I propose to take Questions Nos. 657, 658 and 663 together.
Completion of registration to SAFE Level 2 - which is the process used by my Department to establish and verify a person’s identity to a substantial level of assurance - is the minimum requirement for a Public Services Card (PSC) to issue.
The Department uses facial image matching software to strengthen the SAFE registration process. A standard photograph is captured during this process and is inputted into and stored in the facial image matching software. It is then searched against the Department’s photo database to ensure that the person in the photograph has not already been registered using a different identity.
While the PSC does store a person’s photograph, it does not store the biometric or arithmetic template of that photograph. The collection and printing of a simple JPEG image on the PSC does not, therefore, constitute the collection or processing of special category data, as set out in the GDPR.
To be clear, the photograph in addition to being printed on the PSC, is processed, in a separate process, via facial imaging software to create an arithmetic template which is used to detect potential identity fraud. This arithmetic template is not stored on the PSC, does not form part of the public service identity set and is not shared with any other third party.
My Department’s position is, therefore, that the SAFE2/PSC photo is not itself biometric in nature – it is simply a photograph. My Department is also clear that it does not collect or share biometric data but that it does create such data for its own use, to enable it to carry out its functions in relation to the PSC, as set out in the Social Welfare Consolidation Act 2005. In this context, the Department also acts in accordance with the Data Protection Act 2018 and Article 9 of the GDPR.
Article 9(1) of the GDPR prohibits the processing of special categories of personal data, including biometric data. However, recital (51) of the GDPR provides that the ‘processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person’.
Article 9 (2) of the GDPR sets out exceptions to the prohibition on processing in Article 9(1). These exceptions are further transposed into Irish law by way of the Data Protection Act 2018 and in particular Part 3, Chapter 2 and Part 5 of that Act.
Where the Department makes considerable efforts to authenticate identity, in part through facial matching, this should be regarded as a positive measure which protects an individual’s identity.
It is the Department’s firm view that these measures are necessary, prudential and of benefit to individuals by protecting against identity fraud and theft and that this processing is proportionate to the outcome in ensuring personal data is appropriately protected.
The European Data Protection Supervisor (EDPS) Opinion 7/2018 - referred to by the Deputy - relates to the Proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents. The EDPS is an independent institution of the EU for advising Community institutions, bodies and data subjects on all matters concerning the processing of personal data. The Commission is required - when adopting a legislative Proposal relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data - to consult the EDPS.
In summary, this opinion paper supports the objective of the European Commission to enhance the security standards applicable to identity cards and residence documents. At the same time, the EDPS considers that the Proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints), while the stated purposes could be achieved by a less intrusive approach. It specifically states that "The EDPS understands that using biometric data might be considered as a legitimate anti-fraud measure, but the Proposal does not justify the need to store two types of biometric data for the purposes foreseen in it.
The opinion paper refers on numerous occasions to dactyloscopic/dactyloscopy which is identification by comparison of fingerprints. The Deputy should note that my Department does not collect or store fingerprints.
I hope this clarifies the matter for the Deputy.