If a person does not consent to private details being held in databases in order to access essential services, there needs to be legislative basis for it, writes Elizabeth Farries.
An Oireachtas committee will be meeting tomorrow regarding concerns surrounding the Public Services Card, including its National Biometric Database (together, the PSC).
If you don’t currently have a PSC, you can be denied access to essential services, in violations of your human rights.
The PSC requires users to provide a facial image biometric scan via the Standard Authentic Framework Environment registration system. This data is combined across agencies into the Single Customer View database accessible by certain public agencies.
The implications of a database with biometric features raise serious alarms for security. When impermeable information such as biometric scans are contained, there is no undoing the breach once it occurs.
India, home of the world’s largest biometric identity card system, has recently been hacked and the details are being sold online for €10.
Previous database breaches are not unusual in Ireland and so further breaches are conceivable — for example the 350 data breaches in two years at PeoplePoint, the centre that provides HR and pensions administration services for 34,500 civil servants.
The electricity transmission system operator EirGrid was also hacked in 2017. A survey of 200 professionals carried out by the Irish Computer Society found 61% of organisations have had at least one data breach in the last year.
Nor do the cards appear to be financially necessary.
While Finance Minister Paschal Donohoe cites economic benefits to the PSC, including the prevention of welfare fraud, the Office of the Comptroller and Auditor General observes that no business case has been made for this regime and that a comprehensive estimate of the total projected costs was not prepared at the outset.
One example of extreme cost escalation includes the budget for the managed service provider element, which was increased, by €2m, to €26.4m in 2012 to take account of changes to the contract as a result of delays and card enhancements.
The card is costing, not saving, us money.
One way to push back against this regime is to refuse it. However, you are not allowed to refuse the PSC in many circumstances which appear to be inconsistent — as highlighted by the prominent case where the Department of Social Protection suspended a woman’s pension after she refused to register for the PSC.
Digital Rights Ireland referred her to a solicitor and her pension has now been restored. She is just one individual lucky enough to have legal support. Others have not been so fortunate.
Indeed, the PSC has now been made the only acceptable form of identity verification for services including social welfare payments, child benefit, school transport, treatment benefits, driver’s licence applications, age verification, school grant appeals, and online health and revenue portals.
Furthermore, the minister of state for Public Procurement, Open Government, and eGovernment, Patrick O’Donovan, has announced his intention to initiate requirements for 100,000 students to obtain the PSC before they can apply for grants.
If a person does not consent to their private details being held in databases in order to access essential services, there needs to be legislative basis for it.
There is no clear legislative basis for the PSC. Mr Donohoe cites the Social Welfare Act 2005; however, as legal expert Simon McGarr observes, while this act requires a person receiving benefits to demonstrate their identity, it does not require the level of information demanded for the PSC.
It is one thing to submit a photograph and a document with your address on it; it is another thing to be required to provide a facial image biometric scan.
This level of privacy infringing requirements means that the PSC is in breach of the requirement under EU law and that of the European Convention on Human Rights, which and ECHR law state that interferences with privacy must be both necessary and proportionate.
The PSC is not necessary because alternative forms of identification, including passports, are available and were previously sufficient for the purposes of accessing public services.
The PSC is also a disproportionate interference with privacy because requiring people in Ireland to link all of their personally identifiable information, including facial scans, into one database shared by numerous agencies creates a generalised audit trail.
This interferes with privacy rights in a manner that far exceeds the asserted goal of easy and convenient service access. The implications of a hackable database with biometric features exceed that goal even further.
There is also no clearly defined independent supervisory authority responsible for monitoring the management and security of stored data with the PSC, despite this being a growing norm of EU law where issues of surveillance and privacy are concerned.
Clearly defined oversight could review ethical problems in data management, including allegations that the State is deliberately erasing the Single Customer View database history showing who has accessed and changed your personal information.
There is also, finally, the risk that future governments may use your data for unethical reasons. We are watching how new governments can easily role back rights that citizens previously took for granted.
In the US, privacy act protections have been revoked for non-citizens, making it easier for agencies to share data on legal and undocumented immigrants with customs officials. The PSC risks undermining Ireland’s democratic fabric in a similar way.
The Irish Council for Civil Liberties will address the Oireachtas meeting regarding the human rights concerns attached to the PSC.
We will argue that the Government has failed to respond to the clear privacy concerns raised by the PSC and has instead invested further funds for promoting a project that is already over budget. We assert that the PSC should not be continued in its current form.
Indeed, we have reservations as to whether a data retention system of this type could ever be implemented in a safe and lawful way.
Elizabeth Farries is the information rights project manager for the Irish Council of Civil Liberties and the International Network of Civil Liberties Organisations.
---
Autor(en)/Author(s): Elizabeth Farries
Quelle/Source: Irish Examiner, 07.02.2018
Bitte besuchen Sie/Please visit:
