
Pretty soon you're going to need this card to do a whole load of important things in Ireland - but why?

Applying for a passport and a driver's licence will soon require the
Public Services Card - but that's only the beginning.
July 15, 17

File photo: an example of Ireland's Public Services Card


IN LATE MAY, the Department of Public Expenditure and
Reform confirmed that, from 17 June and September
respectively, a Public Services Card (PSC) will be required
for Irish citizens to apply for a driver theory test or passport.
That confirmation on 22 May came two days after the
launch of Leo Varadkar's Fine Gael leadership campaign, a
campaign which saw Public Expenditure Minister Paschal
Donohoe rubber-stamped as one of the now-Taoiseach's
closest allies in Government. It also led to accusations that
the State was attempting to introduce what is in effect a
national identity card by stealth.
For many, the announcement would be the first they had
even heard of the PSC. For others, who had been a recipient
of a welfare benefit at any time since its introduction in
2012, the card would be relatively familiar - all such
payments at the Department of Social Protection have been
processed using the card since that time.
But passports and driving licences (applications for a licence
are set to require a PSC from early next year) are just the tip
of the iceberg. The Government's plan is to introduce the
card for a whole host of services as part of a grander
strategy. Donohoe, meanwhile, insists that despite the card's
rollout nearly across the board, it will be in no way
mandatory to carry one.
But some people in Ireland remain unconvinced the card's
pending universality is even legal.
What is in store for the Irish public?
The reasons for the State's urgency in wishing to expand
usage of the card appear to stem from two things: a
government decision four years ago to expand the Public
Services Card as a means to access all appropriate public
services by 2016, and the pre-purchase of three million such
cards by Social Protection.

JenMurnaneOConnor @JenMurnaneOConn
Public Services Card (PSC) ID Policy - TheoryTest.ie - The official RSA Driver Theory Test http://fb.me/3iIJnPizy
7:28 PM - 14 Jun 2017
From June 16th, any person sitting the Driver Theory Test will be
required to present a Public Services Card (PSC) at the Test
Centre as proof of ID. (theorytest.ie)
Source: JenMurnaneOConnor/Twitter

Malaria Trump @ConorMurray_18
What on earth is a public services card and why do I need
one to do my theory test
6:42 PM - 13 Jun 2017
Source: Malaria Trump/Twitter

As of 11 May 2017, just under 2.6 million such cards had
been issued to citizens. "We should not miss out on
relatively straightforward means to push towards that (three
million) figure," an OGCIO (Office of the Government Chief
Information Officer, the main data service of the
Government, and a subsidiary of Public Expenditure and
Reform) email from November 2016 states.
Should the three million figure not be reached by end 2017,
the cost of the unused cards becomes payable in full.
It may well be the case that between the driving licence and
passport initiatives, the Department of Social Protection
(the department which issues the cards) will meet that
target.
The reasoning behind moving to one-card-for-all-services
has its roots in modern-day best-data-practice (that is, as a
safeguard against identity theft) - an integration of all
departments and services under one umbrella. Naturally,
however, possessing such a card means having your
personal data on the books of multiple government
departments.
Big Brother, by accident or design, but Big Brother
nonetheless.
As of late last year, various government departments were
surveyed as to how applicable the use of the PSC might be
concerning their services.
Passport and driver's licence applications have already been
announced, as previously mentioned, but other identified
targets, according to documents released to TheJournal.ie,
include:
The Revenue Commissioners, with the PSC potentially used to access online tax services
Education - SUSI online college grants (from April 2018), school transport services, Solas course referrals, online teacher services
Transport - Motor tax, change of car ownership
Agriculture - access to agfood.ie
Department of Justice - the national age card
Health - Plans to authenticate patients' identities via a patient portal and the PSC by 2018
Prison services - visitors to be required to carry PSC as ID - currently on trial at Midlands Prison Portlaoise
Such changes may take time, but the fact remains that the
use of a Public Services Card to access multiple, crucial State
services is very close to being a reality. Which somewhat
gives the lie to the idea that possessing one will not be
compulsory.
Or, "what's a public services card and why do I need one?"
as an acquaintance who recently went to renew her driver's
licence told TheJournal.ie.
Cross-department cooperation
The various departments and state bodies involved in the
project to make various state services available only with a
Public Services Card have not always seen eye-to-eye,
meanwhile.
However, such differences tend to be the result of conflicts
arising over how best to implement the changes needed to
roll out the card, according to documents released to
TheJournal.ie under Freedom of Information by the
Department of Public Expenditure.

Those kinds of conflict are perhaps understandable given
the large-scale nature of a project involving so many
disparate people and agencies.
No issue seems to exist for the various departments, however,
regarding the statutory nature, or legal standing, of
the card itself.
The main issues seen have been between the Departments of
Foreign Affairs (DFA) and Public Expenditure and Reform,
and relate to when the announcement regarding the need for
a PSC in order to book a driving test or renew a passport
should be made, with residual concerns over "our previous
experiences with DFA" expressed by one Social Protection
employee.
Foreign Affairs' chief concern regarding the card was the
possibility that requiring it would create an enormous
backlog in passport applications (an eventuality that has
already come to pass via Brexit), with the situation further
complicated by that Department's announcement of a new
online-renewal system for passports in March of this year.
The released documents show that, rather than late May as
eventually transpired, Donohoe was initially slated to make
his announcement regarding the PSC expansion on 20
March.
Whispers from Foreign Affairs meanwhile suggest that the
leaking of the plans for the Public Services Card in May was
Donohoe doing a solo run.
Legal basis
Strife between civil service factions aside, when queried by a
journalist in early May as to the legal standing of the
Government requesting that applicants for the driver theory
test have a Public Services Card, Public Expenditure's
response was that the issue is a State requirement.
"You might note that the use of the Public Service Card for
access to public services is a Government Decision," one
Department civil servant said by email to a Road Safety
Authority (RSA) employee who had queried as to how best
to answer the media request.
STOP COMPLYING WITH THE NAZIS
TJ McIntyre
Source: Rollingnews.ie
"The (card) is seen as an important step in increasing the
protection of personal data and data subject rights."
The State requirement in question pertains to the creation of
MyGovId, an online identity to match a citizen's real-world
identity based upon the Public Services Card (at present
MyGovId, which was launched in late March, is only
applicable online to Welfare services).
But the legality of the blanket requirement for the card is
categorically disputed by online data activists Digital Rights
Ireland (DRI).
"Our position would be that the Public Services Card has
been introduced as an identity card by stealth, and that it
isn't allowed by law," says chair of DRI, law lecturer TJ
McIntyre.
"The Government signed a contract to manufacture these ID
cards, and now it's engaged in a mad push to meet the terms
of an ill-advised contract.
"So the public is having as many of these cards as can be
mustered foisted upon them. And that's irrespective of the
fact that the population doesn't want them."
McIntyre and director of Data Compliance Europe Simon
McGarr recently appeared before the Oireachtas Justice
Committee to discuss the nature of the Government's draft
2017 Data Protection Bill.
In front of that committee, McGarr posited that the Public
Services Card does have a great deal of the appearance of a
national ID card scheme in its scope.
Much of his testimony stemmed from the 2015 Bara
judgement of the EU Court of Justice, which ruled that the
Romanian government had acted illegally with respect to
one of its citizens' personal data by moving it between state
bodies (Romania's equivalent of Social Protection and the
Revenue Commissioners in that case) without first asking
permission.
"The State has taken many concrete steps in recent years to
build not merely an ID database - of which the Public Services
Card is the physical manifestation - but also a series of
national databases intending to capture not merely all
citizens' data but also data on people travelling through the
State," McGarr said.
"On each occasion that these steps have been taken,
provision has been made to take the data which has been
collected from individuals by other agencies for other
purposes and apply it to this new purpose, this data-sharing
between bodies.
"It seems to me that there has still been executive
reluctance to absorb fully the lessons of what European law
states on the limits of state data-sharing," he added.
In reaction, Independent TD Clare Daly summarised
McGarr's statements as suggesting that Ireland is on a
collision course and out of kilter with Europe on some of
these (data protection) issues.
McGarr acknowledged that was indeed his opinion.
This would seem to suggest that Ireland may integrate the
Public Services Card across its State functions, but the EU
may be far less enthused about any data-sharing between
public bodies.
And with one integrated card, how can such data sharing
even be avoided?
The legal quagmire for the Public Services Card may just be
beginning.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Féin):
Apologies have been received from Deputy Alan Farrell. I ask
everyone to please switch off all mobile phones as they interfere
with the sound recording system.
The purpose of today's meeting is to conclude our pre-legislative
scrutiny of the general scheme of the Data Protection Bill 2017.
We have two tranches to our sitting today. The first of those will
address points to be raised. I extend a warm welcome to Dr. T.J.
McIntyre, a law lecturer in UCD and chair of Digital Rights
Ireland, and Mr. Simon McGarr, solicitor. On behalf of the
committee, I thank them for their attendance here today and
apologise for the slightly late start of our business. The format of
the meeting is that they will be invited to make an opening
statement, which will be followed by a questions and answers
session.
I remind those present of the situation with regard to privilege.
Witnesses are protected by absolute privilege in respect of their
evidence to the committee. If witnesses are directed by the
committee to cease giving evidence on a particular matter and
they continue to do so, they are entitled thereafter only to a
qualified privilege in respect of their evidence. Witnesses are
directed that only evidence connected with the subject matter of
these proceedings is to be given and they are asked to respect
the parliamentary practice to the effect that, where possible,
they should not criticise or make charges against any person, or
persons or entity by name or in such a way as to make him, her
or it identifiable.
Members, while they probably know it off by heart at this point,
should be aware that under the salient rulings of the Chair, they
should not comment on, criticise or make charges against a
person outside the House or an official by name or in such a way
as to make him or her identifiable.
I invite Dr. McIntyre and Mr. McGarr to make their opening
statements.
Dr. T.J. McIntyre:
I would like to make four points today on behalf of Digital Rights
Ireland. First, I thank the committee for the opportunity to
discuss the Bill. This is an area of law of immense importance
and the decisions taken in implementing the general data
protection regulation, GDPR, will be in place for many years to
come. After all, it is now nearly 30 years after the 1988 Act came
into effect and I suspect we will see this in place for something
close to the same time.
The first point I would like to make is on the structure of the Bill.
I know that previous witnesses have said the Bill is over-ambitious
in that it tries to do much in one document, and I
agree with that.
In particular, it would be desirable to separate the provisions of the
Bill, specifically in Part 4, which implement the law enforcement
data protection directive and place them in a separate
instrument. This is because there is a significant overlap, or at
least a perceived overlap, between the two areas. I have already
seen a degree of confusion on the part of people reading the
heads of Bill who have read a section in Part 4 that appears to be
reflecting the General Data Protection Regulation, GDPR, when it
is not implementing it but rather the directive. There is a real risk
that the very similar language will lead to a degree of confusion
on the part of users.

The other point made by previous witnesses, in particular the
commissioner and Mr. Denis Kelleher, was that the residual Parts
of the 1988 and 2003 Acts should be repealed and re-enacted as
a stand-alone instrument rather than being left in place. I
support that argument. It seems that if we leave any Parts of the
1988 and 2003 Acts in place, we will have a position where to
deal with certain matters, in particular those with an overlap
between public and private processing of data, we will have to
look to the 1988 Act, determine how it was amended by the
2003 Act, determine how that was amended by what would be
the 2018 Act and then look to the GDPR on top of that, possibly
while looking to other European instruments on top of that as
well. For example, these might include European instruments
regarding the Schengen information system. It seems that would
be a real recipe for confusion.

It would be greatly preferable to, as far as possible, deal with the
few aspects remaining in the 1988 Act in a short, separate and
stand-alone instrument. These are the aspects required of
Ireland under the 1981 Council of Europe privacy convention but
not dealt with under the GDPR or the law enforcement data
protection directive. This is something we will have to do in any
event. The Council of Europe convention on the protection of
personal data is in the process of being modernised and we are
at a point where we are very close to agreement on a final text.
This is something that will be implemented certainly in the next
couple of years in any event. It would be very useful at this point
to pre-empt that as far as possible by separating those
provisions.

The next point relates to article 80 of the GDPR, which deals with
representation of data subjects. A real problem in this area has
been that individuals can lack the expertise, knowledge, time and
money to enforce their legal rights. As members know, the Irish
legal system is expensive and difficult to navigate for lawyers,
never mind those people unfamiliar with it. Many of these rights,
if they are to be enforced, would involve a trip to either the
Circuit Court or the High Court at a cost that is simply beyond
the scope of the average individual. The GDPR aims to alleviate
that problem with a mandatory and two optional provisions with
article 80. The mandatory provision is that member states must
allow individuals to nominate a not-for-profit body to act on their
behalf to make complaints to a data protection authority, appeal
against decisions of a data protection authority, or take an action
against a controller, like an Internet service provider, where it
has abused personal data. The optional parts of the article are
that member states may allow individuals to nominate not-for-profit
groups to act on their behalf to seek damages and they
may allow not-for-profit groups to bring actions on their own
initiative without the need for an individual to nominate them to
do so.

It is very important that Ireland would take up the two aspects of
flexibility in the GDPR and it is rather disappointing the heads of
Bill do not address these points at all. The heads of Bill before us
now would exercise the discretion silently that would not take
advantage of these options. There are practical and principled
reasons it would be useful to make these changes. The practical
reason is that given Irish law does not allow for class actions, as
such, and there is no general provision for them, if individuals
are not able to nominate a representative body to bring an action
for damages on their behalf, there will be a multiplicity of claims
being brought before the courts that the courts simply are not
equipped to address. One might think about a data breach, for
example, such as the Yahoo compromise or the Ashley Madison
data breach, where there could be thousands, tens of thousands
or hundreds of thousands of individuals affected, some of whom
may be very seriously affected. In that context we can expect a
similar number of cases coming before the courts. The GDPR
gives us the option to effectively consolidate these cases if we
allow people to nominate not-for-profit bodies to act on their
behalf to bring a single action. Without that option - it is not an
option under the heads of Bill as they stand if individuals are
seeking damages - the individuals, if they have time, expertise
and knowledge to bring an action individually, will have to do so
individually.

The second reason is a principled one. It seems that if individuals
are not able to nominate not-for-profit bodies to bring an action
for damages on their behalf, and if not-for-profit bodies are not
able to bring an action in appropriate cases where an individual
complainant has not come forward, there will be a gap in
protection. In many cases, in particular discussing sensitive
personal data, individuals - even if they can be identified and
know they have been harmed - would be very reluctant or unable
to come forward. Individuals who find sensitive medical records
leaked, for example, or like with the Ashley Madison case, those
who find information relating to their sexual life has been leaked,
would be very often unwilling to become the public face of the
issue for very understandable reasons. Although we might be
able to identify an affected individual, that is not to say the
individual would be in a position to bring a complaint or action in
respect of the matter.

This is important from a principled perspective because in our
own litigation challenging data retention law, the High Court and
Mr. Justice McKechnie acknowledged that it was important that
Digital Rights Ireland would be able to bring an actio popularis,
an action on behalf of the wider population in respect of data
retention laws. This was a pressing issue of public concern and if
we were not able to do it, individuals would not have the financial
ability to bring the action by themselves. In an area where the
European Union was eventually found to have acted in a manner
that was entirely illegal, this would have gone unchallenged
because individuals simply did not have the resources to bring
these claims. As members will know from a number of hearings,
this is an exceptionally complicated area of law. We say it is
unrealistic and unfair to expect individuals to navigate these
waters without a guide. The two discretionary provisions in
article 80 are necessary to enable individuals to have an effective
remedy.

My next point does not appear on the speaking note that was
distributed but it relates to head 20 of the Bill, which would allow
for restrictions to be placed on controller obligations and the
exercise of data subject rights by means of statutory instrument.
We are concerned that head 20 appears to introduce a far-reaching
power on the part of each individual Minister to
effectively exempt particular forms of data processing from the
requirements of the GDPR in a way that might not be fully
consistent with fundamental rights. It is noticeable that in the
heads of Bill the Department acknowledges it would be desirable
for Departments to introduce limitations on these rights by
means of primary legislation but it suggests it is nevertheless
necessary to have a residual power by means of statutory
instrument to introduce these exceptions.

