detailed and for the purposes of the submissions today I would like to deal with one side issue, which I have marked as a side issue because I do not believe it is central to the discussion but is indicative of the Department's approach to these queries. Are the single customer view and the public services card database a biometric database? I have said what is the helpfully short and easy definition of biometric data. It is taken from Article 4.14 of the general data protection regulation, GDPR, which states that biometric data means "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person". It gives two examples of biometric data, namely, facial images or dactyloscopic data, which are fingerprint-related data.

The Department is currently holding to the position that its database, which contains very high resolution and biometric level facial imagery of everybody who has been carded, does not include any biometric data. That is at odds with the European law's definition of biometric data and it means that the Department is arguing for its own new definition of biometric data, which is that data such as facial images, fingerprints and perhaps even iris scans, which are referred to in the SAFE 3 standard, may be stored but none of those count as biometric data. It is only when that data are run through a piece of software and some biometric matching is done with them that they become biometric data. That would make a nonsense of the GDPR's protections relating to data collected from individuals because no one collects their output of a software scan. What is collected from them are the actual data relating to their physiognomy.

When presented with two readings of legislation, one of which would be irrational and the other rational, generally speaking, lawyers prefer to believe that the rational one is the one that should be relied upon. The rational one is that biometric data is exactly what Article 4.14 says it is, and it includes facial images.

While it is a side issue, the reason I bring it up is that it shows the disconnect between people who are trying to advance what is quite a fact-based and heavily-researched position in terms of what is legal argument, in effect, to demonstrate that what the Department is saying is inaccurate, and the Department's quite superficial response in respect of those very seriously held concerns. The Department would not answer questions from the lady who is present today and whose pension was cut off. The question she was asked was, "Can you show me the legal basis for requiring me to get this card?" If it showed her the legal basis for requiring her to get that card, she would have got the card. The problem was it never answered that question.

I have had this experience on behalf of a separate client, where I wrote seeking exactly the same position because my client received a letter from the Department of Social Protection saying it was now a legal requirement to get one of these cards and to attend to be carded if she wished to continue to get her child benefit. She contacted me and said she was not having any luck in receiving an explanation as to what was the legal basis that required that attendance. I then wrote to the Department. It ignored my letters for slightly under one year, during which I got no response whatsoever. Eventually, I phoned the Department and said I had not been given any response. I was told I would receive a response shortly and when I did receive it, I was told, "We will not be answering your question and we are forwarding this matter to the Chief State Solicitor to answer". When I received a response from the Chief State Solicitor, I was told: "We will not be answering your question because the matter is moot because your client did not lose her child benefit, and, therefore, there is no legal issue."

From the point of view of citizens, what has happened here is that the State has written out to them and told them there is a law that makes them do a thing. That is a very significant issue as the thing it is asking them to do is quite intrusive in terms of their human rights. They are told to come to a place, be registered by the State, have a photograph taken and have that loaded into a State database. It is not unreasonable to ask, "What is that law?" It is very telling that when that question is asked, the response is not to answer the question but to ramp up in respect of threats and then, when threats do not work, to simply move on to the next person who may not have the benefit of a lawyer asking the question for them.
