State showing ‘complete immaturity’ on data strategy

The Data Protection Commissioner, Helen Dixon, has accused the government of “complete immaturity” in its data strategy, and said the controversial Public Services Card (PSC) could be in breach of data protection laws.

Dixon has an open investigation into the PSC which began in 2017 after concerns were raised that the government had created a de facto national identity card. A spokesman for the commissioner said the investigation was at an advanced stage.

Speaking at a privacy event in Israel, Dixon said that the government’s strategy “shows a complete immaturity in terms of understanding” the European directive on the issue.

The state was planning to make the card mandatory for access to a range of services, including applying for a driving licence, passport, farm grants and student grants. However, it has since rolled back on some services outside the remit of the Department of Social Protection.

It also planned to use the data stored on the card as part of a new health portal to be established by the HSE.

A video clip of Dixon speaking at a panel on privacy and the digital economy at Tel Aviv University was posted online by organisers of the event last week. It featured strong criticisms of the government and its chief information officer (CIO).

Giving an example of where she claims the state was failing to understand its responsibilities regarding citizens’ privacy, Dixon referred to the PSC as a “national identity card” which the government has denied it is.

When asked to appraise the government’s understanding of data protection she replied “[They] spend a lot of time lecturing me about the great and innovative uses that can be made with personal data, without willing to be accountable.

“I think the government in Ireland has huge leaps forward to make, in terms, first of all, of getting the basics of GDPR correct in various government departments.”

Dixon also repeated her claim that specific legislation was needed to provide transparency to the public regarding how their data is going to be used, which is required under data protection legislation.

“A national identity card has been introduced in Ireland, it is called the Public Services Card,” she said. “It has been introduced in Ireland without any specific underpinning legislation. Twelve pieces of ancient social welfare primary legislation with 71 statutory instruments hanging off them, tied together to produce the legal basis for this public services card.

“The government says: ‘Don’t worry about it, it’s not mandatory’, but it will be necessary to access any service in Ireland. It has a requirement for a high quality photograph on the face of the card that has to be taken on site at the digital agency, and then a centralised biometric template database is stored. So that’s really the situation in Ireland.”

Dixon said Ireland was moving slower technologically in its use of citizen data than other countries, but that it had “an awful lot of ground to catch up in data protection terms”.

The DPC investigation into the PSC began before the general data protection regulation (GDPR) came into force, which means the sanctions available to her are limited.

However, if a breach is found to have been ongoing past the date of GDPR’s enactment in May 2018, an investigation under the directive can be started.

This would give the DPC stronger sanctions against the government, and could lead to individuals taking claims against the state in the courts.

The government has claimed that there is a clear legal basis for the PSC, and three million of the cards have already been issued. The cost of the PSC project to date is €60 million.