Académique Documents
Professionnel Documents
Culture Documents
Follow
JenMurnaneOConnor @JenMurnaneOConn
Public Services Card (PSC) ID Policy - TheoryTest.ie -
The official RSA Driver Theory Test
http://
fb.me/3iIJnPizy
Follow
The next point relates to article 80 of the GDPR, which deals with
representation of data subjects. A real problem in this area has
been that individuals can lack the expertise, knowledge, time and
money to enforce their legal rights. As members know, the Irish
legal system is expensive and difficult to navigate for lawyers,
never mind those people unfamiliar with it. Many of these rights,
if they are to be enforced, would involve a trip to either the
Circuit Court or the High Court at a cost that is simply beyond
the scope of the average individual. The GDPR aims to alleviate
that problem with a mandatory and two optional provisions with
article 80. The mandatory provision is that member states must
allow individuals to nominate a not-for-profit body to act on their
behalf to make complaints to a data protection authority, appeal
against decisions of a data protection authority, or take an action
against a controller, like an Internet service provider, where it
has abused personal data. The optional parts of the article are
that member states may allow individuals to nominate not-for-
profit groups to act on their behalf to seek damages and they
may allow not-for-profit groups to bring actions on their own
initiative without the need for an individual to nominate them to
do so.
My next point does not appear on the speaking note that was
distributed but it relates to head 20 of the Bill, which would allow
for restrictions to be placed on controller obligations and the
exercise of data subject rights by means of statutory instrument.
We are concerned that head 20 appears to introduce a far-
reaching power on the part of each individual Minister to
effectively exempt particular forms of data processing from the
requirements of the GDPR in a way that might not be fully
consistent with fundamental rights. It is noticeable that in the
heads of Bill the Department acknowledges it would be desirable
for Departments to introduce limitations on these rights by
means of primary legislation but it suggests it is nevertheless
necessary to have a residual power by means of statutory
instrument to introduce these exceptions.
Image: Shutterstock/Rawpixel.com
IRISH ADULTS BOTH in the country and across the world
will be able to renew their passports online from Thursday.
The Online Passport Application Service (OPAS) will be
available on the Department of Foreign Affairs website.
The new service is only for the renewal of adult applications,
first time applicants and children will have to use the
current system.
In a statement the Department of Foreign Affairs said,
People can apply via the Departments website using their
PCs, tablets or mobile phones.
The service will be convenient, secure and it will offer faster
and more predictable turnaround times.
The Minister for Public Expenditure and Reform, Brendan Howlin, T.D., has announced
the establishment of the Office of the Government Chief Information Officer (OGCIO) at
the Department of Public Expenditure and Reform.
The Government CIO is responsible for developing and implementing an ICT Strategy for
Government that ensures an integrated approach to the exploitation of ICT across all
Departments and Public Service Bodies, accelerating the delivery of digital services
across Ireland and a transformation I the use of the Governments information
assets. The OGCIO will remain responsible for coordinating the implementation of the
existing eGovernment and Cloud Computing Strategies.
Minister Howlin said this new organisation will, when fully resourced, allow Bill and his
team to lead, manage and direct across Government Departments to define and
implement an enterprise-wide ICT strategy to support the Reform agenda and improve
the overall performance of the public service.
Mr. McCluggage said I look forward to leading the team here at the OGCIO, and working
with colleagues across the Public Service, to deliver real transformation in the way public
services use ICT and the development of new and improved digital public services. The
work of the OGCIO has a valuable role to play in delivering real reform of Public Services
and I intend to ensure we step up to the challenge.
Ends
23 July, 2013
The Government CIO, Mr. Bill McCluggage, leads the cross-organisational CIO Council
in devising and implementing an ICT strategy and is currently responsible for all IT
operations in the Department of Public Expenditure and Reform.
CMOD
The Office of the Government Chief Information Officer (OGCIO) replaces the previous
Centre for Management and Organisation Development (CMOD).
Responsibilities of OGCIO
The Office of the OGCIO has a wide remit and is responsible for ICT Strategy
development of the Public Service; Government Networks; eGovernment Systems
Development; eGovernment Policy; EU and International engagement; ICT Metrics; plus
delivery of an IT Shared Service to the Departments of Public Expenditure and Reform,
Finance and the HR Shared Service Peoplepoint.
http://www.per.gov.ie/en/minister-howlin-launches-new-office-of-the-
government-chief-information-officer-ogcio/
Updated ID Policy
Updated Identification Requirements
Policy
With effect from 30th September 2014, Identification
Requirements will change for those candidates taking the
Category C and Category D Driver Theory Tests, as
detailed below.
Please be advised if you do not bring the required
identity documents with you for testing, you will not
be allowed to sit your test and you will lose your fee.
You must bring one of the following, plus two identical
colour passport-sized photographs that conform to
the required standards :
A current Category C or D Irish Learner Permit
A full current Category C or D Irish Driving Licence, (or
one from an EU/EEA member state or Switzerland)
A full current Category B Irish Driving Licence (or one from
an EU/EEA member state or Switzerland)
http://www.theorytest.ie/updated-dtt-id-reqs-from-april-2013/
http://www.theorytest.ie/policy-and-customer-charter/
Applying for a passport or
driving licence? You'll soon
need a Public Services Card to
do so
The Department of Public Expenditure and Reform confirmed that the
card will be needed to apply for a passport from autumn of this year.
May 22nd 2017
Source: Shutterstock/Astroette
A SIGNIFICANT BACKLOG in passport applications has
developed at Irelands Passport Office.
Figures released to TheJournal.ie by the Department of
Foreign Affairs (DFA) show that currently 65,916
applications are outstanding (ie awaiting process).
This represents an increase from the 60,404 such
applications that were outstanding at this time last year.
The single greatest reason for the backlog would appear to
be Brexit.
Since the UK voting to leave the EU in June 2016,
applications for Irish passports have increased to a huge
extent from eligible citizens living in Britain hoping to avoid
issues with free travel (and employment) throughout the
union once Brexit becomes official in March 2019.
Last year saw a 33% increase (33,008) year-on-year of the
number of applications received from Northern Ireland and
mainland Britain.
The first five months of 2017 have seen that trend explode
with a staggering 55% increase in the number of
applications received from this time last year (29,792
additional applications received year-on-year until end May
2017).
