Wednesday, 25 September 2019

Ceisteanna (8)

John Brady

Ceist:

8. Deputy John Brady asked the Minister for Employment Affairs and Social Protection the reason her Department holds onto personal data collected through the public services card application process indefinitely; the way in which data are stored; the person or body that has access to the data; if the data are shared across Departments or other State bodies; and if she will make a statement on the matter. [38803/19]

Amharc ar fhreagra

Oral answers (6 contributions) (Ceist ar Employment)

We will have a broader discussion later this evening on the public services card but my question is about the Department's insistence on retaining indefinitely personal data collected through the SAFE 2 registration process, how the data are stored, who has access to them and if the data are shared across Departments of other State bodies. With due respect, I do not want a response that refers to the Department surveying 1,000 customers who say they are happy with the process. I want facts and direct answers to the questions I have posed.

The reply is the same as the reply to the first question asked by Deputy O'Dea. Given that I read the first half of it into the record, I will read the second half and that might answer the Deputy's questions directly.

The Department will continue to use the SAFE 2 registration process and issue PSCs. It will also retain the supporting documentation collected as part of the SAFE process.

The reason for this is that it is not sufficient, in the case of a dispute over a decision, to simply record that the decision was taken. It is also necessary to be able to produce the documentation on which the decision was grounded. Other bodies, for example, credit unions, public utilities and banks, similarly retain documentation submitted in support of applications for their services for as long as the person concerned is a customer of the organisation. We intend to do the same.

My Department is committed to ensuring that data relating to individuals are securely held and only ever used for the relevant business purposes. The Department’s commitment to safeguarding data is reflected in its use of advanced data processing and storage technology hosted in secure, State-owned and operated data centres and is reinforced by a range of legislative and administrative provisions that are designed to protect the rights and interests of individuals.

Neither the PSC nor the underlying public service identity data set contains any information relating to the holder’s use of public services.

The Social Welfare Consolidation Act 2005, as amended, restricts the sharing and use of the public service identity, PSI, data to a number of specified bodies set out in Schedule 5 to that Act and only in respect of a transaction a person has with that specified body. It is important to note, contrary to statements by some commentators, that the sharing of the PSI data set does not involve sharing information regarding use of public services.

A person is only required to undertake a SAFE 2 registration process once. When the PSC card reaches its expiry date a new photograph is taken to update the new card and the PSI data set. A person who is SAFE 2 registered can update other elements of their identity data set as these change, for example, if the person moves house.

The Minister would admit that the data that are retained are sensitive in nature. There are legitimate concerns in that regard and that is supported by the Data Protection Commissioner in her findings. It certainly does not comply with the data retention principle that data controllers have no basis for collecting or keeping personal data that they do not need just in case a use is found for them at a future date. The Department's response to the Data Protection Commissioner on the blanket retention of data says that the process of satisfying the Minister as to identity is not necessarily complete once the card issues, yet the legislation clearly states that a public services card will not be issued unless the Minister is satisfied as to the identity of the person. It is a nonsensical argument. Numerous bodies, including the Comptroller and Auditor General, have serious concerns about the retention of individuals' personal data. The Minister's response was unsatisfactory so perhaps she will deal with those points.

It is clear that the Deputy and I have a difference of opinion with regard to its use, and I am not going to change his mind here. However, I refer to the four magnificent words he used: "they do not need". The reason we retain the data on the identification of a person's address is that we need them. As I will probably say later this evening, we believe we have a strong legal basis to do what was anticipated back in 1988 and established in the 2005 law, which has been amended a number of times since then by successive Governments. We have a strong legal basis to deliver our mission, which is to give effective public services to people and that they do not have to prove to State services who they are on multiple occasions, as it is done on a once-and-done basis. Regardless of whether the Deputy likes it, people tell us they are very satisfied with the process.

People telling the Minister they are happy with it does not make it lawful. This concerns not just the Data Protection Commissioner.

The Comptroller and Auditor General described the standard authentication framework environment, SAFE, process as a mass registration of the population to a specific standard in a 2015 report. It is not only me, the Data Protection Commissioner or the organisations that have serious concerns about the unlawful retention of people's personal data and how that can be used.

The Minister's response is unsatisfactory. We will follow it up later in the boarder discussion. She keeps citing facts and laws but we have not seen them. I will put a question to her and follow it up later. To follow on from the issue Deputy O'Dea raised, which I raised last week in terms of the advice from the Attorney General, the Taoiseach said last week he had received third party legal advice. The Minister said there is a precedent and reasons the Attorney General's advice cannot be given but there is no reason the third party legal advice cannot be given. The Minister might answer that question as it is critical.

The Deputy seems to think I am hiding something and that there is secret legislation hidden away in a drawer somewhere. All legislation is on the Statute Book for the Deputy or anyone else who wants to go through it. All statements made by successive Ministers when introducing these Bills and the contributions of the Opposition Deputies who were here at the time are available in the Blacks. I invite the Deputy to read them before presenting material that is not factually correct.

The third party advice came from the Attorney General, therefore, it was his office that employed the third party advice. It was to ensure we were not operating in our own little bubble. It is as protected, therefore, as if it was the Attorney General who gave it. The Attorney General secured the advice and he gave us the advice.