What Paschal Said

at

Then Minister for Public Expenditure and Reform, Paschal Donohoe, at the Public Services Card Centre, D’Olier House in Dublin after he registered for a Public Services Card (PSC) with the Department of Social Protection on September 8, 2016

This morning.

Cianan Brennan, in The Irish Examiner, reports that Public Expenditure Minister Paschal Donohoe was briefed on Data Protection Commissioner Helen Dixon’s interim report on the Public Services Card a year ago.

This is despite him telling RTÉ last Friday that he had been briefed by his officials on the report’s “key points” that morning.

Ms Dixon’s report found that there is no legal basis for anyone to have to present a Public Services Card in respect of any transaction between a person and a public body outside the Department of Employment and Social Protection.

She also ordered that the supporting information that the 3.2 million card holders had to hand over in order to get their card – such as utility bills, proof of ID, etc – and held by the department must now be deleted as it was unlawfully held.

It’s interesting to note comments made by Mr Donohoe after he apparently saw the report:

On September 25, 2018  he said:

“During 2017 and over the course of this year, my Department and the Department of Employment Affairs and Social Protection have worked with a number of specified bodies to integrate the PSC and MyGovID, into their processes in order to improve access to and the security of public services.

“Currently, the PSC and MyGovID underpin access to social welfare entitlements, first time adult passport applications, citizenship applications, Revenue services, SUSI grants, driving licence and driver theory test applications.

During the rest of this year and 2019, access to more public services will be underpinned by the PSC and MyGovID. My Department along with the Department of Employment Affairs and Social Protection is engaging with the relevant Departments to assist with the transition of services in line with the schedule set out in the eGovernment Strategy 2017-2020.”

Also, on October 24, 2018, he told the Dáil:

“I listened to Deputy [Éamon] Ó Cuív’s comments about the need to simplify the tax code and the sharing of information between Departments, which is what underpins the public service cards.

“I agree with his point that if a citizen supplies information to the State, particularly when it is created by the State in the first place and then made available to the citizen, it should not be the case that the citizen must supply the same information to multiple agencies.

“It is a fair point and it is why the work is under way in the SAFE 2 process, where citizens who must provide information to the State receive a single digital identity which, once it is has been provided, is used by the State to ensure information is available to all Departments more quickly than it is now.”

Meanwhile, separately, before Mr Donohoe would have seen the report, on March 22, 2018, Mr Donohoe told the Dáil the following:

“I want to reiterate to the House that we have the highest level of protection in place to ensure that citizens’ information and private data are safe, secure and stored and regulated in accordance with data protection law.

“I am aware of the issues of concern that were raised in the second half of last year. That is why we have published the document I referred to a moment ago on the website of the Department of Employment Affairs and Social Protection.

“It explains to citizens how we are handling the various issues of concern. We have responded, and will continue to respond, to any matters of public concern and any observations or views that the Data Protection Commissioner may have.

“We are dealing with matters of concern for the public, and that is why we have tried to communicate what the benefits are.

At a time when there are such legitimate concerns about how we protect our digital identity and make sure information that people share is securely protected I would have thought that the rationale for the public services card has actually grown rather than been diminished.”

Donohoe was briefed on investigation into public services card last year (Cianan Brennan, The Irish Examiner)

Transcript: Kildarestreet.com

Rollingnews

Previously: Your Card Has Been Declined

House Of Card

27 thoughts on “What Paschal Said

  1. Clampers Outside

    What do we want?

    We must save on govt spending!

    We must stop the PSC card info from being shared between departments!
    .
    .
    .
    Pick one, not both…. surely.

    1. millie vanilly strikes again

      Why does it have to be one or the other? That’s a dreadfully simplistic view to take, Clamps.

        1. Clampers Outside

          There are other ways to save, of course. I am being specific to the situation being discussed, in fairness.

          1. millie vanilly strikes again

            Agreed, but, as in all things in this country, self interest and a lack of transparency will be it’s downfall. I was never wild on it, but I’ll admit to it being useful in my dealings with various govt departments.

  2. Jake38

    Data protection is cited as a reason why we have no unique patient identifier in our health service, unlike many other European countries.

    Just one example of data protection regulations preventing safe, effective, efficient public services. There are no doubt many more. What a farce.