This power, certainly as drafted in heads of Bill, goes significantly
too far. In head 20, subhead 2(s), there are two typographical
errors but the second is the one to which I refer.
It states that a statutory instrument may be introduced which
will restrict controller obligations and data subject rights in
relation to important objectives of general public interest. What
are such objectives? They are defined in head 20, paragraph 2,
under the second subsection (s) as "such other important
objectives of general public interest of the Union or the State as
may be prescribed in regulations". In other words, we may have
regulations introduced where necessary for matters of important
general public interest. What are matters of general public
interest? They are matters which may be defined by the
regulations to be introduced to implement matters of general
public interest. Even in that aspect of the heads of the Bill there
is circularity in the definition.
More generally, there is a concern that we are creating a very
far-reaching power to carve out exemptions from the General
Data Protection Regulation, GDPR, without clear standards being
laid down in legislation to do so. It seems to me that if such a
far-reaching power is to be in place, there should be some
additional check on it. What that check might be is a matter for
the Oireachtas. It could be a requirement for a positive resolution
of the Houses before the exemption would come into effect. It
could be a sunset clause whereby any regulations introduced
under this provision have a finite lifespan and must either be
re-enacted in primary legislation or allowed to expire. It could be
some other mechanism for parliamentary or perhaps committee
scrutiny of particular classes of regulation. As this stands,
however, particularly in the context of a minority Government,
there is a risk that exemptions could be introduced by ministerial
order which might not pass full legislative scrutiny and certainly
might not command the support of the Houses of the Oireachtas.
I apologise that my final point is not included in the speaking
note provided to the committee. It concerns the position of data
protection officers, DPOs, and the protection they have if they
are victimised for doing their work. As the members know, under
the GDPR data protection officers are required to be
independent. Data controllers are not to interfere with the
independent exercise of their functions. However, the remedies
available for breach of this duty are sanctions imposed by the
Data Protection Authority on the data controller. They are not
remedies that are available to the data protection officer who
might have been victimised as a result. For example, if an
individual DPO is sacked for doing his or her job, there is no
remedy available to him or her under the GDPR itself or under
the heads of the Bill. It seems to me that it would be desirable to
provide some form of remedy.
DPOs already have recourse to a limited form of remedy in that
they might have the right to bring an action for wrongful
dismissal. As committee members will be aware, however, an
action for wrongful dismissal is a limited one in the sense that it
is quite expensive. It must be brought before the Circuit Court or
High Court as appropriate. It would be preferable to provide that
DPOs have available to them an action for unfair dismissal, which
is a much cheaper, easier, streamlined process that can be
brought before the Workplace Relations Commission and the
Labour Court.
The analogy here would be to the Protected Disclosures Act,
which creates a protection for those who are dismissed on the
basis of protected disclosure. There would in fact be an overlap in
that, in some cases, DPOs might make a protected disclosure
precisely in order to bring themselves within the scope of that
legislation, for example by notifying a matter to the Data
Protection Commissioner. It would be preferable to avoid the
need for them to artificially bring themselves under the purview
of the Protected Disclosures Act by explicitly providing that,
where an individual is dismissed on the basis of the exercise of
his or her functions as a DPO, an unfair dismissal remedy be
available to him or her.
That concludes my statement on behalf of Digital Rights Ireland.
I welcome further questions.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Féin):
We will take both opening statements first and questions
afterwards. I thank Mr. McIntyre for his very informative
contribution which expanded on the points he had already
provided to us. I now invite Mr. McGarr to make his opening
remarks.
Mr. Simon McGarr:
I thank the committee for the opportunity to address it on the
heads of the Bill. This legislation, together with the
implementation of the GDPR, will mark a watershed in respect of
the relationship between the State and its citizens. I will address
three major points and will pick up some of the threads from Mr.
McIntyre's submission.
First I will address head 23, a proposal in respect of State
agencies, public bodies and administrative fines. It provides for
administrative fines to be imposed on public bodies or authorities
solely in respect of occasions on which they act as an
undertaking. The effect of this exemption is to make sure they
are not liable to fines on all other occasions when they are not
acting as an undertaking. The result is to exempt public bodies
and State agencies from administrative fines. The committee will
have heard from the Data Protection Commissioner and other
witnesses already. I echo them in saying that this is a very
unwise course of action for the State to have taken.
State agencies will not have the same level of accountability as
commercial bodies. Between State agencies, a tally in respect of
fines over the course of years is a very good initial indicator of
any structural or institutional difficulty that may be arising. Such
a difficulty is easy to see as the fines build up, should there be
repeated fines, and therefore it is less likely that long-term
structural difficulties will develop. Administrative fines are
cost-neutral for the Exchequer as a whole. The fines levied on public
agencies go back into the Central Fund. There is not really a cost
saving exercise here for the State or the Exchequer.
The proposed provision requires a legally very complex test to be
carried out on each occasion that the Data Protection
Commission thinks it is necessary to do so, before any
administrative fines could be levied. On every occasion, there
would have to be an examination of whether elements of public
authority were acting as an undertaking before an administrative
fine could be levied. In the explanatory note to the heads of the
Bill, it is acknowledged that this is a complicated matter. It
cannot be said that a particular State body is an undertaking in
all its activities. The example given in the explanatory note is
that the HSE in the provision of ambulances is sometimes an
undertaking and is sometimes not. This is a high legal threshold
for the regulator to have to get over every time it must decide
whether it is possible to exercise legal powers. It also introduces
the potential of a challenge by the public body to every such
effort to exercise those powers, in respect of whether it is acting
as an undertaking.
It seems that there is very little by way of compelling reasons for
providing this exemption for the State bodies. Certainly there is
nothing set out in the explanatory note as to why State bodies
ought to be exempt as a matter of policy. There are very clear
reasons for having State bodies subject to the same regulatory
system as the rest of civil society. Our recommendation is that it
would be better if article 83(7) was implemented without any
restrictions on the administrative responses available to the Data
Protection Commissioner, including such fines as the commission
found appropriate in respect of breaches of citizens' personal
data privacy.
Head 91 deals with the requirement giving effect to the general
data protection regulation, GDPR, that there should be a right of
compensation for financial and non-financial loss arising from a
breach of the regulation. Article 82 of the regulation is phrased in
such a way as to say that there "shall" be provision made for the
recovery of compensation for material and non-material loss. The
wording of the article is such that precedent would suggest that
when a European legislative provision states there shall be
provision, it indicates that a further step is likely to be necessary
on the part of the member state in order to give force to that
intention.
The heads of Bill recognises there is a right of action but on
examination it does not explicitly create a right of compensation
by a data subject for a breach of their rights. The result would be
that there is a question whether the State would have complied
with the requirement that there shall be a provision for the
recovery of compensation.
This has unattractive features from the point of view of potential
data subject citizens where there might have been a breach of
their rights. It will also leave the State open to potential claims
from people who find that they were unable to enforce their
rights as it is a requirement under European law that if a person
has not been able to recover their compensation that should
have been provided for under European law, as a result of a
failure by the State that per the Francovich case they have a
right to recover such damages as they would have recovered
from the third party from the State. The result is that by not
implementing an explicit statement saying that there is a right of
compensation as opposed to a right of action, the State may hold
itself open to any of the damages that would have otherwise
fallen on private third parties who were breaching the data
protection rights. For all those reasons, we recommend that it
would be better to see the intent of Article 2 of the regulation
and Article 56 of the directive being made explicit by way of an
explicit legislative recognition of the right of recovery of
compensation for both material and non-material damages.
Dr. McIntyre has dealt with the separate implementation of
regulation and directive but I would like to add that the current
general scheme of the Data Protection Bill seeks to do three
separate things: to largely, but not completely, replace the
existing data protection Acts under head 5; to legislate for a
small number of matters in the GDPR which have been left to
member states such as the Internet age of consent and other
matters; and to transpose entirely by way of part 4 of the heads
of Bill, Directive 216/680 in respect of national security. We do
not think it is a good idea to attempt to do those three things
because this legislation must be passed and it is on a deadline.
The GDPR comes into force in May of next year and by running
the implementation measures in respect of the GDPR together
with the complicated matters in transposing a directive and the
partial repeal of the data protection Acts, we run the risk from a
practical point of view of either legislative gridlock preventing the
matter from progressing at the required speed, or of the matter
passing without the necessary scrutiny in respect of one area of
the Bill because there is such a pressing deadline in respect of
other areas. For those reasons, we recommend that it is better to
address the transposition of Directive 216/680 by way of a
specific legislative instrument separately. This would allow any of
the necessary residual elements required from the data
protection Acts for that transposition, or as a result of the
requirements of the State as a member of the Council of Europe,
to be dealt with separately in another issue. This would then
allow for the full repeal of the existing data protection Acts which
are intended for partial repeal under head 5 and their
replacement by the GDPR in Irish law.
We think it would be a good idea if the GDPR is reproduced as
either an annexe or appendix verbatim in the final Bill, together
with a few domestic legislative variations which are provided for
under the regulation. As well as providing clarity for users and
the courts in the consideration of what is quite a complex area of
law (I am sure every lawyer says their pet subject is a complex
area of law but I hope the committee will agree that this one
does seem to meet the bar for that description), it also
significantly reduces the chance of any legislative uncertainty as
to what provisions are being applied by the court at any given
moment. Therefore, the likelihood of challenges to the
interpretation by the new Data Protection Commissioner before
the courts is reduced. That is a valuable aim in itself. The Data
Protection Commission, which is set up, will be a new body
exercising significant new powers and it is important for building
up confidence in that body, but also in respect of the courts'
relationship with that body as a place of appeal from its decision
making, that exactly the laws it is working under and exactly the
powers it is implementing are as clearly set out by the
Oireachtas, in advance of the commencement of the commission
in order to allow the commission to fully exercise its rights
without the fear of constant challenge, which we have seen in
previous regulatory systems which have been introduced.
Particularly where large amounts of financial administrative fines
are at stake there is an incentive for judicial challenge. That is
always available for people to take and if bodies or individuals
feel they have not been treated properly by the Data Protection
Commission, it is right that they should be able to take the
matter to the courts. We are suggesting, however, that in order
to make sure that those appeals are minimised, it is best that the
law the decisions are taken under is as clear as possible for all
users.
I want to deal with a couple of matters that Dr. McIntyre has
raised, specifically the exemption carved out to give the Ministers
powers to effectively grant an exemption to anybody on any
matter they think relevant. I think that is under head 20. This is
a matter that has been live before the European courts in recent
years. In 2015, the Bara judgment dealt with a data sharing
provision by the Romanian Government on foot of legislation
which the European Court of Justice said was not acceptable on
the basis that it had shared this data between two government
agencies and that doing this without the prior knowledge of the
data subjects was contrary to the charter of fundamental rights
and the data protection directive. This is significant because it
means that even when the matters are provided for by
legislation, the State does not have a free hand to pass any such
legislation that it wants to in order to carve out exceptions from
a matter that is underpinned by the charter of fundamental
rights. In passing any such exemptions, it must give
consideration to the questions of necessity or proportionality.
The heads of Bill take no account of these limitations on the
national member state's executive powers. They deal with a very
wide range of stated and a general catch-all unstated basis on
which these powers could be exercised, including such things as
maintaining registers for reasons of general public interest. This
seems to be a general right to build databases in respect of the
population. Whether these provisions, if they were passed into
legislation, would pass scrutiny before the European Court of
Justice I could not say for sure, but certainly some provisions
that are foreseen as being carved out by head 20 would fall foul
of the same legal arguments that struck down the Romanian
legislative provisions on data sharing. I know the Data Protection
Commissioner has issued a guidance note to State agencies on
data sharing following the Bara judgment and the State has
received guidance from its legal advisers in respect of the
desirability of passing such data-sharing exemptions from the
data protection directive by way of primary legislation. It is
important that if the State is to provide for certain matters to be
dealt with and if primary legislation is required in order to ground
an exemption from the data protection directive on a lawful
basis, which is provided for in the directive, it should not
provide for non-primary legislative means.
It seems like a recipe for challenge and, in all likelihood, a recipe
for the Data Protection Commissioner to have to deal with a
repeated number of complaints and challenges to actions of the
State. There have been recent examples in respect of the
primary online database where certain databases were rolled out
with very long or indefinite retention periods involving holding
the data of five year olds indefinitely and those matters have had
to be rolled back following the engagement with the Data
Protection Commissioner as to what was and was not appropriate
under European law. I do not think we should allow for an
unqualified right of a Minister to provide for exemptions from
European law at the stroke of a pen by way of a statutory
instrument regardless of whether that is attractive to the
Executive as a method of providing for regulatory activity. It
should be the case that we should go by way of primary
legislation if there is to be a reliance upon the lawful basis
exemptions from the data protection directive. That is all I
wanted to say on that matter.
Jim O'Callaghan (Dublin Bay South, Fianna Fáil):
I thank Mr. McGarr and Mr. McIntyre for attending the committee
meeting. Listening to both of them and their views as to what
areas in the legislation could be improved has been informative. I
will make a few comments about the structure of the Bill because
both Mr. McGarr and Mr. McIntyre raised it. They are correct in
stating that it would be preferable if the 1988 and 2003 Acts
were repealed in order that people who want to know what the
law on data protection in Ireland is could come to one new piece
of legislation and see it there rather than have to go back to
legislation from 14 years ago and from 1988. I had not been
aware of the potential for confusion that can arise from the
inclusion of Part 4. There may be logic in trying to separate the
GDPR legislative basis from the other one. That is really a matter
for Government. It will be difficult for us to do that as a
committee by way of an amendment, but it is an interesting
point and something to which I will give further consideration.
In respect of the point made by Mr. McIntyre about the
representation of data subjects, I would have thought there is a
legitimate concern on the part of data controllers, the Oireachtas
and Government that this could become an overly litigious area.
While there are people who have minor data breaches and who
are perfectly entitled to have them ruled upon, there could be a
concern on the part of the Legislature or Executive that it will
involve lawyers taking cases, and even though there is minimal
compensation to be paid, it will result in a lot of costs. I can
understand why that is a legitimate concern.
I am interested in the reference to the non-profit entities. I
looked at the definition of a non-profit entity in Article 80. Will
the witnesses provide us with further explanations? What would
be a non-profit entity in an Irish context? Obviously, Digital
Rights Ireland would probably be one. Will Mr. McIntyre give us
other examples?
Dr. T.J. McIntyre:
Yes. In fact, Digital Rights Ireland might not be the best example
because I would envisage that this is an area where there might
be consumer rights groups bringing actions. I believe this is
common in Germany. Data protection rights are an aspect of
consumer rights, and if a consumer rights body is active in the
area of the protection of consumer privacy, there is no reason it
could not bring an action. I would envisage that trade unions
might fall into that category as well if they are protecting the
privacy of employees at work. The National Union of Journalists
might fall into that category if it was protecting the privacy of
journalists from surveillance by the State. It seems to me that it
would not be limited to traditional civil rights groups but has a
wider application.
The Deputy's point regarding the possibility of burdensome
litigation is a fair one. However, it is one that has already been
addressed to a large extent. The existing provisions deal with
that. The fact the Data Protection Commissioner has the
discretion not to entertain claims that in current language are
termed "frivolous and vexatious" represents an important
safeguard that is already in place. One can add to that the
requirement there be a filter here. The provision that only
qualifying non-profit entities get to bring these actions is an
important one. I do not think many bodies would be set up with
these objectives and have this track record. It is ultimately open
to the court to decide if the particular body qualifies.

Mick Wallace (Wexford, Independent):
A report carried out last year by the International Network of
Civil Liberties Organisations, INCLO, called Surveillance and
Democracy: Chilling tales from around the World, highlights the
dangers of secretive international information-sharing
agreements between intelligence agencies along with the
problem of domestic surveillance. There are reports of people
being put on secret fly lists, based on harmless email exchanges,
state security agencies using intimidation tactics against peaceful
protesters and national surveillance databases containing
sections dedicated specifically to human rights activists. There
are concrete cases of where individuals' human rights have been
violated by the state. In light of the recent moves to introduce a
national identity card and the potential to put so much
information on this card, obviously we are aware of the fact that
a lot of information can also be put on our passports. The Data
Protection Commissioner is on record as saying that with regard
to identity cards, the individual concerned has a right to know
exactly what data are recorded on the card. Would Mr. McGarr
accept what I have said as valid?
Mr. Simon McGarr:
On the specific question in respect of the public services card, it
does have a great deal of the appearance of a national ID card
scheme in its scope, and that scope is increasing regularly to the
point that one is no longer able to apply for a driving licence for
the first time without having a public services card. People who
are applying for their first passport must first take up a public
services card. That is a subsection of a wider question, which is
relevant to the Bara judgment, which is that the State has taken
many concrete steps in recent years to build not merely an ID
database of which the public services card is the physical
manifestation but also a series of national databases intending to
capture not merely all citizens' data but also data on people
travelling through the State by way of the passenger name
recognition database, PNR, and on all residents, who may not
necessarily be citizens, of course, by way of the individual health
identifiers database. On each occasion that these steps have
been taken, provision has been made to take the data which has
been collected from individuals by other agencies for other
purposes and apply it to this new purpose, this data-sharing
between bodies. This is again exactly the matter that was before
the Court of Justice of the European Union, CJEU. It is again
exactly the matter in which the Romanian Government was found
to have acted unlawfully in transferring its data between its
equivalents in Romania of our Department of Social Protection
and Revenue Commissioners. It seems to me that despite the
Data Protection Commissioner producing an excellent briefing
note for the State on these matters, there has still been, shall we
say, executive reluctance to absorb fully the lessons of what
European law states on the limits of state data-sharing.
Nonetheless, what we can see here and in other recent proposed
legislation, including the proposed data-sharing Bill, is that there
is an effort by the State to continue to provide a backstop for its
projects that are under way and on which a great deal of money
has been spent while at the same time not fully addressing head
on the question of citizens' rights in respect of data-sharing. That
is not an attractive way for the State to have acted. In particular,
notwithstanding the very legitimate reasons there may well be,
for example, in the health sphere, for creating databases which
can contribute to public safety and to health safety, the level of
trust that is required to allow databases of that sort to be built
must be built first on the understanding of the citizenry as to
what is being done and must be built up in order that they know
it is being done in the right way and that they trust it is being
done in the right way. Internationally what we have seen is that
if trust is not built first and there is an administrative push to
collect the data and explain it to people later, very expensive and
substantial projects fail completely. I am thinking of the NHS
care.data project, which was a centralised health records scheme
that failed completely after the expenditure of millions of pounds
sterling in the UK as a result of a basic failure of public trust in
how the data were going to be managed. I am thinking of the
Australian identity card scheme and public identity register which
effectively came to a creaking halt once the Australian people lost
trust in the scheme as it was being provided for.
These matters are not tidying-up matters. It is not a matter of
going back and explaining it to people afterwards. If trust is not
built into the scheme from the start, if the necessary
explanations cannot be provided, and if people do not think their
legal rights to their data privacy are being respected, potentially
very valuable public schemes become hamstrung from the very
start. It is not merely counterproductive from an administrative
point of view and in terms of the loss of time and money. It is
also very destructive of the relationship between the state and
the citizen.
https://www.kildarestreet.com/committees/?id=2017-07-05a.202&s=simon+mcgarr#g203
Government launches MyGovID - a safe secure
online identity for government services in Ireland
Revenue's myAccount and Social Protection's MyWelfare
online services now available - further services planned
Minister for Public Expenditure and Reform, Paschal Donohoe
T.D. and Minister for Social Protection, Leo Varadkar T.D. today
launched MyGovID, a safe and secure way to access Irish
government services online.
MyGovID gives citizens a secure single sign on to their public
services. It is built on the Public Services Card, linking a real world
identity to an online identity. It can already be used to access
Revenue's myAccount services and MyWelfare.ie online
services from the Department of Social Protection, including
Maternity and Paternity Benefit applications. Other government
services will follow in the months ahead, including Passport
applications and driving licences.
There are already 170,000 registered MyGovID account holders
and Ministers Donohoe and Varadkar are urging people to sign up.
Commenting at the launch, Minister for Public Expenditure and
Reform, Paschal Donohoe T.D., said: "MyGovID represents a
significant and important investment by the Irish government in
bringing safe and secure online government services to people
throughout Ireland. Built by the Department of Social Protection,
and designed for sharing and integration across Government
departments and public bodies, MyGovID represents a move
towards the joined-up government that citizens seek both in their
digital and day-to-day interactions with public services. Today's
launch of MyGovID represents the beginning of a journey to more
efficient and more convenient online government services in
Ireland."
Commenting at the launch, Minister for Social Protection Leo
Varadkar T.D., said: "With MyGovID we are making life easier for
all our citizens by giving them access to key services and benefits
from their laptop, mobile phone or tablet. You can already apply for
Maternity or Paternity Benefit using MyGovID and the range of
services is being expanded all the time. The plan is that eventually
all Government services will be available online through
MyGovID. I strongly encourage people to visit www.MyGovID.ie
and explore the range of public services that are already available.
I also encourage people to apply for a Public Services Card if they
don't already have one. The Public Services Card is becoming
ever more important as, over time, many government services in
Ireland will require you to hold a Public Services Card. Almost 2.5
million people in Ireland already use their Public Services Card to
safely access a variety of government services. With the launch of
MyGovID, a Public Services Card now brings the added benefit of
secure access to a range of online government services."
Commenting at the launch, Barry Lowry, Government Chief
Information Officer (GCIO), said: "The Office of the GCIO, part of
the Department of Public Expenditure and Reform has been
working in partnership with the Department of Social Protection to
implement a Public Services Card that is safe, secure and robust,
and that combats fraud and identity theft. Linking the Public
Services Card to MyGovID means that Government and public
bodies can safely offer a range of high value public services online
and that MyGovID users can access online public services
assured that their personal data is secure.
OGCIO and the Department of Social Protection are currently
working closely with the Road Safety Authority and the Passport
Office to enable driving licences and passports to come on board
within the coming 12 months. As these, and indeed more services
come on-stream with the Public Services Card and MyGovID, we
will doubtlessly unlock significant economic and social benefits for
Irish society."
ENDS
Notes to Editors:
Public Services Card
A Public Services Card holds a person's unique identity and
provides safe and easy access to public services in Ireland. Almost
2.5 million people in Ireland already use their Public Services Card
to safely access a variety of government services, including Travel,
Revenue and Social Welfare services and over 10,000 new public
services cards are issued every week in Ireland.
It is essential that people can keep their identity safe and their
transactions with government secure, and prevent fraud. For this
reason, most government services in Ireland will, over time,
require you to have a Public Services Card. You can currently
register for a Public Services Card from over 100 locations
throughout Ireland. A Public Services Card is also fundamental to
a verified MyGovID account, as it allows for a safe linking of a
person's identity and their online identity for government services
in Ireland.
MyGovID
MyGovID provides users with a safe secure online identity for Irish
government services. A MyGovID account will act as a secure
single sign on identity for multiple online government services
across a variety of government and public sector organisations.
Users can already access a range of social welfare services and
Revenue's MyAccount service using a MyGovID account.
Eventually, all government online services will migrate to the
secure MyGovID platform.
https://www.mygovid.ie

EU eGovernment Action Plan 2016-2020


By 2020, public administrations and institutions of the European
Union should be open, efficient and inclusive, providing borderless,
personalised, user-friendly, end-to-end digital public
services to all citizens and businesses in the EU. Innovative
approaches are used to design and deliver better services in line
with the needs and demands of citizens and businesses. Public
administrations use the opportunities offered by the new digital
environment to facilitate their interactions with stakeholders and
each other.
http://www.per.gov.ie/en/government-launches-mygovid-a-safe-secure-online-identity-for-government-services-in-ireland/

Irish adults will be able to renew their passports online
from Thursday
First time applicants and children will still have to use the current
system.
Mar 28th 2017

IRISH ADULTS BOTH in the country and across the world
will be able to renew their passports online from Thursday.
The Online Passport Application Service (OPAS) will be
available on the Department of Foreign Affairs website.
The new service is only for the renewal of adult applications;
first time applicants and children will have to use the
current system.
In a statement the Department of Foreign Affairs said,
"People can apply via the Department's website using their
PCs, tablets or mobile phones.
"The service will be convenient, secure and it will offer faster
and more predictable turnaround times."

The initiative is part of the passport reform programme
which is modernising Ireland's passport systems and
controls.
http://www.thejournal.ie/adults-passports-online-3311202-Mar2017/
Minister Howlin launches new Office of the Government Chief
Information Officer (OGCIO)

The Minister for Public Expenditure and Reform, Brendan Howlin, T.D., has announced
the establishment of the Office of the Government Chief Information Officer (OGCIO) at
the Department of Public Expenditure and Reform.

