THE PUBLIC SERVICES Card may well turn out to be the most expensive administrative error in the history of the State.

Put that statement in the context of the €55 million wasted on e-voting machines, the €220 million wasted on the HSE’s personnel, payroll and related systems (PPARS) software. Not to mention the approximately €300 million in costs and damages paid out to army personnel as a result of an administrative decision to scrimp on hearing protection.

Ironically, the reason the Public Services Card project may top that list is because of the efforts the State has made over the past five years to force, pressure or cajole millions of citizens to get the card.

The State has confirmed that more than three million cards have been issued. The risk now is that if they have – in any way – infringed upon the GDPR rights of citizens in how they have run the Public Service Card database, they will be liable to compensate each and every one of those millions of citizens.

Almost any sum of compensation multiplied by three million would dwarf the State’s other famous administrative errors.

Alarm bells

Nearly 12 months ago, the Irish Council for Civil Liberties and I appeared before the Joint Oireachtas Committee overseeing the DEASP.

It was already clear at that stage that the PSC project had gone well past what was covered by the legislation.

Mr Herrick of the ICCL set out the reasons that the PSC project did not meet the standards required under EU law. The very substantial financial risks the project posed were also highlighted.

We specifically said we were attempting to ‘sound the alarm’ on the risk the State’s obduracy was storing up.

According to Article 82 in the GDPR – the EU’s data protection laws introduced last year.

Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

The lawfulness of the PSC project has been under investigation by the Data Protection Commission since 2017.

In September 2018, the Sunday Times reported that the Commission had found that the legislation which the Department of Social Protection was relying on did not provide a sound legal basis to compel people to have a card to access other public services, apart from welfare payments.

Last week it emerged that the Department has refused an FOI request to reveal key documents related to the Commission’s draft report on its investigation. The Department absurdly cited among its reasons – that revealing what is in the report might be contrary to the public interest.

There can be few instances where it is more acutely in the public interest to reveal whether the State has been acting lawfully or unlawfully – than in the Public Services Card project.

Article 43 of the GDPR confirms specifically that a State authority cannot rely on consent as a basis for processing personal data. Every act of processing must have a legal basis.

Processing personal data- particularly the sensitive personal data, included as part of the Public Service Card database, is a breach of the GDPR if there is no legal basis.

For every instance of unlawful processing, Article 82 of the GDPR triggers a right to compensation.

The State capped the maximum fine that the Data Protection Commission can levy on its bodies at €1 million. But no such cap is possible on the compensation due directly to citizens.

Legal justification

To justify making the Public Services Card mandatory, the Department is relying upon Section 247C of the Social Welfare Acts, which is designed to justify a requirement, to prove a person’s identity, to the satisfaction of the Minister.

Correctly applied, that is a laudable and necessary part of any social welfare system. After all State money is being handed out to individuals and so there must be a method of making sure that the people who should get the money are the ones getting it. There’s no argument about that.

The problem is that this is the sole lawful purpose for which this information can be collected. Once that purpose has been met, there is no lawful basis for further processing of that data.

What is happening, however, is that after people have been required to get a public services card to ‘satisfy the Minister’, the information is then being passed into the single customer view database where it is then shared with approximately 120 to 150 other public agencies and bodies.

That is processing over and above that which is allowed for under the national legislation, quite apart from the limitations that the EU law (GDPR) brought in last year.

We know that the Attorney General has briefed ministers on the legality of some of the data transfers, which have happened, as a result of that sharing.

Papers obtained from the Department of Transport confirm that Minister Shane Ross, on the 9 March 2018, told the Road Safety Authority that, on legal advice, they should cancel their requirement for a PSC to apply for a driving licence.

A transport official said:

I have also been advised (verbally) by the AGO (Attorney General’s Office) that you should give consideration to ‘pulling’ your recently launched advertisement campaign re the use of the card and that delivery, of the required legislation to permit online applications by 30 April, is now seriously in doubt.

Despite being told of the AG’s advice, the RSA continued to process the PSC cards under the same unlawful system for a further five months.

It is this administrative inertia which has continued to embed the project further and further into the State’s relationship with citizens, even while warnings of the risks pile up.

The requirement to justify these flawed decisions, after the fact, is doing real damage to the relationship of trust between the citizen and the State.

We are seeing a battle to simply deny what the law says, rather than face its consequences.

The Minister for Employment and Social Protection has repeatedly been left delivering incoherent denials. During a radio interview, she even claimed that images of people’s faces on the Public Services Card, and in the accompanying database, are not biometric data.

This, despite the fact that Article 4.14 of the GDPR specifically defines biometric data as including ‘facial images’.

We cannot allow the State to continue to assert its own Trumpian ‘alternative facts’ to the law. It’s time to let in the light rather than normalise these administrative manoeuvres in the dark.

What should happen now?

To start with, the rollout of the cards should be stopped until the Data Protection Commission’s report into the project is published, in full, and without delay.

Any attempt to let the State hide its own errors by withholding parts of the Commission’s report, will rob the public of the ability to learn from those mistakes.

If we are not allowed to recognise the patterns of behaviour which lead to e-voting, PPARS and Army Deafness then that list will just continue to grow.

The Public Services Card project involves the personal data of most of the citizens of the country. Now those citizens must ask themselves – can our State be trusted with our data?

Related Read Timeline: The Public Services Card saga

If the State continues to put its own administrative convenience above the legal rights of its citizens, it risks losing their trust and confidence. In those circumstances, the true costs of the Public Services Card project may prove to be more than merely financial.

Simon McGarr is a practising solicitor at McGarr Solicitors and the Director of Data Compliance Europe. See https://datacomplianceeurope. eu