Its understood that there is a deal of concern within DFA
regarding the ongoing backlog in the process of applications,
although waiting times currently vary depending upon the
manner of application.
TheJournal.ie contacted DFA for a statement in relation to
this matter. A response had not been received at the time of
publication.
Source: DFA
The 66,000 applications currently outstanding are totalled
from applicants in Ireland, Northern Ireland and Great
Britain, and via DFAs online passport renewals service.
The breakdown of outstanding applications at present is:
Irish applicants 43,274 (66%)
Northern Irish applicants 10,288 (16%)
British applicants 8,609 (13%)
Online renewals 3,745 (5%)
Unusually high
number of people'
seeking Irish
passports, Northern
Ireland's Post Office
says after EU vote
GoogleTrends said UK searches for "getting an Irish passport" jumped more than 100% after the Brexit result came through.
And while the data analysts would not reveal the exact number of searches for information on the Republic's citizenship
rules, they said most interest was shown in Northern Ireland with the normally unionist heartland of Holywood, Co Down,
taking top spot.
Figures from Ireland's Department of Foreign Affairs earlier this month showed the total
number of Irish passport applications from Britain this year is 3,334 - up very slightly from
3,239 over the same period last year.
Officials also cautioned that there have been significant fluctuations in recent years and
applications from Britain were only a fraction of what they were from 2007-09.
A Senator in the Irish parliament, Neale Richmond, urged passport officials to be ready for
the so-called Cascarino effect, recalling Jack Charlton's tactic of picking British footballers
with Irish heritage when he managed the Republic of Ireland.
Mr Richmond, who has two English cousins who recently applied for Irish passports, said:
"British citizens with Irish grandparents applying for Irish passports could now move from a
torrent to a flood."
In Northern Ireland, which voted to remain in the EU along with Scotland, Deputy First
Minister Martin McGuinness called for a referendum on a united Ireland, while Nicola
Sturgeon, the Scottish First Minister, said a second independence referendum was highly
likely in the next two-and-a-half years.
http://www.telegraph.co.uk/news/2016/06/24/unusually-high-number-of-
people-seeking-irish-passports-northern/
BY CONOR HENEGHAN
Minister for Public Expenditure Paschal
Donohue said that the changes would be
introduced due to the increase in acts of
terrorism over the last several years.
Irish citizens applying for Irish passports will have to
produce the States public service card from autumn of
this year onwards and all applicants for Irish driving
licences will be required to do so from next year onwards.
According to The Irish Times, it has been confirmed that
the card will be a requirement in the application process
for both the passport and driving licence, with Minister for
Public Expenditure Paschal Donohue telling the paper that
the reasons for introducing the requirement were very
simple.
https://www.ireland.co.nz/wp-
content/uploads/2016/04/CURRENT-passport-fees-and-
guidelines.pdf
The state should, with some legal exceptions, only acquire, store and
process citizens personal information with the full informed consent
of each citizen.
The state must inform citizens about any plans to use their personal
data in any way other than the purpose for which it was acquired. Clear
information about these other purposes must be provided at the time
and place at which the data is acquired.
Whether legally or illegally obtained, personal data has a long and
persistent life and those who control access to it will change.
For data protection purposes the state is not a monolithic entity. If one
department intends to share personal data with another, it must
inform citizens fully about this when it collects this data.
Informed consent such as this leads to trust and empowered decision
making by individuals. Citizens can choose whether they wish to trust
the state with their personal data, in which context and for how long.
In addition to this the government and a range of public bodies have
fairly extensive powers to demand personal data from other bodies
without consent, where the individual involved might never be aware
of it and doesnt have to give consent.
The various state bodies involved have to earn trust from citizens. In
order to earn trust, full information about uses and safeguards around
personal data must be provided.
If the state seeks to short-circuit this relationship built upon trust by
forcing people unwittingly or unwillingly onto the register, citizens will
suspect the state cannot give enough assurances that the state is a
trustworthy guardian of their personal data.
Privacy campaigners have expressed concern that a plan by the Government to make
all citizens applying for a passport and a driving licence first obtain a State-issued
public services card represents the introduction of a national ID card by stealth.
Minister for Public Expenditure and Reform Paschal Donohoe confirmed that all
passport applicants will be required to have a Public Services Card (PSC) from the
autumn, although he insisted it is not and will not be compulsory for citizens to get the
card.
Not calling the Public Services Card an identity card is the thinnest of
rhetorical cover and it is surprising that this has gone on mostly unquestioned
for several years until it hit the front page of the Irish Times last Monday. If
the state wants to introduce a national identity card it should let citizens
know and make its arguments as to why it feels this is necessary.
Responding to the Irish Times story, former justice minister and current
Senator Michael McDowell said he has always been opposed to national
identity cards and remains so.
The executive director of the Irish Council for Civil Liberties Liam Herrick said
that the government should propose such a measure through primary
legislation and facilitate a national debate on such a measure.
In such a debate ICCL would argue that ID cards are an ineffective, expensive
and intrusive mechanism to advance the stated public policy objectives. We
note that plans to introduce a national ID card system in the UK were
abandoned in 2010 for these reasons.
Dr. Dennis Jennings, the only Irish inductee into the Internet Hall of Fame and
the closest thing Ireland has to a Tim Berners-Lee, was before the joint
Oireachtas Committee on Finance on Tuesday and was scathing in his
criticism of the way the state is going about introducing the Public Services
Card.
The current situation where the Department of Public Expenditure
and Reform is trying to introduce 3 million Public Services Card,
using data sharing from multiple sources under the provisions of a
very old and out-of-date (from a privacy perspective) Social
Welfare legislation is, I think, truly shocking, and a gross breach of
this principle and of the trust that is required.
http://myprivacykit.com/project
s/the-identity-card-that-most-
assuredly-isnt-an-identity-card/
INTERNET HALL of FAME PIONEER
Dennis Jennings
As the first Program Director for Networking at the US National Science Foundation
(NSF, 1985-86), Dr. Jennings was responsible for the design and development of the
NSFnet Program. Jennings developed a vision of an open network of networks an
Internet designed to serve all of US research and higher education.
