Wednesday, 25 September 2019

Questions (1)

Willie O'Dea


1. Deputy Willie O'Dea asked the Minister for Employment Affairs and Social Protection her plans to challenge the findings of the report from the Data Protection Commission on the subject of the public services card; and if she will make a statement on the matter. [38825/19]

View answer

Oral answers (14 contributions) (Question to Employment)

I realise that we are having a debate later this afternoon on the public services card. I want to get a preliminary view on the Government's current thinking on the matter and on where we are.

The public services card, PSC, was provided for in legislation in 1998 when it was introduced alongside the personal public service number, PPSN to replace the previous revenue and social insurance, RSI, number and the social service card, SSC. The clear and stated objective, as articulated in Oireachtas at that time, was that the public services card was not to be confined to welfare services, as has been reported in recent weeks, but to act as an identifier for access to a broad range of public services. Successive Governments have reaffirmed this policy both in Government decisions and through legislation. The Attorney General’s office advises that the legislation is clear and provides a strong basis for the existing and continued use of the PSC across the public service.

The PSC provides citizens with the convenience of having to submit information only once to verify their identity. As an example, about 70,000 people use the PSC to apply for passports each year; we pay more than 600,000 people approximately €150 million through our post offices each week using the PSC as the identifier in each case; 600,000 free travel journeys are made using the PSC each week; about 400,000 PSC users use the MyGovID service to access online services with the Revenue Commissioners, Student Universal Support Ireland, SUSI, the National Driving Licence Service, NDLS, welfare and, shortly, the national childcare scheme, NCS.

The PSC has strong public support, and approaching 90% of the adult population hold a PSC. Research indicates that they overwhelmingly value the card, are fully aware of and agree to the sharing of data required to enable its use across the public service, believe they have more than enough information about the purposes of the card, understand why their data is being retained, and do not object to their data being retained.

In October 2017, the Data Protection Commission, DPC, commenced an investigation into the SAFE PSC process and delivered its final report to the Department on 15 August 2019. On 17 September, the Department published the report of the DPC together with a summary of its own response to the findings of the report, and related correspondence between it and the DPC.

Additional information not given on the floor of the House

As stated earlier this month, the Minister for Public Expenditure and Reform, Deputy Donohoe, and I informed Government that we were satisfied that the processing of personal data related to the PSC does, in fact, have a strong legal basis, that the retention of data is lawful, and that the information provided to users does satisfy the requirements of transparency. This opinion was arrived at following very careful consideration both of the report and of the strong legal advice of the Attorney General’s office.

The DPC had requested that the Department implement a number of actions on foot of the publication of its statement on Friday, 16 August, within a very short timeframe. Based on the strong legal advice received, however, we believe that it would be inappropriate, and potentially unlawful, to withdraw or modify the use of the PSC or the data processes that underpin it, as has been requested by the DPC.

The Department sought to meet the DPC on two occasions since receipt of the report with a view to outlining the basis for its conclusions and seeking to clarify a number of matters of concern relating to inconsistencies both within the DPC's report and between the report and the accompanying letter from the DPC. The request for a meeting was declined on both occasions.

The Department wrote to the DPC to advise it of the decisions taken and understands that the DPC is in the process of preparing an enforcement notice. To date, the DPC has not issued an enforcement notice. On receipt, the Department will consider the scope and terms of the enforcement notice and respond appropriately at that time. It should be noted that the findings in the DPC report do not have the force of law until such time as they are formalised in an enforcement notice. In the meantime, the Department will continue to conduct SAFE registration and issue PSCs. It will also retain the supporting documentation collected as part of the SAFE process. The reason for this is that it is not sufficient, in the case of a dispute over any decision, simply to record that decision was taken. It is also necessary to produce the documentation on which the decision was grounded. Other bodies, for example, credit unions, public utilities and banks, similarly retain documentation submitted in support of applications for their services for as long as the person concerned is a customer of their organisations.

My Department is committed to ensuring that data relating to individuals are securely held and used only for relevant business purposes. The Department’s commitment to safeguarding data is reflected in its use of advanced data processing and storage technology hosted in secure, State owned and operated data centres, and is reinforced by a range of legislative and administrative provisions that are designed to protect the rights and interests of individuals. Neither the PSC nor the underlying public service identity dataset contains any information relating to the holder’s use of public services.

