Public Services Card: Discussion (Resumed)

I welcome Mr. Tim Duggan, Ms Kathleen Stack, Mr. Philip Cox and Ms Michelle O'Donnell from the Department of Employment Affairs and Social Protection, as well as Mr. Barry Lowry from the Department of Public Expenditure and Reform. You are all very welcome.

I will ask for opening statements in a moment but before that I draw attention to the fact that by virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to this joint committee. If, however, they are directed by it to cease giving evidence on a particular matter and they continue to so do, they are entitled thereafter only to qualified privilege in respect of their evidence. Witnesses are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person or an entity by name or in such a way as to make him, her or it identifiable. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official, either by name or in such a way as to make him or her identifiable. If colleagues have mobile phones, I ask for them to be turned off. We have received the opening statements of witnesses and they will be published in due course.

Mr. Tim Duggan

I thank the committee for the invitation to come along this morning. We are in the middle of a departmental reorganisation and responsibility for this area is moving from me to Ms Stack, and Mr. Cox is taking over as the head of the division dealing with the public services card and personal public service, PPS, numbers. We are in transition and I think they are here to ensure I do not land them in trouble.

We will do our best.

Mr. Tim Duggan

I am sure the committee will. I do not need to tell members there has been much discussion in recent months about the standard authentication framework environment, SAFE, and the public services card. Unfortunately, quite a bit of it has not been entirely correct and it has led to some degree of confusion. As the committee knows, last year we published a comprehensive guide to SAFE and the public services card and we sent copies to all members. I hope they have had a chance to read it. We published it, essentially, to give people a better understanding of the entire programme and to try to answer many questions that were emerging in media and political circles at the time. Additionally, we came to the House and presented to Members and their staff last September on the programme. Again, I asked the secretariat to circulate a copy of that presentation, again with the intention of trying to answer some questions that members might have on the programme.

The SAFE public services card programme is simply about verifying the identity of people engaging with public services. It is no more or less than that. Everyone accepts that the public service has an obligation to know who it is dealing with and to whom it is providing services, entitlements and payments. There are a number of really good reasons that is important. Public bodies need to ensure they are providing services to the right person and ensure that somebody else is not pretending to be that person, as well as to ensure the person is not claiming to be somebody else, either with a real or false identity. That is needed to safeguard public services and public moneys, so as to ensure they are not incorrectly or mistakenly delivered or to ensure they are not fraudulently achieved by someone.

Public bodies need to be sure of who they are dealing with so they do not inadvertently expose personal and sensitive data to the wrong person, again either by accident or because somebody is perpetrating fraud. We need to do this to ensure we comply with data protection law and that we safeguard the privacy and confidentiality of individuals engaging with us. As all public bodies need to verify the identity of people to some extent in the provision of services, it makes sense we do it in a way that does not require an individual to go through time-consuming processes to prove his or her identity over and over again. In other words, a person should be able to verify his or her identity once and it would hold for all interactions with public bodies. We do this to ensure efficiency in the delivery of services; this includes efficiency for the public service and, equally, efficiency for the individual engaging with us. Finally, there is now and expectation - even a demand - that public services can be provided digitally. As a result of the remote and non-personal nature of digital engagement, it is impossible to know with whom one is dealing online unless the identity is verified with tokens in advance. Consequently, an identity verification process is critical to being able to platform services digitally.

In the past, identity was relatively easy to verify as most people were known in their local communities and their identities could be testified to by other local individuals, such as doctors, teachers, gardaí, clergy, etc. However, given the remarkable changes the country has experienced in the past few decades, when we have seen considerable immigration, significant population growth and greater urbanisation, we are now a much more diverse and cosmopolitan society. The traditional ways we had of establishing and verifying identity do not work as well as they used to. Consequently, in 2004, the then Government tasked a senior level interdepartmental group with developing a framework or standard for establishing and authenticating the identity of individuals in their engagements with the public service. That work was completed and agreed by the Government in 2005. The framework emerging from it was called SAFE, which means standard authentication framework environment, and it comprised four levels of identity verification, which we set out at question No. 1 in the comprehensive guide, if members wish to look through that. I can go through it in detail if members wish.

This is very similar to the approach taken in other countries, both at that time and since. It is also very similar to various kinds of standards set out by different groups dealing with identity over the past couple of decades. Most of them have adopted a similar four-tier model to what has been set out in the SAFE framework we have in the comprehensive guide. Under this framework, the traditional ways of verifying identity would be classed as SAFE 0 equivalent, where no PPS number was involved in the transaction, or SAFE 1 equivalent, where a PPS number but very little else was involved. In the first case, identity is asserted with no assurance and in the second it is being established on the balance of probabilities only. SAFE level 2, on the other hand, involves many factors, and we have set out the processes involved in the comprehensive guide at question No. 7. It is the combination of all those factors that make it different and which allow identity to be verified to a substantial level of assurance. I can go through that in minute detail if anyone on the committee wants me to. As it is capable of verifying identity to a substantial level of assurance, it is now Government policy that it should be the level of identity verification required to provide high value and personalised services to people for the four big reasons I mentioned at the start.

It is always important to keep remembering that this is about verifying identity only and nothing else really. The data collected during a SAFE 2 identity verification are the basic identity data items one would expect to be collected when somebody is verifying identity. Essentially, they are the same as those used by most modern public services throughout Europe and the world. They include elements such as name, address, date and place of birth, nationality, sex, former surnames, photo, signature and, in Ireland's case, a PPS number. This is called the public service identity data set, or PSI.

We have provided again full details of that data set in the comprehensive guide. It is also important to note that the public service identity, PSI, is not new. It has existed in various formats since the 1970s, when PPS numbers were first introduced as RSI numbers. It has been around for a long time. For the majority of people, the public service has all of the data already that are in the PSI. Therefore, the SAFE identity verification process is not collecting any new data for those people. It is simply verifying the basic identity data that are already held in the PSI. The process is only collecting all of the data afresh or anew where a person does not have a PPS number. In most cases, those are adults coming to Ireland from abroad.

Once a person successfully completes a SAFE 2 process, he or she may be issued with a public services card as a physical token of proof that he or she has successfully identified his or her identity to a substantial level of assurance. That is all that the card is; a physical token of proof that the person has been through the process and verified his or her identity to a substantial level of assurance. It means that a person who gets a public services card does not have to engage in further identity verification processes when dealing with the Department of Employment Affairs and Social Protection or any other public body. In addition, a person may be provided with an online MyGovID account, as digital proof that he or she has successfully identified his or her identity to a substantial level of assurance. Then using that account, because it provides that proof, he or she can access public services digitally and access his or her own information and data digitally.

In the context of SAFE, the public services card, PSC, and MyGovID, the only data that are shared with other public bodies is that basic identity I listed earlier - nothing more. It is only shared in the context of that public body being a specified body in the legislation, having a transaction with the individual concerned and in the performance of its public function as it relates to that particular person. Additionally, these basic identity data are the only data that are stored on the public services card. It is important to note that contrary to some misleading information from some commentators, the PSC and the data sharing arrangements for identity data do not contain any other data or information on people, such as people's means, financial data, scheme data, relationship data, health, medical, property or asset data. No such data are on the public services card and no such data are transferred in the data sharing arrangements that are in place around identity. The public services card does not provide access to data of that kind.

We have set out in the comprehensive guide the various legal bases for SAFE identity validation for the PSI and for PSI data sharing and we are fully satisfied that these provisions provide a robust legal basis for the approach we have taken to identity verification. Although the only data involved in the SAFE process are those basic identity data, we endeavour as best we can to ensure they are secured as best as possible. Again we have set out in significant detail in the comprehensive guide how we have done that. We have covered aspects such as the secure storage of the data, how we use role-based access to them, the obligations and training that staff must go through, the logging and auditing that we do, the encryption that we employ when we are transferring them, the destruction of the data in the company that produces the card and the various security features on the physical card itself. It is worth noting that we have a dedicated unit in the Department that deals solely with information security generally and is our direct liaison with the Office of the Data Protection Commissioner.

