MAY 2017

Loughlin O’Nolan & Elaine Edwards

TL;DR: The Irish state is building a national identity register with no discussion or debate. Whether this register is being created by accident or design, the lack of debate is alarming. The justifications for doing so are opaque and vague, where justifications can be found at all. This project is proceeding right now, and there is a financial incentive for elements of it to be done as quickly as possible, reducing further the possibility of any discussion. The Department of Public Expenditure has fought to protect records that might reveal what the Data Protection Commissioner has been saying behind the scenes about the project, arguing successfully to the Information Commissioner that it would be contrary to the public interest to disclose them. A department that is processing the personal data of every citizen in the state from birth to death is arguing that it is contrary to the public interest to disclose records about a giant biometric database it has established with no public debate or scrutiny.

Some key interacting issues here are information, consent and trust.

The state should, with some legal exceptions, only acquire, store and process citizens’ personal information with the full informed consent of each citizen.

The state must inform citizens about any plans to use their personal data in any way other than the purpose for which it was acquired. Clear information about these other purposes must be provided at the time and place at which the data is acquired.

Whether legally or illegally obtained, personal data has a long and persistent life and those who control access to it will change.

For data protection purposes the state is not a monolithic entity. If one department intends to share personal data with another, it must inform citizens fully about this when it collects this data.

Informed consent such as this leads to trust and empowered decision making by individuals. Citizens can choose whether they wish to trust the state with their personal data, in which context and for how long.

In addition to this the government and a range of public bodies have fairly extensive powers to demand personal data from other bodies without consent, where the individual involved might never be aware of it and doesn’t have to give consent.

The various state bodies involved have to earn trust from citizens. In order to earn trust, full information about uses and safeguards around personal data must be provided.

If the state seeks to short-circuit this relationship built upon trust by forcing people unwittingly or unwillingly onto the register, citizens will suspect the state cannot give enough assurances that the state is a trustworthy guardian of their personal data.

Privacy campaigners have expressed concern that a plan by the Government to make all citizens applying for a passport and a driving licence first obtain a State-issued public services card represents the introduction of a “national ID card by stealth”. Minister for Public Expenditure and Reform Paschal Donohoe confirmed that all passport applicants will be required to have a Public Services Card (PSC) from the autumn, although he insisted it “is not and will not be” compulsory for citizens to get the card.

Not calling the Public Services Card an identity card is the thinnest of rhetorical cover and it is surprising that this has gone on mostly unquestioned for several years until it hit the front page of the Irish Times last Monday. If the state wants to introduce a national identity card it should let citizens know and make its arguments as to why it feels this is necessary.

Responding to the Irish Times story, former justice minister and current Senator Michael McDowell said he has always been opposed to national identity cards and remains so.

The executive director of the Irish Council for Civil Liberties Liam Herrick said that the government should “propose such a measure through primary legislation and facilitate a national debate on such a measure”.

“In such a debate ICCL would argue that ID cards are an ineffective, expensive and intrusive mechanism to advance the stated public policy objectives. We note that plans to introduce a national ID card system in the UK were abandoned in 2010 for these reasons”. Dr. Dennis Jennings, the only Irish inductee into the Internet Hall of Fame and the closest thing Ireland has to a Tim Berners-Lee, was before the joint Oireachtas Committee on Finance on Tuesday and was scathing in his criticism of the way the state is going about introducing the Public Services Card. The current situation where the Department of Public Expenditure and Reform is trying to introduce 3 million Public Services Card, using data sharing from multiple sources under the provisions of a very old and out-of-date (from a privacy perspective) Social Welfare legislation is, I think, truly shocking, and a gross breach of this principle and of the trust that is required.

Just A Spoonful Of Coercion

Various forms of coercion, such as designation of the application process for identity documents issued by UK ministers (eg passports), are an option to stimulate applications in a manageable way. There are advantages to designation of documents associated with particular target groups, eg young people applying for their first driving licence.

In January 2008 a UK Home Office document titled ‘Options for Analysis’ was leaked to the Sunday People . It discussed options for increasing registrations for the national ID card, including some forms of what were called “coercion”. The Home Office was careful to stress that “universal compulsion should not be used unless absolutely necessary”. Suggested forms of coercion included leveraging existing arms of government which many citizens could not avoid interacting with, such as those responsible for issuing existing identity documents like passports and driving licences.

Responding to the leaked document, Shami Chakrabarti, director of the human rights group Liberty, said: “So much for a voluntary scheme … compulsion is the ultimate ambition of this scheme and it can be achieved by stealth without the need for further parliamentary debate.”

