Maureen O'Sullivan (Dublin Central, Independent)
Link to this: Individually | In context | Oireachtas source

60. To ask the Minister for Employment Affairs and Social Protection if she is satisfied that the introduction of the public services card will adhere to the highest standard of data protection; and if she will make a statement on the matter. [39618/17]

Regina Doherty (Meath East, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Section 263 of the Social Welfare Consolidation Act 2005 (as amended) provides for the data items that can be inscribed on the face or encoded on the chip of the Public Services Card. That data is part of the Public Service Identity (PSI) dataset as set out in section 262 of the Act. The PSI data set is stored in enterprise class databases maintained in my Department’s secure datacentres. My Department is committed to ensuring that customers’ personal data is securely held and used only for business purposes. Accordingly, access to the dataset is restricted to those members of staff who have a business need to reference the data and all accesses to the data are logged. All members of staff must, on an annual basis, sign undertakings that they have read, and will act in accordance with, data protection policies and guidelines. Failure to comply with these simple rules could leave them exposed to potentially serious allegations. Where such allegations are substantiated, staff could face disciplinary action (including possible dismissal) and potential legal action including possible claim for compensation for distress/damage caused to the customer. My Department ensures oversight in relation to data protection by keeping records of data accesses which are then subject to audit. Twenty eight security audits have been undertaken within the last five years, twenty two of these are completed, and six are in progress. Three Penetration tests, two Privacy Impact Assessments, and a Risk Assessment of the Information Systems environment were also carried out during this timeframe. The PSI data set is also stored by the Department of Public Enterprise and Reform as part of the Single Customer View. This system brings identity data together from a number of public bodies. The Single Customer View database is stored in a secure Government data centre. Access to the data is tightly controlled and restricted to the Government network. All data access is logged and regularly audited.

The PSC is produced in Ireland by an Irish-registered company called BCS. It was a condition of the award of contract that all data and related services provision and operation be provided on-site in Ireland and subject to the jurisdiction of the Irish courts. Once PSCs are personalised (i.e., the data is put on the card), the data used to so personalise them is not retained by BCS but is destroyed as an automatic part of the personalisation process in accordance with advice provided by the Office of the Data Protection Commissioner. In addition the systems used in the card production have been subjected to audit by external experts.

The Public Services Card itself has multiple protection mechanisms, all of the highest current international standards, to prevent and detect tampering with the physical card and its contents. As well as some hidden security features, there are visual measures such as the overall graphical design, branding, microprinting, the use of optical variable ink and a kinegram.

In addition, a PSC and a card reader communicate with each other by cryptographic means. Only card readers specifically programmed to accept PSCs can undertake this functionality.

I hope this clarifies the matter for the Deputy.