In this context, the Department is acutely aware of the general data protection regulation, GDPR, and its impending deadline of 25 May 2018. In this regard the Department has established its own dedicated implementation team, which is undertaking a major programme of work to ensure compliance with the GDPR. It has specific work streams on legislation, communications, information provision, information sharing, the forms that we use and the systems that we use. In addition, our staff, both front-line and at management level, are getting specific GDPR training and awareness and all of that work is being overseen by a very senior level data management programme board and it is a regular feature on the management board agenda.

We note that some people have highlighted difficulties accessing and comprehending some of the legislative provisions relating to the Department's identity verification processes, given the amount and complexity of social welfare legislation generally. Accordingly we have published an administrative consolidation of the Social Welfare Consolidation Act 2005, in which we have endeavoured to encompass all Acts since 2005 up to and including the Social Welfare Act 2017. That is now available on the Department's website for access. As is usual with such administrative consolidations, it comes with the usual caveats about errors and omissions and cautions against using the text in legal proceedings. However, we hope it does help people to better understand the legislative provisions relating to these matters.

Following on from that, we also note that a number of commentators have expressed concerns about section 5 of the Social Welfare, Pensions and Civil Registration Bill 2017, which proposes to allow individuals to voluntarily provide their PSC to non-specified bodies, as proof of identity. We note that some of those commentators have expressed a view that this proposal will result in current protections being withdrawn and that as a result, private companies will have access to the identity data. Let me make it really clear to the committee that nothing could be further from the truth. It is exactly the opposite. At present, only public bodies specified in legislation and currently included in Schedule 5 to the Social Welfare Consolidation Act or their agents can ask for and use the public services card. The current proposal in section 5 of the social welfare Bill does not change this at all. That protection will remain if that legislative proposal is adopted. It will not be watered down or changed in any way whatsoever.

However, as the law currently stands, even if a card holder volunteers his or her PSC, a private sector organisation would be committing an offence by accepting it as it is not a specified body. Our customer feedback is that people should be allowed to volunteer the card to non-specified bodies if it suits them to do so for the purposes of verifying identify, such as when signing up to a utility company contract or opening an account with a financial institution. Therefore the legislative proposal is that non-specified bodies that accept a PSC that is offered to them voluntarily by the holder should not be prosecuted or at risk of such prosecution. At the same time, such non-specified organisations should not be able to request or force a person to use their PSC and that would remain an offence. In other words, the key issue is that the volunteering of the card is at the heart of the transaction. Furthermore and for the sake of absolute clarity the proposal in no way allows a private sector body to access the customer data on the card chip or any Government database. It simply allows such bodies to view or accept the card as a form of identity and stops it being an offence for them to accept it - similar to any other State-issued identity documents, such as a driver's licence or a passport. This measure will be beneficial to holders of the public services card most especially those who do not hold a driving licence or a passport. It is the Department's view that it is their identity and as such, the holder should be allowed to volunteer it if he or she so chooses, even in a commercial setting.

As the committee is aware, the Office of the Data Protection Commissioner is undertaking an audit of the various elements of the identity verification infrastructure that I have described here. The Department is co-operating fully with that audit and has already furnished the Office of the Data Protection Commissioner with a great deal of information and records to assist it with that audit. The commissioner has now furnished the Department with her plan for the completion of the audit, including timelines, and I believe the committee has been copied with that information. What members may not know is that the Commissioner for Data Protection wrote to the Department late yesterday evening and has slightly revised the timescale and pushed it out a little bit. Contrary to information provided by others to the committee, this is not the first time that the Office of the Data Protection Commissioner has used its powers to conduct such an audit and there are a number of examples of same on that office's website, including a previous one done in our Department some years ago. The Department looks forward to the preliminary findings of the commissioner and discussing them with her with a view to dealing as quickly as possible with any issues she may identify.

In the meantime, the Department will continue to conduct its business as usual, as is normal in such circumstances. I hope the foregoing gives the committee a reasonable understanding of the important aspects of SAFE and the public services card, PSC. My colleagues and I will endeavour as best we can to answer any questions that members may have.

I thank Mr. Duggan and call on Mr. Lowry.

Mr. Barry Lowry

I thank the committee for inviting me here today to inform the discussion on the public services card and MyGovID. My name is Barry Lowry and I am the Government chief information officer. My objective this morning is to give the committee a sense of the strategic need to increase the adoption and usage of the card and, in particular, the MyGovID service token.

I will begin with the European context for the ongoing plans and then focus on the national interest. As regards Europe, I was interested to read a recent comment by Thomas Donohue, chief executive and president of the United States Chamber of Commerce, who predicted that Ireland will take on a more significant role in Europe if Brexit proceeds as planned. Given the importance of the EU to our economy, I am sure the committee fully accepts that it is essential for us to be at the forefront of any European initiatives that impact on our trade and economy.

The European Commission is extremely committed to the concept of digital government driving digital commerce and, therefore, economic growth. It estimated that ICT is currently responsible for half of productivity growth in the EU and the digital sector is expected to grow seven times faster than the overall EU economy. The Vice President of the European Commission, Mr. Andrus Ansip, has, therefore, set out ambitious plans for cross-border eGovernment and the establishment of a digital Single Market. Mr. Ansip has frequently quoted figures produced by the European added value unit indicating that, taking into account various constraints, a fully realised digital Single Market could increase GDP by €340 billion a year and make a very significant contribution to overall GDP growth in Europe over the next decade. He has repeatedly stated that governments can play a substantial role in progressing the concept of a digital Single Market by facilitating cross-border access to digital government services, whether that be an Irish citizen accessing our services regardless of his or her location or an EU citizen being able to plan to work, live or holiday in Ireland and put all of his or her arrangements in place before arriving in the country. It is imperative that we take all possible steps to make certain we are aware of, shape and are ready to utilise such developments to ensure Ireland is not disadvantaged or left behind the rest of Europe in terms of digital trade and digital government.

EU Regulation No. 910 of 2014, often known as the eIDAS, electronic ID and trust services, regulation, addresses electronic identification and trust services for electronic transactions in the Internal Market. The regulation has been established to enable people and businesses to use their own national electronic identification schemes to access public services in other EU countries where eIDs are also available. The regulation also creates legal validity for electronic signatures, seals, time stamps etc. such that they will have the same legal status as traditional paper-based processes. If Ireland is to be recognised as a progressive digital state within Europe, then we must have a safe, secure and verifiable State eID. MyGovID gives us a basis for that capability. It provides substantial assurance that a person online is who he or she claims to be and gives considerable protection against personation and fraud. It can also provide the foundation for the future use of electronic signatures. MyGovID is the only viable approach that can underpin future citizen interaction with a digital Europe.

The EU’s eGovernment action plan 2016-20 sets out a shared eGovernment vision and a series of principles to which member states should adhere. The principles include that public administrations should deliver services digitally as the preferred option through a single contact point or a one-stop-shop; that they should ensure that citizens and businesses only need to supply the same information once to a public administration; that public administration offices should take action if permitted to internally re-use these data, in due respect of data protection rules, such that no additional burden falls on citizens and businesses; and that public administrations should share information and data with one another and enable citizens and businesses to access, control and correct their own data and monitor the administrative processes that involve them. It is reasonable to expect of any digital government that citizens be able to carry out more transactions online, provide information only once, have it securely stored for future needs and then be able to see and correct the data held on them and how they are being used. Much of that aligns closely to the general data protection regulation, GDPR, which will come into force in May.