    1. Cian

      The HSE are working on an integrated patient system across all health areas. This is a hugely complex issue – particularly around data protection – and many other European countries have implemented it badly.

    2. Clampers Outside

      Same DP rules apply across Europe. If it can be done abroad it can be done here.

      The issue with the PSC card was that it was open ended in that when you were given one, had one pushed on you, or whatever, it did not come with specifics regarding the use of info. This is why it was a breach of GDPR.

      All that needed be done was to make its use specific and stated and there would be no GDPR regulation broken.

      I just completed a cert in DP&GDPR at WIT and that is my understanding.

      Correct me please, if I am mistaken.

      1. Listrade

        Pretty much. There are other issues with the PSC and legality, but the GDPR was the easiest to pursue. IYou have to explain in full what the data will be used for and the Social Welfare Consolidation Act 2005 doesn’t, it only states “transactions” and leaves it open to possibly every body listed in Schedule 5 from being allowed to process and request you PSC card. Basically every body allowed to ask for PPS number is permited now say you must provide PSC card before they complete any “transaction”.

      2. Commenter #1

        The statement of the Data Protection Commissioner says explicitly that the “findings [were] made by reference to the Data Protection Acts, 1988 and 2003.”, not GDPR, because the scheme and investigation pre-date the introduction of GDPR.

        https://www.dataprotection.ie/en/dpc-statement-matters-pertaining-public-services-card-0

        The DPC found that there was a legal basis for some of the data processing associated with the PSC, but not with loads more. Again, nothing to do with GDPR; these would have been just as lacking in lawful basis in 2004 as they were when the card was introduced.

        1. Listrade

          Ok technically, it was older legislation. However, however very little changed for with GDPR, it was largely they old Data Protection legislation. The same requirement existed for clarity on how data is used and for what purposes.

          Such as CCTV. The requirements are explicitly the same. Tell people there is CCTV. Tell them what you use it for. You cannot use it (legally) outside of those. That is the same under old and GDPR legislation.

          1. Commenter #1

            Correct; I just get annoyed at the constant blaming of things on GDPR when there’s been Data Protection legislation in this country since 1988. Largely similar in a lot of ways, as you say, to the new legislation based on GDPR.

            There’s an impulse to throw up our hands and say “God, GDPR is making it impossible to do our work.” It’s not, it’s just data protection rules haven’t been properly followed for decades and there’s now a greater awareness of the consequences.

    3. Listrade

      Data Protection is used as an excuse, that doesn’t mean it is a reason. The key to the rules on data is in the title “Data Protection”, it is about protecting the data collected not limiting the data you collect.

      Medical and health data can be collected, can be shared (i.e. between services) as long as there is a legitmate reason forr doing so, that there are sufficient protections in place for securing the data and that individuals know exactly how the data will be used and for what purposes.

      Nothing is stopping the HSE from implementing a more efficient system. But there’s plenty stopping them posting out wrong medical files to people, putting an individual’s medical files in the general waste bin when they died, leaving laptops around with details on unecrypted USB sticks.

      1. Cian

        It is hugely complex, and deciding what the limits to data sharing is not easy.

        It is simple to say that your records should private, but where should you draw the line? If we had an integrated system that joined all hospital, health centres, GPs, dentists, pharmacies, ambulance service, … wait – where do you draw the line? Should my acupuncturist get access?

        Some records (probably) should be shared to all – say my blood pressure results. Imagine if any medical practitioner could see a full history of all the times my blood pressure was taken? they could easily know if the current reading is ‘normal’ for me. And could also see if there are any long term changes. Simple.

        What about medication?
        There is a good argument that the medication I’m currently being prescribed should be seen by all. So the ambulance lady knows what I’m currently taking – sounds safe. The pharmacist should probably also see it (to avoid certain combinations of drugs). But wait – what if I go for a new job with a medical – should that doctor see that I’m on anti-depressants? What about historical prescriptions? Does the dentist really need to know that I was prescribed the morning-after pill five years ago?

        Okay, so we could make everything ‘opt-in’. When a surgeon wants to access my records he has to ask me for particular access rights. But what if I’m unconscious? What if I don’t want him to know about the anti-depressants – so say no… but now he doesn’t see the other medications I’m on.

        When you start to look at all the combinations of services involved and the permutations of who should see what – and also layer in taking into account peoples personal preferences – it is a massively complex project.

