State will not learn from Public Services Card fiasco

Net Results: Apart from data abuse, card cost €60m but detected just €2m in welfare fraud

Public Services Card: Pascal Donohoe and Regina Doherty had preliminary copies of the damning Data Protection Commission report a year ago.
Public Services Card: Pascal Donohoe and Regina Doherty had preliminary copies of the damning Data Protection Commission report a year ago.

Last week's sharp statement from the Data Protection Commission showed the Public Services Card (PSC) project was indeed the data-gathering fiasco that critics and privacy campaigners have been saying for years.

The card was envisioned years ago as a limited-use chip-and-pin card to streamline accessing some State benefits (and yet, relevant departments never bothered to invest in the needed chip-and-pin technologies).

But in recent years it bloated into a multidepartment card used for all sorts, from the casual to the critical. You could collect a package from An Post with one. For a time, it was required when applying for a driving permit and, until last week, was needed to get a first-time passport or apply for Irish citizenship.

YetI found even though I needed the PSC to get a passport, and a passport was no longer considered adequate ID for others to get social welfare payments (who had to use the "compulsory but not mandatory" PSC or forfeit their payments), the Road Safety Authority would only accept a passport, but not a PSC, to get a driver's licence.

READ MORE

As public opposition built against the card two years ago, department Ministers and officials rallied around the green piece of plastic. Minister for Social Protection Regina Doherty (she of the "mandatory but not compulsory" statement to RTÉ) was adamant about the benefits of the card, particularly as a tool to counter welfare fraud.

Minister for Public Expenditure Paschal Donohoe also argued for further expansion of the card's uses – no surprise when it has been his own department that has pushed for the card's multidepartment metamorphosis, according to data privacy organisations. In an opinion piece in The Irish Times two years ago, Donohoe came to the conclusion that the PSC was a project which would help "exemplify transparency, confidentiality, integrity, availability and resilience in the management of our citizen data".

Sensitive data

Well, no. The DPC statement has – in a phrase Donohoe's department should appreciate – put paid to that particular conceit.

The card does exactly the opposite, according to the DPC. Without any legal basis, the PSC has been used by other departments to gather sensitive data. That data has been held for periods longer than needed. And then, it turns out there’s no adequate transparency, either: “In terms of transparency . . . the information provided by the department to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate.”

And there’s this: “As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses.”

A key selling point to the public was that the card would curtail welfare fraud, a duplicitous argument that eternally appeals to a segment of the angry middle classes ready to swallow false claims that greater surveillance benefits us all because of those nasty welfare cheats.

But all evidence indicates such fraud is minimal. The Department of Social Welfare’s own estimates are that, in the lifetime of this sorry card, it has caught less than €2 million in welfare overpayments. Meanwhile the card has cost taxpayers more than €60 million to implement. A pretty crappy return on investment.

To address the problems identified by the DPC, expect many more millions to vanish down the PSC black hole.

Donohoe and Doherty

Most worrying is that, so far, Government bodies and many politicians continue with the exact same dismissive and exasperatingly underinformed attitude towards data protection, data privacy and data security that led to this shambles (and others – Ireland's cavalier approach to data retention resulted in a landmark European Court of Justice ruling, five years ago).

With news that Donohoe was briefed on the DPC report a year ago, and that both Donohoe and Doherty possessed a preliminary copy of the full report then, but not only failed to act upon its findings (as if they might evaporate over time) but continued the card’s expansion, serious questions must be asked regarding a political system which chose to ignore its key regulator in this area, rather than engage with any of the most critical findings that affect millions of Irish citizens.

Instead, the Taoiseach has suggested that the way to address all these problems (some, raised by a UN special rapporteur) is to whip up a few new laws to enable the State to move ahead as desired, rather than rethink the card and its myriad problems.

When will the State learn European and national laws are not aspirational, but rather, mandatory? Even compulsory?