Jennings selection of the DARPA TCP/IP Internet protocol suite, and his insistence on
its deployment across NSFnet, was a key contribution. The NSFnet Program stimulated
the development of many regional research and education networks, and it connected
them to campus networks, to supercomputing centers and their networks, and to the first
(interim) NSFnet backbone (and later to US federal agency networks, and international
research and education networks). NSFnet eventually became a major part of the Internet
backbone.
In the 1990s he became interested in angel investing, and he left UCD in 1999 to pursue
his commercial interests. He served on the Board of ICANN (2007-2010), and chaired the
Irish National Centre for High-end Computing Oversight Board (2006-2012). Jennings
earned a PhD in Physics (Astrophysics) from UCD in 1972.
https://www.youtube.com/watch
?v=L08YD3fOSqU
Public services card a gross breach of citizens trust
Dr Dennis Jennings told the Joint Oireachtas Committee on Finance public confidence in the data
protections provided by Government systems was required before making an ID system compulsory.
The rollout of three million public services cards to citizens using out-of-date welfare legislation from
a privacy perspective is truly shocking and a gross breach of the trust required between the citizen
and State, an Oireachtas committee has heard.
Irish physicist Dr Dennis Jennings told the Joint Oireachtas Committee on Finance that public
confidence in the data protections provided by Government systems was required before making an ID
system compulsory.
The Government has been issuing public services cards to citizens since 2012, with more than 2.3
million provided to date.
Ministers have confirmed all citizens applying for a passport or a driving licence in the future will be
required to have the card, although they insist the card is not compulsory.
The cards infrastructure is built on a database controlled by the Department of Social Protection.
Citizens may access some State services through the recently launched online portal MyGovID, which
is built on the same database.
Dr Jennings, a delegation from the privacy advocacy group Digital Rights Ireland and data protection
barrister Dr Denis Kelleher addressed the committee at a session examining the general scheme of the
new Data Sharing and Governance Bill.
Dr Jennings, who made a major contribution to the development of the global internet in the 1980s,
said current identity mechanisms, including passports, driving licences, medical cards and PPS
numbers were all, in his view, poor substitutes for what is actually required.
Public confidence
General buy-in to the use of unique identifiers can and will be achieved by the State offering
compelling value propositions, better, faster, slicker, more convenient, more accurate, more efficient
services, so that in due course, when public confidence in the data protection provided by the systems
has been established, the identification system may be made compulsory, he said.
Giving citizens access to their own data must be an integral part of it from the very beginning.
Data protection consultant Daragh OBrien said the Bill was a missed opportunity to learn from prior
experiences.
He said we had seen recent cases where the careless handling of information had resulted in a fact
being created, and a process put in train, that impacted on the private life of at least one
whistleblower.
We have also seen a constant procession of cases before the Data Protection Commissioner and the
courts where data has been accessed inappropriately and without authorisation.
Dr Kelleher said that to comply with the new EU General Data Protection Regulation, data sharing by
the state required a law, he said.
The model used in the proposed Bill was one of memorandums of agreement between government
departments.
Vice-chairman of the committee Senator Gerry Horkan (FF) said if the legislation was not fit for
purpose as far as the delegation was concerned it should be sent back to the Department of Public
Expenditure saying improve your efforts.
https://www.irishtimes.com/news/politics/public-services-card-a-gross-
breach-of-citizens-trust-1.3093672
Facial-recognition software and our fear of Big Brother
Chris Horn
Some employees and passengers at certain international airports accept their faces being photographed
for security. Photograph: Qilai Shen/Bloomberg
John de Mol is a Dutch entrepreneur and media tycoon, who has been listed as one of the 500 richest in
the world. His influence here in Ireland is chiefly through the reality TV series Big Brother, which he
created in 1997. Some 20 years later, there have been several hundred seasons of the Big Brother
franchise in over 50 countries worldwide.
The shows name derives from George Orwells book Nineteen Eighty-Four, in which Big Brother is
the leader of a totalitarian state wielding absolute power over its citizens, not least by telescreens which
continuously observe its inhabitants.
Fortunately, we do not live in a totalitarian society. Nevertheless, the State is increasing its surveillance
over us. The Garda Automatic Number Plate Recognition system was first introduced in 2008. Garda
cars fitted with the equipment can continuously and automatically scan number plates, and verify that
the vehicles so identified are taxed. Speeding vehicles are also identified.
In principle, the system can also verify that vehicles are insured, but full integration with accurate data
from insurance companies may yet take until 2019. Paper disks on windscreens for tax, NCT and
insurance could then become a thing of the past. As the system has been further developed, it can
automatically detect stolen vehicles, and vehicles associated with criminal suspects. During recent
court cases, the Garda has reported cars of interest being automatically identified by the system near
the scenes of crimes.
Fraudulent identity
In 2015, the Department of Social Welfare introduced facial-recognition software which automatically
scans photographs of new applicants against the departments internal database of existing claimants.
Any match is then a potential case of fraudulent identity, and is brought to the attention of the
departments special investigation unit. A number of successful court prosecutions have been taken,
and more cases are listed.
Passengers through some international airports accept their faces being photographed during security
and then checked again before boarding. International travellers to the US likewise have their faces
scanned by customs and border control. The Trump administration has now announced its Biometric
Exit programme. Every visa holder leaving a US airport will automatically have a high-quality
photograph of their face scanned against the federal visa application database. If there is no match, then
the visitor may have entered the US illegally.
Furthermore, the same technology could be used to check the FBI database and other databases of
interest at the state or federal level. Thus, in the same way that the Garda system can automatically and
continuously check number plates against databases of criminal- and security-related activity, so might
many airport systems automatically and continuously review facial scans. In fact, there is little
technical challenge to doing likewise using any security-related video feeds, including from good-
resolution CCTV systems widely deployed in urban areas. Automatic verification of identity can
catalyse continuous law enforcement.
State surveillance
And so, while we have been watching Big Brother, Big Brother is increasingly watching us, with
implications for law enforcement and civil rights. But in addition to surveillance by state authorities,
the reality TV show is becoming real: not only can we watch and learn about strangers in a custom-
built house, but we can potentially watch and learn about strangers in the real world too.
The Google Glass project offered a computer display mounted as a pair of eyeglasses. Google stopped
its prototype Glass project in 2014, but not before some software developers had created facial-
recognition-based apps for Glass which could identify random strangers.
Just last month, a UK ad agency announced a new app, Facezam, which would let you to take a photo
of a random stranger with your smartphone, and then identify them from Facebook accounts.
