Alice-Mary Higgins (Independent) | Oireachtas source

I will do that. It is not a concern for the Minister but it is an important point in terms of the operation of work in this House.

The issue of bogus self-employment is important. The Minister knows it has been looked at and examined. How do we now look backwards at situations where tests cases may have been used? How can those who may have been affected appeal? I know this is an appropriate topic for discussion because in the past, with the Minister's predecessor, I have submitted many amendments. By comparison, today is an easy day. There were up to 40 amendments in previous years in respect of data protection and the Department of Social Protection. In 2016 and 2017, I specifically implored the Department to pause some of its practices relating to the public services card and the single customer view data set because of their incompatibility with the general data protection regulation. That has been vindicated and the Department has withdrawn its appeal against the report from the Data Protection Commission.

We know from the findings of the Data Protection Commission that there are certain legitimate uses of data within the Department. This is a core area that is dealt with in large sections of the Social Welfare Bill. Four or five findings of the Data Protection Commission now need to be acted upon. The report now stands and its findings are now binding and need to be acted upon. Much of the focus has, rightly, been on the second finding in the report, which it makes it clear that it is not appropriate to process personal data in respect of a person engaging with a specified body. That has no legal basis, despite our being assured there was a legal basis. There is a long list of specified bodies in the Social Welfare Act. It is in the legislation we are discussing. The aspect associated with driver's licences got a lot of attention. A large number of specified bodied had been hoping to use the card. It is clear now that there is not a legal basis for that. I commend the former Minister, Shane Ross, who was one of the only Ministers who, when myself and others raised legal concerns, took our legal advice in his response to that matter. He was right to do so.

The decisions relating to specified bodies stand. That is important, and has important implications. However, there are also findings that need to be addressed by the Department. It was found that insufficient information was given to many data subjects as to what was involved and how their personal data would be processed. It was also found that there were contraventions of Acts, including a contravention of section 2D(2)(d) of the relevant Act in light of a failure to provide data subjects with sufficient information concerning the relevant potential consequences for cardholders who fail to update their information.

Crucially, the third finding deals with the blanket, indefinite retention of personal data consisting of documents and information other than an applicant's photograph and signature which were originally collected for the purposes of identity authentication. People provided the Department with documents and were told they needed to do so for the purposes of verifying their identity. The signatures and photographs have been stored, and I will come to them in a moment. The Department has retained original documents and letters that were given to it by people seeking to prove their identity, those documents having performed the only purpose which is legitimate under the legislation. Those documents performed the purpose of verifying those people's identity. It has been verified. The Data Protection Commission, in the third finding in its report, makes it clear that the Department should not be retaining information or documents that were provided by people for the purpose of verifying their identity after that purpose has been conducted, which it has been at the point the people concerned are given their public services cards. The information should be retained after that point. This is important. These are the findings of the Data Protection Commission. There are obligations on the Department under section 2(1)(c)(iv) of the relevant Act.

The amendment relating to the public services card has been ruled out of order, even though the exact same topic has been discussed in at least three social protection debates in the past.Those are actions that need to happen now and need to be followed up. These are findings that need to be addressed. They are no longer challenged. This report is effectively standing now as an imperative. I hope the State, the Minister and her Department will take action on those findings and take action to resolve the issues that have been signalled and addressed in that regard. That is very important.

I want to compliment the very few people who did very good work and were very much framed as being quite outside the margins in having highlighted concerns in regard to these matters, including some very good legal experts and human rights and civil society advocates, and some individuals who were simply concerned about data protection rights and who raised those issues.

There are two or three other reviews under way at the moment by the Data Protection Commissioner. One that is very important relates to the treatment of biometric information, which can include photographs. I encourage the Department, and Deputy Humphreys, as a new Minister in this role, not to take the combative approach that the Department has taken in the past against this report, which dragged on for years. We saw that the cost, or the expenditure, went up by €30 million for these cards. Millions of euro were spent for long after the alarm bells started ringing. The cost of the PSC has ended up being huge. It jumped from €60 million to €90 million, or perhaps it was €30 million to €60 million, but it was a lot. The Department and the Minister should engage constructively on biometrics, particularly the fact that photographs, as biometric data, need to be treated separately as a special category of personal data and need to be stored separately and differently.

One of the other concerns identified in the report, which sends signals, was the concern regarding insufficient security, or perhaps less than ideal security and controls in how that single customer view dataset is accessed and used. We do not want to create a honeypot for hacking, which the Department of Health has experienced. Let us make sure the Department of Social Protection does not end up being a repository of an excessive volume of information, some of which is not rightfully being held, on millions of people. It is very important we get this right.

Ireland is one of the key data regulators for Europe. We are at risk of losing that role if it looks like we, as a State, want to evade those responsibilities. We need to step up and show leadership, and try to push ourselves, as a State, to best practice so we can then be credible in holding the private sector and the many corporations in this area to the highest standards as well.