On the 5th May 2017 the Road Safety Authority of Ireland announced that from June 2017 onward all those presenting themselves for the mandatory theory test would have to be in possession of a Public Services Card.

all theory test candidates will need to have a Public services card to book their theory test or CPC case study test. The Public Services Card is also an ID requirement at the centres from the 17 June onwards.

Source: ‘Public Services Card (PSC) ID Policy’, theorytest.ie

Does “young people applying for their first driving licence” ring any bells?

A lesson clearly learned by the Irish state from the failed attempt to introduce identity cards in the UK between 2004 up until the scheme was scrapped was to maintain at all times and at all costs that the card was voluntary, while simultaneously introducing it into situations and interactions which required identification and subsequently insisting that it was the only form of identification that was acceptable.

From later this year it will not be possible to apply for a passport without having a Public Services Card. Up until now a passport was accepted as the primary form of identity authentication issued by the Irish state. This change downgrades the passport for reasons that have not been made clear.

Another lesson learned from the UK debacle seems to have been to avoid at all costs calling the tangible manifestation of the identity register an identity card, despite it being used as such.

The Card Itself

In December 2009 the Department of Social Protection signed a contract with a manufacturer to produce three million cards. Why the department settled on a figure of three million in a country with a population of far more than that is a mystery. After some stops and starts over the years, this contract is due to finish either when three million cards are produced or at the end of the calendar year 2017. If three million cards are not produced by the end of 2017 the department will still have to stump up for the balance of the cards not issued.

The 2016 contract provides for an advance payment by DSP in January 2017 of 50% of the cost of the outstanding balance of 3 million cards. The cost of cards produced in 2017 is to be deducted in full from the advance. Also, should the target of 3 million cards not be reached by the end of 2017, the cost of the cards not produced will become payable in full.

Source: Comptroller & Auditor General’s report, 10.28

Low Risk Customers

The 2012 Department of Social Protection Annual Report describes how issuing the Public Service Cards nationwide in bulk began in earnest this year. “The majority of cards issued were to the Department’s customers on the Jobseeker and One Parent Family Payment schemes.” These customers went through what the civil service calls its SAFE registration functionality, which involves a face-to-face interview with a department official to confirm the customer is who they say they are.

The department also notes in the 2012 report that it has opened communications with what it terms “low risk customers” with a view to issuing the Free Travel Variant of the Public Services Card to them in 2013 through a ‘reduced registration’ process using data held by the Passport Office.

The 2013 Annual Report describes this as a “postal registration process”, since consent to use the data held by the Passport Office had to be acquired in writing. Over 100,000 of these low risk customers had been issued with Public Services Cards by the end of 2013 without any face-to-face interview.

So, to phrase that in a slightly different way, by the end of 2012 department officials had divided their customers into at least two groups when it came to overtures and approaches to be made about Public Services Cards. In 2013 department officials issued cards in entirely different ways and with entirely different levels of verification to these groups.

That officials in this department have started profiling and categorising their customers into tiers of risk like this based on no published criteria is alarming. This is precisely why the creation of – and continued access to – a biometric database of all citizens by this department should not be carried out in the shadows, as is presently the case.

Countdown To The End Of The Year

Based on Minister Varadkar’s assertion in April that by then the Department of Social Protection had issued more than 2.5 million Public Service Cards, that still leaves them in a bit of a tight spot if they want to hit their target. We’re looking at between 1,500 and 2,000 registrations per day, every day until the end of the year. That doesn’t take account of weekends, bank holidays or days when the roving mobile bands of card enforcers might get lost.

As an aside, one can’t help wondering what proportion of the 6,000 staff in the department are currently devoted to ensuring that the numbers in the contract are met, and whether this might be contributing to recent high-profile failures to deliver basic services such as the payment of maternity benefits on time.

In a nation of allegedly garrulous types who love to have a national discussion about anything and everything, this covert introduction of a national identity register is progressing remarkably silently. Could this be because, whether by design or not, the state has slowly extended the requirement of the Public Services card through groups who traditionally don’t have a particularly loud voice in the public sphere?

Unless the bookmakers are wrong Leo Varadkar will shortly become the next Taoiseach. He has recently spoken of positioning Fine Gael as the party of people who get up early in the morning, and of removing the right to strike from certain workers. What might this entail in a state which has granted itself extraordinary access into the private lives of its citizens through such a wide-ranging yet seemingly haphazard data capture, storage and processing regime? There’s a rewarding video at the end of the slideshow below which puts forward a few suggestions.