Facebooks technology facilitates such automated searches, because the hundreds of millions of its
users are explicitly encouraged to identify and tag friends and family members in the photos which are
uploaded into Facebook.
Apps which exploit Facebooks facial-recognition algorithm such as Facezam violate the social
media firms current privacy norms and are consequently likely to be disallowed. In fact, Facezam
turned out to be a publicity hoax, aiming simply to draw attention to the ad agency concerned.
On the other hand, a Facezam equivalent already exists and is not at all a hoax. The Findface app uses
the Russian social network VK to recognise strangers from photos, provided those strangers are users
of that particular social network.
John de Mol has made a lot of money from his Big Brother reality TV brainchild, but it is not his only
reality TV concept. Among other titles, he created Fear Factor in which contestants are challenged to
overcome their instinctive fears. Our own fascination with identifying and watching complete strangers
is becoming scary.
https://www.irishtimes.com/business/innovation/facial-recognition-
software-and-our-fear-of-big-brother-1.3061827
By Justin Lee
The use of facial recognition technology at U.S. airports is raising concerns among some legal experts,
who argue that the program may violate specific privacy rights and that Congress has not fully
authorized it, according to a report by MIT Technology Review.
The U.S. Department of Homeland Security has partnered with airlines such as JetBlue and Delta to
implement recognition systems at New Yorks JFK International Airport, Washingtons Dulles
International, and airports in Atlanta, Boston, and Houston, with plans to expand to other airports this
summer.
The practice is part of a Congress-mandated initiative that ordered DHS to implement a biometric
system for recording the entry and exit of nonU.S. citizens at all air, sea, and land borders. The
initiative was fast-tracked earlier this year by President Trumps executive order.
In the past couple months, U.S. Customs and Border Protection began scanning the faces of all
travelers boarding a daily flight to Tokyo from George Bush Intercontinental Airport in Houston, and
on flights leaving Dulles for the United Arab Emirates.
Delta will soon begin testing its eGates facial recognition system for travelers flying out of Atlanta and
Boston, while JetBlue will trial a similar system for travelers flying out of Boston to Aruba. The data
from both airlines programs will be sent to CBP.
For both programs, airline-owned cameras at the gate capture passenger photos and compare them with
the passport and visa photos associated with the identities of the passengers on a given flight manifest.
Harrison Rudolph, a law fellow at Georgetown Laws Center on Privacy and Technology, said that
people should not be fooled by the CBPs use of the term testing.
He said the technologies are operational in that the agency is already using these systems to generate
biometric exit records for foreign nationals.
Advertisement
In addition to foreign nationals, CBP is also scanning the faces of U.S. citizens. For instance, only
travelers with U.S. passports are able to participate in JetBlues self-boarding program in Boston.
Rudolph and other privacy advocates say that Congress has never fully authorized the routine
collection of facial scans from U.S. citizens at the border.
Weeks after announcing the executive order, the Trump administration revised the order to clarify that
the biometric exit program did not include U.S. citizens.
Both JetBlue and Delta have said that the facial recognition identity check is optional, however, it is
unclear if this also applies to foreign nationals.
Meanwhile, DHS said that if a U.S. citizen does not want to participate, an available CBP officer may
use manual processing to verify the individuals identity.
It is still unclear as to what the CBP does with the information after the agency collects it at the gate
and verifies a travelers identity, but DHS claims that all data relating to the images is deleted within
14 days.
http://www.biometricupdate.com/201707/legal-experts-say-biometric-
exit-practices-at-airports-may-be-violating-privacy-laws
If You Get Your Face Scanned the Next Time You Fly, Heres
What You Should Know
Were willing to do a lot to make the airplane boarding process smoother, but privacy experts say we
might want to think twice before agreeing to let a camera at the gate scan our faces.
Facial-recognition systems may indeed speed up the boarding process, as the airlines rolling them out
promise. But the real reason they are cropping up in U.S. airports is that the government wants to keep
better track of who is leaving the country, by scanning travelers faces and verifying those scans
against photos it already has on file. The idea is that this will catch fake passports and make sure
people arent overstaying their visas.
The practice is raising concerns among some legal experts, who say that the program may violate
individual privacy protections and that Congress has not fully authorized it.
The U.S. Department of Homeland Security has partnered with airlines including JetBlue and Delta to
introduce such recognition systems at New Yorks JFK International Airport, Washingtons Dulles
International, and airports in Atlanta, Boston, and Houston, among others. It plans to add more this
summer. The effort is in response to a years-old mandate from Congress that DHS implement a
biometric system for recording the entry and exit of nonU.S. citizens at all air, sea, and land ports of
entry. Earlier this year, President Trump fast-tracked that mandate via executive order.
As facial-recognition technology has improved significantly in recent years, it has attracted the interest
of governments and law enforcement agencies. Thats led to debates over whether certain uses of the
technology violate constitutional protections against unreasonable searches (see As It Searches for
Suspects, the FBI May Be Looking at You). Privacy advocates also point out that research has shown
the technology to be less accurate with older photos and with images of women, African-Americans,
and children (see Is Facial Recognition Accurate? Depends on Your Race).
Last month, U.S. Customs and Border Protection began scanning the faces of people boarding a daily
flight to Tokyo from George Bush Intercontinental Airport in Houston. In May, it began doing the
same for a flight leaving Dulles for the United Arab Emirates. In Atlanta and Boston, Delta will soon
begin testing what it calls eGates, which scans passengers faces before they can board the plane.
JetBlue says it is testing a similar system in place for a flight out of Boston headed to Aruba. The data
from those programs goes to CBP.
In each case, airline-owned cameras at the gate capture passenger photos so they can be compared with
the passport and visa photos associated with the identities of the people on a given flight manifest.
Dont be fooled by the term testing, says Harrison Rudolph, a law fellow at Georgetown Laws
Center on Privacy and Technology. They are operational, at least in the sense that CBP is already using
these systems to create biometric exit records for foreign nationals, he says.
Rudolph and others are raising alarms because as part of the process, CBP is also scanning the faces of
U.S. citizens (in fact, at this point only customers with U.S. passports can participate in JetBlues self-
boarding program in Boston). They say Congress has never expressly authorized the collection of
facial scans from U.S. citizens at the border routinely and without suspicion. The Trump administration
revised his executive order to clarify that the biometric exit program did not pertain to U.S. citizens.
