The Department of Employment Affairs and Social Protection has said a reference to processing biometric data on individuals included in its new privacy statement was an error and that public services cards do not store biometrics.

The policy, updated in May to reflect the coming into force of new data protection laws, reads that “at times” the data the department may collect includes “data concerning health and biometric data used for the purpose of identification”.

Biometric data is information relating to the physical characteristics of individuals, including their photographs and fingerprints.

Changes to privacy policy

A new contract worth more than €9 million to print up to two million public services cards was awarded in recent days to Security Card Concepts Ltd, which was called Biometric Card Services Ltd until a month ago.

That company had produced over 3 million public services cards under a contract to the department and had been paid €23 million up to last October.

Minister for Social Protection Regina Doherty has repeatedly said – including in the Dáil in May – that the department “does not ask for or collect biometric data from its customers such as fingerprints, retinal scans or any other items that could be listed as biometric data”.

Privacy advocates and civil liberties groups have raised concerns about the card project, saying it amounts to the introduction of a national identity card without proper debate and safeguards. The department said it is not a national identity card.

Contacted by The Irish Times about the new privacy policy, the department said the cards, which have an image a photograph of the holder on the face of them, do not “store” any “biometric or arithmetic template” of that photograph.

It said the “existing privacy statement referred to biometric data in error” and that the error “is being corrected”.

In relation to the so-called SAFE registration process people go through before the issuing of a public services card, the department said it used “facial image matching software to strengthen the SAFE registration process”.

“In addition, the Public Services Card (PSC) which is the physical token provided from SAFE registration does not store biometrics.

“While the card does store the person’s photograph and it appears on the card, it does not store any biometric or arithmetic template of that photograph,” the department said.

It said a standard digital photograph was captured during the registration process and was “inputted into and stored in this facial image matching software”.

“It is then modelled and searched against the department’s photo database to ensure that the person in the photograph has not already been registered using a different personal public service number or a different identity dataset. It is a similar approach to that taken by the Passport Office in its systems when processing passport applications/renewals.”

The department also said none of the equipment or processing involved in the SAFE registration process captured eye scans/iris scans and nor was there any intention to do so.

Under the EU’s General Data Protection Regulation and the new Irish Data Protection Act, biometric data means “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.

The department’s privacy statement was modified on May 24th last, the day before the new regulation came into force and the same day the new Irish Act was signed into law.