Mr. Tim Duggan:

I am sure the committee will. I do not need to tell members there has been much discussion in recent months about the standard authentication framework environment, SAFE, and the public services card. Unfortunately, quite a bit of it has not been entirely correct and it has led to some degree of confusion. As the committee knows, last year we published a comprehensive guide to SAFE and the public services card and we sent copies to all members. I hope they have had a chance to read it. We published it, essentially, to give people a better understanding of the entire programme and to try to answer many questions that were emerging in media and political circles at the time. Additionally, we came to the House and presented to Members and their staff last September on the programme. Again, I asked the secretariat to circulate a copy of that presentation, again with the intention of trying to answer some questions that members might have on the programme.

The SAFE public services card programme is simply about verifying the identity of people engaging with public services. It is no more or less than that. Everyone accepts that the public service has an obligation to know who it is dealing with and to whom it is providing services, entitlements and payments. There are a number of really good reasons that is important. Public bodies need to ensure they are providing services to the right person and ensure that somebody else is not pretending to be that person, as well as to ensure the person is not claiming to be somebody else, either with a real or false identity. That is needed to safeguard public services and public moneys, so as to ensure they are not incorrectly or mistakenly delivered or to ensure they are not fraudulently achieved by someone.

Public bodies need to be sure of who they are dealing with so they do inadvertently expose personal and sensitive data to the wrong person, again either by accident or because somebody is perpetrating fraud. We need to do this to ensure we comply with data protection law and that we safeguard the privacy and confidentiality of individuals engaging with us. As all public bodies need to verify the identity of people to some extent in the provision of services, it makes sense we do it in a way that does not require an individual to go through time-consuming processes to prove his or her identity over and over again. In other words, a person should be able to verify his or her identity once and it would hold for all interactions with public bodies. We do this to ensure efficiency in the delivery of services; this includes efficiency for the public service and, equally, efficiency for the individual engaging with us. Finally, there is now and expectation - even a demand - that public services can be provided digitally. As a result of the remote and non-personal nature of digital engagement, it is impossible to know with whom one is dealing online unless the identity is verified with tokens in advance. Consequently, an identity verification process is critical to being able to platform services digitally.

In the past, identity was relatively easy to verify as most people were known in their local communities and their identities could be testified to by other local individuals, such as doctors, teachers, gardaí, clergy, etc. However, given the remarkable changes the country has experienced in the past few decades, when we have seen considerable immigration, significant population growth and greater urbanisation, we are now a much more diverse and cosmopolitan society. The traditional ways we had of establishing and verifying identity do not work as well as they used to. Consequently, in 2004, the then Government tasked a senior level interdepartmental group with developing a framework or standard for establishing and authenticating the identity of individuals in their engagements with the public service. That work was completed and agreed by the Government in 2005. The framework emerging from it was called SAFE, which means standard authentication framework environment, and it comprised four levels of identity verification, which we set out at question No. 1 in the comprehensive guide, if members wish to look through that. I can go through it in details if members wish.

This is very similar to the approach taken in other countries, both at that time and since. It is also very similar to various kinds of standards set out by different groups dealing with identity over the past couple of decades. Most of them have adopted a similar four-tier model to what has been set out in the SAFE framework we have in the comprehensive guide. Under this framework, the traditional ways of verifying identity would be classed as SAFE 0 equivalent, where no PPS number was involved in the transaction, or SAFE 1 equivalent, where a PPS number but very little else was involved. In the first case, identity is asserted with no assurance and in the second it is being established on the balance of probabilities only. SAFE level 2, on the other hand, involves many factors, and we have set out the processes involved in the comprehensive guide at question No. 7. It is the combination of all those factors that make it different and which allow identity to be verified to a substantial level of assurance. I can go through that in minute detail if anyone on the committee wants me to. As it is capable of verifying identity to a substantial level of assurance, it is now Government policy that it should be the level of identity verification required to provide high value and personalised services to people for the four big reasons I mentioned at the start.

It is always important to keep remembering that this is about verifying identity only and nothing else really. The data collected during a SAFE 2 identity verification are the basic identity data items one would expect to be collected when somebody is verifying identity. Essentially, they are the same as those used by most modern public services throughout Europe and the world. They include elements such as name, address, date and place of birth, nationality, sex, former surnames, photo, signature and, in Ireland's case, a PPS number. This is called the public service identity data set, or PSI.

We have provided again full details of that data set in the comprehensive guide. It is also important to note that the public service identity, PSI, is not new. It has existed in various formats since the 1970s, when PPS numbers were first introduced as RSI numbers. It has been around for a long time. For the majority of people, the public service has all of the data already that are in the PSI. Therefore, the SAFE identity verification process is not collecting any new data for those people. It is simply verifying the basic identity data that are already held in the PSI. The process is only collecting all of the data afresh or anew where a person does not have a PPS number. In most cases, those are adults coming to Ireland from abroad.

Once a person successfully completes a SAFE 2 process, he or she may be issued with a public services card as a physical token of proof that he or she has successfully identified his or her identity to a substantial level of assurance. That is all that the card is; a physical token of proof that the person has been through the process and verified his or her identity to a substantial level of assurance. It means that a person who gets a public services card does not have to engage in further identity verification processes when dealing with the Department of Employment Affairs and Social Protection or any other public body. In addition, a person may be provided with an online MyGovID account, as digital proof that he or she has successfully identified his or her identity to a substantial level of assurance. Then using that account, because it provides that proof, he or she can access public services digitally and access his or her own information and data digitally.