As it is still early in what appears to be a broader effort to deploy facial recognition in airports across
the country, we dont yet know how easy or difficult it will be for travelers to avoid. Both JetBlue and
Delta say people can opt out, but it is not clear if that applies to foreign nationals. According to DHS, if
a U.S. citizen asks not to participate, an available CBP officer may use manual processing to verify
the individuals identity.
No matter whose face is being scanned, though, we dont know much about what happens to the
information after CBP collects it at the gate and verifies a passengers identity, but DHS says that all
data pertaining to the images is deleted within 14 days.
https://www.technologyreview.com/s/608255/if-you-get-your-face-
scanned-the-next-time-you-fly-heres-what-you-should-know/
The State appears to be on a collision course with European law over its handling of major projects
involving personal data, an Oireachtas committee has heard.
Pre-legislative scrutiny of the general scheme of the Data Protection Bill 2017 concluded at the Joint
Committee on Justice and Equality on Wednesday.
The proposed legislation must be in place by May next year to give effect to the new European Union
general data protection regulation and an associated directive on sharing data for law-enforcement
purposes.
Legal experts have been making submissions to the committee over several sessions with a view to
shaping the draft legislation. The office of the Data Protection Commissioner has also given its views.
Law lecturer and chair of Digital Rights Ireland (DRI) Dr TJ McIntyre, and the organisations solicitor
Simon McGarr appeared before the committee on Wednesday.
Independents 4 Change TD Mick Wallace asked the delegations views on a number of issues,
including oversight of state surveillance, and the rollout of the public services card project here.
He also asked if the new legislation squared with the ongoing health identifiers project being rolled out
by the Health Service Executive, which will assign each citizen a number that will track them from
birth to death.
Mr McGarr said the card needed to be considered as part of the wider question of judgment by the
Court of Justice of the European Union, known as the Bara judgment.
In that 2015 case, the Romanian government was found to have acted unlawfully by transferring a
citizens personal data from one public body to another without notifying the citizen first.
Mr McGarr said the State had taken a lot of concrete steps in recent years to build not merely an ID
database, of which the public services card was merely the physical manifestation, but also to build a
series of national databases.
If it was the case that the legislation underpinning the health identifiers did not comply with European
law following the Bara judgment, every single resident of the State would have a claim on the State if
their rights had been breached, even if they had suffered no financial loss.
Fines
I think that the risk that the IHI [Individual Health Identifier] database poses to the exchequer and also
again to the relationship of trust between the State and its citizens is such that it would be very valuable
for the matter to come under extremely close scrutiny between now and the implementation of the
GDPR [General Data Protection Regulation] in May 2018, Mr McGarr said.
Independents 4 Change TD Clare Daly said she believed Mr McGarrs comments were a polite way of
saying: Were on a collision course really and were out of kilter with the rest of Europe on some of
these issues.
DRI shared concerns also voiced by the Data Protection Commissioner that the proposed Bill would
seek to exempt public bodies from substantial fines provided for in the regulation.
It suggested explicit recognition of the right to compensation for both material and non-material
damages should be written into the Bill, and also said the Government should implement an option that
would allow individuals nominate not-for-profit bodies to take a single action on their behalf where
their data had been abused.
https://www.irishtimes.com/business/technology/state-on-collision-
course-with-eu-court-over-data-sharing-1.3144218
Government continues data-sharing projects despite EU ruling
Data dilemma: the MyGovID online platform for citizens to access State services, which last week won
an award in the Civil Service Excellence and Innovation awards, appears to ignore the European Court
of Justice ruling in the Bara case.
Three years ago, the Government embarked on a grand scheme to consult with the public service,
government departments and members of the public on how the personal data of citizens might be
shared to improve and streamline State services.
Even in a rapidly expanding environment for private and public services online, it was an ambitious
proposal, but it remained almost entirely under the radar apart from being noted by a tiny cohort that
might be unkindly referred to as the privacy geek community.
One high-level observer said the public should be properly informed about the grand bargain
involving the trading of their personal data for the benefits they get from the State.
Such arrangements may, under recent plans, include the sharing of sensitive health information for so-
called health solutions for the general public. Delivered via apps or through other routes, these
services might be processed by third parties, such as multinational corporations with their headquarters
outside the EU namely the US which does not generally provide the same fundamental rights
protections as the EU for personal data. There are ongoing concerns (to say the least) in the EU over
the processing of citizens personal data which may be accessed by US national security authorities or
by other law enforcement authorities, with minimal scrutiny.
Hacking, for identity theft and data fraud, in particular in the health sector, is a growing and ever-
present threat, with some studies suggesting health data breaches take up to twice as long to detect and
also that health data is also worth up to 10 times as much as other data on the black market.
But back to Ireland: following a public consultation in late 2014, a draft piece of primary legislation
that would cover government data-sharing projects was drawn up and approved by the Government in
the middle of 2015. But in October of last year, a ruling by the Court of Justice of the European Union
in the Romanian case of Smaranda Bara, appeared to blow much of that plan out of the water.
In that case, the Luxembourg-based court held that the requirement of fair processing of personal data
meant a public administrative body had to inform citizens of the fact that their data would be
transferred to another public administrative body for other purposes.
At the recent re:Publica conference in Dublin, Dr Dennis Jennings, who sits on the Governments open
data governance forum, said he had informed the Government that much of its plan for sharing
citizens data, under that draft legislation, would be illegal under the Bara ruling. The legislation is
back at the drawing board, but has not yet been before the Oireachtas.
The Data Protection Commissioner, who is responsible for ensuring the processing of citizens
personal information is in compliance with the law, issued guidance on the Bara ruling.
Helen Dixons office said that the public policy objective being pursued by a particular data sharing
arrangement without consent should be explicit and that an assessment should be made as to whether
the likely benefits of the sharing justified the overriding of the individuals data protection rights.
Public sector bodies should consider the potential benefits and risks, either to individuals or society, of
sharing the personal data, her office said.
In theory, that should have sent the Governments data-sharing project, driven mainly by the
Department of Public Expenditure and Reform and the Department of Social Protection, back to the
drawing board. The drafting of legislation is still under way.
Yet a number of massive Government data-sharing projects have continued apace almost as if the
European ruling in Bara had not happened.