However, we can only do such things if we are absolutely certain that persons seeking to carry out such transactions are exactly who they say they are. MyGovID is of great importance in that regard because it provides a very strong means of online verification. Contrary to what some have written and stated, underpinning Government services with MyGovID and the SAFE 2 process will help us to provide more secure and transparent Government services. Consequently, the eGovernment strategy published in July by the Minister of State with responsibility for eGovernment, Deputy O’Donovan, set out ten key actions aimed at enabling citizens to access digital government services of similar levels of quality, transparency and safety as the leading digital countries in Europe. These actions include the development of a digital services gateway, a roadmap for allowing citizens to authenticate themselves for any government digital service using MyGovID, plans for business and location e-identification, the means for governed data-sharing across Government, plans to build on our open data success and plans to ensure that our staff have the requisite digital skills and capabilities.

This is an area of rapidly growing national interest as increasing numbers of the public want us to proceed down this road. In the 2017 Civil Service customer satisfaction survey conducted by IPSOS MRBI, 61% of the total consulted and 76% of those in the 18-34 age category agreed or strongly agreed that they would be more inclined to use online Government services as their preferred method of initial engagement with the Civil Service, provided they were easier to find and use. Some 65% of the total, and 82% of the 18-34 age category, thought that a single digital identity would be very convenient or fairly convenient.

We have a real opportunity to provide Government services that are more efficient, convenient, transparent and provide a better user experience but that cannot be achieved without a single electronic identification scheme. The committee is aware of the existing importance of the digital industry to Ireland. The digital economy is estimated to account for 6% or €12.3 billion of Ireland's GDP. The digital and ICT sector is a very significant employer, offering high-quality jobs through the strong presence of global players, our world-class SME capability and the many organisations which deploy digital and ICT as part of their day-to-day business. Research completed for the Department of Business, Enterprise and Innovation’s future skills needs analysis stated that there was a growth in ICT jobs provision of around 8% to 9% from 2016 onwards, with demand partly being met through attracting foreign talent. More than 6,500 ICT employment permits have been issued in the past two years. A compound annual growth rate of 8.5% per annum is expected from 2017 to 2022. Although this requirement will again be helped by the recruitment of foreign talent, it also offers tremendous opportunities to our current and prospective workforce through graduate recruitment, apprenticeships and retraining schemes. If we accept that talented workers are more likely to apply to and stay with companies that deploy digital technology well, it must follow that countries which provide an optimised citizen experience through the use of digital and ICT will be more likely to attract and retain the best talent.

I hope my opening statement has been helpful in briefly giving the committee an indication of the importance of the role that MyGovID and the underlying SAFE 2 process can and must play in establishing Ireland as a European digital and eGovernment leader, helping it to attract and retain the highest quality jobs and best talent and providing government services to its people that are safer, more efficient and more transparent than ever before.

I am very happy to listen to the committee's views and answer any questions members may have to the best of my ability.

I thank Mr. Lowry. I usually do not ask questions at this point but it might be useful for the committee to reflect back on Mr. Duggan's opening point. He said:

[I]n 2004, the then Government tasked a senior level interdepartmental group with developing a framework or standard for establishing and authenticating the identity of individuals in their engagements with the public service. That work was completed and agreed by the Government in 2005.

That is very specific. It obviously went to Cabinet and there was a decision of some sort. Further in his presentation, however, Mr. Duggan went on to say:

SAFE level 2, on the other hand, involves many factors, and we have set out the processes involved in the comprehensive guide at question No. 7. It is the combination of all those factors that makes it different and which allows identity to be verified to a substantial level of assurance. [...] As it is capable of verifying identity to a substantial level of assurance, it is now Government policy that it should be the level of identity verification required to provide high value and personalised services to people [...].

Mr. Duggan has not been as forthcoming about the steps to SAFE level 2, in other words, the policy decisions. He was very specific about the interdepartmental group in 2004 and the Government decision of 2005. However, there has been no reference to what group identified and developed the process, underpinned by what Government decisions, since 2005. I do not know if Mr. Duggan has that information with him. Although he opened very specifically, he has made no reference to any other specific decisions or policy groups tasked to develop this since 2005. Does he have a comment on that?

Mr. Tim Duggan

In 2004, the Government tasked an interdepartmental group with developing the standard. The standard developed was the SAFE set of standards, from levels 0 to 3. That was presented to Government in 2005. The Government accepted the framework and, as part of that decision, it set SAFE level 2 as the standard for card programmes in the future and for accessing public services. In 2013, I think - I will try to dig out the exact Government decision and we will get it to the committee afterwards - the Government said the public services card and SAFE infrastructure should be used for all government services and public bodies where possible by 2016. That was the ambitious target the Government set. While that has not been fully achieved, it is being rolled out, as the Chairman knows. That was the Government decision in 2013.

So 2005 and 2013-----

Mr. Tim Duggan

Those were the years of the two big Government decisions.

For clarification, before we go into full discussion, I know that SAFE 2 is a system that the Government has chosen to set up and is not an international system. It might be useful for Mr. Duggan to specify exactly what the difference is between, say, the passport and driving licence-----

That is a different issue and, to be fair to others, we will come to it.

Mr. Tim Duggan

We will get the specific Government decisions for the committee.

I read the guide and found it pretty useful. From Mr. Duggan's statement, it seems that one of the primary purposes of the card is to be an anti-fraud device. He emphasises that very strongly. We know social welfare fraud is a phenomenon here just as it is in every other country. The level here is relatively low, at around €40 million a year, which is not insignificant but it is a hell of a lot less than we were told during the anti-fraud campaign last year, when figures of €500 million were mentioned. The other aspect of the card is convenience, as one does not have to produce all this information every time one is looking for a passport or whatever. As Mr. Lowry has pointed out, it is very important that we be digitally up with our competitors.

On the controversy that has surrounded the public services card, Mr. Duggan says that if one produces the SAFE 2 evidence, one may get a card. Is that automatic? If someone applies for some sort of welfare benefit and produces the information sufficient to meet the requirements of SAFE 2, does he or she automatically get the card or does it have to be requested? People who come in with sufficient information to satisfy the requirements of SAFE 2 are being told they must produce the card before they are entitled to whatever they are looking for, be it a social welfare entitlement or whatever. If people go through the SAFE 2 process, can they say they do not want the card and would prefer to produce the information, however inconvenient it may be for themselves and the person dealing with them every time they come in? If somebody is not in possession of a card, the legislation states that the data on the card can be shared with other stipulated public bodies. If somebody does not seek the card but completes the SAFE 2 process, is that information also shared?

What exactly is the data commissioner investigating at the moment? It is taking quite a considerable length of time by all accounts. If everything is as straightforward, clear and above board as we are being told today, what precisely is she investigating?

How many public services cards are in existence at the moment and what was the cost of producing them?

I welcome the officials. There has certainly been huge concern among the public and organisations dealing with civil liberties, for example, as well as on the part of the data commissioner. The commissioner issued comprehensive questions to the Department. Is she satisfied with the responses that have been given to date? Has she asked for further information?

Following on from Deputy O'Dea's point about the number of cards issued to date, can we have a full breakdown of costs? When was the contract signed and when is it due to expire? What is the overall cost of the contract? How many cards do the officials anticipate will be issued?

A lot of the debate and controversy has been fuelled by the officials' own Minister, Deputy Regina Doherty, who stated that the card was mandatory but not compulsory. There is still a lot of concern. Any time Ministers open their mouths, they seem to muddy the waters even further. There is still huge concern that this is compulsory and that it is the introduction of a national identity card through the back door by stealth. I and my party have serious concerns in that regard, as do members of the public and many organisations. It is a legitimate concern. I genuinely believe that this is the introduction of a national ID card.

I question the legal basis for the introduction of this card. I listened to Mr. Duggan and read through his presentation before he delivered it this morning. I do not think there is a legislative basis for the introduction of the card. Section 263 of the Social Welfare Consolidation Act 2005 allows the card as an option. It does not say that it should be rolled out. It merely provides that the Minister may require any persons receiving a benefit to satisfy the Minister as to his or her identity.

