Oireachtas Joint and Select Committees

Thursday, 8 February 2018

Joint Oireachtas Committee on Social Protection

Public Services Card: Discussion

10:00 am

Alice-Mary Higgins (Independent)

I have many questions, but I will try to ask a couple of them and come back with more if I have an opportunity.

What stands out for me from the Bara judgement is the specific point that the data subjects were not being informed of the transfer or processing. There is a question of full information and consent, which seems to be very crucial, and the extent and clarity of the information around the intended use of their information for those who have been issued with a public service card or have been told that they need one. It is very clear that we are not talking about a moment of identification but rather a person's information being given into a single customer view database. This relates to the transfer of information to a database. Are the purposes for the collection of this data provided clearly, adequately and in full? The general data protection regulation, GDPR, is very clear, and describes freely given, informed and full consent so that a person is able to agree to all of the potential uses of his or her data. Can the witnesses provide clarity on the issue of defined purpose?

I note that within the Government's response document, which was reissued to us in advance of this meeting, it is mentioned that where a specified body has a transaction with a person, the Minister may share the person's public services identity with the specified body to the extent necessary. That transaction provides authentication by the specified body of the person's public services identity. Does the Minister really have the right to determine and respond to requests that may come in from a specified body subsequent to a person having given their data to the Minister? It seems to me that such an after-the-fact use of data is proposed here.

The question of proportionate and necessary use of data needs to be clarified as well. It seems to be crucial within general data protection and indeed European law. There is a real concern about proportionality of response. We will make a person's access to their pension, child benefit, and information on SUSI grants - which I believe will open up a whole can of worms as it involves looking at a person's entire educational prospects - conditional upon them agreeing to undergo a process which does not have an agreed legal basis in terms that are recognised by the Data Protection Commissioner, and where there are clearly other ways in which the identification of the person could be conducted. It was made very clear that SAFE 2 is the system the Department of Employment Affairs and Social Protection has chosen to put in place and is not an international set standard. Could a Department or Minister be satisfied as to a person's identity on an individual occasion without the need for that information having to be transferred into a single customer view database?

It seems to me that there are two issues here which require individual and separate consent. There is the consent in terms of agreeing to undergo an identification process and there is also the question of what happens to one's data subsequently. I would appreciate clarity on those issues. It seems that there could be another appropriate mechanism which would potentially be more proportionate, particularly when the stakes are so high for individuals. I want to commend the woman who took her case in respect of her pension. We should not be relying on individuals to try to fix the law in this State. We should be making sure that we as legislators are getting it right and that we have oversight of what is coming through. We should not be looking at this on a case by case basis. It is very notable that the State has backed down in every individual case of challenge. There is a case here, and there is huge liability. It is very unfortunate, given that we have often heard our overstretched court system bemoan the fact that we open ourselves up to having to drive through the court system for every individual person's rights to be vindicated.

I note the Comptroller and Auditor General's involvement, and believe that it deals very explicitly with the question of the cost to the State. That issue will be of serious concern to all of us in terms of the uses of public money.

Mr. Herrick from the Irish Council for Civil Liberties, ICCL, spoke about the international context. I would appreciate if he could expand on that. I understand that India followed the same model; it was voluntary initially, then mandatory and compulsory. There are breaches there, but of course we have already heard of breaches within the Department of Employment Affairs and Social Protection. I believe the value of a recent breach was not €7 per person but €23 per person. That is of serious concern. There were also breaches in Sweden, and I know there are very serious concerns in China in terms of how information is being used and how data is gathered. That is a worst case scenario.

The ICCL has been working on other issues in this area for decades. How rare is the kind of investigation that the Data Protection Commissioner is carrying out now? I understand that this section ten investigation is unusual. Is it not the case that the previous Data Protection Commissioner also raised concerns?