The establishment of the OGCIO follows the appointment of Mr Bill McCluggage as
Government Chief Information Officer in June 2013.

Minister Howlin said the establishment of the OGCIO is an important development in
Government's ongoing commitment to maximising the potential benefits of ICT in
improving the efficiency and effectiveness of Public Service delivery.

The Government CIO is responsible for developing and implementing an ICT Strategy for
Government that ensures an integrated approach to the exploitation of ICT across all
Departments and Public Service Bodies, accelerating the delivery of digital services
across Ireland and a transformation in the use of the Government's information
assets. The OGCIO will remain responsible for coordinating the implementation of the
existing eGovernment and Cloud Computing Strategies.

Minister Howlin said this new organisation will, when fully resourced, allow Bill and his
team to lead, manage and direct across Government Departments to define and
implement an enterprise-wide ICT strategy to support the Reform agenda and improve
the overall performance of the public service.

Mr. McCluggage said "I look forward to leading the team here at the OGCIO, and working
with colleagues across the Public Service, to deliver real transformation in the way public
services use ICT and the development of new and improved digital public services. The
work of the OGCIO has a valuable role to play in delivering real reform of Public Services
and I intend to ensure we step up to the challenge."

Ends

23 July, 2013

Note for Editors


Role of Government CIO

The Government CIO, Mr. Bill McCluggage, leads the cross-organisational CIO Council
in devising and implementing an ICT strategy and is currently responsible for all IT
operations in the Department of Public Expenditure and Reform.

CMOD

The Office of the Government Chief Information Officer (OGCIO) replaces the previous
Centre for Management and Organisation Development (CMOD).

Responsibilities of OGCIO

The Office of the OGCIO has a wide remit and is responsible for ICT Strategy
development of the Public Service; Government Networks; eGovernment Systems
Development; eGovernment Policy; EU and International engagement; ICT Metrics; plus
delivery of an IT Shared Service to the Departments of Public Expenditure and Reform,
Finance and the HR Shared Service Peoplepoint.

http://www.per.gov.ie/en/minister-howlin-launches-new-office-of-the-government-chief-information-officer-ogcio/

Public Services Card (PSC) ID Policy
Important Update to the ID Policy for all
Theory Test (including CPC Step 1 & 2) exams
From June 16th, any person sitting the Driver Theory Test
will be required to present a Public Services Card (PSC)
at the Test Centre as proof of ID.
At the time of booking the test, applicants will be asked to
confirm that they possess a Public Services Card.
In the test centre, the only acceptable form of ID will be
the Public Services Card. The card will be used to verify
name, PPS number and identity of the person attending
for the test.
Applicants will need to ensure that the spelling of the
name in which they book their test matches exactly the
spelling of their name on the card.
Theory Tests can be taken at 41 test centre locations
around the country as part of the RSA's driver testing and
licensing process.
For more information on how to obtain a Public Services
Card, we would encourage you to visit the Department of
Social Protection website.
From the 1st June 2017, in order to book a theory test (or
CPC Exam) you will need the 12 digit number from the
rear of the card.
Sample Public Services Card
http://www.theorytest.ie/driver-theory-test/public-services-card-psc-id-policy/

Updated ID Policy
Updated Identification Requirements Policy
With effect from 30th September 2014, Identification
Requirements will change for those candidates taking the
Category C and Category D Driver Theory Tests, as
detailed below.
Please be advised if you do not bring the required
identity documents with you for testing, you will not
be allowed to sit your test and you will lose your fee.
You must bring one of the following, plus two identical
colour passport-sized photographs that conform to
the required standards:
A current Category C or D Irish Learner Permit
A full current Category C or D Irish Driving Licence (or one from an EU/EEA member state or Switzerland)
A full current Category B Irish Driving Licence (or one from an EU/EEA member state or Switzerland)
http://www.theorytest.ie/updated-dtt-id-reqs-from-april-2013/

Policy & Customer Charter


Find out the standards of service and customer
facilities provided by Prometric for the Official Driver
Theory Test booking service.
Policy
The Official Driver Theory Test service is operated by
Prometric Ireland Ltd. on behalf of the Road Safety
Authority (RSA). It is part of the RSA's driver licensing and
testing process designed to help both new and
experienced drivers be safe, courteous and informed road
users.
Our aim is to provide a professional, efficient and
courteous testing experience that meets the needs of the
driving public by providing our customers with:
24 hour online booking and information service
Telephone booking and information service available Monday to Friday from 8AM to 6PM (excluding public holidays)
Flexible payment options online or via telephone
Purpose built, candidate friendly and easily accessible Test Centres
Test Centres with flexible opening times
Disabled access at all our Test Centres
Lockers for securely storing your belongings during your theory test
Clean, smoke free and safe reception, waiting areas and testing rooms
Toilet facilities (one of which is suitable for disabled persons)
Standards of service
When you come into contact with our Test Centre staff,
they will:
Display the highest levels of courtesy and respect
Handle your requirements promptly
Show sensitivity, patience and understanding in dealing with any issues you may have
Provide you with their name when asked - Test Centre staff carry a photo ID badge at all times
We aim to:
Provide a high quality, reliable Driver Theory Test service
Accept bookings online, via telephone and by post
Give candidates with special needs, who cannot complete their internet booking, a call back within 24 hours - where the booking is outside of a working day, the call back will be on the next working day
Acknowledge all candidate emails within 2 working days
Offer appointments to 94% of candidates at the Test Centre of their choice within 2 weeks of their preferred date
Offer testing sessions fortnightly at fixed Test Centres with at least one weekday (9AM to 5PM), one evening (5PM to 7.15PM) and one Saturday (9AM to 5PM), excluding public holidays.
Offer testing sessions at least one Saturday (9AM to 5PM) per month at mobile Test Centres and, for mobile Test Centres with less than 250 theory tests per annum, at least every 2 months and once on a weekday, once on a weekend evening and once on a weekend at least every 6 months.
Send a test appointment confirmation in writing or via e-mail within 5 working days if you require special arrangements
Answer 80% of calls processed by the automatic Candidate Services line within 30 seconds
Issue all refunds and any compensation within 10 working days of receipt of a valid claim or determination that refund should be made
Provide an average candidate waiting time before commencement of test of no more than 15 minutes
Provide a Pass Certificate, where applicable, to successful candidates at the end of the theory test
Provide candidates who fail a theory test with information in writing about general topic areas of weakness - this applies specifically to Driver Theory Tests for categories A, B, C, D, CD, BMT & TMT
If it is necessary for Prometric to cancel a test appointment for any reason we will provide you with at least 5 working days' notice and offer you a new appointment within 5 working days of the test date
If Prometric provide less than 5 working days' notice of a cancelled test appointment we will offer you a free appointment and provide compensation equal to 50% of the test fee.
Details of our Compensation Scheme are available at
each Test Centre.
We strive to continually improve our services and in
particular, we aim to provide test appointments in a
prompt and efficient manner.
Listening to you
We are always happy to hear what you think about our
service and ideas for how we can improve it. We consult
with representative organisations to advise them on our
performance and listen to and implement any views or
comments made. We welcome your comments - both
complimentary and critical. Feedback forms are available
at each Test Centre.
Keeping you informed
We tell customers in advance about changes regarding:
Test procedures that may affect them
Test Centre locations and opening hours
Applicable test fees
Test preparation publications aimed at preparing
candidates for their test
If things go wrong
Where our service has not been as good as you expected,
we want to know so that we can do something about it and
get it right next time. If you have a complaint please make
this known at your Test Centre or call our Candidate
Services Team on 1890 606 406 or e-mail us at
theorytesthelp@prometric.com. Alternatively, you can
write to our Candidate Services Manager at: Driver Theory
Test, PO Box 15, Dundalk, Co. Louth.
We will co-operate with individuals or organisations that
act for you. Our Candidate Services Manager will be
pleased to help you with information about a particular
issue or difficulty.
We:
Regularly check that all complaints are dealt with
promptly
Examine trends in case we need to make any changes
Decisions about your test
If you think that we have made the wrong decision, speak
to our Test Centre Administrator or Manager before
leaving the centre and request that we re-mark your
theory test.
You must:
Appeal, in writing, within 10 working days of your exam
Provide a cheque/postal order of 15.00 as a service fee
When we get your appeal, we will re-mark your theory test
and give you the result within 5 working days.
Our Candidate Services Team will conduct the re-marking
of your theory test. If it is found that the original marking
was wrong we will:
Issue you with a new Driver Theory Test certificate
Refund the fee of 15.00

http://www.theorytest.ie/policy-and-customer-charter/
Applying for a passport or driving licence? You'll soon need a Public Services Card to do so
The Department of Public Expenditure and Reform confirmed that the
card will be needed to apply for a passport from autumn of this year.
May 22nd 2017

A sample Public Services Card


CONCERNS HAVE BEEN raised that the government is
attempting to introduce a national identity card by stealth.
This comes after it was confirmed that anyone applying for a
passport or driving licence in the future will need to have a
public services card.
The Department of Public Expenditure and
Reform confirmed that the card will be needed to apply for a
passport from autumn of this year.
The public services card (PSC) was first introduced in 2012
and rolled out to people getting social welfare payments.
Since its introduction, the State has been expanding the
services for which it is needed.
Last year, it became necessary for all first time passport
applicants under the age of 18 who are resident in Ireland to
have a Public Service Card. It also became a requirement for
all applicants for a certificate of naturalisation aged 18 or
over to have a card.
Following an article today in the Irish Times, it's been
announced that anybody applying for a passport for the first
time or renewing their passport will need to have a Public
Services Card from this autumn.
A PSC will also be needed for anyone applying to take their
Driver Theory Test from June. Anyone applying for a driving
licence will also soon be required to have a PSC.

National identity card


Speaking this morning on Newstalk Breakfast,
data-protection expert Darragh O'Brien said that the PSC was
creating a national identity card by stealth.
"The creation of a national identity card is being done by
stealth without appropriate debate and transparency," said
O'Brien.
One of the reasons there is concern around this is that the
amount of sharing of data that has to happen in various
government departments to ensure this card exists is quite
large.
In a statement, a spokesperson for the Department of Public
Expenditure and Reform said that the card was the most
effective way to enhance protection against fraud and
identity theft and to uphold the integrity of the Irish
passport.
"Furthermore, the use of the PSC to access public services is
a fundamental enabler for the protection of personal data,
ensuring the use of such data is accurate, minimised,
transparent, and in line with data protection principles,"
they said.
The spokesperson denied that it will ever become
compulsory to have a PSC.
"However, Government has an obligation to deploy the most
robust means of online and physical identity verification
possible to ensure that it is doing all it can to reduce fraud,
personation and the risk of identity theft in the
delivery/accessing of public services," they said.
In relation to people living in Northern Ireland, the
spokesperson said that there are over 100 Intreo offices in
Ireland where people can go to apply for the PSC.
"Many of these will be convenient to Northern Ireland
residents, should they choose to use them," the
spokesperson said.
http://www.thejournal.ie/public-services-card-passport-3402471-May2017/

Applying for a passport? New measures to combat identity theft are being introduced
New measures by the Passport Service of Ireland will be introduced at
the end of the month.
Mar 10th 2016

NEW MEASURES AROUND getting a passport are being
introduced in order to combat fraud and identity theft, the
Passport Service of Ireland said today.
The measure will require anyone over the age of 18 applying
for a passport for the first time to present a photocopy of
their public services card (PSC) for identification purposes.
Any adult whose last passport was issued prior to 1 January
2005 and has since been stolen, lost or damaged, will also
be required to present their PSC when applying for a new one.
The new measures will take effect from 29 March of this
year.
The Department of Foreign Affairs said that the measure is
being introduced to protect against identity theft.
"The measure is an important step considered necessary to
enhance protections against fraud and identity theft and to
uphold the integrity of the Irish passport," the department
said in a statement.
It will also ensure that the identity of first-time applicants
for Irish passports continues to be verified to a high
standard.
Any adult who had a passport that was issued after 2005, or
any child under the age of 18 applying for a passport will not
need to present their card.
What's a public services card?
The public services card is issued by the Department of
Social Protection and is the main identity document for
people needing to access public services in Ireland.
The card was introduced in 2012 as a means of having one
form of identification for citizens when dealing with the
various public bodies of the State.
It is used mainly by people securing social welfare payments
and free travel through the Department of Social Protection.
You can get a public services card (free) through your local
Department of Social Protection office. You can get more
details about how to register here.
Will this affect me?
It depends. The new requirement will only impact adults
applying for passports for the first time or people who need
a new passport after their last one was stolen, lost or
damaged and was issued before 2005.
It is unclear as of yet if the measure will be extended to
apply to all new passports in the future. But until then,
adults affected should be in the minority.
Anyone who has a public services card will not have to
submit other photo identity or additional proof of name
when applying for a new passport. Your original birth
certificate will still be necessary.
http://www.thejournal.ie/passport-new-measures-2652328-Mar2016/

Man was paid 12,500 to process passports for South African and American nationals
He also processed passports for Moldovan and Vietnamese nationals.
He will be sentenced next month.
Feb 29th 2016

A CLERICAL OFFICER who was paid 12,500 to process
five passports for people who were not entitled to them will
be sentenced next month.
Barry Kindregan (36) also organised passports for two other
people but never received the agreed payment for them.
Kindregan of Downside Heights, Skerries, Dublin pleaded
guilty at Dublin Circuit Criminal Court to four sample
charges, including possession of a false passport and three
charges of corruptly agreeing to accept a sum of money in
cash as a reward for providing a passport on dates between
August 1, 2012 and July 2013.
He has no previous convictions.
Approached by a colleague
He had been working as an officer in the passport office
since 2007 when a colleague approached him in August
2012 and sought advice for people in South Africa who
wanted to get Irish passports.
Kindregan said they would have to look for a foreign birth
registration but the colleague spoke to him again some time
later and admitted the people in question wouldn't be
entitled to such registration.
She asked him if he would be interested in producing
passports for them for cash.
Kindregan later told gardaí in interview that he considered
the proposal for a few days before he agreed to process the
applications.
He ultimately delivered seven completed passports for
South African, Vietnamese, American and Moldovan
nationals, back to his colleague.
He admitted that he only checked supporting
documentation to make sure the name was spelled properly
and acknowledged that he knew the applicants weren't
entitled to Irish passports.
Judge Melanie Greally said she needed time to consider the
case and remanded Kindregan on bail to 11 March next.
Agreement
Detective Garda Joanne O'Sullivan told Cathleen Noctor BL,
prosecuting, that an agreement had been reached between
Kindregan and his colleague that he would get 1,250 at the
start of the application for the passport and a final 1,250
when it was completed.
She agreed that he never received the payment for the first
two passports and he contacted gardaí himself, following his
arrest for the first two passports, to admit that he had
processed a further five.
Det Garda O'Sullivan agreed with Ronan Kennedy BL,
defending, that his client was not the prime mover in the
operation and was used to facilitate another person. She said
she believed he was manipulated and deliberately targeted
because of his known IT skills.
Genuinely remorseful
Det Garda O'Sullivan accepted that Kindregan co-operated
fully with the garda investigation, was genuinely remorseful
and was unlikely to come to garda attention in the future.
She agreed that he lost his job in the passport office but had
since secured new employment.
Kennedy told Judge Greally that his client wanted to
apologise from the bottom of his heart and it was a gross
understatement to say he was deeply ashamed of himself.
He let down the State, who provided him with a good
position, his work colleagues, whom he respected and liked
in the office and his family.
"There isn't a day goes by that he doesn't regret his actions.
No matter what penalty the court imposes this is something
he has to live with for the rest of his days," Kennedy said.
Counsel said there were about 30 people from all over the
community in court in support of Kindregan bearing
testimony to his character.
http://www.thejournal.ie/court-man-paid-to-process-passports-2633870-Feb2016/

Concern in Passport Office as 66,000 applications outstanding (and the number's growing)
The number of applications outstanding has been consistently on the
rise in recent times in the wake of the Brexit vote.
Jun 22nd 2017

Source: Shutterstock/Astroette
A SIGNIFICANT BACKLOG in passport applications has
developed at Ireland's Passport Office.
Figures released to TheJournal.ie by the Department of
Foreign Affairs (DFA) show that currently 65,916
applications are outstanding (ie awaiting process).
This represents an increase from the 60,404 such
applications that were outstanding at this time last year.
The single greatest reason for the backlog would appear to
be Brexit.
Since the UK voted to leave the EU in June 2016,
applications for Irish passports have increased to a huge
extent from eligible citizens living in Britain hoping to avoid
issues with free travel (and employment) throughout the
union once Brexit becomes official in March 2019.
Last year saw a 33% increase (33,008) year-on-year of the
number of applications received from Northern Ireland and
mainland Britain.
The first five months of 2017 have seen that trend explode
with a staggering 55% increase in the number of
applications received from this time last year (29,792
additional applications received year-on-year until end May
2017).
It's understood that there is a deal of concern within DFA
regarding the ongoing backlog in the process of applications,
although waiting times currently vary depending upon the
manner of application.
TheJournal.ie contacted DFA for a statement in relation to
this matter. A response had not been received at the time of
publication.

Source: DFA
The 66,000 applications currently outstanding are totalled
from applicants in Ireland, Northern Ireland and Great
Britain, and via DFA's online passport renewals service.
The breakdown of outstanding applications at present is:
Irish applicants 43,274 (66%)
Northern Irish applicants 10,288 (16%)
British applicants 8,609 (13%)
Online renewals 3,745 (5%)

Separate to the 66,000 applications waiting to be processed,
nearly 97,000 such applications were received last month, a
7.6% increase on the same month in 2016.
The lowest number of applications received and registered
this year was in January - 70,771 (a massive 33% increase
on the previous year's total of 53,175).
In the last three months there have never been fewer than
85,000 applications received.
With the current outstanding total of 66,000, this suggests
that applications are being received at a faster rate than the
Passport Office can deal with them.
Waiting times
This does not as yet suggest that the backlog is creating a
situation where applicants are having their passports
significantly delayed.
However, the average waiting times for applications vary
depending on how and from where they were applied for.
When applying (by mail, the only means to do so is via the
Passport Express option through a post office - all other
mail applications are returned), people are strongly advised
to get their applications in six weeks prior to travelling.
Passport renewals typically take 14 working days, while first
time applicants can expect a minimum wait of 20 days (four
weeks).
Emergency applications meanwhile necessitate an
appointment with the Passport Office in either Cork or
Dublin.
The wait-time on online renewals (new applications can only
be made via post) is significantly shorter at just 10 working
days (not counting postage times).
Applications traditionally spike prior to, and during, the
summer months as people ready themselves for travelling
abroad on holiday.
Last year, 733,060 were issued in total, a 15% increase on
the 635,600 figure from just five years ago in 2012.
Backlogs regarding such State-issued documents or
payments are not uncommon, with staffing issues often to
blame.
In recent times the Department of Social Protection, for
example, has struggled with a backlog in the payment of
maternity benefits which has seen many women having
given birth for a number of weeks before receiving their
payments.
http://www.thejournal.ie/passport-applications-outstanding-3454074-Jun2017/
Doctor Daddy had a few bob so young Leo Eric's secondary-level
education took place in Palmerstown at The King's Hospital, which is a
fee-paying school operated under the ethos of the Church of Ireland.
During his secondary schooling Leo Eric joined Fine Gael. He was
admitted to Trinity College, Dublin, where he briefly studied law. He
later switched to medicine. At TCD he was active in Young Fine Gael
and served as vice-president of the Youth of the European People's
Party, the youth wing of the Christian Democrat group, a right wing
neo-liberal get-together for spoiled wealthy kids who are encouraged
by their daddies and mammies to get into a career in politics - where
millionaires are made. Young Leo discovered Twitter and tweeted his
way to the top, becoming Taoiseach because he promised goodies to all
his Blueshirt buddies.
Problem now for young Leo Eric is that he's Taoiseach and he hasn't a
clue what to do. And neither have his promoted pals. Still, Meehole will
keep the show on the road for the boy scouts (for they are mostly boys).
Poor Terri Prone has her work cut out getting spoiled brat Leo Eric to
keep his big mouth shut. Still, with everybody going on holiers until
September 20th Leo Eric can lie low and not get into spats with
socialists and that thug Paul Murphy. And sure by September 20th the
bright Murphy, Eoghan might have got those darned families out of the
bloody hotels and into the Family Hubs - so that Leo Eric can
concentrate on which socks to wear.
True the criminal bunch won't return till 20/9 but ALL the SITUATIONS they're running from now will still be
waiting when they return. Doherty's little problem won't certainly go away. The Flip flops credibility won't
increase & Leo still won't be a properly elected leader.

'Unusually high number of people' seeking Irish passports, Northern Ireland's Post Office says after EU vote

There has been a surge in Irish passport applications in Northern


25 JUNE 2016
The fallout from the Brexit vote has sparked an
"unusually high number of people in Northern Ireland
seeking Irish passport applications".
As world politics and money markets reeled from the
poll, there also was a surge in online interest in Irish
passports and moving to Ireland.
While the UK as a whole voted to leave the EU in
Thursday's referendum, Northern Ireland voted to
remain by a majority of 56 percent to 44 percent.

The Irish Department of Foreign Affairs said there had
been "an increase in queries in respect of entitlements
to Irish passports" on Friday.
However, it added that "reports of queues outside
passport offices are incorrect and the passport offices
in Dublin and Cork are operating as normal".
In a statement, the Post Office in Northern Ireland said:
"We have seen an unusually high number of people in
Northern Ireland seeking Irish passport applications,
though we do not have exact numbers or a breakdown
by branch."
Data from Google showed queries on citizenship in the
Republic began to increase on Thursday evening and
peaked in the early hours of the morning.
Likewise from lunchtime on referendum day searches on the web for information about moving to Ireland began to heat up
and peaked in the early hours of Friday.

GoogleTrends said UK searches for "getting an Irish passport" jumped more than 100% after the Brexit result came through.

And while the data analysts would not reveal the exact number of searches for information on the Republic's citizenship
rules, they said most interest was shown in Northern Ireland with the normally unionist heartland of Holywood, Co Down,
taking top spot.
Figures from Ireland's Department of Foreign Affairs earlier this month showed the total
number of Irish passport applications from Britain this year is 3,334 - up very slightly from
3,239 over the same period last year.

Officials also cautioned that there have been significant fluctuations in recent years and
applications from Britain were only a fraction of what they were from 2007-09.

A Senator in the Irish parliament, Neale Richmond, urged passport officials to be ready for
the so-called Cascarino effect, recalling Jack Charlton's tactic of picking British footballers
with Irish heritage when he managed the Republic of Ireland.

Mr Richmond, who has two English cousins who recently applied for Irish passports, said:
"British citizens with Irish grandparents applying for Irish passports could now move from a
torrent to a flood."

In Northern Ireland, which voted to remain in the EU along with Scotland, Deputy First
Minister Martin McGuinness called for a referendum on a united Ireland, while Nicola
Sturgeon, the Scottish First Minister, said a second independence referendum was highly
likely in the next two-and-a-half years.

http://www.telegraph.co.uk/news/2016/06/24/unusually-high-number-of-people-seeking-irish-passports-northern/

Changes to the application process for Irish passports and driving licences are on the way

BY CONOR HENEGHAN
Minister for Public Expenditure Paschal
Donohue said that the changes would be
introduced due to the increase in acts of
terrorism over the last several years.
Irish citizens applying for Irish passports will have to
produce the State's public service card from autumn of
this year onwards and all applicants for Irish driving
licences will be required to do so from next year onwards.
According to The Irish Times, it has been confirmed that
the card will be a requirement in the application process
for both the passport and driving licence, with Minister for
Public Expenditure Paschal Donohue telling the paper that
the reasons for introducing the requirement were very
simple.
https://www.ireland.co.nz/wp-content/uploads/2016/04/CURRENT-passport-fees-and-guidelines.pdf

"Given the increase in acts of terrorism over the last
several years, every democratic country should be obliged
to deploy the most robust means of authenticated travel
across borders that it has available," Donohue said.
The Public Services Card (PSC), which was introduced in
2012, was initially rolled out to people getting social
welfare payments but has since been rolled out to other
public services.
It is usually issued when someone is allocated a PPS
number and 2.5 million cards have been issued to Irish
citizens since it was introduced. Each card is linked back
to a biometric facial recognition database controlled by the
Department of Social Protection.
https://www.joe.ie/news/irish-passports-588978
GENDER RECOGNITION BILL 2013 EXPLANATORY MEMORANDUM ... attaining
a PPS number and getting married). ... passports and driving licences,
https://genderidentitywatch.files.wordpress.com/2013/07/explanatory-memorandum.pdf
The Identity Card That Most Assuredly Isn't An Identity Card
MAY 2017
Loughlin O'Nolan & Elaine Edwards
TL;DR: The Irish state is building a national identity register with no
discussion or debate. Whether this register is being created by accident or
design, the lack of debate is alarming. The justifications for doing so are
opaque and vague, where justifications can be found at all. This project is
proceeding right now, and there is a financial incentive for elements of it to
be done as quickly as possible, reducing further the possibility of any
discussion. The Department of Public Expenditure has fought to protect
records that might reveal what the Data Protection Commissioner has been
saying behind the scenes about the project, arguing successfully to the
Information Commissioner that it would be contrary to the public interest to
disclose them. A department that is processing the personal data of every
citizen in the state from birth to death is arguing that it is contrary to the
public interest to disclose records about a giant biometric database it has
established with no public debate or scrutiny.
Some key interacting issues here are information, consent and trust.

The state should, with some legal exceptions, only acquire, store and
process citizens' personal information with the full informed consent
of each citizen.
The state must inform citizens about any plans to use their personal
data in any way other than the purpose for which it was acquired. Clear
information about these other purposes must be provided at the time
and place at which the data is acquired.
Whether legally or illegally obtained, personal data has a long and
persistent life and those who control access to it will change.
For data protection purposes the state is not a monolithic entity. If one
department intends to share personal data with another, it must
inform citizens fully about this when it collects this data.
Informed consent such as this leads to trust and empowered decision
making by individuals. Citizens can choose whether they wish to trust
the state with their personal data, in which context and for how long.
In addition to this the government and a range of public bodies have
fairly extensive powers to demand personal data from other bodies
without consent, where the individual involved might never be aware
of it and doesn't have to give consent.
The various state bodies involved have to earn trust from citizens. In
order to earn trust, full information about uses and safeguards around
personal data must be provided.
If the state seeks to short-circuit this relationship built upon trust by
forcing people unwittingly or unwillingly onto the register, citizens will
suspect the state cannot give enough assurances that the state is a
trustworthy guardian of their personal data.

Privacy campaigners have expressed concern that a plan by the Government to make
all citizens applying for a passport and a driving licence first obtain a State-issued
public services card represents the introduction of a national ID card by stealth.
Minister for Public Expenditure and Reform Paschal Donohoe confirmed that all
passport applicants will be required to have a Public Services Card (PSC) from the
autumn, although he insisted it is not and will not be compulsory for citizens to get the
card.
Not calling the Public Services Card an identity card is the thinnest of
rhetorical cover and it is surprising that this has gone on mostly unquestioned
for several years until it hit the front page of the Irish Times last Monday. If
the state wants to introduce a national identity card it should let citizens
know and make its arguments as to why it feels this is necessary.
Responding to the Irish Times story, former justice minister and current
Senator Michael McDowell said he has always been opposed to national
identity cards and remains so.
The executive director of the Irish Council for Civil Liberties Liam Herrick said
that the government should propose such a measure through primary
legislation and facilitate a national debate on such a measure.
In such a debate ICCL would argue that ID cards are an ineffective, expensive
and intrusive mechanism to advance the stated public policy objectives. We
note that plans to introduce a national ID card system in the UK were
abandoned in 2010 for these reasons.
Dr. Dennis Jennings, the only Irish inductee into the Internet Hall of Fame and
the closest thing Ireland has to a Tim Berners-Lee, was before the joint
Oireachtas Committee on Finance on Tuesday and was scathing in his
criticism of the way the state is going about introducing the Public Services
Card.
The current situation where the Department of Public Expenditure
and Reform is trying to introduce 3 million Public Services Card,
using data sharing from multiple sources under the provisions of a
very old and out-of-date (from a privacy perspective) Social
Welfare legislation is, I think, truly shocking, and a gross breach of
this principle and of the trust that is required.
http://myprivacykit.com/projects/the-identity-card-that-most-assuredly-isnt-an-identity-card/
INTERNET HALL of FAME PIONEER

Dennis Jennings
As the first Program Director for Networking at the US National Science Foundation
(NSF, 1985-86), Dr. Jennings was responsible for the design and development of the
NSFnet Program. Jennings developed a vision of an open network of networks - an
Internet designed to serve all of US research and higher education.

Jennings' selection of the DARPA TCP/IP Internet protocol suite, and his insistence on
its deployment across NSFnet, was a key contribution. The NSFnet Program stimulated
the development of many regional research and education networks, and it connected
them to campus networks, to supercomputing centers and their networks, and to the first
(interim) NSFnet backbone (and later to US federal agency networks, and international
research and education networks). NSFnet eventually became a major part of the Internet
backbone.

As Director of Computing Services at University College Dublin (UCD, 1977-1999),
Jennings served on several national and international research and academic networking
initiatives in Ireland and Europe. He was responsible for the development of the .ie
domain name services.

In the 1990s he became interested in angel investing, and he left UCD in 1999 to pursue
his commercial interests. He served on the Board of ICANN (2007-2010), and chaired the
Irish National Centre for High-end Computing Oversight Board (2006-2012). Jennings
earned a PhD in Physics (Astrophysics) from UCD in 1972.

https://www.youtube.com/watch?v=L08YD3fOSqU
Public services card a gross breach of citizens' trust

Dr Dennis Jennings says individuals must be given access to data the State holds on them
Tue, May 23, 2017, 18:00 Updated: Tue, May 23, 2017, 18:03
Elaine Edwards

Dr Dennis Jennings told the Joint Oireachtas Committee on Finance public confidence in the data
protections provided by Government systems was required before making an ID system compulsory.

The rollout of three million public services cards to citizens using out-of-date welfare legislation from
a privacy perspective is truly shocking and a gross breach of the trust required between the citizen
and State, an Oireachtas committee has heard.

Irish physicist Dr Dennis Jennings told the Joint Oireachtas Committee on Finance that public
confidence in the data protections provided by Government systems was required before making an ID
system compulsory.

The Government has been issuing public services cards to citizens since 2012, with more than 2.3
million provided to date.

Ministers have confirmed all citizens applying for a passport or a driving licence in the future will be
required to have the card, although they insist the card is not compulsory.

The card's infrastructure is built on a database controlled by the Department of Social Protection.
Citizens may access some State services through the recently launched online portal MyGovID, which
is built on the same database.

Dr Jennings, a delegation from the privacy advocacy group Digital Rights Ireland and data protection
barrister Dr Denis Kelleher addressed the committee at a session examining the general scheme of the
new Data Sharing and Governance Bill.

Dr Jennings, who made a major contribution to the development of the global internet in the 1980s,
said current identity mechanisms, including passports, driving licences, medical cards and PPS
numbers were all, in his view, poor substitutes for what is actually required.

Public confidence

"General buy-in to the use of unique identifiers can and will be achieved by the State offering
compelling value propositions, better, faster, slicker, more convenient, more accurate, more efficient
services, so that in due course, when public confidence in the data protection provided by the systems
has been established, the identification system may be made compulsory," he said.

Giving citizens access to their own data must be an integral part of it from the very beginning.

Data protection consultant Daragh O'Brien said the Bill was a missed opportunity to learn from prior
experiences.

He said we had seen recent cases where the careless handling of information had resulted in a fact
being created, and a process put in train, that impacted on the private life of at least one
whistleblower.

We have also seen a constant procession of cases before the Data Protection Commissioner and the
courts where data has been accessed inappropriately and without authorisation.

Dr Kelleher said that to comply with the new EU General Data Protection Regulation, data sharing by
the state required a law.

The model used in the proposed Bill was one of memorandums of agreement between government
departments.

Vice-chairman of the committee Senator Gerry Horkan (FF) said if the legislation was not fit for
purpose as far as the delegation was concerned it should be sent back to the Department of Public
Expenditure saying "improve your efforts".

https://www.irishtimes.com/news/politics/public-services-card-a-gross-breach-of-citizens-trust-1.3093672

Facial-recognition software and our fear of Big Brother

Identity technology makes us feel more secure at airports. But more watched in private
Thu, Apr 27, 2017, 05:07

Chris Horn

Some employees and passengers at certain international airports accept their faces being photographed
for security. Photograph: Qilai Shen/Bloomberg


John de Mol is a Dutch entrepreneur and media tycoon, who has been listed as one of the 500 richest in
the world. His influence here in Ireland is chiefly through the reality TV series Big Brother, which he
created in 1997. Some 20 years later, there have been several hundred seasons of the Big Brother
franchise in over 50 countries worldwide.

The show's name derives from George Orwell's book Nineteen Eighty-Four, in which Big Brother is
the leader of a totalitarian state wielding absolute power over its citizens, not least by telescreens which
continuously observe its inhabitants.
Fortunately, we do not live in a totalitarian society. Nevertheless, the State is increasing its surveillance
over us. The Garda Automatic Number Plate Recognition system was first introduced in 2008. Garda
cars fitted with the equipment can continuously and automatically scan number plates, and verify that
the vehicles so identified are taxed. Speeding vehicles are also identified.

In principle, the system can also verify that vehicles are insured, but full integration with accurate data
from insurance companies may yet take until 2019. Paper disks on windscreens for tax, NCT and
insurance could then become a thing of the past. As the system has been further developed, it can
automatically detect stolen vehicles, and vehicles associated with criminal suspects. During recent
court cases, the Garda has reported cars of interest being automatically identified by the system near
the scenes of crimes.

Fraudulent identity

In 2015, the Department of Social Welfare introduced facial-recognition software which automatically
scans photographs of new applicants against the department's internal database of existing claimants.
Any match is then a potential case of fraudulent identity, and is brought to the attention of the
department's special investigation unit. A number of successful court prosecutions have been taken,
and more cases are listed.

Passengers through some international airports accept their faces being photographed during security
and then checked again before boarding. International travellers to the US likewise have their faces
scanned by customs and border control. The Trump administration has now announced its Biometric
Exit programme. Every visa holder leaving a US airport will automatically have a high-quality
photograph of their face scanned against the federal visa application database. If there is no match, then
the visitor may have entered the US illegally.

Furthermore, the same technology could be used to check the FBI database and other databases of
interest at the state or federal level. Thus, in the same way that the Garda system can automatically and
continuously check number plates against databases of criminal- and security-related activity, so might
many airport systems automatically and continuously review facial scans. In fact, there is little
technical challenge to doing likewise using any security-related video feeds, including from good-
resolution CCTV systems widely deployed in urban areas. Automatic verification of identity can
catalyse continuous law enforcement.

State surveillance

And so, while we have been watching Big Brother, Big Brother is increasingly watching us, with
implications for law enforcement and civil rights. But in addition to surveillance by state authorities,
the reality TV show is becoming real: not only can we watch and learn about strangers in a custom-
built house, but we can potentially watch and learn about strangers in the real world too.

The Google Glass project offered a computer display mounted as a pair of eyeglasses. Google stopped
its prototype Glass project in 2014, but not before some software developers had created facial-
recognition-based apps for Glass which could identify random strangers.

Just last month, a UK ad agency announced a new app, Facezam, which would let you take a photo
of a random stranger with your smartphone, and then identify them from Facebook accounts.

Facebook's technology facilitates such automated searches, because the hundreds of millions of its
users are explicitly encouraged to identify and tag friends and family members in the photos which are
uploaded into Facebook.

Apps which exploit Facebook's facial-recognition algorithm, such as Facezam, violate the social
media firm's current privacy norms and are consequently likely to be disallowed. In fact, Facezam
turned out to be a publicity hoax, aiming simply to draw attention to the ad agency concerned.
On the other hand, a Facezam equivalent already exists and is not at all a hoax. The Findface app uses
the Russian social network VK to recognise strangers from photos, provided those strangers are users
of that particular social network.

Facial-recognition algorithms have reached a level of accuracy whereby identification of strangers is
entirely feasible from photos and live video feeds. The only prerequisite is having access to a suitably
big data collection of facial photos.

John de Mol has made a lot of money from his Big Brother reality TV brainchild, but it is not his only
reality TV concept. Among other titles, he created Fear Factor in which contestants are challenged to
overcome their instinctive fears. Our own fascination with identifying and watching complete strangers
is becoming scary.

https://www.irishtimes.com/business/innovation/facial-recognition-software-and-our-fear-of-big-brother-1.3061827

Legal experts say biometric exit practices at airports may be violating privacy laws

By Justin Lee

July 13, 2017

The use of facial recognition technology at U.S. airports is raising concerns among some legal experts,
who argue that the program may violate specific privacy rights and that Congress has not fully
authorized it, according to a report by MIT Technology Review.

The U.S. Department of Homeland Security has partnered with airlines such as JetBlue and Delta to
implement recognition systems at New York's JFK International Airport, Washington's Dulles
International, and airports in Atlanta, Boston, and Houston, with plans to expand to other airports this
summer.

The practice is part of a Congress-mandated initiative that ordered DHS to implement a biometric
system for recording the entry and exit of non-U.S. citizens at all air, sea, and land borders. The
initiative was fast-tracked earlier this year by President Trump's executive order.

In the past couple months, U.S. Customs and Border Protection began scanning the faces of all
travelers boarding a daily flight to Tokyo from George Bush Intercontinental Airport in Houston, and
on flights leaving Dulles for the United Arab Emirates.
Delta will soon begin testing its eGates facial recognition system for travelers flying out of Atlanta and
Boston, while JetBlue will trial a similar system for travelers flying out of Boston to Aruba. The data
from both airlines' programs will be sent to CBP.

For both programs, airline-owned cameras at the gate capture passenger photos and compare them with
the passport and visa photos associated with the identities of the passengers on a given flight manifest.

Harrison Rudolph, a law fellow at Georgetown Law's Center on Privacy and Technology, said that
people should not be fooled by the CBP's use of the term "testing".

He said the technologies are operational in that the agency is already using these systems to generate
biometric exit records for foreign nationals.


In addition to foreign nationals, CBP is also scanning the faces of U.S. citizens. For instance, only
travelers with U.S. passports are able to participate in JetBlue's self-boarding program in Boston.

Rudolph and other privacy advocates say that Congress has never fully authorized the routine
collection of facial scans from U.S. citizens at the border.

Weeks after announcing the executive order, the Trump administration revised the order to clarify that
the biometric exit program did not include U.S. citizens.

Both JetBlue and Delta have said that the facial recognition identity check is optional; however, it is
unclear if this also applies to foreign nationals.

Meanwhile, DHS said that if a U.S. citizen does not want to participate, an available CBP officer may
use manual processing to verify the individual's identity.

It is still unclear as to what the CBP does with the information after the agency collects it at the gate
and verifies a traveler's identity, but DHS claims that all data relating to the images is deleted within
14 days.

http://www.biometricupdate.com/201707/legal-experts-say-biometric-exit-practices-at-airports-may-be-violating-privacy-laws

If You Get Your Face Scanned the Next Time You Fly, Here's
What You Should Know

We aren't entirely sure what the government is doing with the images.
by Mike Orcutt

July 13, 2017

We're willing to do a lot to make the airplane boarding process smoother, but privacy experts say we
might want to think twice before agreeing to let a camera at the gate scan our faces.

Facial-recognition systems may indeed speed up the boarding process, as the airlines rolling them out
promise. But the real reason they are cropping up in U.S. airports is that the government wants to keep
better track of who is leaving the country, by scanning travelers' faces and verifying those scans
against photos it already has on file. The idea is that this will catch fake passports and make sure
people aren't overstaying their visas.

The practice is raising concerns among some legal experts, who say that the program may violate
individual privacy protections and that Congress has not fully authorized it.

The U.S. Department of Homeland Security has partnered with airlines including JetBlue and Delta to
introduce such recognition systems at New York's JFK International Airport, Washington's Dulles
International, and airports in Atlanta, Boston, and Houston, among others. It plans to add more this
summer. The effort is in response to a years-old mandate from Congress that DHS implement a
biometric system for recording the entry and exit of non-U.S. citizens at all air, sea, and land ports of
entry. Earlier this year, President Trump fast-tracked that mandate via executive order.