It does not specifically state a card should be introduced; it just mentions the need for a person to satisfy the Minister as to his or her identity. Will the delegates expand on their points to say there is a legal basis for it, as I do not think there is? There have been a number of high profile cases in which people have had their payments, including pension payments, etc. stopped. In one case a lady had her pension payments stopped for over 18 months because she did not have a public services card, only for them to be restored later. How many other cases have there been to date in which any type of payment has been stopped because the individual did not have a public services card?

Another issue has arisen. It involves people who have been adopted who have been told to obtain a public services card. We know that up to 100,000 Irish people have been adopted. Of these, approximately 40% do not know that they have been adopted. This has caused much concern. People are told to go to the Intreo office to obtain a public services card and bring the necessary documentation with them. They are then told that they are not on the adoption register, that Intreo does not have access to it and that they need to come back with the long form of their birth certificate. Not only are there financial implications for them in having to spend €40 to obtain the long form of their birth certificate, it is also causing huge difficulties for them. How is this issue being handled? I do not think it is being handled properly. There are people who want to obtain a public services card, while others are being forced to obtain it. I ask the delegates that question about people who have been adopted and are being forced to obtain the public services card.

I thank the Deputy. If there is time, we will come back to him, but there are others who wish to speak.

A few questions have been asked and I will not repeat them.

The delegates seem to be emphasising that people go through the SAFE process. I have a question about a person has not gone through it and not received a public services card. I know that there is a system in place in the post office where one ticks a series of boxes, one of which concerns identification. I presume a person has to tick it to show that he or she has a public services card and will automatically be paid. In the case of the lady who did not want the public services card and specifically asked the Department for the legislation to show why she had to obtain it, it is my understanding she was told that she would not receive back money. She eventually received it after a period and her pension payments were reinstated. How was her case processed if she did had not gone through the SAFE process? Questions have been raised about the Data Protection Commission. Why has it been slightly revised and pushed out again? Is the commissioner seeking more information from the Department? Has there been a request for more information from the commissioner?

I am very concerned. I do not have a public services card and do not want one until I am very clear on what it means for me. Others have received it and have no problem with it. What am I stopped from accessing? We have heard about the potential to include other areas in which one would need a public services card such as Student Universal Support Ireland, SUSI, grants, passport renewals and driving licence applications, a process now run by a private company. How far will the Department extend the system? If in six months' time I want to apply for a driving licence, will I have to have the public services card? I have my passport, birth certificate and PPS number. It is not just a matter of obtaining the public services card but for what services it will be required. How secure is the Department's systems, given that it is a private company that is involved? A driving licence is renewed through a private company, is it not?

Mr. Tim Duggan

Parts of it.

How far do the delegates think the system will be extended? I know that they have talked about some people volunteering to use their public services card with electricity and other companies. It is a grey area. The company could then state it was seeking a form of identification and that it required the public services card because it was the best form identification there was. Things would start to go askew. Therefore, people are hugely concerned. I have received many calls in the past couple of weeks since this issue began to seep into the public arena and people are saying they will not accept the public services card. Do I legally have to get one?

I hope there will be a second round of question, but I will try to focus.

Others have spoken about a person having no more and no less than what is required to satisfy the Minister as to his or her identity. Perhaps the delegates might specify why, for example, a passport or a driving licence cannot satisfy the Minister as to a person's identity? Is it not really the case that this is about the single customer view database? The delegates are not really asking people to come in on one occasion to satisfy the Minister as to their identities. The new element is that they are asking people to agree to having their information included in a single database which would have other uses. There is the question of whether it is necessary and proportionate to do this under the general data protection regulation, GDPR. It may well be necessary and proportionate to have somebody prove his or her identity to access a payment or benefit, but is it necessary and proportionate to require somebody to commit his or her information to a database which can be accessed by approximately 40 bodies? Perhaps the delegates might clarify how many specified bodies can access the database. I know that they will say this is the basic information and that the bodies will identify it in this way. Nonetheless, it is a large number of bodies. As I understand it, others may be added by legislation without necessarily having a requirement to obtain consent. The potential to add other bodies is important.

The delegates mentioned that the public services card would simply be used to confirm identity. It would be useful for me to know that no further information is contained on it. Will there be a record of the number of occasions on which a person's identity has been verified and by whom? Will there, for example, be a situation where one will be able to say the driving licence service, the health service and others have checked a person's identity? That brings us to the issue of public or private bodies potentially accessing the information. There is a blurring of the lines in the Data Protection Bill where private companies contracted by the HSE and others, for example, will be reclassified as public authorities. While they may not be specified bodies, there is ambiguity about which people may be concerned.

There are key questions about the roll-out of the public services card. The phrase "optimised citizen experience" was used. It certainly was not an optimised citizen experience for many of those who were effectively threatened and, in many cases, would have had their payments cut off if they refused to agree to their information being included in a single customer database. To clarify the position in the case of the woman whose pension payments were withheld, she did not say she did not want to have a public services card but that she wanted to know what was the legal basis. While her payments were restored, as I understand it, the legal basis had not been satisfactorily illustrated to her. Crucially, it has not been been illustrated to the satisfaction of the Data Protection Commissioner. There is an ongoing investigation in that regard.

In response to Mr. Lowry, this is not about being pro or anti-digital, nor is it about the digital or data future.

The people who are most concerned are the ones who are most engaged and most keen for us to take a responsible approach to the digital world and data protection, given their increasing importance. This is not a Luddite concern but about doing things properly. If the public services card is as crucial as we hear it is, should we not be deeply concerned about getting it right? If we are to be the main regulator of private company data regulation in Europe, should we not set high standards for ourselves? Nobody is complaining about doing things online, but people are complaining about the lack of due respect for data protection rules. Would it not send a very worrying signal if Ireland decided that it did not want to wait to satisfy the concerns of the Data Protection Commissioner? She is looking at the legal basis and the appropriateness of the technological and organisational systems. Mr. Duggan mentioned a previous data commissioner who had expressed concern in these areas, as well as dissatisfaction with the measures in place within public bodies.

I thank the Senator.

It is crucial to get this right. In the Data Protection Bill which is before the Houses huge discretion is given to Ministers to provide for exemptions from the GDPR following consultation with the Data Protection Commissioner. If, following that consultation, Ministers are to disregard data commission infrastructure, we will have to be very concerned about the GDPR. It is crucial to get this right and we are not satisfied that it is.

Mr. Duggan said private company access would be voluntary, but will there be any measure to stop a company from refusing to provide a service because it is not satisfied as to a person's identity? Could a company put up a sign stating it only respected the public services card, or could it simply refuse to accept a driving licence or a passport? We have seen that there is a nuanced difference between what is mandatory and compulsory. Do we need another imaginary line between what is voluntary and what is required?

I refer to the cost of the verification process in the Department. I have obtained information from the Mirror on foot of a freedom of information request on the response from the Department to a journalist last November. It stated the initial costs associated with producing the public services card were €18.284 million, ex-VAT, and that a further €1.5 million in costs were related to other aspects of the project. The sum of €18.284 million allowed for a figure of €347,000 towards the cost of the operation of a help desk facility to support the issuing of the public services card. It went on to state that, subsequent to the overall contract being put in place, the then Data Protection Commissioner had requested that specific control measures be put in place to ensure that it could be verified that the public services card had been sent to and received by the correct person. This resulted in customers, on receipt of their public services card, being required to make contact by telephone with the Department to confirm receipt. Essentially, the customer contacted a telephone line and the telephone line staff member recorded the fact that the public services card had been received. Although this process became known as activation, it did not result in anything being done to the public services card or the system and cards were not invalidated if no such call was made. The response went on to state that it was important, therefore, to note that all public services cards issued by the Department were valid and could be used with or without activation. The departmental official went on to say the telephone line had received approximately 1.385 million calls, at a cost of €2.47 million, up until August 2016 when the service was discontinued.

