Minister for Employment Affairs and Social Protection Regina Doherty (left) and Data Protection Commissioner Helen Dixon

This evening.

UPDATE: Welfare has removed the pdf from its website. We managed to save it here.

More as we read it.

Meanwhile

Project Brazen.

Meanwhile…

Good times.

36 thoughts on “This Just In”

    1. GiggidyGoo

      Why would they remove it (on the welfare.ie website)?
      Good job some of us downloaded the PDF for some light reading over the next few days.

  1. eoin

    This is really a 140-page report and it is clear the DPC gave the Minister the findings well in advance of the finalisation of the report and the Minister consulted with legal advisors when responding to the DPC, and the responses from the Minister are included in the report. There was no reason whatsoever for the Minister to withhold the report, save as to show us in black-and-white how the Minister has broken the law.

    I hope the Commissioner now issues the Minister with an order and then, if she doesn’t comply, seek to have Regina committed.

        1. Cian

          eoin has constantly spread Fake News about what the DPC has/hasn’t done. He has constantly accused the department/minister of not adhering to the order… but no order has been issued.

          So yes, I will stand up to his rubbish – regardless of who it is against.

  2. eoin

    RTE doing its level best to protect the FG govt, leading with the Minister’s response, rather than the content of the report and the fact it’s been published nearly four weeks after the deadline given to the Minister by the Commissioner, and the fact, that, right up to this afternoon, the government was rejecting Freedom of Information requests to access the report on the grounds that it wasn’t in the public interest.

    It’s not fake news, it’s manipulation of the news and you can see exactly what RTE is trying to do, currying favour with the government on which it depends to survive after the next 18 months.

    1. Dhaughton99

      I was listening to James O’Brien this morning on LBC and he was praising RTE for their honesty and unbiased reporting. I pee’d myself laughing.

    2. Cian

      So the DPC gave a draft report to the department 13 months ago.
      The department respond.
      The DPC gives a final report + a demand to publish within 7 days.
      The department compiles a 120 page document showing their response and all communication and publishes the report albeit a few weeks later. Seems fair enough to delay the publication to compile their response.

      Bottom line seems to be how two legal teams interpret the legislation differently. Looks like a judge will need to give a final decision. That’s what judges are for.

      1. Listrade

        Bottom Line is the spin on SAFE as a legal basis for the amount of Data needed for PSC. Last year the government took great pains to explain the “legality” of the PSC through its Welfare Website. It uses that same argument in its response. It refers to two separate things. The first is the government agreement in 2005 to introduce an agreed standard for proof of identity. This is called the Standard Authentication Framework Environment (SAFE) programme.

        SAFE was not enacted by any legislation. It is not based on any international standards. It is not a European standard. It is simply the government of the time sitting down and defining levels of authentication for individuals who access public services. As they linked this to the Welfare Act it covers ALL public services including driver’s licence and even An Post.

        Within SAFE there are three levels of assurance as to identity:
        SAFE 1 (more likely than not you are who you say you are) and based on you having a PPS number
        SAFE 2 (substantial assurance you are who you say you are) based on you providing PPS, photo ID, signature, name, date of birth, mother’s maiden name, place of birth and nationality, and proof of address.
        SAFE 3 (beyond reasonable doubt you are who you say you are) based on SAFE 2 plus biometric data.

        It was within this government policy that it was decided that access to certain public services can only be at SAFE2. The means to demonstrate SAFE2 would be the PSC.

        Worth stipulating again: there is no legal basis or legislation defining SAFE and this is where the problems begin.

        The main thing that stands out is that there is a big leap from SAFE1 to SAFE2. Considerably more than from SAFE2 to SAFE3. There was no debate on this and, as already stated, there is no international standard for this. Simply, the government of 2005 said that this was so.

        However, there is a middle ground between the two that is legislated for and formal government guidance on: The Criminal Justice (Money Laundering and Terrorist Financing) Act 2010, which was based on a European Directive. Depending on risk, financial institutions are required to carry out due diligence to ensure the person is who they say they are. At a basic level, this is the usual Photo ID and Proof of Address. Where the risk is greater, then this would require physically turning up with the documents and additional measures.

        While the Act came out five years after the SAFE policy was agreed, SAFE was developed while discussion over the Directive was ongoing. It was known that there would be a defined level of proof of identity. This appeared to have no influence over the SAFE policy.

        However, this in itself is not a major issue, at least not legally. You’d be a cultural marxist if you were to think that the government would set up the mechanism for the PSC and then hastily retrofit a “policy” to justify this. It’s probably just a coincidence that it leaps from PPS to exactly the data used in the PSC card without any middle ground or explanation of where these standards came from. There were probably very detailed, evidence-based discussions during the agreement on SAFE that the public just aren’t privy to at this exact moment…or ever.

        The SAFE programme has no basis in legislation, it is just government policy. That is critical here, because that influences all the legal bits where a PSC is required or requested. There are lots of government policies that end up having no influence whatsoever on their actions. I didn’t say expenses policies, you did. But policies like Regulatory Impact Assessments (RIA) where new regulations have to be assessed as to whether they are necessary or not. It’s just a policy and most RIAs aren’t worth the paper they’re written on. But it’s just a policy and that’s not enforceable, so the various departments pay scant attention to it.