As facial-recognition technology has improved significantly in recent years, it has attracted the interest
of governments and law enforcement agencies. That's led to debates over whether certain uses of the
technology violate constitutional protections against unreasonable searches (see "As It Searches for
Suspects, the FBI May Be Looking at You"). Privacy advocates also point out that research has shown
the technology to be less accurate with older photos and with images of women, African-Americans,
and children (see "Is Facial Recognition Accurate? Depends on Your Race").

Last month, U.S. Customs and Border Protection began scanning the faces of people boarding a daily
flight to Tokyo from George Bush Intercontinental Airport in Houston. In May, it began doing the
same for a flight leaving Dulles for the United Arab Emirates. In Atlanta and Boston, Delta will soon
begin testing what it calls eGates, which scans passengers' faces before they can board the plane.
JetBlue says it is testing a similar system in place for a flight out of Boston headed to Aruba. The data
from those programs goes to CBP.

In each case, airline-owned cameras at the gate capture passenger photos so they can be compared with
the passport and visa photos associated with the identities of the people on a given flight manifest.
"Don't be fooled by the term 'testing,'" says Harrison Rudolph, a law fellow at Georgetown Law's
Center on Privacy and Technology. They are operational, at least in the sense that CBP is already using
these systems to create biometric exit records for foreign nationals, he says.


Rudolph and others are raising alarms because as part of the process, CBP is also scanning the faces of
U.S. citizens (in fact, at this point only customers with U.S. passports can participate in JetBlue's
self-boarding program in Boston). They say Congress has never expressly authorized the collection of
facial scans from U.S. citizens at the border routinely and without suspicion. The Trump administration
revised his executive order to clarify that the biometric exit program did not pertain to U.S. citizens.

As it is still early in what appears to be a broader effort to deploy facial recognition in airports across
the country, we don't yet know how easy or difficult it will be for travelers to avoid. Both JetBlue and
Delta say people can opt out, but it is not clear if that applies to foreign nationals. According to DHS, if
a U.S. citizen asks not to participate, an available CBP officer may use manual processing to verify
the individual's identity.

No matter whose face is being scanned, though, we don't know much about what happens to the
information after CBP collects it at the gate and verifies a passenger's identity, but DHS says that all
data pertaining to the images is deleted within 14 days.
https://www.technologyreview.com/s/608255/if-you-get-your-face-scanned-the-next-time-you-fly-heres-what-you-should-know/

State on collision course with EU court over data sharing

Final submission to Oireachtas committee on proposed Bill to implement EU regulation
Wed, Jul 5, 2017, 14:21
Elaine Edwards

An example of the public services card.


The State appears to be on a collision course with European law over its handling of major projects
involving personal data, an Oireachtas committee has heard.

Pre-legislative scrutiny of the general scheme of the Data Protection Bill 2017 concluded at the Joint
Committee on Justice and Equality on Wednesday.

The proposed legislation must be in place by May next year to give effect to the new European Union
general data protection regulation and an associated directive on sharing data for law-enforcement
purposes.

Legal experts have been making submissions to the committee over several sessions with a view to
shaping the draft legislation. The office of the Data Protection Commissioner has also given its views.
Law lecturer and chair of Digital Rights Ireland (DRI) Dr TJ McIntyre, and the organisation's solicitor
Simon McGarr appeared before the committee on Wednesday.

Independents 4 Change TD Mick Wallace asked the delegation's views on a number of issues,
including oversight of state surveillance, and the rollout of the public services card project here.

He also asked if the new legislation squared with the ongoing health identifiers project being rolled out
by the Health Service Executive, which will assign each citizen a number that will track them from
birth to death.

Mr McGarr said the card needed to be considered as part of the wider question of judgment by the
Court of Justice of the European Union, known as the Bara judgment.

In that 2015 case, the Romanian government was found to have acted unlawfully by transferring a
citizen's personal data from one public body to another without notifying the citizen first.

Mr McGarr said the State had taken a lot of concrete steps in recent years to build not merely an ID
database, of which the public services card was merely the physical manifestation, but also to build a
series of national databases.

If it was the case that the legislation underpinning the health identifiers did not comply with European
law following the Bara judgment, every single resident of the State would have a claim on the State if
their rights had been breached, even if they had suffered no financial loss.

Fines

"I think that the risk that the IHI [Individual Health Identifier] database poses to the exchequer and also
again to the relationship of trust between the State and its citizens is such that it would be very valuable
for the matter to come under extremely close scrutiny between now and the implementation of the
GDPR [General Data Protection Regulation] in May 2018," Mr McGarr said.

Independents 4 Change TD Clare Daly said she believed Mr McGarr's comments were a polite way of
saying: "We're on a collision course really and we're out of kilter with the rest of Europe on some of
these issues."

DRI shared concerns also voiced by the Data Protection Commissioner that the proposed Bill would
seek to exempt public bodies from substantial fines provided for in the regulation.

It suggested explicit recognition of the right to compensation for both material and non-material
damages should be written into the Bill, and also said the Government should implement an option that
would allow individuals to nominate not-for-profit bodies to take a single action on their behalf where
their data had been abused.

https://www.irishtimes.com/business/technology/state-on-collision-course-with-eu-court-over-data-sharing-1.3144218

Government continues data-sharing projects despite EU ruling

Question marks remain over whether the various departments have a legal basis for sharing citizens' data
Thu, Dec 8, 2016, 05:15

Elaine Edwards

Data dilemma: the MyGovID online platform for citizens to access State services, which last week won
an award in the Civil Service Excellence and Innovation awards, appears to ignore the European Court
of Justice ruling in the Bara case.

Three years ago, the Government embarked on a grand scheme to consult with the public service,
government departments and members of the public on how the personal data of citizens might be
shared to improve and streamline State services.

Even in a rapidly expanding environment for private and public services online, it was an ambitious
proposal, but it remained almost entirely under the radar apart from being noted by a tiny cohort that
might be unkindly referred to as the privacy geek community.

One high-level observer said the public should be properly informed about the grand bargain
involving the trading of their personal data for the benefits they get from the State.
Such arrangements may, under recent plans, include the sharing of sensitive health information for
so-called health solutions for the general public. Delivered via apps or through other routes, these
services might be processed by third parties, such as multinational corporations with their headquarters
outside the EU, namely the US, which does not generally provide the same fundamental rights
protections as the EU for personal data. There are ongoing concerns (to say the least) in the EU over
the processing of citizens' personal data which may be accessed by US national security authorities or
by other law enforcement authorities, with minimal scrutiny.

Hacking, for identity theft and data fraud, in particular in the health sector, is a growing and
ever-present threat, with some studies suggesting health data breaches take up to twice as long to detect
and that health data is worth up to 10 times as much as other data on the black market.

Ruling scuppers plan

But back to Ireland: following a public consultation in late 2014, a draft piece of primary legislation
that would cover government data-sharing projects was drawn up and approved by the Government in
the middle of 2015. But in October of last year, a ruling by the Court of Justice of the European Union
in the Romanian case of Smaranda Bara appeared to blow much of that plan out of the water.

In that case, the Luxembourg-based court held that the requirement of fair processing of personal data
meant a public administrative body had to inform citizens of the fact that their data would be
transferred to another public administrative body for other purposes.

At the recent re:Publica conference in Dublin, Dr Dennis Jennings, who sits on the Government's open
data governance forum, said he had informed the Government that much of its plan for sharing
citizens' data, under that draft legislation, would be illegal under the Bara ruling. The legislation is
back at the drawing board, but has not yet been before the Oireachtas.

The Data Protection Commissioner, who is responsible for ensuring the processing of citizens'
personal information is in compliance with the law, issued guidance on the Bara ruling.

Helen Dixon's office said that the public policy objective being pursued by a particular data sharing
arrangement without consent should be explicit and that an assessment should be made as to whether
the likely benefits of the sharing justified the overriding of the individual's data protection rights.

Public sector bodies should consider the potential benefits and risks, either to individuals or society, of
sharing the personal data, her office said.

In theory, that should have sent the Government's data-sharing project, driven mainly by the
Department of Public Expenditure and Reform and the Department of Social Protection, back to the
drawing board. The drafting of legislation is still under way.

Yet a number of massive Government data-sharing projects have continued apace almost as if the
European ruling in Bara had not happened.

Active Government projects currently include the HSE's eHealthIreland division's project to create an
individual health identifier for every person in the State and the creation of a database on every primary
school pupil.

The Department of Social Protection has a plan, in conjunction with the Department of Public
Expenditure, to issue every adult in the State with a public services card by the end of this year.
The Government has a contract with a private provider to fulfil a requirement to issue three million
cards and has already issued around two million, but is short of the number it is required to issue. It
appears to be desperately trying to get them out the door, through means such as issuing cards to
customers using their passport details from the Department of Foreign Affairs.
At least 431,000 public services cards have been issued in this way, according to the Department of
Social Protection. Both departments insist the legal basis for sharing personal data resides in the Social
Welfare Act of 2005.

Yet question marks remain over whether the legislation cited by both those departments provides a
legal basis for sharing citizens' data.

Records released under the Freedom of Information Act reveal that the MyGovID project, an online
identity management system for members of the public launched in February, was still in need of
appropriate communications, governance and standards two months later.

Privacy impact assessment

Separately, the HSE was warned by the Data Protection Commissioner that a privacy impact
assessment on the implementation of the individual health identifier for every citizen did not cover the
creation of new databases, such as a national diabetes register.

The DPC also said serious consideration must be given to its guidelines in relation to data sharing in
the public sector, and in particular around the issue of transparency.

In comments on the draft of the HSE's privacy impact assessment for the health identifier project, the
Data Protection Commissioner's office said the 82 submissions received on the public consultation was
a somewhat disappointing return given that this project will affect every citizen of the State.

Records released under the Freedom of Information Act said that while there was no indication as to
the identity of the respondents to the consultation, it appeared that the majority of responses are from
individuals within the health sector, which may lead to a distorted view of the privacy risks for
individuals associated with the project.

While the office recognised there had been a concerted effort by eHealthIreland and the HSE to
promote and discuss the health identifier project, it said the lack of public knowledge regarding the
legislation and its impact was a risk in itself.

The Department of Social Protection has control of the MyGovID online identity management project
launched in February. As of March, it had already given presentations to the Revenue Commissioners,
the Department of Transport, the Road Safety Authority, Solas, the Department of Education, the
Immigration and Naturalisation Service, the Private Residential Tenancies Board, the Department of
Health and the Passport Office, clearly with a view to them accessing the service.

The Garda Vetting Unit, which assesses people for certain job applications, has drafted a business case
for access to the system.

Earlier this week the Government's MyGovID online platform for citizens to access State services
through an online identity management platform won an award in the Civil Service Excellence and
Innovation awards.

Daragh O'Brien, managing director of Castlebridge Associates, a consultancy firm on data governance
and data protection issues, said the new General Data Protection Regulation, various judgments of the
Court of Justice of the European Union, as well as the EU Charter of Fundamental Rights, made it clear
that data collection on a grand scale must be both necessary and proportionate.

"Nothing exemplifies the failure of the Irish public service to recognise that data protection law exists,
and has evolved, more than the celebration of an award for a project that on the face of it appears to
ignore the Court of Justice ruling in the Bara case," he said.
In relation to the MyGovID project, he said that building governance controls after a department had
built a massive database of citizens' information was the equivalent of blocking the door after the
horse has bolted.

As of October, the Data Protection Commissioner was still reviewing the documentation pertaining to
the health identifiers project, which was presented as a fait accompli by the HSE in the summer.

https://www.irishtimes.com/business/technology/government-continues-data-sharing-projects-despite-eu-ruling-1.2896362

Serious concern over exemption of public bodies from data protection fines

Commissioner raises issues over proposals for implementation of new EU regulation
Thu, Jun 15, 2017
Elaine Edwards

Helen Dixon, Data Protection Commissioner. Photograph: Cyril Byrne

It is a serious matter of concern that legislation proposed by the Government seeks to exempt public
bodies from fines where they breach data protection rights, the Data Protection Commissioner has said.

Helen Dixon and two deputy data protection commissioners attended the Joint Oireachtas Committee
on Justice and Equality on Wednesday for pre-legislative scrutiny of a new data protection Bill.
The general scheme of the Data Protection Bill 2017 outlines legislation that would give effect to the
new EU General Data Protection Regulation (GDPR), as well as an EU directive on the sharing of
personal data for law enforcement purposes.
Fines of up to €20 million or 4 per cent of annual worldwide turnover may be imposed on bodies that
breach the regulation, depending on the circumstances.
The regulation, along with a new electronic privacy regulation protecting communications by phone
and email and electronic means will take effect across the union from May 25th next year.
Ms Dixon said that in general terms, her office welcomed the new legal regime for data protection law
in Europe and the important additions to her toolkit as an enforcer.
"It's undoubtedly the case that there will be investigations where a punitive fine is warranted in order
to deter organisations from failing to invest in compliance and to deter them from creating risks for
consumers and individuals," she said.
The very purpose of punitive fines provided for in the new EU law was to act as a deterrent to all types
of organisations, Ms Dixon said.
Her office saw no basis on which public bodies or authorities would be excluded, particularly given
that arguably higher standards in the protecting of fundamental rights are demanded of those entities.
The heads of the Bill as published propose that public bodies would only be subject to administrative
fines where they were acting as undertakings, namely where the services they were providing were in
competition with other bodies in the private sector.
Ms Dixon said the workload proposed for the DPC in making assessments of whether public bodies
were engaged in activities that would compete with the equivalent private sector bodies would take her
office away from its substantive role in relation to data protection.
Her office, she said, occupied a unique position as a supervisory authority in Europe as its remit
covered the largest global internet companies that had their European bases in Ireland.
A comprehensive toolkit as an enforcer was a necessity.
Ms Dixon noted the new EU regulation was intended to represent a clean slate with regard to data
protection legislation in Europe, and yet there was no guarantee that the existing Irish data protection
acts of 1988 and 2003 would be repealed.
She said her office considered that their retention, and a patchwork presentation of Irish law, ran the
risk of creating legal uncertainty in terms of precisely which provisions of the law would apply, and in
what circumstances, after May 2018.
The commissioner also raised an issue regarding the handling of complaints from individuals under the
GDPR, noting it introduced changes in relation to the manner in which supervisory authorities must
deal with complaints from individuals about alleged infringements of their rights. She said it was
important to note in this context that the supervisory authority was required to investigate a complaint
to the extent appropriate.
"Our aims in these circumstances will be to ensure that our resources are deployed in a way that
maximises them, pursues investigations in cases of the most grave or enduring infringements on an
objective and priority basis," she said.
Independents 4 Change TDs Clare Daly and Mick Wallace raised concerns about Government projects
such as Public Services Cards and Individual Health Identifiers and whether the manner in which they
were being rolled out was compatible with EU law.
Seamus Carroll of the civil law reform division in the Department of Justice and Equality said he did
not want to be drawn on the details of health legislation which was being considered separately.
But he said that for the future, there must be a lawful basis for the processing of personal data and there
must also be greatly increased transparency.
Ms Dixon will address the Data Summit hosted by the Department of the Taoiseach at the Convention
Centre in Dublin on Thursday morning.
It will be opened by newly elected Taoiseach Leo Varadkar, with an introduction by Minister for
European Affairs, the EU Digital Single Market and Data Protection Dara Murphy.
The event spans Thursday and Friday and is supported by a range of partners, including all the main
multinational data firms in Ireland, Enterprise Ireland, IDA Ireland, Science Foundation Ireland and the
American Chamber of Commerce Ireland.

http://www.irishtimes.com/news/politics/serious-concern-over-exemption-of-public-bodies-from-data-protection-fines-1.3120643
Dixon: Data Protection Bill 2017 exemptions a 'serious matter of concern'
Ireland Data Protection Commissioner Helen Dixon spoke out against proposed
legislation seeking to exempt public bodies from penalties when violating data
protection rights, saying it's a "serious matter of concern," The Irish Times
reports. The Data Protection Bill 2017 would give effect to the EU General Data
Protection Regulation and the EU's directive on sharing data for law enforcement
purposes and states that public bodies would only be given fines if they are
acting as undertakings, specifically when the services they are offering are in
competition with others in the private sector, the report states. Dixon said the
legislation's fines are meant for all organizations, and her office saw no basis on
which public bodies or authorities would be excluded, particularly given that
arguably higher standards in the protecting of fundamental rights are demanded
of those entities.

https://iapp.org/news/a/dixon-speaks-out-against-proposed-data-protection-bill-2017-exemptions/

Confidentiality: good practice in handling patient information (2017)
This guidance came into effect on 25 April 2017

This guidance sets out the principles of confidentiality and respect for patients' privacy that all
doctors are expected to understand and follow. It also sets out the responsibilities of doctors for
managing and protecting patient information.

http://www.gmc-uk.org/Confidentiality___Key_legislation.pdf_70063869.pdf

Our core guidance, Good medical practice, makes clear that patients have a right to expect that their
personal information will be held in confidence by their doctors.

This guidance outlines the framework for considering when to disclose patients' personal information
and then applies that framework to:

a. disclosures to support the direct care of an individual patient

b. disclosures for the protection of patients and others

c. disclosures for all other purposes.

Doctors must follow all our guidance: serious or persistent failure to do so will put their registration at
risk.
http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp

What is the Public Services Card (PSC)?

The Public Services Card (PSC) helps you to access a range of public services easily. Your identity is
fully authenticated when it is issued so you do not have to give the same information to multiple
organisations. It was first introduced in 2011 and was initially rolled out to people getting social
welfare payments. It is now being rolled out to other public services.

The front of the card holds a person's name, photograph and signature, along with the card expiry date.
The back of the card holds the person's PPS number and a card number. It also holds a magnetic stripe
to enable social welfare payments such as pensions to be collected at post offices.

If the person holding the card is entitled to free travel, the card will display this information in the top
left-hand corner. If FT-P is written on the card the holder is personally entitled to free travel. If FT+S is
written on the card the holder can travel with their spouse, partner or cohabitant. If FT+C is written on
the card the holder can have a companion (over 16) travel with them for free (because they are unable
to travel alone for medical reasons).

Why do I need a PSC?

The PSC is currently a requirement for the following:

Access to Social Welfare Services (including Child Benefit and Treatment Benefits)
First time adult passport applicants in the state
Replacement of lost, stolen or damaged passports issued prior to January 2005, where the person is resident in the State.
Citizenship applications
Driver Theory Test Applicants
Access to high value or personal online public services, e.g. Social Welfare and Revenue services, via MyGovId, the mechanism for accessing public services online. To learn more about MyGovID click here.

How do I get a PSC?

Face-to-face registration for a Public Services Card is called SAFE (Standard Authentication
Framework Environment) registration.

SAFE registration takes about 15 minutes to complete (once all documents are presented). During this
appointment your photograph will be taken and your signature recorded for your new Public Services
Card, which will be posted to you. You will also be asked for the answers to some security questions.

You must bring certain documents with you to your appointment to prove your identity and address.
You should also bring your mobile phone, if you have one. Having your mobile phone with you when
you are SAFE registered means that we can pair that mobile phone number with you. This makes it
much easier for you to verify your MyGovID account which is required should you wish to access
public services online in the future.

Ordinarily, to get a PSC, a person must attend a face to face interview at a DSP Office. However in
certain circumstances and subject to a person's consent a PSC can also be issued based on information
provided to another state body, such as in a driver's licence application. Accordingly this Department
intends to write to certain persons who applied for a driving licence and in doing so have provided the
Road Safety Authority with personal information and a photograph. These people will be offered the
opportunity to complete the SAFE registration process without attending a DSP office. See Privacy
Impact Assessment on the use of RSA Driving Licence data here.

A PSC is usually issued to adult applicants for PPS numbers.

If you don't yet have a PSC you can make an appointment to get one either by using MyWelfare.ie or
by calling into your local Intreo Centre or social welfare local office. Details of the Department of
Social Protection's offices can be found here:
http://www.welfare.ie/en/Pages/Intreo-Centres-and-Local-and-Branch-Offices.aspx

Why might I need one in the future?