I have a number of questions. Originally, €347,000 was allocated for the operation of a hotline by then Department of Social Protection staff. It is good practice for people to be advised how they might go about going through the process of obtaining a public services card and for the Department to address their concerns. Because of the intervention of the Data Protection Commissioner, it appears that a new system was set up which appeared to be a hotline to nowhere. Some 1.4 million people contacted the help desk to activate their public services card, even though activation was not required, but many who have the card did not contact the hotline. This did not make any difference whatsoever because the cards were valid, as the Department made clear in its letter in November.

Is Mr. Duggan claiming a 100% success rate? Does everybody who is meant to have the public services card have the correct one? Are there thousands of people walking around with incorrect cards in their pockets? If there was no requirement to activate the card, as one would with a debit or a credit card from a financial institution, what was the point in spending an additional €2 million, over and above the original sum of €347,000, on a hotline to nowhere? I do not understand it. Why was this money spent if there was no activation process and no cards were invalidated? People were not required to contact the Department to validate their public services card.

Clarity is required. At the last hearings there was a lot of misinformation on this issue. I value the public services card and believe it is a good initiative. I hold one and deal with people on a daily basis who have it and do not seem to have an issue with it. Has the Department received many complaints about the public services card? Does the take-up vary from region to region? Are people refusing to obtain it? The hysteria at this committee about the issue is not warranted. It is welcome that the delegates have clarified matters.

Last week delegates were very clear on the difficulties they had in understanding the legislation. There is no primary legislation. Mr. Duggan referred to the main Act of 2005 and the consolidation Act since. There have been numerous amendments and Mr. Duggan spoke about the complexity of the legislation. He said that, as is usual with such administrative consolidations, it came with the usual caveats of errors, omissions and cautions against using the text in court proceedings. That is exactly the point the delegates made last week. Even with the consolidation, they found going through the Act very difficult and that there was a lack of clarity.

The heading on Mr. Lowry's presentation includes a reference to the "Draft General Scheme of the Data Sharing & Governance Bill".

Is there something Mr. Lowry is trying to tell us? Is there a scheme to put this on a more regular footing, that the future management of SAFE, SAFE2 and the cards and so forth, would be best served by primary legislation dealing with its future use and management? Has that been considered? From 2005 it has evolved but in recent years, since the decision of 2013, which the Department said would be rolled out by 2016, we have been behind the curve. Is that what Mr. Lowry was trying to tell us with the title?

Could the witness also deal with the data-sharing agreements, which I understand is the current basis used between the Department of Public Expenditure and Reform and the Department of Employment Affairs and Social Protection? I understand concern has been expressed that there have been legal lapses where that data-sharing agreement has been in place and there have been gaps when it has been out of date for periods. I know that is the system in the absence of new primary legislation.

Mr. Tim Duggan

It is not the case that the card has a fraud focus. There is too much emphasis on the card. The issue is verifying identity to a substantial level of assurance. We have established processes to do that. The card is a side effect of that. It is a token to say a person has gone through that process and successfully verified their identity to a substantial level of assurance. No one has to get one but we do automatically issue it to a person as a token of proof that they have verified their identity to a substantial level of assurance. The difficulty for a person who does not have one is how to prove to other public bodies, or to us when they come into another of our offices, that they have done it. We would have to check through the system to make sure they had verified their identity to a substantial level of assurance. It is the same as when a person passes a driving test and gets a certificate of competence but if they are not issued with a licence how can a garda check the person passed the test? It is of that nature. We issue a token to prove the identity has been verified in accordance with the law. That is all the card is. The Minister is quoted as saying a person can take it home and put it in a drawer and she is absolutely correct. The difficulty, however, for the person is that they must needlessly go through some form of identity verification process if they choose not to use the card. That is the big issue.

Fraud is also a side effect. It is a question of making sure we are dealing with the right people, that when somebody presents we know who they are, we give them the right service and payments and no one else can pretend to be them and take their entitlement. I think Joe Duffy highlighted an issue about treatment benefit where a lady had been impersonated and the impersonator got the treatment benefit but as a consequence the first lady did not. We are trying to protect against incidents like that. This is a good side effect in that anyone trying to perpetrate identity fraud is highly unlikely to get through this process and it will be very difficult to perpetrate such frauds in the future.

The Data Protection Commissioner has set out in correspondence with the committee precisely what she is doing in her audit. The Senator mentioned some of these actions. She is examining the legal basis for processing data in connection with the public services card; considering the appropriateness of the technology and organisational measures we have employed in respect of security and other personal data processing operations; and examining the transparency of information provided to data subjects or customers in respect of the processing of personal data and she is doing that in respect of the public service identity dataset, the public services card, the single customer view and MyGovId. She hopes to conclude the initial phase next month and the second phase probably in May or June.

Somebody asked whether she had pushed it out because she had greater concerns or had looked for more information. The answer is no. We furnished the responses to her initial set of questions to the Department in early December. They were very comprehensive detailed responses. The main response ran to just under 100 pages and there were a load of documents and records associated with that which were also furnished to the Data Protection Commissioner's office. It is a lot of information. I suspect, given the pressures of work in other areas and the amount of information on this, it is taking longer than originally envisaged. The commissioner has not told us why she is extending the timeline a little but we are not concerned about it. We think it is for normal pressure of business reasons.

To date, as of this morning, 3.14 million public services cards have been issued. That represents approximately 2.65 million people. There are more cards than people for a bunch of reasons. First, people's entitlements change. A person who got it when they were younger than 18 years would automatically be issued with a new one when they pass 18. Anyone who was younger than 66 years would get a new one after that because of the free travel entitlement. Some people have lost or damaged cards and got new ones. Some have expired because the original cards were five year cards. Approximately three quarters of the adult population of the country have cards.

The figures for the cost go up to slightly earlier than end December 2017, to the time we finished producing 3 million cards as part of our contract. It was €55.7 million for everything, including the cards, the staff and a bunch of miscellaneous costs associated with systems development. I can break that down if the Deputy wants me to. The Comptroller and Auditor General estimated the cost at €59.7 million. The staff costs alone are in the region of €29 million because there have to be so many people on the ground for identity verification. That contract for the production of cards concluded at the end of 2017. We need to put a new contract in place.

I refer to second generation because there have been developments in card technology since we went out to market originally, therefore the next generation of public services cards will be slightly different to the current generation to reflect those advances in technology. We are in the process of doing that at the moment, and as a consequence the contract with BCS, the original card producer, was extended under European law for a further year. There is no volume commitment in the extended contract; it simply gives us the facility to produce first generation cards as we need them until a new contract is in place.

Deputy Brady asked about the Data Protection Commissioner and the responses to the 47 questions that she issued to the Department back in September. We produced a comprehensive guide, which is an amalgam of a number of things. It covers all of the questions the Data Protection Commissioner asked plus many of the issues that we felt were arising in the media and political coverage of the project at the time. As a consequence we put that comprehensive guide together. We furnished it to the Data Protection Commissioner in October of last year, and we have not heard whether she has any difficulty with any of the responses provided in that guide since.

Did she not initiate the investigation following the responses?

Mr. Tim Duggan

She did; it was approximately one month or five weeks later.

Is that not indicative of a response?

Mr. Tim Duggan

I do not accept that that was a response to the comprehensive guide being produced. She has not responded to the Department on the quality or otherwise of the responses in the comprehensive guide.

On the mandatory versus compulsory element, when most people say compulsory, I believe that they are referring to the national ID card. This is certainly the context in which the Minister answered that question all that time ago. This is not a national ID card. The Minister said that it is not compulsory in that context. There is no intention for this to become a national ID card or anything of that nature. To be boring, this is about verifying identity to a substantial level of assurance for public service purposes. That is what this is about.

