A lot of questions have been asked about the government’s Public Services Card Scheme since the story of a pensioner whose pension payments had been withdrawn broke in the Irish Times on Tuesday the 22nd August. Very few answers have been forthcoming to date. Those that have been offered appear to have created more confusion and less clarity, to the extent that one would have to wonder whether that was the intent.
Answers added as we get ’em. Last updated: Sunday 3rd September 2017
On the 24th August the Irish Council for Civil Liberties wrote to the Minister for Finance and Public Expenditure and Reform seeking clarifications regarding the operation of the Public Service Card system.
1. Is it still the Government’s position that the Public Service Card is not mandatory, and that possession of, and application for, the Public Service Card is voluntary?
The Minister for Social Protection Regina Doherty appeared on the radio the following morning and said the cards were mandatory for those wishing to access services from her department. At the same time she insisted the cards were not compulsory.
2. Is it the Government’s position that existing primary forms of identification verification – passport, driving licence etc. – can continue to be used to access all state services and payments? And, if so, will this be communicated to all relevant State agencies?
This has not been addressed.
3. Arising from questions 1 and 2 above, what is the status of the Government Decision, S180/20/10/1789 of 2013 which describes the Public Service Card as the State’s “standard identity verification scheme”?
This has not been addressed.
4. What is the legal status of the set of objectives set out in the Government’s e-Government Strategy 2017-2020, particularly those objectives set out in Annex B to that strategy, which propose to make the Public Service Card the primary identification verification system for a wide range of essential state service?
This has not been addressed.
5. What is the Government’s understanding of the distinction between a “mandatory system” and a “standard identity verification system” which applies to essential services?
This has not been addressed.
On 25th August the Data Protection Commissioner issued a statement. The Commissioner’s office said they had received a commitment from the Department of Social Protection to publish a Frequently Asked Questions document which would provide more clarity about the system to members of the public. The questions would be written by the DPC and the responses by the department.
This FAQ was not published before the Data Protection Commissioner issued a second statement on the 30th August, again mentioning the commitment by the Department of Social Protection to publish the FAQ and adding additional questions. These questions are reproduced in full below.
The Data Protection Commissioner has sought that the Department of Social Protection publish a comprehensive FAQ to fully clarify all of the arrangements, procedures and legislative provisions relating to PSC. The comprehensive list of questions, which the Department of Social Protection has agreed to answer and publish, were provided by the Data Protection Commissioner. The questions included such matters as: How the legislative provisions set out in the relevant Social Welfare Acts, which have been cited to the Data Protection Commissioner as the legal basis for the PSC, provide a robust legal basis for what is now being implemented across the public sector, beyond public services provided by the Department of Social Protection? How is data collected as part of the issuing of a PSC secured? Who can access it? How does the Safe 2 identity verification process interface with the Single Customer View & MyGovID? How it will interface with the published General Scheme of the Data Sharing and Governance Bill? etc.
This FAQ has not been published.
Other questions have arisen since the story broke.
What is the nature of the contract between the department and individual branches tasked with taking data from individuals and loading it onto the system?
If the staff in the branch offices are contractors and not civil servants, who is their employer and are they identified and registered as a data processor with the Data Protection Commissioner?
The minister has talked of state of the art [check this exact quote] Have any penetration tests been carried out on the Public Services Card systems?