The Social Welfare Consolidation Act 2005, as amended, restricts the sharing and use of the public service identity, PSI, data to a number of specified bodies set out in Schedule 5 to that Act and only relating to a transaction a person has with that specified body. It is important to note, contrary to statements by some commentators, that the sharing of the PSI dataset does not involve sharing information regarding use of public services.

A person is required to undertake a SAFE 2 registration process only once. When the PSC reaches its expiry date, a new photograph is taken to update the new card and the PSI dataset. A person who is SAFE-registered can update the other elements of his or her identity dataset as these change, for example, when changing address. In some of these circumstances a new PSC may also be required. For example, a person reaching the age of 66 will automatically be issued with a new card with the free travel functionality, enabling him or her to avail of free travel on public transport services.

We will come back to the question of the 1998 legislation when we will debate this matter later today. Has the Minister fully read the report of the Data Protection Commission? Will she agree that it is carefully researched, detailed and analytical? On the face of it, it seems extraordinary that the Office of the Attorney General which spent much less time considering it was able to come to a diametrically opposed conclusion. In the circumstances, will the Minister agree that it is only right and proper that we should see the legal advice on which the Government’s position is based? Is there some rule, of which I am not fully aware, that precludes the Government from showing us the legal advice received? It is only fair that we should receive a detailed analysis of how the State’s law officer came to a diametrically opposed conclusion. Is the Minister aware that several public bodies, including the Department of Foreign Affairs and Trade, the Road Safety Authority, and the Department of Children and Youth Affairs, have backed off from demanding an individual be compelled to produce a public services card to avail of services they offer? Does that indicate that they do not have as much faith in the Office of the Attorney General as the Minister appears to have?

I would love to tell the Deputy that I had the pleasure of reading the report on several occasions. However, I am not sure I would describe it as a pleasure. I have, however, read it several times. The Deputy is right that it is a comprehensive document which runs to some 170 pages, plus an annex. It is significantly different by some 40 pages and four findings from the draft report we received a year ago. As the Deputy knows having been a Minister in the Cabinet, the sharing of advice from the Attorney General in the public realm is not an established practice. The Attorney General has advised me and other senior Ministers on this issue. He has been involved in the process since 2017. To suggest they just got together several weeks ago to come up with some response is not a true reflection of the amount of work which went into the submissions, as well as the engagement between the Department of Employment Affairs and Social Protection and the Data Protection Commission. This is a comprehensive report on the back of a compressive review carried out by the Data Protection Commission. As I have said before, I have respect for the office and the individual who holds that office. I respect the position she holds. We just have a different opinion on the set of legal circumstances underpinning the legislation. There is a brief available to the Deputy who has been invited by the Secretary General on several occasions to attend the Department. That offer is still open.

Whatever about the Attorney General, the Taoiseach did not seem to require much time to read it. He stated that even a cursory glance - perhaps while he was in the car travelling between functions - of the different sections, subsections, miscellaneous provisions, etc, would readily lead one to conclude that the Data Protection Commission was completely wrong in its two year’s research. What is the Minister’s position now? Will she accept and follow up on what the Data Protection Commission has recommended and directed? Is she going to allow a situation to occur where she will be dragged to court to do so at further expense to the taxpayer?

We will have the final response from the Minister. She has one minute.

The response is in the written reply I would have read if I had been allowed to do so.

It is not that the Minister was not allowed to do so.

I did not mean by the Leas-Cheann Comhairle.

Those who are preparing briefs know that the time allowed is two minutes, not five.

This is a comprehensive issue.

The Minister has one minute if she wants to read it.

In October 2017 the Data Protection Commission commenced an investigation into the standard authentication framework environment, SAFE, and public services card process. It delivered its final report to the Department on 15 August 2019. On 17 September the Department published the report, together with a summary of its own response to the findings made in the report.

As I stated earlier this month, the Minister for Public Expenditure and Reform, Deputy Donohoe, and I informed the Government that we were satisfied that the processing of personal data related to the public services card did, in fact, have a strong legal basis, that the retention of data was lawful and that the information provided for users did satisfy the requirements of transparency. This opinion was arrived at following careful consideration of both the report and the strong legal advice of the Office of the Attorney General.

The Data Protection Commission had requested the Department to implement several actions on foot of the publication of its statement on Friday, 16 August within a short timeframe. However, based on the strong legal advice received, we believe it would be inappropriate, as well as potentially unlawful, to withdraw or modify the use of the public services card or the data processes which underpin it, as requested by the Data Protection Commission.

In short, we will continue to act in the lawful manner we believe we have been acting since 1998.

We are going to court then.