This week saw a mixed response by the State to the Data Protection Commission’s report finding key aspects of the public services card illegal. Minister for Employment Affairs and Social Protection Regina Doherty came out swinging, insisting that her department would not respect the findings in that report unless compelled by the courts to do so. She was backed by Taoiseach Leo Varadkar, who said that “anyone who actually reads the law” would take the same view, presumably suggesting that the Data Protection Commissioner and her legal advisors hadn’t.
But behind the public defiance there was private compliance. Shortly after the report came out, the Department of Foreign Affairs confirmed that it would no longer insist on a PSC for passport applications. The Department of Children and Youth Affairs backed away from plans to require a PSC for the National Childcare Scheme. With the Road Safety Authority having already abandoned the requirement of a PSC for driving licence applications, the overall picture is one of retreat.
The most obvious reason is that other Ministers do not share Doherty’s confidence in her legal position and are worried about enforcement orders and fines against their departments. Varadkar, as a former Minister for Social Protection, faces embarrassment if he is not seen to stand up for the PSC but others aren’t so constrained. Minister for Transport Shane Ross has already said his officials were “vindicated” for expressing doubts about the legal basis for the card and other departments clearly are no longer relying on assurances from the Department of Social Protection.
Risks and goals
But just as important is another factor revealed by the grudging publication of the full report – the PSC in its current form (from 2011 onwards) has been mismanaged from the start and does not offer significant benefits.
The PSC from 2011 onwards has been mismanaged and does not offer significant benefits
In 2016, the Comptroller and Auditor General found that the Department of Social Protection had failed to develop a business case for the PSC, failed to carry out a comprehensive risk evaluation, and failed to set any goals for savings from its introduction. This latest report confirms that these failings have continued.
Consider, for example, the security aspects of the PSC. The report reveals that the contact chip on the front of the card which made it so expensive to produce was introduced without any clear rationale, was never used, and has now been abandoned. In fact, in the case of passport applications, the Department of Foreign Affairs only ever required a photocopy of the PSC, bypassing the security elements altogether. Even the supposedly central requirement of a face-to-face interview before the card was issued was skipped in many cases, with no clear explanation why.
The report also found that the PSC was being used in a way which made it harder rather than easier for citizens to access services by being artificially required where identity verification was not needed. The most remarkable example was in relation to appeals regarding school buses where the DPC noted pointedly that “it is not readily apparent how or why the PSC is now to be introduced as a core requirement of any appeal about a local school transport decision”. This confirms a core criticism of the PSC project – that it was being imposed on services to force uptake of the card rather than for any administrative or individual benefit.
Identity data
Another promise was that the PSC would reduce paperwork for individuals by ensuring that they only had to register details such as their home address once, with that information then being automatically shared and updated between relevant State bodies. The report found this was not happening in any reliable or consistent way, so that individuals were left “in a position where they do not know – and cannot know – what the up-to-date position is in relation to basic personal identity data held about them by the State”.
Certain benefits said to be associated with the PSC are illusory because the infrastructure to unlock them is not in place
As the DPC put it, “this very simple example underscores the fact that certain of the benefits said to be associated with the rollout of the PSC project are, in truth, illusory, because the infrastructure necessary to unlock them is not in place. As a matter of principle, the idea that the project is based on justifications, at least some of which are illusory, is hugely concerning, not least because it means that a large-scale project being rolled out by the State and which, by definition, involves interference with the data protection rights of individual citizens, cannot be said to be founded on a credible and sustainable legal basis.”
Discussion of the report has naturally focused on the question of legality. The lack of a legal basis for almost all aspects of the wider PSC project and the unprecedented refusal by the Minister to accept the findings of the independent regulator are deeply concerning. But even if the requirements of data protection law were met, the report would still be damning for the mismanagement it reveals.
In addition to enforcement by the Data Protection Commission, it is time for a root-and-branch review of the PSC to include accountability for the Department of Employment and Social Protection and the Department of Public Expenditure and Reform for their roles in promoting a costly, ill-thought-out and ultimately illegal project.
Dr TJ McIntyre is an associate professor in the UCD Sutherland School of Law, chair of Digital Rights Ireland and consultant with FP Logue Solicitors