Resistance To Registers

One of the first controversies of Donald Trump’s presidency was what became known as the Muslim ban. It rumbles on still. Alarmed by Trump’s talk of this immigration ban combined with the heightened aggression of the U.S. Immigration & Customs Enforcement in pursuing and expelling immigrants, a significant number of US technology workers pledged not to participate in or aid any government efforts to create a national register of people that could be used to target individuals by religion or other attributes

As part of the pledge, the individuals promised, among other things, to:

Refuse to participate in the creation of databases that would allow the government to target individuals based on race, religion or national origin

Advocate within their organizations to minimize data collection that would facilitate ethnic or religious targeting

Responsibly destroy high-risk data sets and backups

Resign from their organization if ordered to build such a database

At the time of writing there are over 2,800 signatories.

In the United Kingdom last month the National Union of Teachers passed a motion at their annual conference “condemning the Department for Education’s attempts to record pupils’ nationality and country of birth in the national pupil database (NPD), with delegates told that the details could be passed to the Home Office and police.”

Pupil Registers, Ireland

The Department of Education has made repeated attempts to acquire highly detailed personal information about primary school students to add to its Primary Online Database. The department initially planned to hold this information until the individuals were thirty years old. The department on occasion threatened to withdraw funding from schools which did not comply with these requests.

This information included

First and second names

PPS number

Mother’s maiden name

Date of Birth and gender

Full address

Mother tongue

Ethnicity

Religion

Irish language exemptions

Enrolment date, teacher / class details

Previous school / pre-primary education

Learning support details

Simon McGarr and some alarmed and determined parents fought a long and tedious battle with the Department of Education over the legality of this Primary Online Database which wound its way through refusals of Freedom of Information requests, abrupt changes to the terms for which information would be held and an intriguing attempt by the department to claim that the Data Protection Commissioner’s office had approved the entire thing (that’s not what the Data Protection Commissioner’s office does.) Some highlights are below and you can read more in Simon’s archive of the whole (as yet unfinished) affair.





If you prefer listening, the first episode of Rossa McMahon’s Adventures in Information podcast was devoted to the POD saga. There are plenty of links to more reading on the podcast page as well.

Health Identifiers, Ireland

Late last year the HSE proudly announced that Ireland’s first digital baby had been born in Cork

This child was assigned an Individual Health Identifier at birth. The health identifier contains the following information

Forename

Surname

Place of birth

PPSN

All former names

Date of birth

Mother’s maiden name

Signature

Address

Photograph

Sex

Date of death

Nationality

The identifier appears to be a unique identifier that identifies not just the baby, but the baby and the mother together. This is problematic, considering the identifier is supposed to stay with the child (and therefore the mother, presumably) for life. This raises all kinds of concerns for privacy issues in the future.

The list above of data associated with the IHI is taken from a presentation given by the HSE’s Chief Information Officer in Malta on the 11th May 2017. How the HSE plans to extract signatures from newborns is unclear.

That same CIO, Richard Corbridge, told the Dail Committee on the Future of Healthcare in September 2016 that the Departments of Health and Social Protection were working together to see if they could combine their identifiers and put them onto the Public Services Card.

Richard Corbridge: One plan through which the Department of Health is working with the Department of Social Protection is on how the individual health identifier can be on that same card, that is, how in the future that number and code could be part of that same identity and dataset. It is a discussion between the Department of Health and the Department of Social Protection about how to make that happen. It makes complete logical sense to do it; the Deputy is absolutely right to say that.

When We Were PIIGS

Despite a brief credit-fuelled delusion in the 00s, Ireland is not an especially wealthy country when compared to many of our Western European neighbours. In the UK – a wealthier countrier than Ireland with a much more robust healthcare system – a scandal broke recently when it was revealed that an arm of Google had been granted access to 1.6 million citizen’s medical records on an “inappropriate legal basis”. Italy, one of our former partners in the PIIGS grouping has just handed over all its citizens’ health information to IBM for apparently very close to nothing at all.

Every prescription, every clinical record, each patient’s entire diagnostic history, all the data in the Substance Rehab Agency archives, each and every Emergency Room case, each and every appointment with a specialist. And of course all genetic data.

Personal health data, or any other personal data for that matter, is not a state’s property to trade and barter with without consultation with the owner of that data, the citizen.

When he was before the Future of Healthcare Committee Mr. Corbridge occasionally addressed the issue of cost. When discussing the eHealth Ireland Ecosystem Corbridge said “some of the biggest digital organisations globally, which come and provide assistance – not at cost – to make sure we can learn from other jurisdictions and keep driving forward in how we do this.” Organisations such as Microsoft, Oracle and IBM rarely provide assistance “not at cost” without expecting something in return, as can be seen in the Italian example above.