Active Government projects currently include the HSEs eHealthIreland divisions project to create an
individual health identifier for every person in the State and the creation of a database on every primary
school pupil.
The Department of Social Protection has a plan, in conjunction with the Department of Public
Expenditure, is to issue every adult in the State with a public services card by the end of this year.
The Government has a contract with a private provider to fulfil a requirement to issue three million
cards and has already issued around two million, but is short of the number it is required to issue. It
appears to be desperately trying to get them out the door, through means such as issuing cards to
customers using their passport details from the Department of Foreign Affairs.
At least 431,000 public services cards have been issued in this way, according to the Department of
Social Protection. Both departments insist the legal basis for sharing personal data resides in the Social
Welfare Act of 2005.
Yet question marks remain over whether the legislation cited by both those departments provides a
legal basis for sharing citizens data.
Records released under the Freedom of Information Act reveal that the MyGovID project an online
identity management system for members of the public launched in February, was still in need of
appropriate communications, governance and standards two months later.
Separately, the HSE was warned by the Data Protection Commissioner that a privacy impact
assessment on the implementation of the individual health identifier for every citizen did not cover the
creation of new databases, such as a national diabetes register.
The DPC also said serious consideration must be given to its guidelines in relation to data sharing in
the public sector, and in particular around the issue of transparency.
In comments on the draft of the HSEs privacy impact assessment for the health identifier project, the
Data Protection Commissioners office said the 82 submissions received on the public consultation was
a somewhat disappointing return given that this project will affect every citizen of the State.
Records released under the Freedom of Information Act said that while there was no indication as to
the identity of the respondents to the consultation, it appeared that the majority of responses are from
individuals within the health sector, which may lead to a distorted view of the privacy risks for
individuals associated with the project.
While the office recognised there had been a concerted effort by eHealthIreland and the HSE to
promote and discuss the health identifier project, it said the lack of public knowledge regarding the
legislation and its impact was a risk in itself.
The Department of Social Protection has control of the MyGovID online identity management project
launched in February. As of March, it had already given presentations to the Revenue Commissioners,
the Department of Transport, the Road Safety Authority, Solas, the Department of Education, the
Immigration and Naturalisation Service, the Private Residential Tenancies Board, the Department of
Health and the Passport Office, clearly with a view to them accessing the service.
The Garda Vetting Unit, which assesses people for certain job applications, has drafted a business case
for access to the system.
Earlier this week the Governments MyGovID online platform for citizens to access State services
through an online identity management platform won an award in the Civil Service Excellence and
Innovation awards.
Daragh OBrien, managing director of Castlebridge Associates, a consultancy firm on data governance
and data protection issues, said the new General Data Protection Regulation, various judgments of the
Court of Justice of the European Union, as well as the EU Charter of Fundamental Rights, made it clear
that data collection on a grand scale must be both necessary and proportionate.
Nothing exemplifies the failure of the Irish public service to recognise that data protection law exists,
and has evolved, more than the celebration of an award for a project that on the face of it appears to
ignore the Court of Justice ruling in the Bara case, he said.
In relation to the MyGovID project, he said that building governance controls after a department had
built a massive database of citizens information was the equivalent of blocking the door after the
horse has bolted.
As of October, the Data Protection Commissioner was still reviewing the documentation pertaining to
the health identifiers project, which was presented as a fait accompli by the HSE in the summer.
https://www.irishtimes.com/business/technology/government-continues-
data-sharing-projects-despite-eu-ruling-1.2896362
It is a serious matter of concern that legislation proposed by the Government seeks to exempt public
bodies from fines where they breach data protection rights, the Data Protection Commissioner has said.
It is a serious matter of concern that legislation proposed by the Government seeks to exempt public
bodies from fines where they breach data protection rights, the Data Protection Commissioner has said.
Helen Dixon and two deputy data protection commissioners attended the Joint Oireachtas Committee
on Justice and Equality on Wednesday for pre-legislative scrutiny of a new data protection Bill.
The general scheme of the Data Protection Bill 2017 outlines legislation that would give effect to the
new EU General Data Protection Regulation (GDPR), as well as an EU directive on the sharing of
personal data for law enforcement purposes.
Fines of up to 20 million or 4 per cent of annual worldwide turnover may be imposed on bodies that
breach the regulation, depending on the circumstances.
The regulation, along with a new electronic privacy regulation protecting communications by phone
and email and electronic means will take effect across the union from May 25th next year.
Ms Dixon said that in general terms, her office welcomed the new legal regime for data protection law
in Europe and the important additions to her toolkit as an enforcer.
Its undoubtedly the case that there will be investigations where a punitive fine is warranted in order
to deter organisations from failing to invest in compliance and to deter them from creating risks for
consumers and individuals, she said.
The very purpose of punitive fines provided for in the new EU law was to act as a deterrent to all types
of organisations, Ms Dixon said.
Her office saw no basis on which public bodies or authorities would be excluded, particularly given
that arguably higher standards in the protecting of fundamental rights are demanded of those entities.
The heads of the Bill as published propose that public bodies would only be subject to administrative
fines where they were acting as undertakings, namely where the services they were providing were in
competition with other bodies in the private sector.
Ms Dixon said the workload proposed for the DPC in making assessments of whether public bodies
were engaged in activities that would compete with the equivalent private sector bodies would take her
office away from its substantive role in relation to data protection.
Her office, she said, occupied a unique position as a supervisory authority in Europe as its remit
covered the largest global internet companies that had their European bases in Ireland.
A comprehensive toolkit as an enforcer was a necessity.
Ms Dixon noted the new EU regulation was intended to represent a clean slate with regard to data
protection legislation in Europe, and yet there was no guarantee that the existing Irish data protection
acts of 1988 and 2003 would be repealed.
She said her office considered that their retention, and a patchwork presentaiton of Irish law, ran the
risk of creating legal uncertainty in terms of precisely which provisions of the law would apply, and in
what circumstances, after May 2018.
The commissioner also raised an issue regarding the handling of complaints from individuals under the
GDPR, noting it introduced changes in relation to the manner in which supervisory authorities must
deal with complaints from individuals about alleged infringements of their rights. She said it was
important to note in this context that the supervisory authority was required to investigate a complaint
to the extent appropriate.
