Written answers

Monday, 11 September 2017

Department of Employment Affairs and Social Protection

Public Services Card

John Curran (Dublin Mid West, Fianna Fáil)

1870. To ask the Minister for Employment Affairs and Social Protection if non State agencies or bodies have access to the information contained on the public services card; her plans to make this information available in the future to non State agencies and bodies; and if she will make a statement on the matter. [38190/17]

Róisín Shortall (Dublin North West, Social Democrats)

1936. To ask the Minister for Employment Affairs and Social Protection the data set held by her Department as the PSI; the manner in which this data is stored; if this data is stored solely by her department or by a third party on its behalf; the number of security audits that have taken place in the past five years; and if she will make a statement on the matter. [39003/17]

Róisín Shortall (Dublin North West, Social Democrats)

1938. To ask the Minister for Employment Affairs and Social Protection the private companies which have access to data held on the public services card or wider PSI; the sanctions in place for breach or misuse of this data; and if she will make a statement on the matter. [39008/17]

Róisín Shortall (Dublin North West, Social Democrats)

1939. To ask the Minister for Employment Affairs and Social Protection if an assurance can be given in respect of the security and confidentiality of the data held on the public services card; the legal sanctions which apply to breaches or misuse of this data; and if she will make a statement on the matter. [39010/17]

Regina Doherty (Meath East, Fine Gael)

I propose to take Questions Nos. 1870, 1936, 1938 and 1939 together.

Section 263 of the Social Welfare Consolidation Act (as amended) provides that:

(a) the following information is inscribed on the Public Services Card (PSC): forename, surname, Personal Public Service (PPS) Number, photograph, signature, card issue number and expiry date; and

(b) the following information is encoded on the chip of the PSC: forename, surname, date of birth, place of birth, sex, nationality, former surnames (if any), mother’s former surnames (if any), photograph, signature, issue number of the PSC, and expiry date of the PSC.

The above data (apart from the issue number and expiry date of the PSC) is part of the Public Service Identity (PSI) dataset as set out in section 262 of the Social Welfare Consolidation Act 2005 (as amended).

Section 262 also sets out how the sharing and use of the PSI data is restricted to public service bodies specified in law or their agents. Designation as a specified body requires primary legislation and as such can only be done by an Act of the Oireachtas. I am not aware of any plans to specify any additional bodies.

Section 262 provides that PSI data can only be used by a specified body for authenticating the identity of an individual with whom it has a transaction and in performing its public functions insofar as those functions relate to the person concerned. In addition, where a specified body collects any element of PSI data from a person, that information shall also be collected for the purpose of maintaining the person’s public service identity. Additional cover is provided by the Data Protection Acts as amended, Subsection 1 c iii of Section 2A, where personal data may be processed providing “the processing is necessary for the performance of a function of the Government or a Minister of the Government”.

The full PSI dataset consists of the surname; forename; date of birth; place of birth; sex; all former surnames (if any); all former surnames (if any) of his or her mother; address; nationality; date of death; certificate of death, where relevant; where required, a photograph of the person, except where the person is deceased; where required, the person’s signature, except where the person is deceased; any other information as may be required for authentication purposes that is uniquely linked to or is capable of identifying that person; and any other information that may be prescribed which, in the opinion of the Minister, is relevant to and necessary for the allocation of a personal public service number.

The PSI data set is stored in enterprise-class databases maintained in the Department’s secure datacentres. The Department is committed to ensuring that customers’ personal data is securely held and used only for business purposes. Access to the dataset is restricted to those members of staff who have a business need to reference the data and all accesses to the data are logged. All members of staff must, on an annual basis, sign undertakings that they have read, and will act in accordance with, data protection policies and guidelines. Failure to comply with these simple rules could leave them exposed to potentially serious allegations. Where such allegations are substantiated, staff could face disciplinary action (including possible dismissal) and potential legal action including a possible claim for compensation for distress/damage caused to the customer. The Department ensures oversight in relation to data protection by keeping records of data accesses which are then subject to audit. Twenty-eight security audits have been undertaken within the last five years; twenty-two of these are completed, and six are in progress. Three Penetration tests, two Privacy Impact Assessments, and a Risk Assessment of the IS environment were also carried out during this timeframe.

The PSI data set is also stored by the Department of Public Enterprise and Reform as part of the Single Customer View. This system brings identity data together from a number of public bodies. The Single Customer View database is stored in a secure government data centre. Access to the data is tightly controlled and restricted to the government network. All data access is logged and regularly audited. The Secretary General of the Department of Employment Affairs and Social Protection is the Data Controller for the Single Customer View.

The PSC is produced in Ireland by an Irish-registered company called BCS. It was a condition of the award of contract that all data and related services provision and operation be provided on-site in Ireland and subject to the jurisdiction of the Irish courts. Once PSCs are personalised (i.e., the data is put on the card), the data used to so personalise them is not retained by BCS but is destroyed as an automatic part of the personalisation process in accordance with advice provided by the Office of the Data Protection Commissioner. In addition the systems used in the card production have been subjected to audit by external experts.

The Public Services Card itself has multiple protection mechanisms, all of the highest current international standards, to prevent and detect tampering with the physical card and its contents. As well as some hidden security features, there are visual measures such as the overall graphical design, branding, microprinting, the use of optical variable ink and a kinegram. In addition, a PSC and a card reader communicate with each other by cryptographic means. Only card readers specifically programmed to accept PSCs can undertake this functionality.

I hope this clarifies the matter for Deputies.
