Oireachtas Joint and Select Committees

Tuesday, 28 September 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

Scrutiny of EU Legislative Proposals

Mr. Barry Lowry:

The digital Covid certificate is probably a template for how interoperability can work across the EU and the EEA member states. The digital Covid certificate itself is what we would call a "credential". In other words, it is a proof given by the Government of Ireland that an individual who is resident in Ireland has received two vaccinations, or has recovered from Covid, or has successfully had a negative test, either a PCR test or whatever it happens to be. This is what we call a credential, in the same way that a person's driver's licence is proof that he or she has passed the driver test and has not driven in such a way that it has been taken back for a regulatory breach of driving rules. In much the same way in the private sector, a car insurance certificate is proof that a person has been through the process of insuring his or her car, which means that should the person have an accident and is at fault then the other driver is protected. We call all of these things credentials. The digital wallet seeks to find a way to safely collect all of these credentials together and can use them in a way where the individual has full choice and full control.

That is important. When this idea of individual sovereignty or self-sovereignty is talked about, it means you control what happens to your data. That is obviously compliant with the GDPR and it is how we have always understood data works. If I decide to go and get health insurance I would have to reveal information about my health to that provider because it is entitled to know it for the purposes of how it insures me and how much it will cost. That is what the GDPR calls proportionality and specificity. The insurer does not need to know other information about me, such as my bank details and so on, but obviously if I took out a car loan it would be entitled to know some of that information, and so on. The purpose of this is to ensure that for every transaction I wish to complete, parties involved in that transaction, whether it be a public service or a private one, only see the information relevant and pertinent to that transaction. If I no longer require that transaction with them, they no longer see that information about me. Those are really the underlying GDPR principles that have to be applied in this model. If they are not successfully applied in this model then the European data protection commissioners will insist they revise the model until it is acceptable.

I have not read the input into this session from our Data Protection Commissioner but I suspect that is broadly what it said because it can see how it works. However, it will be ensuring all principles of GDPR will be adhered to right through the process. Mainly, those are that as an individual I can participate in this, entirely through my own choice, and I can cease to participate in this through my own choice and my data will be removed.