        This is where the grounds for the PSC get a bit shaky. The PSC was introduced through the Social Welfare Consolidation Act 2005. Note that SAFE doesn’t mention PSC, it only states the data required to give assurance to prove who you are. In theory, as long as an individual can provide that evidence, it meets the government policy on personal identification.

        The 2005 Act does not mention SAFE or SAFE2, it mentions that the Minister may introduce a PSC. We rely on the Welfare Website to make the link between SAFE and the PSC. In a way that almost makes it all look like a robust legal requirement rather than a link between a government policy and a short, vague section in an Act. The reference to PSC in the 2005 Act mentions that the card could contain:

        263(1) “a) the person’s name, personal public service number, primary account number and date of issue inscribed, and
        (b) the person’s date of birth, gender, primary account number, expiry date of card and card service code electronically encoded, on the card and with any other information that may be prescribed either inscribed or electronically encoded on the card.”

        Take (a) and (b) up to “that may be prescribed”. This is the information held on the PSC. The 2005 Act allows for additional information (such as biometrics), but, as per the last part this is only where “prescribed”, i.e. it would require further legislation to introduce additional information.

        SAFE2 is the means of getting the card, not the card itself. SAFE is the level of information a person must provide in order that they are given a card. The above details of what is included on a PSC only become a legal problem if there is information put onto the card that isn’t defined in the above text and has not been prescribed by additional legislation, like photo ID and data stored on a chip that included additional face ID scans…oh.

        The real trouble for us all comes from:
        263(3) “A person shall produce his or her public service card at the request of a specified body for the purposes of a transaction.”

        Clear? Transparent? Not really. Note that those words are very important.

        Everything that has followed with the requirement to produce a PSC card stems from those 23 words. The potential for more uses also falls under that requirement. It is where you can let your imagination run wild on what departments and for what public services it will be a requirement to produce a PSC.

        Two key things. Specified Bodies are defined in the Act (Schedule 5). It’s basically everyone (including An Post) who provides a public service of some form apart from the Gardai and the Army. In short: if they can ask you for a PPS number, they are a “specified body” as it is the same term and same list.

        It really is a big list and the above provision does not limit it either. It doesn’t state that the request must be on the basis of ministerial prescription (further legislation), it simply allows everyone in Schedule 5 of the Act to ask for your PSC before a transaction. So take the DPC report where it seems ok with the PSC used to access benefits, it’s all the other stuff that wasn’t excluded under “transactions” where it became a problem.

        In case you’re curious, 262(1) defines “transaction”. It includes an application, a claim, a communication, a payment, or a supply of a service.

        It isn’t just paying for a service or receiving a payment. It allows for everyone in Schedule 5 to request a PSC before they even communicate with you or provide you with a service.

        It includes hospitals, colleges, schools and your local authority. Nothing appears to exclude them from requesting your PSC before providing a service. The reason this is confusing is that the pitch behind “Specified Bodies” is to allow institutions to request PPS numbers for certain transactions. Given the overall wide, but limited in definition, brief of the 2005 Act the perception is that this is for processing or using forms of welfare and/or entitlements.

        However, passports and theory tests are not part of the Social Welfare Act. Therefore, we must assume the scope is wider than that and that section 263 can be applied to all transactions by all functions of the state.

        To be clear on the legislation:
        • SAFE is government policy, not law
        • SAFE does not state that PSCs are required
        • The 2005 Act does not say that PSC is the only way to demonstrate SAFE 2
        • The information on the PSC card does not appear to be fully covered by the specific details under the PSC in the 2005 Act
        • All functions of the state appear to be allowed to request a PSC for any transaction.

        It is not clear and it is not transparent legislation. That is where the illegality comes in. It is fine to have the PSC for welfare transactions, but it is where the scope has been extended beyond this that it isn’t clearly defined or justified.

        Clear and transparent is important, this is why the Data Commissioner has been involved. It’s why Data Protection comes up regularly. It has nothing to do with (well not that much) data breaches. As soon as data protection is brought up, perception immediately jumps to data losses. Laptops left in cars, thumb drives lost, idiots falling for email scams and giving away their login details. All that is important, but so is the actual law on data protection.

        The General Data Protection Regulations (GDPR) are extensive and compulsory. There is no transition period or allowance to transpose into local legislation as with Directives. EU regulations are set and become local law, even if the government does nothing.

        The headline issue of GDPR is the right to be forgotten, but a big focus is on the collection and processing of personal data. You can’t just collect and store data, you must tell people exactly what you will collect and why it is being collected.

        It isn’t good enough to list Specified Bodies and a vague definition of “transactions”. It must be spelled out exactly what transactions and why. Not only that, but collecting and storing data cannot be used for any purposes other than those stated.

        It appears that if it is a service that requires a PPS, they can require a PSC. But we don’t know. By law we are required to know. The list must be comprehensive, the list must state why that information is required, the list must state how the information will be used, stored, shared, removed and it must only be used for those purposes.

