Tuesday, 17 September 2019

Questions (6)

Brendan Howlin


6. Deputy Brendan Howlin asked the Taoiseach if he will report on cybersecurity policy in his Department. [29288/19]

View answer

Oral answers (20 contributions) (Question to Taoiseach)

Cybersecurity is not a new concept, nor are the threats associated with it.

However, digital technology now encompasses so many aspects of our day-to-day lives that anything which could disrupt our use of these technologies must be taken more seriously than may have been necessary a few years ago.

This is reflected in the sixth national risk assessment, which was published earlier this year, in which the significance of the risk associated with cybersecurity has been increased since last year.

The introduction of the general data protection regulation a little over a year ago also requires that personal data are "processed in a manner that ensures appropriate security of the personal data".

As is common to many types of business, regardless of their size or the industry within which they operate, my Department is hugely reliant on its information and communications systems. These underpin much of our work.

When IT systems are being designed or considered for use in the Department of the Taoiseach, they are designed and considered in the context of minimising any interruption to the service which they will provide.

This is with a view towards business continuity, disaster recovery and the security of the system.

My Department works with several suppliers that specialise in the areas of cybersecurity and information security. There is also ongoing contact with the computer security incident response team in the National Cyber Security Centre, which provides regular guidance and advice relating to current Internet security alerts and threats.

Preventative measures recommended by the response team are taken seriously and are reviewed when they are received with appropriate action then being taken.

Cybersecurity should not be seen as solely a technical discipline. Building resilience to cyber-based attacks continues to be a challenge for businesses, individuals, the public sector, and society in general.

My Department provides advice and guidance to all staff on reasonably common cybersecurity threats such as phishing and ransomware which may be received through email or through other digital channels.

This is intended to offer guidance while in work but can be applied equally at home, where digital technologies and Internet-connected devices can be just as common, if not more common.

The response to cyber threats continues to be a whole-of-Government challenge with the Department of Communications, Climate Action and Environment leading on the development of a new national cybersecurity strategy. A public consultation took place recently on the development of the new strategy, which will seek to take account of heightened threats, new responsibilities and the need to develop new skills and wider engagement internationally.

Cybersecurity is a major issue for every citizen as well as for the State itself. The Taoiseach indicated to the House previously that the report of the Data Protection Commission on the public services card would be published today despite calls by the Department of Employment Affairs and Social Protection during the summer for it to be suppressed. I am glad that this decision has been arrived at.

The public services card contains highly personal data relating to health information, educational records and, we understand, interactions between State bodies. We also understand from the leaks of the report that the commission has stated that retained documents with personal data must be destroyed. The public has an absolute right to know whether this is actually happening and to have personal data protected.

The determination by the Data Protection Commission must be respected by the Government. This is the important matter that I wish to discuss. We have a Data Protection Commission that will regulate important data, not only for the citizens of this State, but for citizens across the EU, given that so many multinational companies are based in Ireland. It is an important signal that the determination of the commission is fully respected. If it is the point of view - I understand that it might well be - that the broadening of the use of the public services card is a legitimate objective of the Government, surely the right way to move forward is, if it is not covered by current legislation, to introduce amending legislation and seek the sanction of the Houses. That would be a much better way to go than giving encouragement to others who might not like future decisions of the Data Protection Commission and would then be able to cite the Government as a body that took legal challenges.

Instead of simply appealing a report that the Government disagrees with, which would be fine, will it address the essence of the report, that being the lack of a legal underpinning for what the Government is doing, and introduce amending legislation in the House in order to seek the authority of this and the Upper House to achieve the Government's objective?

In a submission to the Committee on Justice and Equality this month, Women's Aid again highlighted the absence of specific cyberharassment or cyberstalking legislation. As the Taoiseach knows, various avenues of criminal and civil law can be used to a limited degree, but they fall well short of what is needed to deal with cyberharassment. Women's Aid suggests that a specific all-encompassing law is needed that enables the courts to assess the various types of cyber offences as a pattern as opposed to having different tactics prosecuted under different Acts.

The Opposition has constructively engaged in this broad area of protecting women and children from online harassment and violence. There are a number of Opposition Bills stuck in the legislative process because Ministers have promised legislation that has yet to appear. Sinn Féin introduced legislation to promote and encourage measures to improve digital safety for all persons, with a specific focus on so-called revenge pornography. My colleague, Deputy Ó Laoghaire, has introduced legislation that provides for a stand-alone office of digital safety commissioner with online safety as its key area of work. Critically, the office would be responsive to the ever-changing landscape of digital safety.

The Taoiseach knows that the Opposition benches will work with the Government on legislation where we share common cause. Cybercrime legislation is needed to give effect to the provisions of the 2001 Council of Europe Convention on Cybercrime, which is not currently provided for in legislation. This legislation has long been promised by the Government and is much needed. We want legislative solutions in place that protect all from online harassment, violence and crime. When will the Minister for Justice and Equality publish the Government's cybercrime Bill?