Our aims in these circumstances will be to ensure that our resources are deployed in a way that
maximises them, pursues investigations in cases of the most grave or enduring infringements on an
objective and priority basis, she said.
Independents 4 Change TDs Clare Daly and Mick Wallace raised concerns about Government projects
such as Public Services Cards and Individual Health Identifiers and whether the manner in which they
were being rolled out was compatible with EU law.
Seamus Carroll of the civil law reform division in the Department of Justice and Equality said he did
not want to be drawn on the details of health legislation which was being considered separately.
But he said that for the future, there must be a lawful basis for the processing of personal data and there
must also be greatly increased transparency.
Ms Dixon will address the Data Summit hosted by the Department of the Taoiseach at the Convention
Centre in Dublin on Thursday morning.
It will be opened by newly elected Taoiseach Leo Varadkar, with an introduction by Minister for
European Affairs, the EU Digital Single Market and Data Protection Dara Murphy.
The event spans Thursday and Friday and is supported by a range of partners, including all the main
multinational data firms in Ireland, Enterprise Ireland, IDA Ireland, Science Foundation Ireland and the
American Chamber of Commerce Ireland.
http://www.irishtimes.com/news/politics/serious-concern-over-exemption-of-public-bodies-from-data-
protection-fines-1.3120643
Dixon: Data Protection Bill 2017 exemptions a 'serious matter
of concern'
Ireland Data Protection Commissioner Helen Dixon spoke out against proposed
legislation seeking to exempt public bodies from penalties when violating data
protection rights, saying its a serious matter of concern, The Irish Times
reports. The Data Protection Bill 2017 would give effect to the EU General Data
Protection Regulation and the EUs directive on sharing data for law enforcement
purposes and states that public bodies would only be given fines if they are
acting as undertakings, specifically when the services they are offering are in
competition with others in the private sector, the report states. Dixon said the
legislations fines are meant for all organizations, and her office saw no basis on
which public bodies or authorities would be excluded, particularly given that
arguably higher standards in the protecting of fundamental rights are demanded
of those entities.
https://iapp.org/news/a/dixon-speaks-out-against-proposed-data-
protection-bill-2017-exemptions/
This guidance sets out the principles of confidentiality and respect for patients privacy that all
doctors are expected to understand and follow. It also sets out the responsibilities of doctors for
managing and protecting patient information.
http://www.gmc-uk.org/Confidentiality___Key_legislation.pdf_70063869.pdf
Our core guidance, Good medical practice, makes clear that patients have a right to expect that their
personal information will be held in confidence by their doctors.
This guidance outlines the framework for considering when to disclose patients personal information
and then applies that framework to:
Doctors must follow all our guidance: serious or persistent failure to do so will put their registration at
risk.
http://www.gmc-uk.org/guidance/ethical_guidance/confidentiality.asp
The Public Services Card (PSC) helps you to access a range of public services easily. Your identity is
fully authenticated when it is issued so you do not have to give the same information to multiple
organisations. It was first introduced in 2011 and was initially rolled out to people getting social
welfare payments. It is now being rolled out to other public services.
The front of the card holds a persons name, photograph and signature, along with the card expiry date.
The back of the card holds the persons PPS number and a card number. It also holds a magnetic stripe
to enable social welfare payments such as pensions to be collected at post offices
If the person holding the card is entitled to free travel, the card will display this information in the top
left-hand corner. If FT-P is written on the card the holder is personally entitled to free travel. If FT+S is
written on the card the holder can travel with their spouse, partner or cohabitant. If FT+C is written on
the card the holder can have a companion (over 16) travel with them for free (because they are unable
to travel alone for medical reasons).
Face-to-face registration for a Public Services Card is called SAFE (Standard Authentication
Framework Environment) registration.
SAFE registration takes about 15 minutes to complete (once all documents are presented). During this
appointment your photograph will be taken and your signature recorded for your new Public Services
Card, which will be posted to you. You will also be asked for the answers to some security questions.
You must bring certain documents with you to your appointment to prove your identity and address.
You should also bring your mobile phone, if you have one. Having your mobile phone with you when
you are SAFE registered means that we can pair that mobile phone number with you. This makes it
much easier for you to verify your MyGovID account which is required should you wish to access
public services online in the future.
Ordinarily, to get a PSC, a person must attend a face to face interview at a DSP Office. However in
certain circumstances and subject to a persons consent a PSC can also be issued based on information
provided to another state body, such as in a drivers licence application. Accordingly this Department
intends to write to certain persons who applied for a driving licence and in doing so has provided the
Road Safety Authority with personal information and a photograph. These people will be offered the
opportunity to complete the SAFE registration process without attending a DSP office. See Privacy
Impact Assessment on the use of RSA Driving Licence data here.
If you dont yet have a PSC you can make an appointment to get one either by using MyWelfare.ie or
by calling into your local Intreo Centre or social welfare local office. Details of the Department of
Social Protections offices can be found here: http://www.welfare.ie/en/Pages/Intreo-Centres-and-
Local-and-Branch-Offices.aspx
If your Public Services Card is lost, stolen or damaged, you should immediately contact the Public
Services Card Helpdesk at 1890 837000.
Questions
If you have general questions about the card or the registration process you can use the Department of
Social Protections online query form or contact:
Irish citizens applying for a new passport or a driving license will also have to hold the States Public
Services Card (PSC).
Although Irish Ministers insist that the cards are not compulsory, the new requirements mean that, for
anyone who wishes to travel or drive, they effectively are.
Those applying for a passport will be required to produce the PSC from the autumn while it will be
needed for driving license applications from next year.
Since 2011, the card has been issued to 2.3 million Irish citizens. It is underpinned by a biometric facial
recognition database controlled by the Irish Department of Social Protection. Recently it has been
given to people claiming social welfare benefits and, although a policy of non-obligation has been
maintained, the Irish Government has been keen to encourage all citizens to sign up.
The new measures will go some way towards hitting its target of having three million people registered
by the end of 2017.
Paschal Donohoe, Irish Minister for Public Expenditure, explained that the reason for the change in
procedure was to do with the safety of Ireland and its citizens.
Given the increase in acts of terrorism over the last several years, every democratic country should be
obliged to deploy the most robust means of authenticated travel across borders that it has available, he
told The Irish Times. It is not, and will not be, compulsory to have a PSC.