        If I run a business and install CCTV I’m perfectly entitled to do so to protect my assets and business. So I can install it (analogy to PSC for welfare), but I must tell you exactly why I’m using it and under what circumstances it will be used. If I don’t, if my CCTV policy is vague, I can’t use it. So if I only state that the CCTV is to be used with regards to theft, yet I catch you sleeping on the job. I cannot use the CCTV footage. I need to tell you I will be monitoring performance (less of a legal and business justification there). I can only use it in cases of theft.

        But also, if I leave it vague and open and don’t give a comprehensive and limited list of the circumstances it can be used, then my entire use of CCTV isn’t justified and is illegal. See PSC and the Welfare Act and all the bodies who can request it.

        The thing is that such clear and transparent policies on proof of identity do exist. Not only exist, but are easily found via google.

        The Department has spun the same justification about SAFE and the Welfare Act. But that is 1. demonstrably untrue, it isn’t a legal requirement and 2. Unclear and not transparent.

        TLDR: The DPC is right.

        1. Cian

          @Listrade: you specifically mentioned “An Post” as being a Specified body. An Post were removed from the list in 2007.

          An Post can read the Magnetic stripe for the purposes of accessing the PPS Number in connection with payments. Otherwise they are not involved.

          1. Listrade

            Fine. Out of the entire list of Specified Bodies, An Post may not be one. That completely devalues the entire argument that the state has not met GDPR requirements for who can access PSC and for what purposes.

            Interesting thing is though that they do provide very explicit details for PPS numbers on the Welfare website. So it can be done.

        2. Cian

          @Listrade: I’m not sure your CCTV analogy is fully correct.

          If I catch you sleeping on the job I can use the CCTV as evidence (even if I hadn’t told you I was going to use it for that purpose).

          However, separately you could sue me under data protection and privacy laws and would probably win something back.

  3. Ger

    Should anyone be surprised as the far right in Europe rise again the FG would lead the Brazen charge to accumulate data on the population to what end?

  4. eoin

    This is really unbelievable, the government now has a facial-recognition quality photograph of 4 million people? Imagine if there were public CCTV with facial recognition installed by the Department of Housing (and Local Government) or Dept of Justice (which includes the Gardai). Officialdom would be able to track any individual in a public space and see who they were associating with. Are these fuppers kidding us.

    1. Cian

      Guess what?

      The Department of Foreign Affairs has facial-recognition quality photographs of everyone that has a passport and has a time-series of how you have aged! And they have photographs of under 18s! I don’t know what % of the population… but I’d guess it is in the nineties.

      The Department of Transport has facial-recognition quality photographs of everyone that has a drivers licence – that’s 75+% of the over 17 population!

      If you have a problem with tracking individuals by CCTV – that boat has sailed. You need to get on to your TD to pass legislation to make CCTV-facial recognition illegal.

  5. eoin

    “Pejorative and sensationalist”, Regina doesn’t like being accused of an incoherent approach to the PSC.

    “In the Draft Report, the DPC stated that amendments to legislation in this area have been effected in a “piece-meal fashion to match periodic shifts in policy” and that in this respect, the public has been left to search through the Social Welfare Consolidation Act 2005 (“SWCA 2005”) and a patchwork of successive amendments to find a legislative basis for the PSC, as functionality for the PSC has evolved to include access to many government services. However DEASP objects to the DPC’s use of such language in this regard (i.e. to describe the evolution of the SWCA 2005) and considers that it is “pejorative and sensationalist” and that DEASP states that the SWCA 2005 is single piece of legislation that underpins the PSC and which has been amended through standard legislative practice”

  6. eoin

    “false and alarmist” Regina really doesn’t like the Commissioner

    “In light of the fact that SAFE 2 registration is undertaken exclusively by DEASP, the DPC’s view, as expressed in the Draft Report, is that this gives rise to the building of “something close to a central register of citizens”. However, the DPC notes that DEASP objects to this characterisation on the basis that it is “false and alarmist”; that a central register would require that all citizens, irrespective of age were recorded on a register; and that the PSC system is clearly not such a central register. Notwithstanding DEASP’s objections in this regard, the DPC considers that in circumstances where, as noted above, as of February 2019, 3.2 million people had SAFE registered to obtain a PSC, and the personal data collected as a result of such registration – consisting of not only the PSI dataset but the underlying identity authentication documentation is held centrally and indefinitely by DEASP – (see discussion of such issues at Part 3.6), the characterisation of this being “something close to a central register of citizens” is fair.”

  7. Truth in the News

    What other democracy has a National Data Base to store facial recognition profiles of its citizens and then allowed this information to be shared with other agencies, who instigated all this, is there a way that they can be facially recognised and identified to all the citizens they forced to apply for cards to avail of state services they are entitled to without any such card, then we have the likes of Doherty still trying to justify it, is she in control of her Dept at all… then we have other branches of the Gov bombarding us daily that we have to comply with the “Law”, and the so called exponents of Law and Order Fine Gael doing the direct opposite
