Latest news with #PublicServicesCard
Irish Times
13-07-2025
- Health
- Irish Times
A large number of issues
Sir– Having mislaid my old European Health Insurance Card, I phoned the relevant HSE office in Bray for a replacement. Online replacement was not possible. As I was unable to quote my old EHIC (20 digit) number, I was advised to visit their office with my passport, plus a paper utility bill. My Public Services Card was not acceptable. I now have six 'unique' ID numbers supplied by the State, plus hospital patient, post code and ESB meter numbers. Surely, within a huge 20 character ID it must be possible to incorporate all of the above (with space for War and Peace)? – Yours, etc, READ MORE LIAM PLUCK, Co Wicklow.
Irish Examiner
09-07-2025
- Politics
- Irish Examiner
Government's appeal of fine over Public Services Card a 'waste of taxpayer's money', says expert
A data protection expert has claimed the Government's decision to take legal action against the Data Protection Commission over the Public Services Card will equate to a 'long drawn-out waste of taxpayer's money'. Daragh O'Brien, a data strategist and managing director of data protection consultancy Castlebridge, said the Government's challenge to the recent adverse decision by the commission regarding the public service card will in all likelihood end up before the Court of Justice of the EU, a process that will likely take several years and incur hundreds of thousands of euros in legal fees. Last month's decision by the DPC related to a four-year-long investigation into the alleged biometric nature of the PSC – the welfare benefits card used daily by millions of Irish citizens which can also be utilised to access separate State services. In addition to hitting the Department of Social Protection with a record €550,000 fine, the DPC ordered the department to cease processing biometric data — capturing the physical or behavioral characteristics of a person — with the card within nine months unless it could establish a valid legal basis for its doing so. Most experts had presumed the only way for the department to successfully comply with that order would be to pass legislation grounding the card's biometric nature within the law. Instead, the department on Monday lodged legal papers in the High Court objecting to the DPC's decision. 'It would seem that rather than take the time generously allowed by the DPC to cure the issues identified in their unpublished decision that gave rise to the fine and enforcement notice, the department has opted to fight,' Mr O'Brien said of the new legal action. It is not the first time the department has taken the legal route with the DPC in light of an adverse decision regarding the card. In 2019, the department appealed a previous decision by the commission ruling that the card could not be made mandatory for accessing public services, leading to a prolonged battle in the courts. 'I predict a long, drawn-out waste of taxpayer's money on a battle that will wind up in the CJEU with another loss for the State,' Mr O'Brien said. A spokesperson for the department said that the decision to appeal had been taken on consultation with the Attorney General. 'The department believes that its processing of biometric data is compliant with data protection law,' they said. Read More
The Journal
12-06-2025
- Politics
- The Journal
Department of Social Protection fined €550k for unlawful database of millions of Irish people's faces
IRELAND'S MAJOR DATA watchdog has fined the Department of Social Protection €550,000 following a major investigation into its use of facial recognition technology linked to the Public Services Card. The Data Protection Commission (DPC) inquiry, launched in July 2021, examined the DSP's 'SAFE 2′ registration process, which requires applicants to submit biometric facial data used for facial matching as part of their card application. The Public Services Card is needed for accessing many welfare and public services, including applications for Child Benefit, Jobseeker's Benefit and driving licences. A sample Public Services Card. Department of Social Protection Department of Social Protection 'SAFE 2′ registration has led to the Department of Social Protection holding biometric facial templates for about 70% of Ireland's population, making it one of the largest biometric data collections in the country. The DPC inquiry found that the Department did not have a valid legal reason to collect or keep this sensitive facial data. According to the DPC, the Department also failed to clearly inform people about how their data would be used, and the Department's privacy risk assessment was 'incomplete'. As well as the €550,000 fine, the data watchdog ordered the department to cease processing biometric data for 'SAFE 2′ registration by March next year, unless a lawful basis is identified. Deputy Commissioner Graham Doyle said that the DPC decision 'does not challenge the principle of SAFE 2 registration itself'. 'The technical and security measures in place for handling biometric data are sound,' Doyle said in a statement. Advertisement 'Our concerns relate to whether the legal framework and the way the Department of Social Protection operates the system meet the requirements of data protection law. We found clear gaps in that regard.' The DPC emphasised the need for a clear and precise legal basis when processing such sensitive data, as required by European privacy laws (GDPR), to protect individuals from arbitrary interference with their privacy rights. The DPC's decision was made by Data Protection Commissioner Dale Sunderland, and was notified to the Department of Social Protection this week. The Department of Social Protection has yet to comment on the ruling. 'More than a decade late' The Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as 'more than a decade late and inadequate.' Joe O'Brien, ICCL's Executive Director, said the ruling 'vindicates the actions taken by ICCL and Digital Rights Ireland against the Department of Employment and Social Protection'. He said the ruling also confirmed what they had long argued – that the Department unlawfully collected facial records from millions without proper legal grounds or clear explanation. 'The Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law,' O'Brien said. 'The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people's biometric data must be deleted.' Olga Cronin, Senior Policy Officer at ICCL, criticised the mandatory nature of the facial recognition process. 'The Department unlawfully forced vulnerable people to give it their biometric data before it would help them,' Cronin said. 'It demanded data from people who needed its help to put food on the table. We should not have to trade our biometric data to access essential services to which we are already legally entitled.' Readers like you are keeping these stories free for everyone... A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation. Learn More Support The Journal
Irish Independent
12-06-2025
- Politics
- Irish Independent
Government fined €550,000 by privacy regulator and warned over facial scans for Public Services Card
