The rollout of three million public services cards to citizens using out-of-date welfare legislation from a privacy perspective is "truly shocking and a gross breach" of the trust required between the citizen and State, an Oireachtas committee has heard.
Irish physicist Dr Dennis Jennings told the Joint Oireachtas Committee on Finance that public confidence in the data protections provided by Government systems was required before making an ID system compulsory.
The Government has been issuing public services cards to citizens since 2012, with more than 2.3 million provided to date.
Ministers have confirmed all citizens applying for a passport or a driving licence in the future will be required to have the card, although they insist the card is “not compulsory”.
The card's infrastructure is built on a database controlled by the Department of Social Protection. Citizens may access some State services through the recently launched online portal MyGovID, which is built on the same database.
Dr Jennings, a delegation from the privacy advocacy group Digital Rights Ireland and data protection barrister Dr Denis Kelleher addressed the committee at a session examining the general scheme of the new Data Sharing and Governance Bill.
Dr Jennings, who made a major contribution to the development of the global internet in the 1980s, said current identity mechanisms, including passports, driving licences, medical cards and PPS numbers were all, in his view, “poor substitutes for what is actually required”.
Public confidence
“General buy-in to the use of unique identifiers can and will be achieved by the State offering compelling value propositions, better, faster, slicker, more convenient, more accurate, more efficient services, so that in due course, when public confidence in the data protection provided by the systems has been established, the identification system may be made compulsory,” he said.
Giving citizens access to their own data must be an integral part of it “from the very beginning”.
Data protection consultant Daragh O’Brien said the Bill was a “missed opportunity” to learn from prior experiences.
He said we had seen recent cases where the careless handling of information had resulted “in a fact being created”, and a process put in train, that impacted on the private life of at least one whistleblower.
“We have also seen a constant procession of cases before the Data Protection Commissioner and the courts where data has been accessed inappropriately and without authorisation.”
Dr Kelleher said that to comply with the new EU General Data Protection Regulation, data sharing by the state required a law, he said.
The model used in the proposed Bill was one of memorandums of agreement between government departments.
Vice-chairman of the committee Senator Gerry Horkan (FF) said if the legislation was not fit for purpose as far as the delegation was concerned it should be sent back to the Department of Public Expenditure saying "improve your efforts".