The Public Services Card (PSC) infrastructure is the Government's standard
identity verification scheme, which is to be used for access to all public services
where appropriate. The list of commitments by Departments and Government
Offices to adopt the PSC and MyGovID infrastructure for specified public services
within the listed timeframes is here.
Lost or damaged Public Services Cards

If your Public Services Card is lost, stolen or damaged, you should immediately contact the Public
Services Card Helpdesk at 1890 837000.

Questions

If you have general questions about the card or the registration process you can use the Department of
Social Protection's online query form or contact:

Client Identity Services

Department of Social Protection


Shannon Lodge
Carrick-On-Shannon
Co. Leitrim

Tel: (071) 9672616

Locall:1890 927 999


ID cards on the cards for Ireland

Public Services Card needed for licenses, passports

Irish citizens applying for a new passport or a driving license will also have to hold the State's Public
Services Card (PSC).

Although Irish Ministers insist that the cards are not compulsory, the new requirements mean that, for
anyone who wishes to travel or drive, they effectively are.

Those applying for a passport will be required to produce the PSC from the autumn while it will be
needed for driving license applications from next year.

Since 2011, the card has been issued to 2.3 million Irish citizens. It is underpinned by a biometric facial
recognition database controlled by the Irish Department of Social Protection. Recently it has been
given to people claiming social welfare benefits and, although a policy of non-obligation has been
maintained, the Irish Government has been keen to encourage all citizens to sign up.

The new measures will go some way towards hitting its target of having three million people registered
by the end of 2017.
Paschal Donohoe, Irish Minister for Public Expenditure, explained that the reason for the change in
procedure was to do with the safety of Ireland and its citizens.

"Given the increase in acts of terrorism over the last several years, every democratic country should be
obliged to deploy the most robust means of authenticated travel across borders that it has available," he
told The Irish Times. "It is not, and will not be, compulsory to have a PSC.

"However, Government has an obligation to deploy the most robust means of online and physical
identity verification possible to ensure that it is doing all it can to reduce fraud, personation and the risk
of identity theft in the delivery or accessing of public services."

Mr Donohoe said that the process behind the card has a legislative underpinning but others are
unconvinced.

TJ McIntyre, chairman of civil liberties group Digital Rights Ireland and a law lecturer at UCD,
described them as very concerning.

"It appears to be a policy of introducing a national ID card by stealth, in a way which appears to be
illegal," he said.

http://www.theirishworld.com/public-services-id-cards-ireland/

Irish citizens applying for a passport will be required to produce ID cards
The changes will be coming in from the Autumn

Irish passports

Irish citizens applying for a passport will be asked to produce a public service card from Autumn.

The card, which has been issued to 2.3 million people since 2011, is supported by a recognition
database controlled by the Department of Social Protection.
People will also need the card when applying for driving licenses from next year.

Minister for Public Expenditure and Reform, Paschal Donohoe TD (Image: Collins
Photo Agency)

Public Expenditure Minister Paschal Donohoe told The Irish Times: "Given the increase in acts of
terrorism over the last several years, every democratic country should be obliged to deploy the most
robust means of authenticated travel across borders that it has available."

The Minister stressed that the card will not be compulsory despite the fact it will be vital for getting
both a passport and a driving license.

He added: "It is not and will not be compulsory to have a PSC.

"However, government has an obligation to deploy the most robust means of
online and physical identity verification possible to ensure that it is doing all it
can to reduce fraud, personation and the risk of identity theft in the
delivery/accessing of public services."
The Road Safety Authority recently announced that anyone taking the driver
theory test would also be required to have the card from next month.
http://www.irishmirror.ie/news/irish-news/irish-citizens-applying-passport-required-10474180
Irish tourists travelling to the US could have to hand over
passwords to their social media accounts
New Trump plans could make things a lot more difficult

By Cormac O'Shea

5 APR 2017

US President Donald Trump shakes hands with the Taoiseach of Ireland Enda
Kenny (L) during a meeting in the Oval Office of the White House in Washington,
DC, March 16, 2017

Irish tourists heading to the United States may have to give over their social media passwords before
getting a Visa to enter.

President Trump's new extreme vetting orders would make travelling to the US for Irish tourists a lot
more difficult.

Under Trump's orders, Homeland Security has announced new plans to up the demands to get visas
for tourists, immigrants and refugees.

This new vetting would apply to all countries under the Visa waiver programme which includes
France, the UK and Ireland.

Under the Visa waiver programme, citizens of 38 countries can travel to the States for 90 days without a
Visa under certain stipulations.

Irish visitors could be asked to hand over their passwords for social media accounts and their mobile
phones if they wish to get in.
According to The Wall Street Journal people's public as well as private posts on social media would be
examined.

Not only that, but the person's financial information and political ideologies could be examined as part
of the vetting.

These highly controversial ideologies examinations were discussed by Trump during his campaign.

Questions in this test may involve whether or not they value "sanctity of human life" and if they
believe in "honor killings".

Speaking to The Journal, Gene Hamilton, a top aide to Homeland Security Secretary John Kelly said it
is important to know the reasons why people are travelling to The States.

He said: "If there is any doubt about a person's intentions coming to the United States, they should
have to overcome really and truly prove to our satisfaction that they are coming for legitimate
reasons."

The proposals have come in for a lot of criticism, including being blasted by the Center for Democracy
& Technology, who said it was an invasion of privacy.

In a statement they said: "This proposal would enable border officials to invade people's privacy by
examining years of private emails, texts and messages.

"It would expose travellers and everyone in their social networks, including potentially millions of US
citizens to excessive, unjustified scrutiny.

"And it would discourage people from using online services or taking their devices with them while
travelling, and would discourage travel for business, tourism and journalism."

http://www.irishmirror.ie/news/irish-news/irish-tourists-travelling-could-hand-10162427

Irish citizens will require biometric ID card when applying for passports, driver's licenses
By Justin Lee

May 24, 2017

The Irish government will make it mandatory for all citizens to show their public services card (PSC)
when applying for a passport and driver's licence, starting in autumn and 2018, respectively, according
to a report by The Irish Times.

The identity card was initially launched in 2011 to social welfare recipients, and has since been issued
to 2.3 million citizens.

The card is supported by a facial recognition database run by the Department of Social Protection.

"Given the increase in acts of terrorism over the last several years, every democratic country should be
obliged to deploy the most robust means of authenticated travel across borders that it has available,"
said Minister for Public Expenditure Paschal Donohoe.

He added that the current passport system was very good but that the SAFE registration process met
the highest international standards.
"It is not, and will not be, compulsory to have a PSC," he said. "However, government has an
obligation to deploy the most robust means of online and physical identity verification possible to
ensure that it is doing all it can to reduce fraud, personation and the risk of identity theft in the
delivery/accessing of public services."

All forms of data processing for the ID card and the online digital identity system are supported by
legislation, Donohoe said.

There have also recently been a few legislative proposals which establish further obligations on public
organizations that go beyond the requirements of the Data Protection Act, which protect the privacy
rights of citizens.

https://www.mygovid.ie/

Donohoe said that it was essential that people know and trust that their data is fully protected.

The government has a contract with a private supplier to manufacture the cards, working towards the
goal of issuing three million cards by the end of 2017.

Meanwhile, many privacy advocates are troubled by the news that the cards were to become
compulsory for travel and driving documents.

Dr. TJ McIntyre, a UCD law lecturer and chairman of civil liberties group Digital Rights Ireland, said
the expanded requirements were very concerning.

"It appears to be a policy of introducing a national ID card by stealth, in a way which appears to be
illegal," he said.

The country's Road Safety Authority recently announced that all applicants taking the driver theory
test would be required to have the card from June, and confirmed that all applicants for a driving
licence will require the card from early next year.

http://www.biometricupdate.com/201705/irish-citizens-will-require-biometric-id-card-when-applying-for-passports-drivers-licenses

MyWelfare
MyWelfare is a new website that is owned and maintained by the Department of Social Protection.
MyWelfare provides the following services:

Appointment Services

Appointments for Personal Public Service (PPS) Number
Appointments for Public Services Cards (PSC) Registration

Jobseeker Services

Apply for Jobseeker's Payment
Close your Jobseeker's Claim
Request a Jobseeker's Holiday
View Claims and Benefits Information
Request Payment Statement

Children and Families

Apply for Maternity Benefit Payment
Apply for Paternity Benefit Payment
Close your Benefit Claim
View Claims and Benefits Information
Request Payment Statement

https://www.mygovid.ie/en-IE/MyGovIDVerified

Synthetic identities: more real than you think

By Ryan Wilk

July 11, 2017 -

This is a guest post by Ryan Wilk, vice president of customer success at NuData Security, a
MasterCard company.

When a family member dies, there are myriad things to look after, from closing bank accounts and sorting
belongings to notifying everyone they did business with. It would feel like the worst that could
happen just did, until you find out that your elderly relative had defrauded companies and individuals
for hundreds of thousands of dollars!

While that may sound like a ridiculous movie plot, this scenario is becoming reality more often than
you think. To identity thieves, obituaries are nothing more than another source of data.

Synthetic identity fraud is a rising trend, one that has the potential to threaten the CNP industry, where
fraud exposure is expected to hit $71 billion annually by 2020.

Bad actors access genuine identity data, either through hacking or purchase on the Dark Web, and use
it to build artificial identity profiles. One common ploy is to access social security numbers (SSNs) of
children through school or health insurance records filled out by parents. Another means is to access
SSNs of deceased people (known as ghosting), with no one available to contradict the usage.

Using children's information is advantageous to bad actors as the crime may not be discovered for
many years, when the then-young adult applies for credit and is denied based on past fraudulent
behavior. Unfortunately, we won't know the magnitude of this damage for another 10 or 20 years.

Synthetic identity fraud can also be created via collusion schemes, called furnishing. Fraudsters set up
a company with the sole purpose of making sales to synthetic identities they have created themselves.
An applicant synthetic identity applies for and is granted credit for the purchase of a high-end
product from the furnishing merchant. Each month the furnishing merchant reports an on-time
payment from the synthetic identity. This continually boosts the credit score of the synthetic identity
and it can eventually be used for other financial fraud once the bad actor knows the identity has value.

Thieves steal the identities of nearly 2.5 million Americans annually, including people of all ages from
newborns to seniors, according to the IDTheftCenter. The stolen SSNs often are assigned fictitious
birthdates of people in their 20s to give the appearance of someone starting to establish credit.

Using these IDs to start building credit history is easier than you might think. Applying for credit, even
if the application is declined, starts a file with credit reporting agencies. After two or three applications,
and perhaps success with a small account, the file grows and eventually a credit record is established.

Aite analysts believe synthetic identity fraud is under-reported and that financial institutions write off
bad debt without discovering the applicants were not real people. Even so, Aite recently reported that
13% of checking account application fraud and 9% of credit card application fraud involved synthetic
identities.

Until recently, synthetic identity fraud was almost impossible to detect. Making use of behavioral
biometrics is the most effective method to identify the creation and use of synthetic identities. While
the data points entered by individual bad actors may pass the traditional PII checks, knowing the
underlying behavior of the user creating the account provides a new insight into the types of behavior
risk present at the time of account creation.

DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are
those of the author, and don't necessarily reflect the views of BiometricUpdate.com.

European Association for Biometrics announces EAB-RPC 2017

By Stephen Mayhew

July 12, 2017 -

The fourth annual EAB Research Projects Conference (EAB-RPC) will take place September 18-19 at
the Fraunhofer IGD research institute in Darmstadt, Germany.

The conference is organized by the European Association for Biometrics (EAB) in cooperation with
the Joint Research Center (DG-JRC) of the European Commission, through its Cyber and Digital
Citizens security unit. The EAB-RPC 2017 will be co-located with the EAB Research Awards and the
IEEE BIOSIG Conference, later that same week. The conference is currently the largest event on
research funded by the European Union in the area of biometrics and identity management.

EAB-RPC will include the participation of numerous EU-funded research projects including: ARIES;
iBORDERCtrl; PYCSEL; AMBER; LIGHTest; ABC4EU; HECTOS; BODEGA; PROTECT; SWAN;
INGRESS; FastPass, and; Tabula Rasa. Researchers and industry participants will present advances
made in these projects, updates on how finished projects are being currently used and provide insight
into the future of biometric research.

The conference will offer a holistic and comprehensive perspective of the status of biometric and
identity management technology in Europe with the participation of the following stakeholders: end-
users (Frontex, ENFSI, ENLETS); policy makers (DG Home), and; managers of large IT systems (eu-
LISA, SIS-II and Eurodac).

All the projects in the conference are engaged in one of the objectives driving the EU's policy
development in order to reach a more secure society: fight crime, illegal trafficking and terrorism;
strengthen security through border management; provide cybersecurity; increase Europe's resilience to
crises and disasters; ensure privacy and freedom including the internet and enhance the societal
dimension of security; enhance standardization and interoperability of systems.

http://www.biometricupdate.com/201707/european-association-for-biometrics-announces-eab-rpc-2017

Call for legislative action to enable accessibility to data for testing biometric products and systems in the
EU/Request for uniform guidelines
http://www.eab.org/files/documents/2017-02-23_EAB_Letter_on_Biometric_Data_in_EU.pdf?ts=1500143726316

NEW LAW: Irish citizens applying for a passport will be required to

Irish citizens applying for a passport will be asked to produce a public
service card from Autumn.
The card, which has been issued to 2.3 million people since 2011, is
supported by a recognition database controlled by the Department of
Social Protection.
People will also need the card when applying for driving licenses
from next year.

Provided by Trinity Mirror Plc Credits: Collins Photo Agency


Public Expenditure Minister Paschal Donohoe told The Irish Times:
"Given the increase in acts of terrorism over the last several years,
every democratic country should be obliged to deploy the most
robust means of authenticated travel across borders that it has
available."
The Minister stressed that the card will not be compulsory despite the
fact it will be vital for getting both a passport and a driving license.
He added: "It is not and will not be compulsory to have a PSC.
"However, government has an obligation to deploy the most robust
means of online and physical identity verification possible to ensure that it is
doing all it can to reduce fraud, personation and the risk of identity theft in
the delivery/accessing of public services."
The Road Safety Authority recently announced that anyone taking
the driver theory test would also be required to have the card from
next month.
https://tosabod.blogspot.ie/2017/05/new-law-irish-citizens-applying-for.html
FREEDOM OF MOVEMENT (COMMON TRAVEL AREA)
(TRAVEL DOCUMENTATION) BILL 2014
http://www.oireachtas.ie/documents/bills28/bills/2014/5014/b5014d-memo.pdf
FRAUD ALERT - Invoice Re-direction Fraud
http://www.garda.ie/Documents/User/Invoice%20Redirection%20Fraud%20Alert1.pdf

Pupil Registers, Ireland

The Department of Education has made repeated attempts to acquire
highly detailed personal information about primary school students to add to
its Primary Online Database. The department initially planned to hold this
information until the individuals were thirty years old. The department on
occasion threatened to withdraw funding from schools which did not comply
with these requests.
This information included:

First and second names
PPS number
Mother's maiden name
Date of Birth and gender
Full address
Mother tongue
Ethnicity
Religion
Irish language exemptions
Enrolment date, teacher / class details
Previous school / pre-primary education
Learning support details

Simon McGarr and some alarmed and determined parents fought a long and
tedious battle with the Department of Education over the legality of this
Primary Online Database which wound its way through refusals of Freedom
of Information requests, abrupt changes to the terms for which information
would be held and an intriguing attempt by the department to claim that the
Data Protection Commissioner's office had approved the entire thing (that's
not what the Data Protection Commissioner's office does.) Some highlights
are below and you can read more in Simon's archive of the whole (as yet
unfinished) affair.

Information Commissioner orders release of POD documents
MARCH 11, 2016 POD SIMON MCGARR
The Information Commissioner's office has now published their
binding decision in my appeal against the Department of
Education and Skills' refusal to release certain documents
relating to POD to me on foot of an FOI request.
With the exception of one document (of which more shortly) all
of the Department of Education's refusals have been
overturned. In fact, release had been refused repeatedly, once
on the basis that they were about something that the department
was thinking about doing in the future and then, when I
appealed, again on a whole new basis that it wasn't in the
interest of public administration as if they released them, it might
get in the way of the Department doing what they wanted.
The Information Commissioner has said that the Department
failed to consider whether the public good in access to
information might overrule the department's convenience and so
the basis for the refusal was invalid.
That doesn't mean that I have the papers in my hand yet. The
Department can still put off the evil day of transparency. When I
rang their FOI section to ask what their expected timeline for
release was, I was told they could take the full eight weeks.
When I pointed out that the maximum time allowed for them to
enter an appeal is 4 weeks, that changed to 4 weeks.
Basically, it seemed, whatever the longest possible time to delay
release is, that's what I could expect.
In the end, this is going to draw to a close by the start of April.
And, it seems, the Minister for Education will still be in office
while we can compare her public statements-asserting support
by the DPC for the POD project- to the actual correspondence
between them.
Finally, there was one document I wasn't given access to by the
Information Commissioner. The OIC decided that the
Department could assert legal privilege over the Data Protection
Commissioner's own legal advice, which had been shared with
them. Normally, sharing your legal advice with a third party
means you've waived your rights to legal privilege.
However, the Information Commissioner found that was not the
case here. The basis of that decision was that the Data
Protection Commissioner (the regulator for this topic) and the
Department of Education and Skills (the regulated data
controller) were, when dealing with POD's terms, engaged in a
joint activity.
"I am satisfied that the disclosure was limited to a party with a
common interest. Therefore, I am satisfied that legal
professional privilege has not been waived."
Which is perhaps a more interesting statement regarding the
relationship between the regulator and the state body it
regulates than whatever the letter might have said.

http://www.tuppenceworth.ie/blog/category/pod/
Mr G and Department of Education and Skills (FOI Act 2014)
Whether the Department was justified in its decision to part grant a request for access
to records relating to the Primary Online Database
Conducted in accordance with section 22(2) of the FOI Act by Stephen
Rafferty, Senior Investigator, who is authorised by the Information
Commissioner to conduct this review
Background
On 27 May 2015, the applicant made a request to the Department for "any and all
documents, including but not limited to observations, letters, emails and/or submissions
whether held in paper, electronic or any format relating to the Primary Online Database
between the Department and Minister for Education and Skills and the Data Protection
Commissioner and/or her Office."

On 26 June 2015, the Department informed the applicant that it had decided to part grant
his request. On 27 June 2015, the applicant sought an internal review of the decision. On
14 August 2015, the Department affirmed its original decision to part grant the request,
but varied the exemptions relied upon. On 2 December 2015, the applicant sought a
review of the Department's decision by this Office.

I have decided to conclude this review by way of a formal binding decision. In conducting
this review, I have had regard to the contents of the relevant records, to the submissions
of the parties and to the provisions of the FOI Act.

Scope of the Review


In referring to the records at issue, I have adopted the numbering system used by the
Department in the schedule of records it forwarded to this Office for the purposes of the
review. This review is concerned with whether the Department's decision to refuse
access to records 11, 12, 17, 18, 27 and 29 was justified.

Findings
The records at issue relate to engagement between the Department and the Office of the
Data Protection Commissioner (the DPC) in connection with the establishment of the
Primary Online Database (POD). This is an individualised database of primary school
pupils that has been developed by the Department. The Department refused access to
five records under section 30(1)(c) of the FOI Act, and to one record under section
31(1)(a).

Section 30(1)(c)
This is a discretionary exemption which allows an FOI body to refuse a request if access
to the record could reasonably be expected to "disclose positions taken, or to be taken,
or plans, procedures, criteria or instructions used or followed, or to be used or followed,
for the purpose of any negotiations carried on or being, or to be, carried on by or on
behalf of the Government or an FOI body". It is subject to a public interest balancing test
contained in subsection (2).

The records at issue relate to engagements between the Department and the Office of
the DPC in connection with the data to be collected and retained on POD. In its
submission to this Office, the Department stated that negotiations between the two
bodies related, in particular, to the retention policy for information stored on POD and the
question of whether identifiable information was necessary in order for POD to function. It
stated that the discussions resulted in maintaining the use of identifiable information on
POD and the revision of the age at which the information would be anonymised
downwards from 30 to 19 years. The Department stated that at the time of the FOI
request, it was in the process of communicating the changes to schools and, through the
schools, to parents.

I accept that the records at issue can be described as relating to a negotiation between
the Department and the Office of the DPC in so far as both bodies were involved in
discussions with a view to reaching agreement on matters relating to the nature of the
data to be captured and retained on POD. As such, I also accept that granting access to
the records could reasonably be expected to disclose positions taken by the Department
for the purpose of that negotiation and that section 30(1)(c) therefore applies.