The Government department has also been ordered to stop the practice and cease using its biometric database by April of next year, unless it finds a correct legal basis under which to do it. The Department, the regulator said, holds biometric data on at least 70pc of the population here. It has been engaged in the 'ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale', according to the DPC. The Public Services Card has been a privacy battleground between the Government and the regulator for years. While ministers and civil servants insist that it's necessary to bring more efficiency into public services, with facial scans being required to protect against fraud, critics have consistently labelled it an attempt to introduce a national identity card through the back door. In 2017, the then Social Protection Minister, Regina Doherty, infamously described it as being 'not compulsory but mandatory'. In 2021, the Irish privacy regulator began an investigation into what the Department was doing with regard to biometric facial templates and its usage of associated facial matching technologies as part of the registration process for the Public Services Card. The registration process, known as 'SAFE 2 registration', typically involves the submission of a digital photo of someone to make sure they're not already registered or claiming benefits under another identity. Under European GDPR law, biometric data is categorised as 'special category data' to which higher protections and safeguards must be applied. 'SAFE 2 registration is mandatory for anyone who wishes to apply for a Public Services Card,' said the DPC. ADVERTISEMENT 'Persons who do not submit to such processing cannot access DSP services, including welfare payments.' However the Department said it believes there is a legal basis to operate the process, but that the legal provision is 'not in it view, clear and precise enough to satisfy the requirements of the GDPR'. it said that it 'will carefully consider the DPC decision report, in conjunction with colleagues in the Attoreny General's Office with a view to determining an appropriate response within the nine-month timeframe'. It said that depending on the outcome, it may appeal any enforcement notice or work to rectify the issues as perceived by the DPC. The Department said that the DPC 'did not find any evidence of inadequate technical and organisational security measures. "There are no examples of any person suffering damage or loss as a result of SAFE registration.' It insisted that the process has led to a reduction in identity fraud and offered 'security and customer service benefits'. There are no immediate implications for users of the card or MyGov ID, according to the Department, and during the nine-month period the process will continue. The regulator had looked at whether the Department of Social Protection had a 'lawful basis' for collecting and retaining biometric data 'for the purposes of conducting facial matching' as part of this SAFE 2 registration. It also examined the Department had complied with transparency obligations and had carried out an adequate Data Protection Impact Assessment (DPIA) as part of SAFE 2 registration. It found the Department liable on all counts, by 'failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration' and, thus, incorrectly 'retaining biometric data collected' as part of the process. The watchdog said that it also 'failed to put in place suitably transparent information' to citizens and failed to include certain details in the DPIA it carried out. 'In light of the infringements identified above, the DPC has reprimanded the DSP, issued administrative fines totalling €550,000 and issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within nine months of this decision if the DSP cannot identify a valid lawful basis,' said the privacy regulator. However, the regulator did not suggest there was any security risk to the sensitive facial scans stored. 'The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry,' said Graham Doyle, deputy commissioner of the DPC. 'It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle. "This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.'
Irish Times
12-06-2025
- Irish Times
Department of Social Protection fined €550,000 over facial scans
The Department of Social Protection has been fined €550,000 after data protection watchdogs found 'a number of deficiencies' in its compliance with European data privacy rules concerning the use of facial scans in issuing Public Services Cards. The Department was also ordered to come up with a valid lawful basis for the use of facial scans and facial matching software for the registration of Public Services Cards within nine months, or it must stop using it. The decision is the result of an inquiry that the Data Protection Commission commenced in July 2021, examining the department's processing of biometric facial templates and the use of facial matching technologies as part of the registration process for the Public Services Card. The department uses Safe 2 registration to verify identity when accessing public services. The process involves a photo of the applicant, which is then run through software to check against images used in other Safe 2 registrations. This is designed to prevent duplicate registrations. READ MORE The registration is mandatory for applying for a Public Services Card, of which 3.2 million are in existence, and is necessary for certain services, including welfare payments. [ 'No legal basis' for photo database created using Public Services Card Opens in new window ] However, that means there is ongoing collection, storage and processing of sensitive personal data on a large scale by the DSP, which requires precise legal justification, the DPC said. The inquiry looked at whether the DSP had a lawful basis for collecting biometric data for conducting facial matching as part of Safe 2 registration, if it could retain that data, if it complied with transparency obligations, and if it had carried out an adequate Data Protection Impact Assessment. The DPC found the department had infringed data protection regulations on a number of fronts. In its decision, the regulator said it failed to identify a valid lawful basis for the collection of biometric data for Safe 2 registration at the time of the inquiry. As a result, it also infringed GDPR by retaining biometric data collected as part of Safe 2 registration. The DPC also penalised the department for infringing its obligations on transparency, and for failing include certain details in the Data Protection Impact Assessment that it carried out. The DPC said it had reprimanded the Department of Social Protection and issued the administrative fines. The department must also stop biometric data in connection with Safe 2 registration within nine months of this decision, if it cannot identify a valid lawful basis for the data collection. 'It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the roll-out of Safe 2 registration by the DSP as a matter of principle. The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with Safe 2 registration in the context of this inquiry,' said deputy commissioner Graham Doyle. 'This inquiry was concerned with assessing whether the legislative framework presently in place for Safe 2 registration complies with the requirements of data protection law and whether the DSP operates Safe 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.' A previous inquiry into the processing of personal data in connection with the issuing of Public Services Cards was concluded in 2019, with the department initially appealing the DPC's decision before withdrawing the action and coming to an agreement with the watchdog.