A national ID card is an entirely different idea. That would entail a person having an identity card that they are required to use. They would be compelled to have the card by virtue of existing in the nation, which is the usual nature of a national ID card. In most countries that have one people are compelled to carry it with them. If a member of a police force in such countries stops a person and asks for his or her national ID card and he or she either does not have it or refuses to furnish it, the police can draw inferences from that, and in many countries the person can simply be detained until such time as it is produced or until the police can verify identity in another way or find out what that person is doing. In most countries that operate national ID cards they are not only required for engaging in public services but also almost all private sector commercial-type services as well where identity is an element of consideration. It is impossible to open any kind of financial account or to get any kind of insurance without one. In fact, it is impossible to do fairly basic things without a national ID card. My sister lives in a country that has a national ID card, and when video stores were a thing the card had to be produced to open an account with a store in order to rent a video.

National ID cards are an entirely different thing to the public services card. The public services card cannot be asked for by anyone other than a specified body in the legislation. It is illegal to request it otherwise. Organisations that have attempted this in the past have been threatened with prosecution. It is illegal for a member of An Garda Síochána to request a public services card as it is not a specified body. The legislation is quite clear that it would be an offence for a non-specified body to request the card.

Will it be legal to deny a service to someone if he or she does not produce the card or does not have one? That does happen, and it is a key question. The 2017 proposal, the new Bill, extends the voluntary capacity-----

Mr. Tim Duggan

I am not a lawyer or a judge. However, I am fairly clear that the intention of the legislation is that if somebody requests the card on behalf of a non-specified body, regardless of how that request is carried out, it is illegal and is an offence under the Social Welfare (Consolidation) Act. Any body refusing to provide a service when a card is not produced would be acting illegally. That is the same thing as demanding the card.

What if a non-specified body refused to furnish a service because it was not satisfied as to identity?

Mr. Tim Duggan

Those bodies have to have standards for that, and those standards would have to be based on something.

(Interruptions).

When the witness speaks about the difference between compulsory and mandatory, it is very disingenuous to say that persons whose child benefits will be denied, who will potentially lose his or her pensions and will potentially be denied SUSI grants, which affects the opportunity to-----

Mr. Tim Duggan

The same thing applies.

I apologise for interrupting.

Mr. Tim Duggan

The Senator is overstating matters. It is also the case that somebody has to have a PPS number to do those things, yet nobody is suggesting that a PPS number is a national identity number. One cannot engage in most public services unless he or she has a PPS number. One cannot get a SUSI grant, a driver's licence, a passport or a social welfare benefit or payment without that number. I do not hear it being described as a national identity number because it is not. The national ID card is essentially the same thing. All the card contains is the public service identity dataset that people have had since they were issued with a PPS number. All that is on that card is basic identity information. In fact, only a subset of it is on the physical display of the card. The rest of it is on the chip, which is encrypted and cannot be accessed by anybody unless my Department provides that access. To date, no one has been provided with such access.

On the issue of the legal basis for the card, as I said earlier, the whole purpose of the card is to verify identity to a substantial level of assurance. If a person is a customer of the Department, we rely on section 247 of the Social Welfare Act to require them to satisfy the Minister as to his or her identity. We do not require them to get a public services card, but rather to satisfy the Minister as to his or her identity by virtue of section 247. We have always told people that that is the basis on which they must go through the safe process. Section 247 sets out that we have to give notice to a person who is receiving a benefit. That is covered by the letter we write to people. If a person does not satisfy the Minister he or she may be disqualified from receiving the benefit. In fact, the section uses the word "shall", so the Department has no discretion under the law. A person may satisfy the Minister as to his or her identity by attending at an office that the Minister designates and providing the information and documents the Minister requires. The items that must be furnished are set out in the notices sent to the people in question. It includes the types of items that one would expect, such as photographic ID and proof of address.

Claimants must have a photograph and provide their signature. The statute gives the Minister the power to retain those, so that they can be reproduced by electronic means in the future. One of the parts of that provision on which people have seized is the following stipulation: "This section shall not be construed as preventing the Minister from using a method of authentication of the identity of a person in receipt of benefit, other than a method referred to in this section, which the Minister considers appropriate to use." People have asked why a passport or driving licence would not be appropriate. I am sorry for being boring about this, but the issue here is that we are trying to verify people's identity to a substantial level of assurance. That is not verification on the balance of probabilities or on the basis of assertion. That section means that the method we use is still intended to verify the identity to a substantial level of assurance. We use alternatives to a face-to-face meeting in Intreo centres or branch offices around the country. In some cases we have used mobile solutions. In these situations a claimant does not have to turn up at our office. We go to them, either in their place of work, in a congregated setting or indeed in their home, as has happened in several exceptional occasions.

In a second variety of case, somebody in a particular set of circumstances is unable to furnish all of the documentation that is ordinarily required to satisfactorily prove identity. For those cases we have an exceptions process, whereby we still put them through an interview, but the interview changes in that we ask for a range of information for which we do not ordinarily ask. We carry out background checks to make sure that their answers hold up. We assign senior officers, rather than normal officers, to reviewing that information and determining whether the identity has been verified satisfactorily.

The third type of scenario is that in which we have used postal processes, in two different ways. The first of these is where somebody who has a passport and is over the age of 66 is paid in cash at a post office, and all of the identity data that the Passport Office has for that individual precisely matches our own data. In those circumstances, the risk is mitigated significantly, and we are willing to offer that person a postal process to effectively satisfy the Minister as to their identity. We write to the person and ask them for any information that we need to verify. We also ask them to provide some security questions to protect their account so that no-one else can pretend to be them. We are willing to furnish them with a public services card, PSC, in those circumstances, having satisfied ourselves that their identity has been verified to a substantial level of assurance. The kickback is that this person turns up at a post office, usually every week, to get their payment, and their identity can be validated. The verification is post-factum rather than before the event. The claimant walks in with their public services card, which has their photograph and signature on it, and they collect their payment.

There is always an element of face-to-face engagement, but the point at which it is done varies. In the last several years, we have done similarly for people who have renewed their driving licence, again where their data precisely matches the identity data held by the Department. Quite a number of people have been able to satisfy the Minister as to their identity and have their identity status elevated to SAFE 2 level as a consequence of going through that process.

As such, there are at least five methods by which we are able to identify somebody to a substantial level of assurance to the satisfaction of the Minister, all operating under that legislation.

I have heard a number of quite credible reports from people who have received public services cards in the post but do not recall having applied for or sought a public services card. Perhaps Mr. Duggan might comment on these.

There are still a number of issues to be addressed, to be fair to the committee colleagues.

It would be useful to get a breakdown of the number of cards which were issued.

There are other issues, to be fair.

Mr. Tim Duggan

Deputy Brady asked about adopted people. I invite members to imagine the situation when somebody goes into an Intreo centre to go through the SAFE process. The SAFE officer has no idea who the person is, and has no idea of his or her birth status, adopted status, or anything like that. There is no difference in the Department's treatment of people on the basis of whether they have been adopted or not. If they are a customer of the Department and have been invited to appear, then they have been issued with a letter which tells them very clearly what they need to bring with them to go through the process. In the case of adopted people, that includes an adoption certificate.

The SAFE officers in the Department have full access to the register of births. Consequently we do not require people to bring their birth certificate with them to their appointment. We encourage them to bring it along if they have it, but we do not absolutely need it. If I appear and give my name and date of birth, the officer is able to directly check the register of births to make sure I am there.

