The Public Services Card

A NUMBER OF specialist companies that make security card prototypes declined to apply for a bumper multi-million euro contract to produce the second generation Public Services Card (PSC) because they felt the process was unfairly slanted towards the company that held the previous tender.

The as-yet unrealised second iteration of the controversial card, which was first introduced in 2012, went out to tender in February of this year for the production of two million new cards.

The PSC has come in for significant criticism from both data protection and privacy advocates in recent times, most notably since plans were announced for the government to expand the card as a prerequisite for accessing all State services in 2017.

The initial tender to produce the card was held by the company Biometric Card Services (BCS), a subsidiary of Bray-based security contractor DLRS.

That entity, which for as-yet unknown reasons renamed itself as Security Card Concepts shortly before the new tender was awarded in May, ended up being the sole bidder (in partnership with Idemia, a subsidiary of Dutch-based company Morpho) for the contract, worth €9.4 million. That is perhaps surprising given the lucrative nature of the tender and the competitive nature of the security technologies field.

Unfair

Two separate companies, working in partnership, wrote to DEASP to complain about the perceived lack of fairness surrounding the tender, and to state categorically that they would not be applying as a result, according to documents released to TheJournal.ie under Freedom of Information.

Part of the letter of complaint from Credit Card Services complaining of an 'unfair advantage' being given to the card's original producer Biometric Card Services

The two are Credit Card Services Limited (CCS), an Irish company based in Clonsilla in west Dublin, which describes itself as “the leading provider of plastic cards and systems in Ireland”, and its would-be partner for the PSC-2 project Gemalto, a Dutch security giant with 15,000 employees and annual revenue in 2017 of €3 billion.

Both submitted detailed correspondence at end March to DEASP using the State’s public procurement portal, Etenders, saying that they would not be applying for the contract and stating the reasons why.

Subsequently, both companies delivered letters to the department reiterating those reasons.

An undated letter from CCS to the department states that it was not in a position to apply due to a “lack of clear guidelines” regarding how the tender should be applied for, the “short lead time for the response given the highly technical requirements”, and “the very short implementation period and associated draconian penalties for any delays”.

That short period “gives any incumbent supplier an unfair advantage”, the company said, the incumbent being Biometric Card Services. It’s unclear what the penalties in question were.

Gemalto, meanwhile, submitted a similar letter to the department on 26 April via Etenders, stating that the technical requirements the contract would entail (which would have been based on Biometric Card Services' own technology) represented “a level of risk that is unacceptable to Gemalto”.

“Gemalto had intended to bid”, it said, “as we believe we can bring substantial value and benefits” to the department.

The letter from Gemalto, dated 26 April

‘Disappointment’

“It is our belief that the only company with the ability to properly respond and perform under this (tender) is the incumbent,” it added.

Why the tender process should be unfairly geared towards the incumbent contract-holder is not made clear in those submissions.

Two identical responses were sent from the department to both companies on 10 April expressing ‘disappointment’ that the two would not be applying for the PSC contract, but stating firmly that the Department of Social Protection did “not accept” that the timeframes and guidelines were inadequate, nor that they conferred “any advantage, competitive or otherwise, to any contractor”.

The time limit given, 41 days from 16 February to 29 March 2018, “is commensurate with the timeframe used when the original RFT (Request for Tender) for Public Services Cards was published (in 2010),” it said, adding that as far as DEASP was concerned it had “complied with requirements under procurement law”.

If any response was sent to the subsequent correspondence with CCS and Gemalto it was not forthcoming.

Plans to expand the PSC to State services other than social welfare (its original remit was to prevent welfare fraud and ease the process of collecting welfare payments) were announced in May of last year.

Some of those services, such as the idea of making the PSC a mandatory requirement for those applying for a driving licence, have since come unstuck in spectacular fashion.

Biometric data

Plans to make the card mandatory for those applying for passports and, potentially, people who wish to vote in future elections and referenda, are understood to still be live however.

Minister for Social Protection Regina Doherty Source: Leah Farrell/Rollingnews.ie

DEASP claims that about three quarters of the Irish population have a PSC. It likewise claims that about €2.5 million in welfare fraud savings (one of the principal reasons the PSC was introduced in the first place) have been achieved since the card was first introduced, as compared with the €9.4 million value attached to the PSC-2 contract.

The PSC project had cost some €60 million in totality as at end 2017.

Last month it emerged that secretary general of DEASP John McKeon instructed his officials to remove a reference to the collection of biometric data from his department’s new privacy policy, which had been drafted in order to comply with the EU’s General Data Protection Regulation (GDPR). Such a move should have been the preserve of the department’s Data Protection Officer, who was on leave at the time.

The department has consistently argued that no biometric data is contained on the PSC, despite facial photographs being deemed to be such under Article Four of GDPR.

Minister for Social Protection Regina Doherty subsequently stated that the collection of facial imagery for anti-fraud measures by the department is legal.