However as I have outlined above, that is not the end of the matter as section 30(2)
provides that section 30(1) shall not apply where the body considers that the public
interest would, on balance, be better served by granting than by refusing the request. On
this point, the Department stated that "[I]t was felt that the release of these documents
could generate confusion as to the Department's current position on these matters, and
that on balance the public interest was best served by refusing to release the documents
in question."

In Case No. 98166 (X & Department of Enterprise, Trade and Employment), the then
Commissioner stated the following in respect of the corresponding provision of the FOI
Act 1997 (section 21):

"While section 21(1)(c) makes no distinction between disclosures which have the
potential to prejudice current or future negotiations in some way or to cause some other
harm and disclosures which do not, it seems to me that such a distinction should be
made in applying the public interest test in section 21(2) to records which disclose
positions taken etc. for the purposes of past negotiations. Put simply, if release of such
records cannot harm current or future negotiations or cause any other harm, then the
public interest in openness in the workings of Government means that, in the absence of
any other applicable exemption, the records should be released. On the other hand, if
access to records which disclose positions taken etc. for the purposes of past
negotiations could reasonably be expected to prejudice current or future negotiations or
cause some other harm, then this is a matter which must weigh heavily in the application
of the public interest balancing test."

In this case, I understand that following its discussions with the Office of the DPC, the
Department revised elements of POD, including the retention policy for identifiable data.
This revised position was communicated to schools by means of circular number
0025/2015, which issued on 15 April 2015. I am not aware that the release of the records
at issue could harm current or future negotiations or, indeed, give rise to any other
specific harm, and the Department has not drawn my attention to any such potential
harms. While the desire to avoid public confusion as to its position on the capture and
retention of data on POD may have been a relevant consideration at the time the records
were created, it seems to me that this concern is now moot.

On the other hand, section 11(3) of the FOI Act specifically requires bodies, in performing
functions under the Act, to have regard to, among other things, the need to achieve
greater openness in the activities of FOI bodies and to promote adherence by them to the
principle of transparency in government and public affairs. Accordingly, I find that, on
balance, the public interest would be better served by the release of the records at issue.

Section 31(1)(a)
The Department relied upon section 31(1)(a) in refusing access to record 29. Section
31(1)(a) is a mandatory exemption that requires FOI bodies to refuse access to records
that would be exempt from production in proceedings in a court on the ground of legal
professional privilege.

Legal professional privilege enables the client to maintain the confidentiality of two types
of communication:

confidential communications made between the client and his/her professional legal
adviser for the purpose of obtaining and/or giving legal advice (advice privilege) and

confidential communications made between the client and a professional legal adviser or
the professional legal adviser and a third party or between the client and a third party, the
dominant purpose of which is the preparation for contemplated/pending litigation
(litigation privilege).

The record is a letter from the DPC to the Department relating to the nature of the data
that the Department proposed for retention on POD. It recounts legal advice received by
the DPC from her external legal advisers in respect of some of the proposed data fields
in POD. In his request to the Department for an internal review, the applicant argued that
if the Office of the DPC has outlined a legal position to the Department which was
disclosed to it, privilege has been lost over same. I take this as an argument that the
Office of the DPC has, in effect, waived privilege.

The Department argued that the legal advice contained in the letter was shared in
confidence, and the letter was marked as confidential. It argued that the DPC never at
any point waived her right to legal professional privilege. In considering this issue, I have
had regard to the following comments of Finnegan J. in Redfern Ltd. v. O'Mahony [2009]
IESC 18, [2009] 3 I.R. 583:

"It is accordingly clear that privilege may be waived by disclosure. If the document comes
into the public domain privilege will be lost. It will not, however, be lost where there is
limited disclosure for a particular purpose or to parties with a common interest."

It seems to me that the Office of the DPC disclosed the legal advice it had received on a
limited basis and for a specific, limited purpose, namely with a view to reaching
agreement with the Department on the nature of data to be captured on POD. I am
satisfied that the disclosure was limited to a party with a common interest. Therefore, I
am satisfied that legal professional privilege has not been waived, and I find that the
Department was entitled to refuse access to the record under section 31(1)(a).

Decision
Having carried out a review under section 22(2) of the Act, I hereby vary the decision of
the Department. I find that record numbers 11, 12, 17, 18 and 27 are not exempt from
disclosure and should be released. I find that record number 29 is exempt from release
under section 31(1)(a).

Right of Appeal
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by
a party to a review, or any other person affected by the decision. In summary, such an
appeal, normally on a point of law, must be initiated by the applicant not later than eight
weeks after notice of the decision was given, and by any other party not later than four
weeks after notice of the decision was given.

Stephen Rafferty
Senior Investigator

http://www.oic.gov.ie/en/Decisions/Decisions-List/Mr-G-and-Department-of-Education-and-Skills-FOI-Act-2014-.html

The Department of Education and the Data Protection Commissioner's exchanges on POD
MARCH 21, 2016 / POD / SIMON MCGARR

The documents below were withheld by the Department of Education following an FOI request. The
Department produced an array of reasons for their refusal to release the below docs, which the Office
of the Information Commissioner ultimately decided were invalid.
Here then, is the exchange of documents between the Department of Education and Skills and the Data
Protection Commissioner's office which the Department did not want you to read.

https://www.scribd.com/doc/305489292/OIC-POD-FOI-Release-From-Department-of-Education

1st-Reply-letter-to-DPC-email-of-April-2016-copy_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/1st-Reply-letter-to-DPC-email-of-April-2016-copy_Redacted.pdf

Final-2nd-Letter-re-FOI-docs-sent-to-DPC-PDF-format-_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/Final-2nd-Letter-re-FOI-docs-sent-to-DPC-PDF-format-_Redacted.pdf

Letter-to-Simon-McGarr-01-06-2016_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/Letter-to-Simon-McGarr-01-06-2016_Redacted.pdf

An interview giving the story so far
APRIL 11, 2016 / GENERAL / POD / SIMON MCGARR

The benighted story of the Department of Education's perennially unraveling Primary Online
Database of 5+year olds has been bouncing along for over a year now. If you were to scroll
through a year's worth of this blog's posts you'd have a pretty good picture of what happened
when, but you might also expire with tedium.
It'd be a race to see which would happen first.

To spare you from competing against your own boredom threshold for your life, you can now
listen to me explain the whole thing, end to end in 25 mins or less.

Rossa McMahon's Adventures in Information podcast on FOI, data protection and
uncovering stuff starts by asking me questions on POD and what was wrong with it.
Rossa is a knowledgeable interviewer, and he helped me tell the tale by asking questions I
forget need to be answered.

The link to the interview's page, chock-full of bonus links about everything we mention along
the way is: https://adventuresininformation.com/2016/04/03/episode-1-the-pod/
And the links to the Podcast feed (because you're going to want to know what he comes up
with next) are
Minister considers partial backtrack on pupil PPS database

Minister for Education, Jan O'Sullivan.

The Minister for Education, Jan O'Sullivan, is to review a new schools database which would have
held personal details about primary students until they reach the age of 30.

Letters have been distributed to parents in recent days informing them of the new Primary Online
Database which contains details such as a child's PPS number and ethnicity.

The Department says the information will be used to 'formulate education policy' into the future.

However, Minister O'Sullivan has said she is prepared to reconsider the length of time the data is kept,
admitting that keeping records until a former pupil turns 30 might be excessive.

She said: "That is an area of it that I would be happy to examine."

Meanwhile, The Department of Education has announced building work is now underway on four new
schools being completed by the private sector.

The State will pay back for the four schools in: Skibbereen in Cork; Dundalk in Louth, Tulla in Clare,
Carrick-on-Suir in Tipperary - over 25 years.
The funding for the projects is being provided jointly by AIB and the German Bank KfW.

Minister O'Sullivan says this is a cost-effective way to build schools which will "provide places for
nearly 3,000 children".

She said: "It's a very positive programme, we've had a number of other bundles delivered on a similar
basis and I know from talking to the schools that they're very happy with the way this process has
worked."

http://www.irishexaminer.com/breakingnews/ireland/minister-considers-partial-backtrack-on-pupil-pps-database-657250.html

MINISTER MUST NOT USE PRIMARY ONLINE DATABASE TO CUT FUNDING - McCONALOGUE
written by stephen February 11, 2015

Fianna Fáil Spokesperson on Education Charlie McConalogue has called on the Education
Minister to clarify whether schools will be penalised if parents refuse to grant permission for
their children's information to be stored on the Department's Primary Online Database.

Charlie McConalogue TD

In response to a Parliamentary Question on the issue, Minister Jan O'Sullivan states that from the
2016/17 academic year it is intended that teacher allocations and capitation grants will be made on the
basis of POD data.

Deputy McConalogue said he is seriously concerned that the Minister is using the threat of capitation
and teacher number reductions as a means to force parents to hand over their children's personal details
for this new centralised database.

Schools already have the necessary information and documentation regarding students on file, but this
new database encompasses students' racial profile, psychological assessments, medical and disability
needs, religion, and PPS number. This information will now be retained by the department until the
students reach 30 years of age.

Parents legitimately have concerns about this level of information being stored on a national database,
and the Data Commissioner has also raised a red flag after it emerged that the Department had begun
collecting data from schools before informing the Commissioner. Despite these concerns, the Minister
is pressing ahead with the process, and now appears to be using the database as leverage for teacher
numbers and capitation grants.

The Inishowen-based TD said this situation is completely unacceptable and unfair.

The Minister is effectively threatening to withdraw capitation funds and to reduce teacher numbers,
despite the fact that parents have genuine concerns about this database. They are now being forced into
a choice between handing over their children's personal information or see the number of teachers in
their schools cut and the amount of funding allocated to the school reduced. This could see hundreds or
even thousands of schools penalised as a result of legitimate parental concerns.

The Minister must take the concerns of parents and the Data Protection Commissioner on board
before forcing through these measures, instead of threatening the future of schools across the country.

http://www.donegaldaily.com/2015/02/11/minister-must-not-use-primary-online-database-to-cut-funding-mcconalogue/

Minister to reconsider keeping data on school children until they're 30

The Department's plans for a national database have come under fire.
Jan 8th 2015
MINISTER FOR EDUCATION is willing to review plans to store sensitive data on school children
until they're 30.

Information on students including PPS numbers will be stored in the new Primary Online Database.

The child's name, address, date of birth, nationality and mother's maiden name, plus non-compulsory
fields such as ethnic or cultural background, religion, and need for learning supports would all be kept
by the Department on secure servers.

It also includes a space for notes.

It has proposed that this data could be shared with other Government Departments, but staff would
have limited access.

Worrying overreach

Security experts have raised concerns over the database, calling it a worrying overreach of the State.

Under the current scheme, data could be stored until the child is 30.

However, speaking today to Newstalk's Lunchtime, Minister Jan O'Sullivan said it was something she
was willing to look at.

"The reason for keeping the data for 30 years I presume is because we want to ensure that we have the
necessary information in terms of planning etcetera, but look, that is an area I would be happy to
examine."

She noted that the database was supported by parents, teachers, and school management groups, and the
data protection commissioner has been consulted.

"The purpose of this is to really ensure that, for example, children don't drop out after primary school
and maybe never progress to post-primary," the Minister explained.

Source: Simon McGarr/Twitter

Special advisor to Europol's Cybercrime Centre, Brian Honan, raised concerns over what the
information could be used for in future.

Source: Simon McGarr/Twitter

Simon McGarr @Tupp_Ed

Problem 3) Storing all details of a primary school pupil until they're 30 is excessive data retention.

1:59 PM - 7 Jan 2015

Concern over personal info database for every primary student
06/01/2015

Concern is being expressed about a new Primary Online
Database being established by the Department of Education.
Under the plan, all children's PPS numbers along with details
of their religion and ethnic backgrounds will be included on the
database, which the Department said will be used to develop
education policy into the future.
Parents of all primary school children are being sent letters
outlining how the new POD will work and what information will
be stored. The letter states that the information will be kept
until the child reaches the age of 30.
Solicitor and digital rights expert Simon McGarr said parents
need much more information about the database before it is
implemented.

"They themselves say they will be sharing the data with the
Department of Social Protection and other agencies," McGarr
said.
"If they intend to hold it until the children are 30, that data will
be sitting around in a database gradually every year collecting
up the personal data of every citizen being educated.
"This is not a small thing - and I think more debate and more
reflection by the department is needed."
The Department of Education's website says the scheme "has
been thoroughly piloted with a selection of schools" and
"extensively discussed with the education partners and
management bodies."
It says it will share the information with Social Protection, the
HSE, and National Council for Special Education.
The data collected will include:
First and second names
PPS number
Mother's maiden name
Date of Birth and gender
Full address
Mother tongue
Ethnicity
Religion
Irish language exemptions
Enrolment date, teacher / class details
Previous school / pre-primary education
Learning support details
In its documentation, the Department says it is compulsory for
parents to register their children. In the event a PPS number is
not available for a student, the Department will use the
mother's maiden name to look up Department of Social
Protection records.
The Department also reports that only information on ethnic
and religious background requires the consent of a parent or
guardian.
"All other information was deemed by the Data Protection
Commissioner as nonsensitive personal data and therefore
does not require written permission from parents for transfer
of the information to the Department," the letter to parents
says.
The Department claims the database will eliminate the
existing annual school census, facilitate transfers between
schools, and keep track of students who do not go on to
secondary school.
http://www.breakingnews.ie/ireland/concern-over-personal-info-database-for-every-primary-student-656963.html

Fair Processing Notice to explain how the personal data of pupils in
primary schools on the Primary Online Database (POD) will be recorded,
processed and shared.

http://www.education.ie/en/Publications/Statistics/Primary-Online-Database-POD-/POD-Fair-Processing-Notice.pdf

Updating and simplifying the manner in which schools can maintain pupil enrolment
and attendance records (Clarleabhar, Leabhar Rolla and Leabhar Tinrimh Laethuil)
following the introduction of the Primary Online Database (POD)

https://www.education.ie/en/Circulars-and-Forms/Active-Circulars/cl0033_2015.pdf

Primary Online Database (POD)
The Primary Online Database (POD) is a nationwide individualised database of primary school
pupils, facilitating the monitoring of educational progress as pupils move through the primary
education system and on to post primary. The system allows schools to make online returns to the
Department of Education and Skills (DES) and provides the Department with the comprehensive and
in-depth information needed to develop and evaluate educational policy.

What is it used for?


https://www.education.ie/en/Publications/Statistics/Primary-Online-Database-POD-/

Parents cannot withhold kids' PPS numbers
Friday, January 16, 2015
by Caroline O'Doherty
Parents have been told they will be unable to withhold their children's PPS numbers from a
controversial new Department of Education database as the information will be found from the
Department of Social Protection instead.

The new primary online database (POD) requires that primary schools hand over PPS numbers for
all their pupils, to be held by the department and shared with other state agencies until the child
is 30 years old.

However, not all primary schools collect PPS numbers when enrolling pupils and, in cases where
parents are asked but refuse to provide the information, the department has said it will use the
mother's name to seek the child's number through Social Protection.

All primary schools require a child's birth certificate for enrolment and the certificate carries
details of the child's mother and her married and maiden names. Schools will be required to
provide the mother's maiden name to the POD in cases where they do not have the child's PPS
number.

According to the Department of Education, this is because: "If a school cannot get the child's PPS
number, we will have an arrangement in place to obtain the PPS number from the Department of
Social Protection by matching the child's details with the mother's maiden name."

Ironically, the child's own name is not a compulsory feature of the POD, as the PPS number is
considered the key to all the associated data, although pupils' names are requested to help verify
and validate the PPS.

The only information parental consent is required for is a child's religion and ethnic or cultural
background. Other personal details about a child, their progress through the school system, their
use of learning supports, psychological assessments and the language spoken in the child's home
will be collated without consent.

The department has said there will be no consequences for schools if parents do not provide
information on their childrens religion as this question is being asked for statistical purposes
only.

However, it warns that if information is not supplied about ethnic and cultural background, it will
be harder to target resource allocation to schools with children who may need extra language
classes and other supports.

It also warns that if information is not provided about Traveller children under this heading,
schools could lose out on the higher capitation grants available where Traveller pupils are
enrolled.

The parents of more than half a million children are currently receiving letters from their schools
explaining the need for the data collection, which is meant to be completed by March and updated
on an ongoing basis afterwards.

The project has come in for criticism over its intention to hold the information from the time a
child enters school until they turn 30.

Education Minister Jan O'Sullivan has already said she will look again at whether it is necessary
to hold the information so long.

However, further doubts have been raised over the plan following warnings the move could
breach data protection laws.

A leading solicitor said that, under the Data Protection Act, information gathered should be
limited to only what is necessary, it should be gathered for very particular circumstances, and it
should not be retained for longer than necessary.

Simon McGarr, an expert in digital rights, said the plans, which involve sharing the information
with various state bodies and holding on to it until pupils are at least 30 years old, seemed
excessive.

http://www.irishexaminer.com/ireland/parents-cannot-withhold-kids-pps-numbers-307299.html

Irish Water will be asking for your PPS number and they'll be doing so within weeks

The company accepts that this is an unusual territory for a utility to be in.
Jul 15th 2014

IRISH WATER WILL begin asking for people's PPS numbers in the next couple of weeks as it
prepares to begin the roll-out of water charges from next year.

Speaking on RTÉ's Morning Ireland, Irish Water's Elizabeth Arnett said that the company realises that
it is unusual for a utility to ask for this kind of detail but that they are doing so to ensure people
receive the allowances they are entitled to:

This is an unusual territory for a utility to be in but we have been charged by
Government to assign allowances per household so each household is to receive
30,000 litres for free and every child in the state is to have free water.
So in assigning those Government allowances we are looking for the PPS numbers to get that right.
"It's not unusual for PPS numbers to be asked for in the context of Government benefits," she added.

Enda Kenny recently reiterated his pledge that water services for children will be free and stated that
the average household charge will not exceed €240 per year.

Arnett says that Irish Water wants to make sure that people get the allowances they're entitled to in an
easy, transparent and accountable way.

She adds that the company has been working with the Data Protection Commissioner as it begins to
engage directly with customers:

As you can imagine a utility like ours will hold a lot of data from our customers. So we have an
ongoing engagement with the Data Protection Commissioner to ensure, first of all that we have the
appropriate authority to ask these kind of questions and also appropriate systems and internal systems
in place to ensure that we handle this data in the most appropriate way.

ENDA KENNY HAS insisted that the government will not renege on its promise to provide water
services to children for free.

Speaking during Leaders' Questions today, the Taoiseach said he could also confirm the average
household charge will not exceed €240 per year.

Deputy Peadar Tóibín pushed the Fine Gael leader for more details following Irish Water's failure to
publish the charges during yesterday's farcical Oireachtas committee hearing.

He criticised the government for allowing the process to be shrouded in secrecy.

The Sinn Féin TD added that this denial of information has led to a widespread belief that the charges
would creep higher than what was originally suggested.

"The direction given by government through the Minister to the Environment to the regulator is that the
average bill for the regular household is €240. The second element of the instruction is that children are
free in terms of use of water," replied Kenny.

However, he did seem to indicate that the mooted 38,000 allowance for children may be cut. He
explained that this generation of children are more savvy at conservation techniques because of the
Green Flag initiative in schools and may not require the same amount as previous studies suggested.

He concluded that the government's policy decision on free water for children will not change.

Tóibín also used the opportunity to reference Minister Ruairí Quinn's resignation today, implying that
the timing of the statement was an intentional slight of the Taoiseach.

"I think it is an interesting insight into the state of disarray in the Labour party when Ruairí Quinn
resigns two days before a leadership battle. And also that he gives his resignation speech at the same
time as Leaders' Questions - a snub to the Taoiseach."

Kenny was also called upon by Micheál Martin to confirm a number of details about the collection of
the property tax for this year.

He said that government decided and agreed that local authorities should retain 80% of the money
collected in 2014.

He also reminded Fianna Fáil that its representatives in council could look to reduce the charge by
15%.

Councils have been starved and were shafted by government last year, Martin claimed, asking for
some honesty from the coalition.

Kenny said it is possible for a number of authorities to reduce the charge because of the volume and
value of properties in their area.

