Regina Doherty (Meath East, Fine Gael) | Oireachtas source

I thank the Senator. I do not propose to accept any of the amendments which relate to the public services card and also to the general data protection regulation. I would like first to make some points about the public services card. When I get to the end of my contribution, the Senator might remind me about the fourth amendment, which is not included in this response, as I want to make a specific point about it.

The main legal powers providing for and relating to the public services card and the SAFE registration process are set out in the Social Welfare Consolidation Act 2005, as amended. They are as follows. Sections 262 and 263B provide for the verification of identity to facilitate the issuing and use of a public services number, the PPS number or PPSN. Sections 263, 263A and 263B provide for the verification of identity to facilitate the issuing, use and-or cancellation of a public services card.Section 241 provides that a person must satisfy the Minister as to his or her identity when making a new claim and sets out how the person might go about doing that.

Section 247C provides that an existing claimant must satisfy the Minister as to his or her identity, sets out how that can be done and provides for disqualification where an existing claimant fails to so do.

The standard authentication framework environment, SAFE, registration process is used by my Department to establish and verify a person's identity in order that it can be sure that the person using its service is the person he or she claims to be, that nobody else is using that person's identity for the purpose of claiming a payment or service, that the person is not claiming another payment or using another service under a different identity and in addition, and to minimise the requirement for people to provide the same identity information repeatedly when accessing different services.

SAFE is a standard for establishing and verifying an individual's identity for the purpose of accessing public services and was agreed by the then Government in 2005. The SAFE standard has four levels. SAFE 0 is no assurance of identity, SAFE 1 is the balance of probabilities and the minimum authentication level for the allocation of a PPS number, SAFE 2 is a substantial assurance and the minimum authentication level for issuing a public services card, PSC, and SAFE 3 is beyond reasonable doubt, for example, if we were ever in a situation where fingerprinting, which is real biometric data, would be required.

My Department is implementing SAFE 2 registration on a phased basis with its customers and the customers of other public services that require identity verification to a substantial level of assurance. Until recent times, many public services were provided to people who had their identities verified only to the SAFE 1 standard. For example, identity documents such as passports and driver licences were issued following SAFE 1 equivalent registration processes. Since the introduction of SAFE 2 registration in 2011, more services are moving to identity verification at this level to ensure a substantial assurance of someone's identity.

While it is a matter for each public service provider to determine the appropriate level of identity verification required for each of its services, it has been the policy of this Government and the previous two Governments that SAFE 2 registration is required for access to all services that require substantial proof of a person's identity.

My Department makes it clear to customers in receipt of welfare payments or entitlements that they need to register for the SAFE 2 verification process, in accordance with the relevant legislative provisions, to access or continue to access those payments and-or entitlements. Once customers complete the SAFE 2 registration process, they may be issued with a PSC. They may not be issued with one either, though, as customers do not have to have PSCs. The PSC is replacing older documents used to show entitlement to a benefit, including the social welfare services card and, in some cases, the paper travel pass for free bus and rail travel. Accordingly, it will in future be necessary to produce a PSC as proof of identity for certain types of transaction, including collecting welfare payments in cash at post offices and availing of free travel by old age pensioners and others who currently have the free travel pass.

The recently published Comprehensive Guide to SAFE Registration and the Public Services Card document is available on my Department's website. Compiled as part of my Department's ongoing engagement with the Data Protection Commissioner, it contains 54 detailed questions and answers that address a wide range of questions about SAFE registration and the PSC, including an explanation that, while the PSC stores a person's photograph, it does not store the arithmetic template of that photograph. It also explains that the arithmetic template is not stored in the public service identity, PSI, dataset that we hold offsite, nor is it shared with other public bodies. We can split hairs, but the Department does not hold biometric data. They are only taken in the registration process.

Appendix 1 of the guide lists the legislative provisions associated with the PSC. Appendix 2 contains the full list of specified bodies that may use PSI data under sections 260 to 265, inclusive, of the Social Welfare Consolidation Act 2005. Primary legislation can be used to add new bodies to this Schedule should we ever feel the need to.

The general data protection regulation, GDPR, which will come into force on 25 May 2018, will replace the existing data protection framework under the EU data protection directive and impose a general necessity to have specific legislative provisions underpinning the methods that organisations such as mine use to process data. The GDPR has significant implications for the way in which the public service does its business. By using a regulation rather than a directive, the EU legislature aims to have a more uniform application of EU data protection law across member states than was the case under the previous EU data protection regulation.

The GDPR is complex legislation. For example, it contains 173 recitals. These are the preliminary paragraphs setting out the objectives and intentions of the EU legislation and guide interpretation, but they are not directly binding. In addition, there are 99 articles, which are the operative provisions that are binding on EU member states. Due to this high level of complexity and even though the EU legislature has opted for a regulation, there remains a need for national implementing legislation to give full effect to the regulation at national level.

The House is aware that my Department collects and holds large volumes of personal data on customers. We are aware of the need to have adequate data protection policies, procedures and structures in place in line with the GDPR. Preparations for the GDPR are being overseen by my Department's data management programme board, which comprises many of the Department's most senior personnel. The Department has a dedicated GDPR implementation team in place and has commissioned external expertise to assist it with achieving GDPR compliance. My colleague, the Minister for Justice and Equality, has published the general scheme of the data protection Bill, and the Minister for Finance is working on a data sharing and governance Bill to simplify data sharing between public bodies. Officials from my Department are examining both legislative measures in light of the GDPR and the relevant rulings by the Court of Justice of the European Union.

There are strong frameworks and safeguards in place within the legislation governing the use of the PSC and the necessary steps are being taken to ensure compliance with the GDPR. The Social Welfare, Pensions and Civil Registration Bill 2017, which is progressing through the Dáil, includes a number of specific provisions relating to the PSC. That Bill would offer a more appropriate vehicle for discussing the issues raised by the Senator, given that, when we return in the new year, our GDPR scheduling team will have advanced its preparations and we will be closer to the 18 May deadline.

Regarding the final amendment to which the Senator referred, there is no legal requirement to produce a PSC. The card is a by-product of the SAFE 2 authentication process. Therefore, the number obtained upon completing the registration process is what is vital for accessing other services, for example, SUSI. It is not specifically the card that is the magic piece of information.