Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

I thank the Chairman and committee members for the invitation to meet them today to discuss Ireland’s implementation of the EU digital Covid certificate. I am joined by Mr. Barry Lowry, the Government chief information officer. He also attended the meeting yesterday.

As the committee knows, I am a Minister of State at the Department of Public Expenditure and Reform and my various responsibilities include eGovernment. It is on this basis that I recently agreed to take on responsibility for the issue of the EU digital Covid certificate. I am aware the committee had a long and detailed session yesterday with various senior officials and is now developing a good understanding of the extent and scale of the technical and logistical challenge we faced in this programme. Therefore, I will try to use my opening remarks to develop, where possible, what Ms Liz Canavan said yesterday.

As the committee is aware, the EU digital Covid certificate regulation entered into application on 1 July 2021. It was developed to facilitate the safe free movement of citizens in the EU during the Covid-19 pandemic. It is proof, in digital or paper format, that a person has either been vaccinated against Covid-19, received a negative test result recently before travel or recovered from Covid-19. The recovery certificate is valid for 180 days from the time a person tested positive for Covid. Providing a certificate for each of these episodes has required a slightly different process, which I will explain later.

While the digital Covid certificate is not a travel document or a passport, it will help people to travel safely within the EU and EEA during the Covid-19 pandemic. It is not a prerequisite to travel. You do not have to have a digital Covid certificate to travel within the EU. The EU digital Covid certificate, DCC, programme in Ireland has been developed by a senior cross-departmental group chaired by the Taoiseach's Department. I congratulate that group and its staff on the success achieved to date. My Department, through the Office of the Government Chief Information Officer, OGCIO, is responsible for the technical component of EU DCC production.

The European Commission has built a gateway through which all certificate signatures can be verified across the EU. Each member state is responsible for, first, maintaining connectivity to the gateway and, second, ensuring the gateway holds the correct QR code key for each country, which means it has been signed with what is called a private key that each country owns. This is required to enable one country to verify the digital Covid certificates produced by other member states. Third, each member state is responsible for ensuring it updates its trust lists frequently. This is an important part of the process. A trust list allows one country to verify the QR code of another and to verify that code in the context of the admittance rules for the country of destination. For example, someone travelling from Ireland on a certificate based on an antigen test would fail if the country of destination did not accept antigen tests as being sufficient. Ireland currently only accepts PCR tests for admission with regard to quarantine rules. The EU recommendation is to download the trust list every six hours, which Ireland does. We then ensure the verifier app, which the committee heard about yesterday, refreshes every time it is opened. This creates the capability to verify another member state’s certificates. In Ireland, we do this through our verifier app, which is already in operation.

This all means we have one of the most robust implementations of the digital Covid certificate across Europe. On 30 June, Ireland connected to the EU digital Covid certificates gateway. This was a milestone, as I have explained, in helping ensure that, first, the digital Covid certificates issued in Ireland are recognised by authorities in other EU member states and, second, that Ireland can verify digital Covid certificates for travellers arriving from other EU member states and apply the public health rules associated with those digital Covid certificates.

The session yesterday gave a sense of the wider programme. I will focus on the technical solution. This involves several bodies working together, and I thank them all for their commitment and hard work to date. First, I will talk about vaccination certificates. The HSE produces a batch of files of data for processing. In line with GDPR, each file contains only the data required for certificate production. A batch file can be either for email or print and post. This is done by examining the email field in the record. If that field is set to null, we know the certificate is to be posted. The second step is that each record in the batch is converted into a certificate by the Office of the Government Chief Information Officer and its partner organisation. A series of validation processes are completed and, once everything is checked, the batch is sent either to Revenue for print and post or to the OGCIO cloud email server. The final step is the certificate is issued by Revenue for next day post or the cloud email server for imminent delivery.

For recovery certificates, the first step of the process is different. It is a pull instead of push process. It is done on request rather than by a pre-emptive sending of the recovery certificates. The reason for this is that when the HSE was informed of a positive Covid case, it collected information for the purpose of track and trace, not for production of a future recovery certificate. Consequently, where an individual has been tested as positive by the HSE within 180 days and is reliant on recovery rather than vaccination for the digital Covid certificate, he or she can contact the helpline, which will verify the caller’s ID and collect the remaining required information, including valid email address. From then on, the steps for issuing recovery certificates are the same as for vaccination certificates.

If you are not vaccinated and have not recovered from Covid, the last option is to get tested shortly before the journey and show you are negative, unlike the recovery certificate, which says the holder is positive. This process is different as we use, and will continue to use, private testing for the purpose of safe travel. In other words, the Government is not the data controller. What is different now is the State’s obligation under the regulation to produce a certificate for a negative test. Technically speaking, we use a similar approach to that with the HSE. We use an application programming interface, API, to receive the data from the private tester and then return a certificate for each test to the tester for issuance to the customer. It is essential the tester accepts responsibility for ID verification, correct testing, accurate data input and the security and data management of its end of the process.

Consequently, approved access to the EU digital Covid test certificate service is contingent on test providers being compliant with the relevant national and EU regulations in respect to SARS-CoV-2 testing, associated public health measures, and the standards and obligations detailed in the standard operating procedure. The detailed instructions for how this will work were posted on gov.ielast Friday. Prior to receiving access to the EU digital Covid test certificate service for test certificate generation, providers are required to review and digitally sign the standard operating procedure and return it by email to an address given on gov.ie, digitalcovidcerts.business@per.gov.ie. The first engagements with responders are already beginning to happen.

As was mentioned yesterday, it is hoped an upgraded version of the Covid tracker app will be available next week. This will not be necessary to use the digital Covid certificate; it is simply to allow people to upload their certificate, whether paper or PDF, to a wallet on their phone if that is their preference rather than carrying it around on a sheet of paper. The Covid tracker app serves as a pandemic response tool and provides a number of functions, including exposure notification, information platform and the check-in function. These are independent of each other. I repeat what was said yesterday: it will be possible for people to disable these features and use the tracker solely as a digital wallet to store their digital Covid certificate on their phone, should they wish to do so.

Data governance has been the subject of ongoing engagement with the Data Protection Commission to ensure the process is fully compliant with GDPR regulations. The HSE and the Department of Health are the joint data controllers, the OGCIO is a data processor, and Revenue is a subprocessor. The requisite data controller and data processing agreements are in place for any data transfers in respect of the generation of vaccination-related certificates. All other requisite processor and subprocessor agreements will be in place prior to any transfer of data.

I hope this statement helps to build upon the information provided by Liz Canavan and the senior officials’ group yesterday. I reiterate that the primary focus throughout the planning and delivery of this programme has been to fulfil our EU obligations in a robust and effective way, including operability by 1 July in the context of EU compliance and delivery of certificates to eligible members of the public in line with Government’s proposed lifting of restrictions on non-essential travel on 19 July. In doing so, we have had to be mindful of developing the certificate in a way which provides the greatest assurance, in line with data protection, as regards sensitive personal information.