The Taoiseach also insisted there is no big division between Fine Gael and Labour on the issue,
urging the Fianna Fáil leader to not believe everything he reads in newspapers.

Irish Water and your PPS number.

So it has been (more or less) confirmed that Irish Water (a private unlimited
company) will be seeking your Personal Public Service Number. Note the word,
personal. Irish Water claims that this will help ensure that those who will need
allowances will be able to get them speedily without too much hassle. But is this
true? Or more to the point, is this necessary or even legal?

Your PPS number is given to you and you alone. The only times you are required
to use your PPS number is in cases of taxation or in cases of claiming social
welfare. Under no circumstances are you to use your PPS number to aid or assist
a private company. Imagine if you were signing up for oh let's say a new Meteor
phone contract. Would you give Meteor your PPS number? If Meteor asked,
wouldn't you consider that as being wrong or possibly illegal?

Irish Water, created to appease the IMF/EU/ECB, have already proven they are
not a semi state organisation by responding to the question "what if the people
of Ireland start to be very conservative with their water use?" with this reply: "if
that happens, we will simply increase our costs!" .. even the state (as much as it
likes to think its place is one place higher than any God) can't do that.

The notion that surrendering your PPS number is to help people who will
require allowances is pure and utter nonsense. If that is the case, why are the
social welfare not dealing with the allowances? If Irish Water truly is as
advertised, a semi state company, wouldn't it be more prudent to use the social
welfare? After all, the social welfare are best suited. They already know who are
the poorest in society and they pay the child benefit to every single family with
children under the age of 18. Using social welfare to distribute these allowances
would also cancel out any concerns about a company (semi private or fully
private) having access to legally protected data, such as your PPS number.

As things currently stand, legally you are not obliged to give Irish Water your
PPS number or those of your children. This is something that no doubt will
inevitably see its day in court. The only reason why a company (fully private or
not) would want access to your PPS number in Ireland would be because of the
state's new approach to taxation. In that we don't care if you disagree, we will
simply take it at source . . . One might call me a conspiracy theorist now but who
thought the state would give revenue the power to take your property tax from
source?

On top of all of this are the FACTS that Ireland has been paying for her water
supply since the 70s through basic general taxation, since the 90s Ireland has
been paying twice for water, the second charge was levied and still is on
motorists through road tax (yes road tax pays for water) so you were paying
twice already. The kicker is simple and completely overlooked by all concerned.
Those motor taxes and general PAYE taxes will not come down with the
introduction of Irish Water.

So you will be paying three times for your water. The third payment to a
company that already insists that its prices will need to go up due to lack of
funding from the state. A company that before it has even started has already cut
by 60% the allowances. A company that wishes for revenue to take from your
source. A company that has NO competition and will fully control water services.
A company that is boarded by ex Fine Gael and Labour TDs. A company that is in
every way shape and form as corrupt as the state that created it.

Your PPS number is personal. Would you give it to Meteor? Why then, will you
give it to Irish Water?

http://www.thejournal.ie/irish-water-pps-numbers-1571854-Jul2014/

Kenny says Irish Water (and your PPS number) will not be sold

Aoife Barry
TheJournal.ie, 30 September 2014

Irish Water will not be sold, the Taoiseach said today, when asked about the security of people's PPS
numbers.

He made the comment in the Dáil during Leaders' Questions, when questioned by Deputy Catherine
Murphy of the Technical Group.

She said that potentially Irish Water will have a more complete set of data available to them than any
Government department, which she called "crazy".

Fair charges

"Irish Water is a public entity - it will not be sold," replied the Taoiseach.

It is prescribed in law that the information in regard to PPS numbers will be used solely and
specifically for the purpose intended to determine accurately the household and allowances in respect
to households and where there are children involved.

Murphy countered: "Who is to say into the future that it can't and won't be sold? Legislation changes
all the time. Don't think people believe it can't be sold."

The Taoiseach said that there is protection of the data in respect of PPS numbers held by Irish Water.

On its website, Irish Water has a data protection notice which says:

Irish Water may keep the customer's data for a reasonable period after the customer ceases to be
supplied with Water Services but will not keep it for any longer than is necessary and/or as required by
law.

Murphy also accused the Taoiseach of managing to pull off another stroke with the introduction of
charges tomorrow.

She said that if the point of water charges was to conserve water, then everyone in the State would have
been given a free allowance.

She said that if people don't supply their PPS numbers, they will essentially be fined.

Murphy said that she has repeatedly had people say to me they feel like they're living in a
dictatorship.

The Taoiseach said the Government aims to make water charges as fair as possible.

He was heckled by other members of the Dáil while he spoke, one of whom shouted "that's rubbish,
absolute rubbish" at him.

https://uk.news.yahoo.com/kenny-says-irish-water-pps-number-not-sold-153908007.html

Data Protection
Background

Irish Water was established under the Water Services (No. 1) Act 2013 for the purposes of providing
water services functions, which include the provision of water and collection, treatment and disposal of
wastewater from domestic and non-domestic customers. The Water Services (No. 2) Act 2013 obliges
Irish Water to charge customers for the provision by it of water services. This Data Protection Notice
sets out Irish Water's procedures for the fair collection and processing of personal data required for
Irish Water to perform its statutory functions.

Collection of Customer Personal Data


In order for Irish Water to provide the customer with water services, and to enable Irish Water to
establish and manage the relationship with that customer, Irish Water needs to collect and use data
relating to the customer. Irish Water collects information when its customers contact us (such as by
phone, e-mail or letter), for example, to open or transfer an account, or to make a complaint. Irish
Water may collect information from local authorities, who were responsible for water services in
Ireland before 1 January 2014, and who now provide water services on Irish Water's behalf.

This data is used to manage and administer the customer account and for operational reasons, to
include:

- determining who is the customer account holder for each address;
- determining whether a customer is an owner or a tenant so that Irish Water can revert the customer
  account to the owner if a tenant moves out;
- utilising information on water and wastewater services to determine who is a customer;
- calculating the correct tariffs and caps, and billing the customer;
- complying with Code of Practice requirements, for example, if a customer is a vulnerable customer;
- responding to and managing operational issues, for example, issues with drinking water quality,
  pipes or meters;
- carrying out assessments, statistical analysis or research and development processes, so that we
  can review, develop and improve appropriate tariffs, services and conservation measures.

The provision of contact details (other than name and address) is optional, and will be used for
outbound communication to customers including outage notification and general account management.
Information may also be processed to assess a customer's ability to pay in the event of arrears on an
account, so that Irish Water can treat those having genuine difficulty in making payment
sympathetically.

In addition, data provided by the customer may be used for marketing purposes, and this is explained
further below.

Verifying Customer Information

Following the Government decision of 19 November 2014, PPS Numbers are no longer required as
part of customer applications; Irish Water's arrangements are based on self-declaration and appropriate
audit.

On occasion, for example where a customer's water usage varies significantly from that which is
typical for their occupancy configuration, Irish Water may ask customers to provide evidence in
support of the occupancy declaration they made in the application process. Proof may be sought, for
example, to ensure that children are still under 18 years old and so eligible for the Children's Water
Allowance.

Customers may provide such evidence in a number of different forms. Any evidence provided by
customers in those circumstances will be retained only for as long as it takes for Irish Water to verify
the customer's account details.

All PPS Numbers provided prior to 19 November 2014 have been removed from Irish Water's
systems.

Sensitive Personal Data - Special Services and Priority Services

Customers may provide sensitive medical information to Irish Water if they wish to register on Irish
Water's Special Services Register and/or Priority Services Register. Customers may provide
information such as whether they are elderly, deaf or hard of hearing, blind or visually impaired,
mobility impaired, suffering from mental illness, have an intellectual disability or have an illness that
requires a higher than normal water supply requirement. This information will be used to provide bills
and communications in alternative formats, and to contact those customers at particular times, for
example, when there is a supply interruption, to adjust the customer's bill appropriately or to offer
alternative water supplies. Sensitive personal data provided by a customer may also be used to put in
place special arrangements for a customer, for example, during site works or in relation to a drinking
water incident. Irish Water has put in place procedures to minimise the amount of sensitive personal
data being recorded by it.

Data Processing

Irish Water may keep the customer's data for a reasonable period after the customer ceases to be
supplied with water services but will not keep it for any longer than is necessary and/or as required by
law, whether under the Data Protection Acts 1988 and 2003 or otherwise.

Irish Water may share the customer's data with authorised agents or third parties who act on behalf of
Irish Water, including local authorities, in connection with the activities referred to above, pursuant to a
contractual relationship. Irish Water continues to be the Data Controller for this data and these
authorised agents act as Data Processors on our behalf. Such agents or third parties are only permitted
to use the customer's data as instructed by Irish Water. They are also required to keep the customer's
data safe and secure.

Irish Water's data centres are located in Ireland. On occasions, mainly to resolve system issues, Irish
Water may require technical support from outside the European Economic Area (EEA). While this
does not involve storing data outside the EEA, it may involve technical support accessing Irish Water's
system remotely from outside the EEA, with a possibility that it may view customer data while trying
to resolve the issue. Technically, under data protection law, this is deemed to be a transfer of data as
the data can now (temporarily) be viewed outside the EEA. In all cases, any such activity is supported
by a contract which includes data protection clauses which are binding on the technical support agent.
Irish Water has included reference to this activity in its customer information for reasons of
transparency.

Irish Water may also disclose customer data if it is under a duty to disclose or share customer data in
order to comply with any legal obligation, or in order to protect the rights, property, or safety of Irish
Water, its customers or others. Irish Water will also disclose customer data if it is required to disclose it
in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order,
or other valid legal process.

From time to time the customer may speak to employees of Irish Water (or agents acting on its behalf)
by telephone. To ensure that Irish Water provides a quality service, the telephone conversations may be
recorded. Irish Water will treat the recorded information as confidential and will only use it for staff
training/quality control purposes, and for confirming details of the conversations with Irish Water.

If the customer requests that Irish Water communicates with him/her by email, the customer is solely
responsible for the security and integrity of the customer's own email account. Unfortunately, the
transmission of information via the internet is not completely secure. Consequently, while Irish Water
will take all reasonable security measures, Irish Water cannot guarantee the privacy or confidentiality
of information relating to the customer being passed via the Internet; any transmission is entirely at the
customer's own risk.

For further information on data collected on our website, please see our Privacy Statement.

Non Customers

From September 2014, Irish Water mailed all households in Ireland with an application pack, using
names and addresses based on information received from multiple sources. As there is no one central
list of all households in Ireland that are connected to the public water main and/or public sewer, Irish
Water was unable to refine its mailing to Irish Water customers only. Therefore, Irish Water asked all
recipients of application packs to respond to confirm whether they are or are not a customer of Irish
Water. If someone declares themselves not to be a customer, certain information is required in order to
confirm that this declaration is correct, and to verify that that person is not in fact using water services
provided by Irish Water. Such information will be held until Irish Water has validated that that person
is not a customer. The information required in those circumstances is as follows:

- Name
- Supply Address
- Whether that person is a Tenant or Owner
- Type of water supply
- Type of wastewater service

Any person who is declaring themselves as not being a customer will not have to submit the following
details to Irish Water:

- Number of occupants in the household
- Contact information
- Vulnerable services requests
- Direct Debit details

Access Requests

The customer, or other person whose data is held by Irish Water, has a right to ask for a copy of that
person's data, which is held by Irish Water (under legislation Irish Water is entitled to charge a
nominal administration fee for this). If the customer or other person wishes to avail of this right, a
request must be submitted in writing to Irish Water, Data Protection Officer, PO Box 6000, Talbot St,
Dublin 1 or via email to dataprotection@ervia.ie .

In order to protect privacy, the person making the request may be asked to provide suitable proof of
identification. If any of the details are incorrect that person is entitled to notify Irish Water to amend
such details. If data held by Irish Water relating to a person is incorrect that person is entitled to notify
Irish Water to amend such details. You can download an Access Request form here.

Marketing

Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer
by text message, email, post, landline or in person about water related products or services which may
be of interest to the customer ("Marketing Purpose"). For the avoidance of doubt, Irish Water will not
sell or provide personal data to third parties for marketing use. Irish Water will not use personal data to
market non-water or wastewater related products or services.

If the customer does not wish to be contacted for Marketing Purposes as set out above, the customer
may exercise a right of opt-out by either writing to Irish Water at FREEPOST, Irish Water, Data
Protection Officer, PO Box 6000, Talbot St, Dublin 1 or via email to dataprotection@ervia.ie or by
calling Irish Water on LoCall 1850 448 448. The customer may opt out at the time when Irish Water
collects their data or at any time thereafter.

Queries

Where a customer (or non-customer) has any queries in respect of personal data he/she should contact
Irish Water on LoCall 1850 448 448.
https://www.water.ie/data-protection-notice/

Demand f

I am opposed to water charges and will not pay the charges: 374 (47.46%)
I am opposed to water charges *but will* pay the charges: 188 (23.86%)
I support water charges and will pay the charges: 201 (25.51%)
I don't care one way or the other but damn that KERSPLAT lad is seriously handsome: 25 (3.17%)

PPS Numbers by Irish Water raised serious questions over Data Protection
Oct 1, 2014

Richard Boyd Barrett, TD, People Before Profit Alliance, raises with the Minister the demands for PPS
Numbers by Irish Water and the serious questions over the implications for Data Protection in the Dáil
on Oct 1st 2014.

https://www.youtube.com/watch?v=BKWlbjhqv4M

Irish Water to request customer PPS numbers
14/07/2014

Details have emerged of some of the personal information that Irish Water will request from
householders.

An "allowances application form" will be sent out from September, in advance of the charges
beginning the following month.

The four-page document requests a range of personal information from the name and address, to the
PPS number of the householder and those of up to six children living at the property.

It will also ask questions about whether the householder is a homeowner or tenant.

The first bills for water usage are due to be sent out in January.

http://www.breakingnews.ie/ireland/irish-water-to-request-customer-pps-numbers-636240.html

What a mess: Irish Water, Minister Kelly & the Data Protection Commissioner
by Stephen on Sep 29, 2014

I've been inundated with calls from constituents who are concerned about giving their PPS numbers to
a private company. I am also very uncomfortable with Irish Water's approach to providing customer
details to third parties for marketing purposes. So I got onto the Data Protection Commissioner and the
Minister for the Environment, Community and Local Government, Alan Kelly. The Minister informed
me that the Government made it legal for Irish Water to request PPS numbers under section 20 of the
Social Welfare and Pensions Act 2014, and assured me that Irish Water is fully compliant with data
protection requirements.

However, the Data Protection Commissioner isn't so sure. I have written confirmation from the Data
Protection Commissioner's office that states "it is likely that we will be asking them (Irish Water) to
make certain amendments", and in relation to marketing preferences "We will likely require an
amendment to the marketing reference in the data protection notice".

So what's going on? I'm not sure, but I am calling on the Minister to make Irish Water liaise with the
Data Protection Commissioner to ensure all required changes are made before any Irish citizen is asked
to hand over information, or incurs any cost for non-compliance. I am also calling on Irish Water to
delete all PPS numbers of all customers and their children once they've used them to verify the free
allowances available to each household.

The Data Protection Commissioner is in ongoing communication with Irish Water on a number of
issues and has asked it to be more transparent in relation to the disclosure of personal data to
outsourced functions and the protection and purposes of such disclosure. For clarity's sake, here's
some of the answers the Data Protection Commissioner's office gave me in response to constituents'
questions.

Question: Is it safe for Irish Citizens to give their PPS numbers to Irish Water?

The collection of the PPSN for use by Irish Water in verifying occupants of a household (including
children) is provided for in legislation and this has the effect of setting aside data protection legislation
in relation to the request for and use of the PPSN for this purpose. However, the remaining obligations
contained in the Data Protection Acts e.g. keeping data safe and secure etc, still apply to Irish Water
and their holding of personal data generally.

Question: Once the PPS numbers have been used for any verification purposes by Irish Water,
should Irish Water destroy the PPS numbers?

The Data Protection Acts require that an organisation only keep personal data for as long as is
necessary for the purpose for which it was collected. An organisation therefore has to be able to justify
its retention of personal data. We understand that the following is an extract from Irish Water's entry
on the Register of PPSN Users held by the Department of Social Protection: "Retain it no longer than is
necessary for the specified purpose or purposes. Irish Water is in the initial stages of gathering PPSN
details from customers. Irish Water will remove individual PPSN details from our systems when the
PPSN is no longer required to support a claim for a water allowance."

Question: Is it acceptable for Irish Water to operate an opt out policy in relation to marketing,
under what circumstances is it not acceptable, and if people are finding it difficult to opt out,
what should they do?

It is our understanding that a prominent marketing opt-out is provided in the application forms
circulated by Irish Water. The basic rule that applies to direct marketing is that an organisation needs
the consent of the individual to use their personal data for direct marketing purposes. As a minimum,
an individual must be given a right to refuse such use of their personal data both at the time the data is
collected (an opt-out) and, in the case of direct marketing by electronic means, on every subsequent
marketing message. The opt-out right must be free of charge.

Let us for a moment assume that the IW folks did not ask for PPS nos as a condition of the payment of
a Government/Tax payer subsidy to individuals.
Then everyone could claim 8 children under 6 and IW would have no ability to check and the state
would be paying out a fortune. The public would be horrified and ask why this incompetent bunch
should be trusted with any information or with supplying water.
The PPS no is the way the state identifies individuals. If an individual is going to be the recipient of a
state service then it is correct that the PPS no is used.

- I can understand that people do not want to pay for water.
- I can understand that this is the straw that broke the camel's back.
- I can understand that the implementation of IW was seen to be incompetent and over priced (I
  don't accept that).

I cannot understand how anyone can fail to realise that the payment of Tax Payers' money needs to be
controlled and that collecting PPS nos is being done to achieve that. It is the method used by
electricity suppliers to avoid fraud and I can see no better, cheaper way of doing that for IW.
I apologise to all those who prefer ranting to reason but not everyone can elegantly merge fury with
paranoia to produce idiocy.

Search for Irish Water data boss begins


Thursday, October 30, 2014
By Joe Leogue and Juno McEnroe

Irish Water has finally started a hunt for a data protection manager, months after it started the process
of demanding and recording customers' PPS numbers.

Independent TD Catherine Murphy described seeking a data protection manager at this point as a "cart
before the horse situation that is typical of Irish Water".

"It looks like this has not been thought out at all. We saw an example last week of people's bank
details being sent to their landlords, which undermines confidence in Irish Water. This is not a minor
issue," the Kildare North TD warned.

The advertisement for the position, posted online yesterday, comes as ministers defended the right of
Irish Water to seek people's PPS numbers, following reports that staff in one Government department
had expressed concerns about handing over details.

Among the requirements for the role, the successful candidate must:

- Assess, monitor and control risks arising from transfer of information to and from external
organisations;

- Develop and implement an assurance plan over the critical information security and data protection
risks;

- Provide training to all employees, contractors or other third parties;

- Develop and implement an information security and data protection policy, processes and procedures
throughout Irish Water which fulfil the requirements of the corresponding Ervia group policy and
procedures, legislation and best practice.

Ms Murphy claimed that Irish Water has no statutory basis under which it can collect PPS numbers as
Social Protection Minister Joan Burton has yet to formally finalise the arrangement under which the
utility is authorised to collect the data. "The minister of social protection is supposed to sign an order to
allow Irish Water to seek PPS numbers, but I understand she has yet to do that."

The Irish Examiner submitted a number of questions to Irish Water arising from the advertisement but
did not receive a reply at time of going to press.

Meanwhile, no definitive Government decision on further alleviation measures for households facing
water charges is expected in the next week.

The Government's four-person Economic Management Council will meet today and examine a menu
of options to help households with payments. These are expected to include a special capped family
payment for households where adult children are living at home. An extension of the assessed charge
payment period beyond next summer is also set to be discussed.

Environment Minister Alan Kelly will appear before the council.

The Tánaiste's spokesman said last night that it might take a little bit longer than beyond next week
for Cabinet to agree on solutions to concerns.

Taoiseach Enda Kenny's spokesman said people deserved clarity and certainty on what they would
be charged for water and the Cabinet was looking at this.

Earlier, Communications Minister Alex White conceded the Irish Water project was not ready. "I will
agree with you that people have responded very, very strongly to this, that we have, I think, tried to bite
off too much too quickly in relation to this project."

http://www.irishexaminer.com/ireland/search-for-irish-water-data-boss-begins-295584.html