Alice-Mary Higgins (Independent) | Oireachtas source

I move amendment No. 1:

In page 11, between lines 12 and 13, to insert the following:“Amendment of Social Welfare Consolidation Act 2005

16. Section 242 of the Principal Act is amended—

(a) in subsection (4)—

(i) by the substitution of following paragraph for paragraph (a):

“(a) his or her public services card,”,

and

(ii) by the substitution of following paragraphs for paragraph (b):

“(b) a card that has been issued to the person by the Minister under section 264 and such other information or documentation as the Minister, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of authenticating the identity of that person,

(c) an Irish Passport and such other information or documentation as the Minister, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of authenticating the identity of that person, or

(d) such information or documentation as the Minister, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of authenticating the identity of that person.”,

(b) in subsection (6)—

(i) by the substitution of following subparagraph for subparagraph (b)(ii):

“(ii) such other information or documentation as the Minster, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of

authenticating the identity of the appointed person, or”,

and

(ii) by the insertion of the following new paragraph after paragraph (b):

“(c) such information or documentation as the Minster, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of authenticating the identity of the appointed person.”,

and

(c) in subsection (7), by the substitution of following subsection for subsection (7):

“(7) Where a person fails to comply with subsection (4) or (6), payment of benefit may be withheld until such time as the identity of the person is authenticated. Possession or production of a public service card shall not be a mandatory requirement for the payment of a benefit.”.”.

I welcome the Minister for Employment Affairs and Social Protection, Deputy Regina Doherty, to the House. The issues I am speaking to in amendments Nos. 1 to 4 do not concern specifically the public services card itself but the manner in which it is being rolled out, the database to which it is attached and the procedures under which specified bodies are accessing the data. I recognise that many of these issues will be examined in the Social Welfare and Pensions Bill but the immediate concern is that the card is being rolled out in what I believe to be a heavy handed fashion. We have been told that it is "mandatory" if not "compulsory" and, increasingly, we are hearing story after story emerging of those who are being denied access to essential services or supports which allow them to live a dignified existence if they are not willing to participate in the process by giving their data over to have it fed into the single customer view dataset. This, of course, is where data gathered for the public services card goes.

During the summer we heard the case of the pensioner who was denied her pension and then later granted it despite strong avowals that she would not be able to access it and would have to forfeit it. More recently, we have heard cases of students being denied access to important student grants made under SUSI which allow them to attend college. We have heard of the multiple letters to people telling them they need to attend or may lose child benefit and essential payments.

I do not believe that the Department or the specified bodies, such as the Road Safety Authority in terms of the driver's licence, which are demanding people have a public services card are acting within the set boundaries. We have not yet been satisfied that there is a legislative basis to allow the demand to be made and to allow for the mandatory possession of this card in order to access essential services. We have not seen a satisfactory mandate and very serious concerns have been raised around, for example, the single customer view dataset. Information obtained under the freedom of information regime highlights that the 2009 ministerial agreement which allows data to be shared between the Department of Employment Affairs and Social Protection and the Department of Public Expenditure and Reform was not signed by a Minister. That is a small concern in the bigger picture but it is an example of a lack of robustness in how this information is gathered, stored and shared.

More importantly, serious concerns have been expressed by the Data Protection Commissioner. In response to questions posed, the Data Protection Commissioner received a number of answers from the Department and, subsequently, initiated a section 10 investigation. This is the first time the Data Protection Commissioner has launched a section 10 investigation, which is an investigation into the storage, collection and sharing of data within the Department of Employment Affairs and Social Protection. Of course, it also points to that wider question about the single customer view dataset. This is a real concern but this is not the first Data Protection Commissioner to be concerned. The outgoing Data Protection Commissioner also expressed extreme concern about how data was managed in the Department. This is not to point at the Minister or any officials. However, these are the concerns of those who we, as a State, appoint to guard us and ensure that the proper data standards are met.

My amendments seek to further clarify and underscore the situation. I believe the Minister has the discretion to accept forms of identification other than the public services card. I also believe that specified bodies do not have the power to insist on production of a public services card. My amendments seek to clarify, lest there be any doubt, that there is the capacity to accept "such other information or documentation as the Minister, an officer of the Minister or a payment service provider, as the case may be, may reasonably require for the purposes of authenticating the identity of that person". It spells out that the reasonable requirement may not necessarily be the public services card.

For example, if the SAFE 2 standards are the Minister's primary concern, in determining eligibility for a payment it is at her discretion to demand that SAFE 2 standards be met on a single occasion. I believe the Minister would probably have better sanction for demanding that the SAFE 2 standards are met in order to consider and determine eligibility for a payment. Where the question mark arises is in the addition of that information into the single customer view dataset and in the subsequent sharing and accessing of that information by more than 40 specified bodies. There are huge questions about whether those who give their data for the purposes of accessing a payment can be said to have agreed to the data being used for what is sometimes called excessive or additional processing by these specified bodies. There is a question mark there.

In terms of the regulations which we, as a European community, are bringing into play from spring onwards, the general data protection regulation sets out clear parameters on the storage and processing of information and, crucially, on consent. The bar that it sets is for full, fairly obtained and informed consent. In terms of "full" and "informed", the question is whether people have been fully informed as to all the uses the data they are given will be put. In terms of fairly obtained, was the information gathered or compelled by threat? If so, it will fall short of the standards of the general data protection regulation. It is hard to see how the potential loss of payment, loss of access to education or loss of the right to drive would not be seen as a threat and an attitude of compulsion.