This All Adds Up

In this new data-driven Ireland as envisaged by these government departments a newborn child is assigned a health identifier at birth, which the HSE would like to attach to the Public Services Card. When these children go to primary school additional personal data is captured which would have been kept for thirty years if the Department of Education had had its way. The Department of Social Protection is doing its darnedest to sign up secondary school students for the Public Services Card- “an initiative has commenced to roll-out to all transition year students in the 2016/2017 school year.” There is nothing to be found on how consent is being obtained for taking biometric images of students, some of whom are presumably under the age of sixteen, for this national database. Or even whether consent is being sought from parents and guardians or from the teenagers themselves.No new applicants for a driving licence or a passport can acquire one of these perfectly good forms of identification without being placed on the register that lurks behind the bland facade of the card.

All the departments involved in these separate projects have been evasive and / or fantastical (see tweets below) in their justifications and legal bases for collecting the data. They have been unclear about which uses the data may be put to in the future.

What’s behind the card?

It’s not the issuance of a piece of plastic which can be used by a citizen to identify themselves to state and other authorities, it’s the register that lurks behind the card which is of concern. The future uses to which it can be put and the changes in the relationship between state and citizen when the state grants itself these awesome powers without debate.

On a recent trip to Dublin the UN Special Rapporteur on privacy Professor Joe Cannataci asked the audience if they trusted the Irish government with their personal data. Nobody raised a hand. Cannataci smiled. He told the audience he asks that question in every country he visits and the answer is always the same.

For private sector services such as those provided by Facebook and Google which flourish by acquiring and mining personal data, the ability to opt-out and not use the service, however impractical, always exists. This is not the case for public services.

As an example, only the naive would assume it hadn’t crossed the mind of someone somewhere in a government building during the Irish Water saga how ideal it would be to match the identities of people who hadn’t paid their water bill with any benefits they were receiving from the state and withdraw these until the water bill was paid. Just a little coercion can go a long way when the tools are made available.

Some Closing Thoughts

The onus is on the state to explain, clearly and simply, why it is issuing Public Services Cards in this manner. What are the benefits to citizens? What are the future uses to which this national register will be put? What limitations and access controls are in place now? As the scope of services linked to the card creeps ever wider, what reviews of these limitations and controls are planned?

Minister Varadkar said last month that the project would be completed by the end of 2017 – “the project is on schedule to be completed within the 4-5 year period originally envisaged for its duration”. So the targets will be met. So eager are the Department to make sure they get the most out of their contract with the card manufacturer that they have deployed mobile Public Services Card registration units. Haring around the country hoovering up personal data. A crack registration team rattling down the highways, byways and boreens of our fair land, mad for personal data.

This makes no sense though. As the Public Services Card is now to be a requirement for any citizen who wishes to sit a driving test or travel outside the state the project cannot just end as 2017 ends. It is a fallacy to even describe it as a project. Well planned and managed projects by definition usually have a clear beginning and end.

The European General Data Protection Regulation which comes into force next year is very strong on encouraging cultural change within organisations which hold and process personal data. This applies at every level of an organisation and every stage of a project which might acquire, hold and process personal or sensitive data.

Privacy by design applies to the planning phase of a project even more so than the implementation phase. It does not solely refer to providing notification to citizens and customers at the points where information is gathered. Senior decision makers who are responsible for initiating these projects are required to assess these projects for the privacy ramifications before they begin. Privacy Impact Assessments must be carried out before work commences and not, as seems to have been the case with several of these ongoing projects as an afterthought because someone dimly remembered reading about it being a requirement.

The Road Safety Authority has indicated that it hopes to have access to aspects of the public service identity dataset later this year. It says a decision will be taken at that stage “in relation to the requirement for a PIA”. This is too little, too late. Asked what the legal basis was for its requirement that applicants produce a Public Services Card it said: “The requirement is on foot of a Government decision.” A government decision is not a legal basis for any such potentially privacy intrusive measures where people are effectively forced to register on a facial recognition database.

When citizens’ data protection and privacy rights are to be set aside, this may only be done with a legal basis and must be both necessary and proportionate in a democratic society. Neither the two main government ministers pushing this card nor their departments – or indeed the government – have made any proper, coherent case to the public for introducing this card other than that it is “handy” for obtaining public services.

So what assurances can the state give that privacy is being baked into the initiation decisions taken on future data projects?

Finally …

If you’re concerned about this mostly unsupervised creeping state surveillance, do drop your elected representatives a line and ask them to ask the relevant Ministers if they can provide more clarity on the plans for this national identity register. Remind them that privacy is a fundamental right laid out in the European Convention of Human Rights.

Article 8 – Right to respect for private and family life 1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The right to privacy and the right to the protection of personal data are also enshrined in separate articles in the EU Charter of Fundamental Rights.

Article 7 – Respect for private and family life 1. Everyone has the right to respect for his or her private and family life, home and communications. Article 8 – Protection of personal data 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.

Links and Referenced Documents