On the cybersecurity issue, it seems to me from all I have heard from various interests and observations from other countries that Ireland is vulnerable to cybersecurity threats. Will the Taoiseach indicate to the House the strength within our Defence Forces in terms of cybersecurity and their capacity, given their retention and recruitment crisis, to deal with a cybersecurity threat? My information is that there has been some migration of personnel from the military to the civilian departments because the pay there is higher and that, to a certain extent, the capacity within our Defence Forces has been reduced and diluted on a consistent basis in this and other areas of specific expertise that the Army, Naval Service and Air Corps require. Will the Taoiseach comment on this matter and the particular strengths that our Defence Forces have in terms of contributing to Ireland's protections against cybersecurity attacks?

I raised a matter relating to the Data Protection Commission on the Order of Business. There has been an unhealthy response to the commission's report. First, there was a reluctance to publish it early enough during the summer. Second, it was suppressed, although it is being published today. We in this House, including the Executive, need to understand and reflect more on the reasons the Data Protection Commission would issue the kind of report that was issued. Whereas the public services card may be desired and something with which people agree, the Government cannot dictate to the citizens of this country that, just because it thinks the card is a good idea and it will harvest and collect all of their data, their use of the card must be mandatory or compulsory if they want to avail of other services outside of those provided by the Department of Employment Affairs and Social Protection.

On the face of it, it seems that the Government and the Department have acted illegally. Of course, they can challenge that and say that they did not, but I would have preferred a more intelligent discussion around the Data Protection Commission's report instead of a knee-jerk reaction that was more about trying to undermine the commission's judgment and the conclusions of the report and to pour scorn on that office, which raises major concerns in the broader perspective. The modern economy and society are about data and the harvesting of same. We must be extremely careful with the rulebook and legal and regulatory framework that we create for it. The Government cannot just lecture and hector those in the private sector about data. It must also be seen to be acting in accordance with best principles.

I thank the Deputy, but we must give the Taoiseach a chance to respond.

As I informed the House on several occasions in the past hour or two, the report will be published today. The report is being published on the direction of the Minister, Deputy Regina Doherty, notwithstanding the concerns of some of the officials in her Department. It is being published alongside a response from the Department. I think that is a good thing because people only heard one side of the story in August. Being able to see the report as well as the Department's response will, I hope, allow for an intelligent and reasoned discussion about the content of the report and also the Department's response to it. I hope that both will be read and considered together.

To the best of my knowledge, the public services card does not contain any health information, and I do not think it contains any educational information either. The data sent forward are actually quite limited.

It is used for Tusla.

I have always been of the view that the public services card is a good idea. It is a success. It is very popular. We know from surveys of people who have one - I have one - that over 80% of people like it, particularly those who now use it as a free travel pass, elderly people in particular. It is designed to make public services more accessible, for greater efficiency and for removing duplication. It is also designed to reduce fraud, but that was only ever a small part of the project.

In terms of accessing public services more easily, it means that people only have to fill in a form, go to the chemist and get photographs, which need to be signed and stamped by a garda once every seven or eight years.

It has also brought about efficiencies. One does not need a separate travel pass, pension book and social welfare services card because all those things can now be replaced with one card, which is much more efficient. It has been helpful with fraud - not so much detecting fraud but certainly deterring it. We know that the instances of confiscation of false travel passes has gone down dramatically since the public services card travel pass was introduced.

I acknowledge the role of the Labour Party, which ran the project for five years, Deputy Burton having introduced the card and Fianna Fáil having introduced legislation before that.

It has evolved since then.

There is a certain narrative at the moment that this is some sort of Fine Gael, Big Brother-style police state conspiracy. It is not, because Fine Gael has only had control of that Department for approximately three years. The public services card was an all-party effort and debates in the past show that all parties were very much in favour of it.

The concept of the public services card was first launched in 1998. It does exactly what it says on the tin - it is a public services card. It is not only for social welfare services but for public services in general. It is absolutely not an identification card. It is prohibited in law for the gardaí to ask somebody to produce it. The whole point of a national identification card is that police can ask one for it. That has been prohibited in law and neither the Garda nor any private sector body can ask for it. The law contains a schedule of the exact public sector bodies that can ask for and use the card.

What about someone who is trying to get a passport?

It is all in the Social Welfare Consolidation Act 2005. The passport legislation is also covered in the specific legislation. It was always intended to be a public services card and that is why it is called that. That is why the legislation lists all the public service bodies that can use it.

What about if one is trying to get a passport or a Student Universal Support Ireland, SUSI, grant?

The legal advice from the Attorney General and a third party is very strong but if it has to be tested in the courts, so be it. I do not think appealing a judgment or a finding is somehow wrong.

The Government should bring in legislation to deal with the issue.

We do not need to bring in legislation because it is the view of the Attorney General and third party legal advice that the Social Welfare Consolidation Act 2005, as amended, covers the matter.

The statutory authority says otherwise.

To pick up on one other thing, it is not possible for us to appeal the report because it has no legal status or standing. We can only appeal an enforcement order and one has not issued from the Data Protection Commissioner; only a press release has issued.

Did the Attorney General or the Department seek third party legal advice?

The Department did. There was advice from the Department's counsel, the Attorney General and a third party, all of which was in agreement.