In the context of SAFE, the public services card, PSC, and MyGovID, the only data that are shared with other public bodies is that basic identity I listed earlier - nothing more. It is only shared in the context of that public body being a specified body in the legislation, having a transaction with the individual concerned and in the performance of its public function as it relates to that particular person. Additionally, these basic identity data are the only data that are stored on the public services card. It is important to note that contrary to some misleading information from some commentators, the PSC and the data sharing arrangements for identity data do not contain any other data or information on people, such as people's means, financial data, scheme data, relationship data, health, medical, property or asset data. No such data are on the public services card and no such data are transferred in the data sharing arrangements that are in place around identity. The public services card does not provide access to data of that kind.

We have set out in the comprehensive guide the various legal bases for SAFE identity validation for the PSI and for PSI data sharing and we are fully satisfied that these provisions provide a robust legal basis for the approach we have taken to identity verification. Although the only data involved in the SAFE process are those basic identity data, we endeavour as best we can to ensure they are secured as best as possible. Again we have set out in significant detail in the comprehensive guide how we have done that. We have covered aspects such as the secure storage of the data, how we use role-based access to them, the obligations and training that staff must go through, the logging and auditing that we do, the encryption that we employ when we are transferring them, the destruction of the data in the company that produces the card and the various security features on the physical card itself. It is worth noting that we have a dedicated unit in the Department that deals solely with information security generally and is our direct liaison with the Office of the Data Protection Commissioner.

In this context, the Department is acutely aware of the general data protection regulation, GDPR, and its impending deadline of 25 May 2018. In this regard the Department has established its own dedicated implementation team, which is undertaking a major programme of work to ensure compliance with the GDPR. It has specific work streams on legislation, communications, information provision, information sharing, the forms that we use and the systems that we use. In addition, our staff, both front-line and at management level, are getting specific GDPR training and awareness and all of that work is being overseen by a very senior level data management programme board and it is a regular feature on the management board agenda.

We note that some people have highlighted difficulties accessing and comprehending some of the legislative provisions relating to the Department's identity verification processes, given the amount and complexity of social welfare legislation generally. Accordingly we have published an administrative consolidation of the Social Welfare Consolidation Act 2005, in which we have endeavoured to encompass all Acts since 2005 up to and including the Social Welfare Act 2017. That is now available on the Department's website for access. As is usual with such administrative consolidations, it comes with the usual caveats about errors and omissions and cautions against using the text in legal proceedings. However, we hope it does help people to better understand the legislative provisions relating to these matters.

Following on from that, we also note that a number of commentators have expressed concerns about section 5 of the Social Welfare, Pensions and Civil Registration Bill 2017, which proposes to allow individuals to voluntarily provide their PSC to non-specified bodies, as proof of identity. We note that some of those commentators have expressed a view that this proposal will result in current protections being withdrawn and that as a result, private companies will have access to the identity data. Let me make it really clear to the committee that nothing could be further from the truth. It is exactly the opposite. At present, only public bodies specified in legislation and currently included in Schedule 5 to the Social Welfare Consolidation Act or their agents can ask for and use the public services card. The current proposal in section 5 of the social welfare Bill does not change this at all. That protection will remain if that legislative proposal is adopted. It will not be watered down or changed in any way whatsoever.

However, as the law currently stands, even if a card holder volunteers his or her PSC, a private sector organisation would be committing an offence by accepting it as it is not a specified body. Our customer feedback is that people should be allowed to volunteer the card to non-specified bodies if it suits them to do so for the purposes of verifying identify, such as when signing up to a utility company contract or opening an account with a financial institution. Therefore the legislative proposal is that non-specified bodies that accept a PSC that is offered to them voluntarily by the holder should not be prosecuted or at risk of such prosecution. At the same time, such non-specified organisations should not be able to request or force a person to use their PSC and that would remain an offence. In other words, the key issue is that the volunteering of the card is at the heart of the transaction. Furthermore and for the sake of absolute clarity the proposal in no way allows a private sector body to access the customer data on the card chip or any Government database. It simply allows such bodies to view or accept the card as a form of identity and stops it being an offence for them to accept it - similar to any other State-issued identity documents, such as a driver's licence or a passport. This measure will be beneficial to holders of the public services card most especially those who do not hold a driving licence or a passport. It is the Department's view that it is their identity and as such, the holder should be allowed to volunteer it if he or she so chooses, even in a commercial setting.

As the committee is aware, the Office of the Data Protection Commissioner is undertaking an audit of the various elements of the identity verification infrastructure that I have described here. The Department is co-operating fully with that audit and has already furnished the Office of the Data Protection Commissioner with a great deal of information and records to assist it with that audit. The commissioner has now furnished the Department with her plan for the completion of the audit, including timelines and I believe the committee has been copied with that information. What members may not know is that the Commissioner for Data Protection wrote to the Department late yesterday evening and has slightly revised the timescale and pushed it out a little bit. Contrary to information provided by others to the committee, this is not the first time that the Office of the Data Protection Commissioner has used its powers to conduct such an audit and there are a number of examples of same on that office's website, including a previous one done in our Department some years ago. The Department looks forward to the preliminary findings of the commissioner and discussing them with her with a view to dealing as quickly as possible with any issues she may identify.

In the meantime, the Department will continue to conduct its business as usual, as is normal in such circumstances. I hope the foregoing gives the committee a reasonable understanding of the important aspects of SAFE and the public services card, PSC. My colleagues and I will endeavour as best we can to answer any questions that members may have.