However, if I am an adopted person, I will not feature on that register. I am unlikely to be on it under the name I have given, and perhaps even with the date of birth I have given. Consequently, all the SAFE officer knows is that he or she cannot find the person on the birth register. This can also happen with people who are not adopted. I do not want the committee to think that this just happens with adopted people. It happens just as often with people who have not been adopted. In those circumstances, the SAFE officer simply advises the person concerned to go to his or her local register to get a birth certificate. The SAFE officer does not know if the person is adopted or not, and it does not matter to the SAFE officer. Those are the circumstances in which that occurs.

When a person who is adopted gets an adoption certificate, it is referred to as a birth certificate. When they produce this document, the SAFE officer still will not know that the claimant was adopted. The only reason the SAFE officer would know that is if the claimant themselves told them.

There are two different forms of adoption certificate, as I understand it. The very detailed version, which is not required for this process, indicates near the bottom of the document that it is issued under the Adoption Act 2010. The shorter version of the document, which is perfectly sufficient, does not say that. Consequently, it depends on what document the claimant produces.

In addition to that, a person who is getting a birth certificate for the purposes of SAFE registration is not required to get the long-form version of their birth certificate. They are also not required to pay the full cost of this form. The cost of a birth certificate for SAFE registration purposes is €1. If they say they are getting it for this purpose then they will be given it for this price. The Department will never know whether or not somebody is adopted.

(Interruptions).

Like anyone else, adopted people appear with the information and documents that they have been told are required. They bring in a short version of their birth certificate. They are told at that point that this document is not acceptable, and that they need to get the long version of their birth certificate. As I stated in my opening remarks, 40% of adopted people do not know they are adopted. They must then try to find that other information and get the long versions of their birth certificate. Why is the short version of the document not accepted in those situations? This system puts them in very difficult situations. There have been very high-profile cases where people felt like second-class citizens within their own State because of their adopted status.

I thank Deputy Brady and call Mr. Duggan.

Mr. Tim Duggan

The public service identity dataset has a whole load of data elements in it and each of those has to be verified to bring somebody to SAFE 2 level. One of those is the former surname of the mother. As far as I am aware, that is not on the short version of the certificate. That is why, on occasion, the long certificate is required. It is to verify that data element. The same applies if a person is applying for, let us say, a passport. It is unusual that it would only occur once in a person's life. It means that they have not been through the passport process either but if they had, they would probably have to do the same thing.

As I said twice already, 40% of adopted people do not know their status. They do not know they were adopted. The logic does not follow that those people do not carry a passport because clearly the vast majority of people do. I think there are double standards at play here. Unfortunately, adopted people feel like second-class citizens and that they are discriminated against when it comes to accessing this information. A lot of people do not want to go and get their adoption certificate. They are happy with their current family situation and status and they do not want to get the details. Some do, and that is fine, but people are being forced into an area where they do not want to go.

A necessary and proportionate test is relevant here as well.

Mr. Tim Duggan

Deputy Joan Collins has gone so I will wait until she returns to respond to her question.

Senator Nash spoke about the activation issue. The Department had never planned to put in place the process he mentioned. Consequently, it had arranged for a helpdesk facility to be put in place for about half a million minutes. That was primarily to deal with people who had queries about the public services card, PSC, or about the SAFE 2 registration process. That was a reasonable estimate at the time of the level of cover that would be needed. The then Data Protection Commissioner, having looked at the project, felt that as an additional safeguard when public services cards were posted to individuals, it would be an additional protection if people were to phone back in and confirm that they had got the card. He asked us to put that process in place. The Department never felt that was necessary because a person validated their address and a couple of days later they were given the card. It would be incredibly unusual for an address to change in that period. Essentially, it would the same as someone renewing motor tax at an address only for him or her to have changed address by the time the certificate got out to them three or four days later. The situation was of that order and, consequently, the Department was not convinced that was a necessary safeguard but as the Data Protection Commissioner of the day requested it the Department put it in place.

I accept what Mr. Duggan is saying, that he never accepted that it was a requirement but he was obligated to do so because of the intervention of the Data Protection Commissioner. It appears to me, however, to be an absolute waste of the Department's resources and staff time for the reasons I outlined earlier. Nobody's card was invalidated because he or she did not contact the Department so therefore we can safely conclude that it was a waste of €2 million.

Mr. Tim Duggan

I suppose it depends on one's perspective. We were confident that because of the very quick turnaround in the delivery and the fact that the card has a photo on it anyway, the likelihood of anything untoward occurring was incredibly minimal but the then Data Protection Commissioner felt it was a useful additional safeguard to have.

I raised the prospect in my earlier contribution about a number of people who are walking around with the wrong card in their pocket. It may happen. There is no system that I am aware of that can provide 100% assurance and reliability that the card would get to everybody safely. Has the Department carried out any risk analysis? Has everybody who was due to receive a card received the correct card? Is the Department dealing with cases whereby people returned cards that were incorrectly sent to them? I would be interested to hear what procedures the Department has in place to address such problems.

Reference was made to the two-day delay before a card goes out but I had mentioned that people have received public services cards who do not recall having engaged actively in any process. That happened in December in particular. Perhaps Mr. Duggan could clarify whether it is one of those circumstances he mentioned earlier?

I thank Senator Higgins.

Mr. Tim Duggan

It is impossible for somebody to get a card without some degree of interaction with the Department. It cannot happen.

It was not interaction with the Department but a request for a public services card.

Mr. Tim Duggan

What does Senator Higgins mean?

For example, somebody may have applied for another payment but may not have actively engaged in the SAFE 2 process.

Mr. Tim Duggan

Does Senator Higgins mean a payment from the Department? If somebody is getting a payment from the Department the likelihood is that he or she will be invited to participate in the SAFE 2 process.

I know PSCs were issued to people who were already in receipt of payments.

Mr. Tim Duggan

No PSCs were issued to people without first engaging with them.

I know the Department would engage with people but were any PSCs issued without people having known that they were engaging in the SAFE 2 process?

Mr. Tim Duggan

No, it is impossible that it would happen.

Deputy Joan Collins is back.

I asked a question about the reliability of the process, in other words, that all cards issued by the Department are correctly held by those who are supposed to have them. Has the Department engaged in a process to ensure that is the case? I accept that there will never be 100% reliability for any system. Sometimes cards may be sent out incorrectly and people may not return them. That is the point I am trying to make. I accept that it would be in a minority of cases but a card could be sent to a valid address but the person has moved in the meantime and somebody else gets the card and does not send it back. What happens then?

Mr. Tim Duggan

Two things. First, we notice customers are not shy, so if somebody who goes through the process does not get a card he or she is quick to tell us and we can investigate that. To be honest, it does not happen very often, rarely in fact.

The second thing is if someone reports that a card has not arrived we immediately revoke it on our system. We do not go looking for it and try to find out where it went, we immediately revoke it. It is highly unlikely to be occurring because we are getting very few complaints from people. The issue has rarely arisen. In fact, I struggle to think of an example.

Could Mr. Duggan address the issues raised by Deputy Joan Collins about access to services? She has not got her card.

Mr. Tim Duggan

The first question was about being troublesome and turning up at the post office without a card and needing a payment. It is not mandatory for a social welfare customer receiving payment at a post office to present a public services card but we would prefer that people presented them to access their payment. If they do not use the public services card, or if they do not yet have one - we have customers who do not yet have one because we are in a roll-out programme and we have not reached everybody yet - we have a protocol with An Post whereby a person presents his or her social services card and some form of photographic ID.

There is a protocol for dealing with that. The alternative to that is that the post office personnel are able to testify to the identity of the person through familiarity and knowing them for years but we want them to have the social services card because that is their record on the system for An Post personnel to pay them.

As for what it stops one from accessing if one does not have a social services card, the whole point is not the card but one's identity being verified to a substantial level of assurance. The card proves that. What public bodies do, including my own, is say that in shorthand, which is that one needs a card for this, but what they really mean is that one needs one's identity verified to a substantial level of assurance and the way one proves that is by presenting one's card. It is the easiest way to do that. Otherwise, both the person in question and us must go to a lot of trouble to make sure the person's identity is verified to a substantial level of assurance.