There may be many who voluntarily, willingly and perhaps enthusiastically sought a public services card.However, those who have been compelled, and who we hear of being compelled, or who are told this is the only form of identification which will be accepted, are having their rights effectively violated. Subsequent to the general data protection regulation, GDPR, coming in during mid-spring next year, it will apply not only to the gathering but to the use of that data. Therefore, those who are compelled to give their data, if those data are used subsequent to May or June, whenever the GDPR is initiated here in Ireland, will have a case. The GDPR comes with very substantial fines, which go up to 4% of a body's turnover.

It is a very serious issue and this is why, in these amendments, I am effectively seeking to encourage the Minister to exercise her control and discretion to ensure we strive to ensure we are as compliant as possible going into that period and that we do not leave hostages to fortune in the future. Effectively, we have seen the concerns raised by the Data Protection Commissioner and a doubling down of the roll-out. This is an urge and a plea, effectively, for the Department of Employment Affairs and Social Protection and the Government, through the Department of Public Expenditure and Reform, to stop digging on the public services card because they are creating trouble for us down the line as a nation.

In terms of the question of fraud, which was the heavily used justification in regard to the risk of people presenting with the identification of others, we saw in the Committee of Public Accounts recently that the figures on fraud proved to be highly exaggerated, although there were concerns. What had been reported to be fraud levels of 2% turned out to be 1.4% departmental error and just 0.6% fraud. What tiny fraction of that can we assume to be based on the presentation of false identification? Is the only way to recognise this false identification through the application of SAFE 2 and the rolling out of a hugely expensive public services card? I believe the imposter argument at the front line of public services is a straw man. I think the incidence is very small. If a straw man is presented to us as policymakers, we need to challenge it because there is a far more robust and more serious threat on the other side.

Although I have spoken at length, I want to speak also to the amendments as a whole and I want to add specific sentences in regard to each amendment, and why I hope the Minister might accept them. I recognise that, in the current world, data are mined and used as currency. Many of the threats to citizens have been in terms of how their data are used by corporations. As Europeans, we have taken a strong stand and I am very proud of Recital 169, which we have collectively produced. However, even though it may mean changing historical practices, what we have done here with the public services card is a case of layering a new entity over historical practices rather than fundamentally rethinking how we do consent or how we gather data. We need to hold ourselves to the highest standards in order that we can legitimately represent our citizens and protect their data in the wider data sphere, and in order that we can ensure that people feel empowered, even though they are living in the modern world and are accessing information.

I do not think those who oppose this are Luddites. If anything, some of the people who have opposed this and spoken about their concerns are those who are most engaged with technology and who want to ensure we are acting in such a way that citizens are empowered around how their data are used and collected. That is something we should aim for collectively. Of course, there are also those who are very vulnerable and frightened and who have taken this card and expressed the view that they are not sure what they are signing up for, which they are not. Those concerns have also come through to us. For example, with regard to pensioners, we saw the case of a person who had been adopted and had to give excessive and inappropriate information in that context.

I believe it is already the case that the Minister has discretion to accept another form of authentication for identity. Nonetheless, the first amendment seeks to spell that out and does this under a number of criteria in the later subparagraphs. While there has been some ambiguity and we know that, under the European GDPR rules, one cannot make it compulsory for someone to share his or her data, we have been told it is mandatory. In that context, I am seeking to spell out that possession or production of a public services card shall not be a mandatory requirement for the payment of a benefit. Perhaps the Minister can reassure me of that in other ways but that is simply seeking to spell it out, even though I do not believe it should be necessary.

Amendment No. 2 sets out the requirement of a report which will set out and make clear the compatibility of all measures that will be put with the general data protection regulation. I know there are bodies within Government and within the Department of Public Expenditure and Reform working to implement GDPR but, given the kind of concerns I have highlighted today, I was targeting and looking for a specific report in respect of the public services card, SAFE 2 and the dataset gathered by the Department of Employment Affairs and Social Protection. My condition here would be that the information gathered for the purpose of the public services card should not be shared and should be essentially for single use by the Department of Employment Affairs and Social Protection for the initial function rather than being shared with the single customer dataset until we have those assurances. When we have those assurances and proper procedures in place, so be it. I am urging an approach which involves caution until we get it right, rather than ploughing ahead and then fixing it afterwards.

On amendment No. 3, there has been some ambiguity around the question of biometrics. A photograph which can be biometrically read is biometric. We have had different statements at different times from different parts of the Department around whether the photographs and cards are biometrics and whether we have had a proper debate on the use of biometrics. The simple fact is that if there is a photograph and it can be biometrically read, it is effectively biometric. If we are not ready to have the debate on biometrics, to discuss that properly and to look at the standards put in place, then for now, any photograph gathered for a public services card should not be shared, subjected to biometric reading or cross-checked against the database of biometric information. I realise there may be imperfections in how this amendment is drafted and I am happy to work on it for Report Stage, if necessary.

My final amendment in this grouping, amendment No. 4, is the one I feel I need to press because it is urgent, unless there is any other way the Minister can indicate that clear direction can be given. It states: "A person shall produce his or her public service card or other appropriate form of identification at the request of a specified body for the purposes of a transaction." Again, while I may look at amending this slightly and perfecting it, the key part of the amendment is: "No specified body shall make possession of a public service card a mandatory requirement for the purposes of a transaction.” That is a key concern. We have a situation where, at the moment, many of the demands for a public services card to be mandatory for specified bodies is based on a very shaky legislative basis, without proper consent having been given. I am simply urging that the State would exercise appropriate caution until that is addressed.