        1. martco

          @Cian that all sounds great, sensible stuff..but it IS that line that’s at play here really, isn’t it? I’ll take your “unconscious” argument & raise it with my infamous Chinese personal scoring system:

          https://en.wikipedia.org/wiki/Social_Credit_System

          lol you might say shure that’ll never happen here & even if it did shure it would be for our own good…I say blx to that. I’m sick sore & tired of people taking liberties with personal data. I don’t want it owned, traded, 3rd partied, big data’d. I want it only selectively known to parties I want to know it. and it has to be nipped right at the start, like Japanese Knotweed. you allow it in & 10 years from now the person who wishes to be anonymous, private per their rights to be becomes the outsider, pariah, suspicious. I witnessed a little phenomenon that started turning up in HR circles a couple years back across the water – applicants whom DIDN’T have a social media presence were to be viewed with suspicion!! they were to be treated as suspicious because they chose not to have a LinkedIn or a Friendface page?! ridiculous, right? oh, and the job profile in question…SECOPS?!?!? (IT Security work). pure comedy hour but serious stuff.

          It can only ever be opt-in. and we must push back against any attempts in the public domain to relax the stance. you’ve got to look around the corners. it might not affect you today, it might look innocuous. Makes things nice n efficient? It’s not worth it. It’s worth the cost to keep that balance imo.

        2. Listrade

          It may be complex, i never denied that, but there is nothing under GDPR that prevents it, that is my point.

          1. some old unicorn

            Surely the storing of utility bills/ bank statements etc is breaking GDPR? They can be asked for as part of the identification process but should be destroyed once that is complete?

          2. Listrade

            @SOQ,

            No. It’s not illegal. There are circumstances where it is legitimate (or even required, eg money laundering checks) to require proof of identity/address. Utility Bills are one means. GDPR does not prohibit data gathering or processing. It is about security of data.

            As long as you have a legitimate operational reason you can do it. All you need is to have assessed how secure the data is, have a system in place to keep it secure, define what it is used for, how long it will be kept and when and how it will be destroyed.

            Where companies/business are required to ask for proof of address (utility bill), they usually have to keep that as proof they have checked. That could be length of service (plus 5 or so for your employer), etc. You can only ask to be forgotten when there are no statutory requirements on data retention.

          3. some old unicorn

            OK thanks- one more- what about emails which identify an individual? Lets say my email address includes my full name and I am no longer doing business with that particular organisation.

            In theory they have no right to be storing information about me- should all emails with my name be deleted?

          4. Listrade

            Business emails or personal? Business, no. They identify you, but they only identify you as an employee of that organisation. The contents of all emails you send and receive from that address belongs to your employer. They can, and do, keep them indefinitely.

            Personal emails, yes. Websites, marketing firms, email mailing lists must have an easy option to unsubscribe or means of removing you from the list. Plus, for those you have the right to formally request that your personal data is removed (right to be forgotten).

            Only exceptions would be where the personal email was used for something that has a statutory basis and or defined statutory retention period. Financial services springs to mind.

  3. eoin

    This whole government is up to its neck in illegal mass surveillance and a sneaky attempt to introduce a national ID card through the back door without consulting citizens. Leo, Ross, Coveney (passports), Paschal and of course Regina. And you can bet your last cent Flanagan and Harris were fully aware of the draft conclusions a year ago. Apart from Leo, they’ve all gone to ground (Coveney is refusing to answer questions and if you want an interview on Brexit, the subject of PSC is off the table, despite passports being under his aegis in the Dept of Foreign Affairs).

    What has been the response by govt to the illegality? Leo says he’ll think about laws to make what is illegal, legal.

    How the fupp are the opposition letting them get away with this.

    1. Clampers Outside

      Serious question.

      Can you explain what you mean by “mass surveillance” that has been carried out, or attempted.

      PS, I do like your posts :)

      1. eoin

        A definition of “surveillance”, this one from the US military is

        “The systematic observation of aerospace, surface, or subsurface areas, places, persons, or things, by visual, aural, electronic, photographic, or other means.”

        A PSC card allows for the “systematic observation” of “persons” by “electronic means” that is, the use of the PSC card allows the observer to monitor activities.

        “Mass” means a large number. When the data commissioner started her investigation, there were 3,200,000 PSC cards. According to Leo, there are now “nearly” 4,000,000 PSC cards.

Comments are closed.