Oireachtas Joint and Select Committees

Thursday, 22 February 2018

Joint Oireachtas Committee on Social Protection

Public Services Card: Discussion (Resumed)

10:30 am

Photo of Alice-Mary HigginsAlice-Mary Higgins (Independent) | Oireachtas source

I hope there will be a second round of question, but I will try to focus.

Others have spoken about a person having no more and no less than what is required to satisfy the Minister as to his or her identity. Perhaps the delegates might specify why, for example, a passport or a driving licence cannot satisfy the Minister as to a person's identity? Is it not really the case that this is about the single customer view database? The delegates are not really asking people to come in on one occasion to satisfy the Minister as to their identities. The new element is that they are asking people to agree to having their information included in a single database which would have other uses. There is the question of whether it is necessary and proportionate to do this under the general data protection regulation, GDPR. It may well be necessary and proportionate to have somebody prove his or her identity to access a payment or benefit, but is it necessary and proportionate to require somebody to commit his or her information to a database which can be accessed by approximately 40 bodies? Perhaps the delegates might clarify how many specified bodies can access the database. I know that they will say this is the basic information and that the bodies will identify it in this way. Nonetheless, it is a large number of bodies. As I understand it, others may be added by legislation without necessarily having a requirement to obtain consent. The potential to add other bodies is important.

The delegates mentioned that the public servicew card would simply be used to confirm identity. It would be useful for me to know that no further information is contained on it. Will there be a record of the number of occasions on which a person's identity has been verified and by whom? Will there, for example, be a situation where one will be able to say the driving licence service, the health service and others have checked a person's identity? That brings us to the issue of public or private bodies potentially accessing the information. There is a blurring of the lines in the Data Protection Bill where private companies contracted by the HSE and others, for example, will be reclassified as public authorities. While they may not be specified bodies, there is ambiguity about which people may be concerned.

There are key questions about the roll-out of the public services card. The phrase "optimised citizen experience" was used. It certainly was not an optimised citizen experience for many of those who were effectively threatened and, in many cases, would have had their payments cut off if they refused to agree to their information being included in a single customer database. To clarify the position in the case of the woman whose pension payments were withheld, she did not say she did not want to have a public services card but that she wanted to know what was the legal basis. While her payments were restored, as I understand it, the legal basis had not been satisfactorily illustrated to her. Crucially, it has not been been illustrated to the satisfaction of the Data Protection Commissioner. There is an ongoing investigation in that regard.

In response to Mr. Lowry, this is not about being pro or anti-digital, nor is it about the digital or data future.

The people who are most concerned are the ones who are most engaged and most keen for us to take a responsible approach to the digital world and data protection, given their increasing importance. This is not a Luddite concern but about doing things properly. If the public services card is as crucial as we hear it is, should we not be deeply concerned about getting it right? If we are to be the main regulator of private company data regulation in Europe, should we not set high standards for ourselves? Nobody is complaining about doing things online, but people are complaining about the lack of due respect for data protection rules. Would it not send a very worrying signal if Ireland decided that it did not want to wait to satisfy the concerns of the Data Protection Commissioner? She is looking at the legal basis and the appropriateness of the technological and organisational systems. Mr. Duggan mentioned a previous data commissioner who had expressed concern in these areas, as well as dissatisfaction with the measures in place within public bodies.

Comments

No comments

Log in or join to post a public comment.