I said we have processes for doing that. Other organisations have different views and use their regulations where they can specify precisely the documentation they require to provide their services. Some have said they want the public services card because it is the best and only way they are willing to accept that someone's identity is verified to a substantial level of assurance. It is possible, therefore, that in those instances a person may not be able to access those services.

We have set out in the comprehensive guide, which I can read for members if-----

No. Mr. Duggan need not do that. We are coming close to a conclusion. We are near the voting bloc and there are one or two issues to be raised. I call Deputy O'Dea and ask him to be very brief.

To get back to basics, as I understand it, under the old system, before the advent of the card, someone goes through a SAFE 2 process. If they are looking for something they produce the information required under the SAFE 2, which is outlined. Mr. Duggan was just about to read it out. Under the current system, however, if one applies for something, one goes through the SAFE 2 process and automatically gets issued with a card. It is the card that triggers the sharing of information with other public bodies, so the information was shared with other public bodies before the advent of the card.

Mr. Tim Duggan

Right. The information that is shared is the basic public service identity dataset - name, address, date of birth and place of birth. That has existed since the 1970s, and probably before that, but the PPS-RSI number came into vogue in the 1970s, and that information-----

The photograph is new.

Senator, please.

Mr. Tim Duggan

That information has always been available to all bodies that are entitled to use the PPS number and it has been shared. Even if we took the card away and even if we did not have the SAFE process, that would still be happening and was happening in advance of this being done. The only addition since SAFE came into play is what the Senator said, namely, the photograph and the signature are now part of the public service identity dataset. They were not prior to that, but they were being collected for public services purposes by the Passport Office and the driver licence office.

With the SAFE 2 process now people automatically get a card. They do not have to look for one but if they are applying for something else, they do not necessarily have to use the card once they can produce the SAFE 2 information.

Mr. Tim Duggan

How would someone do that?

How did they do it before the advent of the card?

Mr. Tim Duggan

They did not.

They have to have the card.

No. The SAFE 2 standards refer to photographic-----

Colleagues, we are coming close to the end and I am very conscious Mr. Lowry has not had an opportunity to speak.

In fairness, I asked a specific question and it was not answered.

Very briefly. The Deputy has spoken a number of times.

I raised the case of an old age pensioner having her payment suspended for 18 months because of her legitimate refusal to get a public services card, PSC. I asked about the number of other individuals who have had their payment suspended, curtailed or cut because of their legitimate refusal to get one, due to legal concerns about the card.

Does Mr. Duggan have that information with him?

Mr. Tim Duggan

It is very difficult to answer that because it is an incredibly fluid situation. In the case of the vast majority of people who have had payments suspended or entitlements suspended, such as free travel, it is not because they are objecting to the card or because they do not believe there is a legislative base for it or anything like that. For instance, almost 4,300 free travel customers have failed to register to SAFE 2 and have had the travel pass withdrawn. The vast majority of those have never engaged with the Department. Essentially, what is going on in that regard is exactly what went on with my own Dad who is in a nursing home and who will never use free travel again, so the people who were dealing with his affairs simply did not respond. That is all that is happening in that regard.

We have had approximately 450 cases suspended; the figure moves all the time. Again, the vast majority of those do not engage and essentially disappear from our system. We believe the vast majority of those have gone abroad, so we have few or no cases where people have definitively objected and refused to engage with the SAFE process.

How many people have formally made complaints about the process? Surely Mr. Duggan has that information on people who raised legitimate concerns and whose payments have been stopped because of the concerns around the-----

Mr. Tim Duggan

Very few.

Mr. Tim Duggan

I do not know of-----

Mr. Duggan does not know.

Mr. Tim Duggan

-----any, with the exception of the high-profile case. One.

Mr. Duggan might have a look at that and if there is information on it, he might forward it directly to the committee. I raised it in the Dáil so there should be somebody working on it. Mr. Lowry has been here for a while and I would like to give him an opportunity to comment on any of the issues that were raised.

Mr. Barry Lowry

First, apologies for putting the wrong heading on my opening statement. My invitation arrived on Tuesday afternoon, so I had only a few hours to prepare it and I was using a template. Perhaps that was a Freudian slip, and I will touch on that.

The main area raised for me to address was digital and safety concerns, and the process behind moving Ireland forward in terms of the digital agenda. To be clear, we have looked very carefully at MyGovID and its appropriateness as the single electronic identifier as opposed to other options, including starting again, and it is by far the best value for money to move forward with MyGovID. I believe it will become ever more important in the world of the general data protection regulation, GDPR, because if people choose to make requests online on the data a public service body holds on them, we need to be absolutely certain that they are who they say they are as a data breach situation would occur otherwise. MyGovID gives us a huge degree of protection against that.

In terms of Departments sharing data, I am not a lawyer but I rely on the advice of the Attorney General's office. When any public body is set up by the State to provide a service, its legal standing in being set up to provide that service gives it a right over certain datasets. When Departments share data, they have to abide by the principles of GDPR anyway. They were long established before the regulation came out, so there has to be a demonstration that the data are necessary. There are elements of specificity and proportionality. It has to be time-bound, and there has to be an element of consent. All of those are strengthened by the GDPR.

The data-sharing and governance Bill will help the State comply with the European eGovernment Action Plan 2016-2020 and, more recently, the Tallinn agreement, which is that we should not ask a citizen for information we already hold and record about them. The data-sharing and governance Bill will ensure that sharing among Government bodies takes place but is driven completely by the principles of the GDPR and excludes completely sensitive data.

Mr. Lowry might comment also on the questions I asked in relation to the Data Protection Bill which is currently before the Houses. I refer to the exemptions and the fact that a Minister only need consult with the Office of Data Protection Commissioner. As we have seen in the case of the PSC, when the Data Protection Commissioner has raised concern it was followed with an advertisement campaign rather than with a reduction in concern. I also asked about the current data sharing arrangements between DPER and the Office of Data Protection Commissioner.

We must bring this to a conclusion.

Those are my questions and they were not answered at all.

Mr. Barry Lowry

It is important to record that the Data Protection Bill is being taken forward by the Department of Justice and Equality. It would be inappropriate for me to answer a question that maybe the Department of Justice and Equality would prefer to have directed to it in writing. I can certainly give Senator Higgins an opinion but the Senator is asking a specific question and the Department of Justice and Equality should be asked to answer that.

In the current data sharing-----

Senator, I am afraid-----

I am sorry, I had one question.

Very briefly. Senator Higgins has had several questions.

Concerns have been expressed that there are gaps in the current data sharing agreements between DPER, that is, Mr. Lowry's Department, and the Department of Employment Affairs and Social Protection. The Department of Public Expenditure and Reform is also encouraging the roll-out to public services despite the Office of the Data Protection Commissioner's concerns.

Mr. Barry Lowry

In terms of the single customer view database, the role of DPER - it is my own office, the Office of the Government Chief Information Officer - is as data processor. We do nothing with the data itself other than collect and process it on behalf of other Departments. Those Departments are all legally bound to only use the data that they are entitled to use.

With respect to the GDPR coming into effect in May, every Department is appointing a data protection officer whose role is to look at how his or her Department uses citizen data, whether there is a legal underpinning of that, whether the data sharing agreements the Department has in place are still appropriate and to take appropriate action.

I thank Mr. Lowry. I am afraid we must conclude at this stage.

Mr. Duggan might send a note to the committee on the specific issue Deputy Brady raised in terms of persons whose payments were suspended. I thank Ms Stack, Ms O'Donnell, Mr. Duggan, Mr. Cox and Mr. Lowry for their attendance today, for their submissions and for their interaction with the committee in trying to address the issues that were raised.

The joint committee adjourned at 12.53 p.m. until 10 a.m. on 8 March 2018.