However, Government has an obligation to deploy the most robust means of online and physical
identity verification possible to ensure that it is doing all it can to reduce fraud, personation and the risk
of identity theft in the delivery or accessing of public services.
Mr Donohoe said that the process behind the card has a legislative underpinning but others are
unconvinced.
TJ McIntyre, chairman of civil liberties group Digital Rights Ireland and a law lecturer at UCD,
described them as very concerning.
http://www.theirishworld.com/public-services-id-cards-ireland/
Irish passports
Irish citizens applying for a passport will be asked to produce a public service card from Autumn.
The card, which has been issued to 2.3 million people since 2011, is supported by a recognition
database controlled by the Department of Social Protection.
People will also need the card for when applying for driving licenses from next year.
Minister for Public Expenditure and Reform, Paschal Donohoe TD (Image: Collins
Photo Agency)
Public Expenditure Minister Paschal Donohoe told The Irish Times: "Given the increase in acts of
terrorism over the last several years, every democratic country should be obliged to deploy the most
robust means of authenticated travel across borders that it has available."
The Minister stressed that the card will not be compulsory despite the fact it will be vital for getting
both a passport and a driving license.
ByCormac O'Shea
5 APR 2017
US President Donald Trump shakes hands with the Taoiseach of Ireland Enda
Kenny (L) during a meeting in the Oval Office of the White House in Washington,
DC, March 16, 2017
Irish tourists heading to the United States may have to give over their social media passwords before
getting a Visa to enter.
President Trump's new extreme vetting orders would make travelling to the US for Irish tourists a lot
more difficult.
Under Trump's orders homeland security have announced new plans to up demands to get visa
demands for tourists, immigrants and refugees.
This new vetting would apply to all countries under the Visa waiver programme which includes
France, the UK and Ireland.
Under the Visa waiver programme citizens of 38 countries to travel to the States for 90 days without a
Visa under certain stipulations.
Irish visitors could be asked to hand over their passwords for social media accounts and their mobile
phones if they wish to get in.
According to The Wall Street Journal people's public as well as private posts on social media would be
examined.
Not only that, but the person's financial information and political ideologies could be examined as part
of the vetting.
These highly controversial ideologies examinations were discussed by Trump during his campaign.
Questions in this test may involve whether or not they value "sanctity of human life" and if they
believe in "honor killings".
Speaking to The Journal, Gene Hamilton, a top aide to Homeland Security Secretary John Kelly said it
is important to know the reasons why people are travelling to The States.
He said: " If there is any doubt about a persons intentions coming to the United States, they should
have to overcome really and truly prove to our satisfaction that they are coming for legitimate
reasons."
The proposals have come in for a lot of criticism including being blasted by the Center for Democracy
a Technology who said it was an invasion of privacy.
In a statement they said: "This proposal would enable border officials to invade people's privacy by
examining years of private emails, texts and messages.
"It would expose travellers and everyone in their social networks, including potentially millions of US
citizens to excessive, unjustified scrutiny.
"And it would discourage people from using online services or taking their devices with them while
travelling, and would discourage travel for business, tourism and journalism."
http://www.irishmirror.ie/news/irish-news/irish-tourists-travelling-could-
hand-10162427
The Irish government will make it mandatory for all citizens to show their public services card (PSC)
when applying for a passport and drivers licence, starting in autumn and 2018, respectively, according
to a report by The Irish Times.
The identity card was initially launched in 2011 to social welfare recipients, and has since been issued
to 2.3 million citizens.
The card is supported by a facial recognition database run by the Department of Social Protection.
Given the increase in acts of terrorism over the last several years, every democratic country should be
obliged to deploy the most robust means of authenticated travel across borders that it has available,
said Minister for Public Expenditure Paschal Donohoe.
He added that the current passport system was very good but that the SAFE registration process met
the highest international standards.
It is not, and will not be, compulsory to have a PSC, he said. However, government has an
obligation to deploy the most robust means of online and physical identity verification possible to
ensure that it is doing all it can to reduce fraud, personation and the risk of identity theft in the
delivery/accessing of public services.
All forms of data processing for the ID card and the online digital identity system is supported by
legislation, Donohoe said.
There has also recently been a few legislative proposals which establish further obligations on public
organizations that go beyond the requirements of the Data Protection Act, which protect the privacy
rights of citizens.
https://www.mygovid.ie/
Donohoe said that it was essential that people know and trust that their data is fully protected.
The government has a contract with a private supplier to manufacture the cards, working towards the
goal of issuing three million cards by the end of 2017.
Meanwhile, many privacy advocates are troubled by the news that the cards were to become
compulsory for travel and driving documents.
Dr. TJ McIntyre, a UCD law lecturer and chairman of civil liberties group Digital Rights Ireland, said
the expanded requirements were very concerning.
The countrys Road Safety Authority recently announced that all applicants taking the driver theory
test would be required to have the card from June, as well as confirmed that all applicants for a driving
licence will require the card from early next year.
http://www.biometricupdate.com/201705/irish-citizens-will-require-
biometric-id-card-when-applying-for-passports-drivers-licenses
MyWelfare
MyWelfare is a new website that is owned and maintained by the Department of Social Protection.
MyWelfare provides the following services:
Appointment Services
Jobseeker Services
https://www.mygovid.ie/en-IE/MyGovIDVerified
By Ryan Wilk
This is a guest post by Ryan Wilk, vice president of customer success at NuData Security, a
MasterCard company.
When a family member dies, there are myriad things to look after from closing bank accounts, sorting
belongings and notifying everyone they did business with. It would feel like the worst that could
happen just did until you find out that your elderly relative had defrauded companies and individuals
for hundreds of thousands of dollars!
While that may sound like a ridiculous movie plot, this scenario is becoming reality more often than
you think. To identity thieves, obituaries are nothing more than another source of data.
Synthetic identity fraud is a rising trend, one that has the potential to threaten the CNP industry, where
fraud exposure is expected to hit $71 billion annually by 2020.
Bad actors access genuine identity data, either through hacking or purchase on the Dark Web, and use
it to build artificial identity profiles. One common ploy is to access social security numbers (SSNs) of
children through school or health insurance records filled out by parents. Another means is to access
SSNs of deceased people (known as ghosting), with no one available to contradict the usage.
Using childrens information is advantageous to bad actors as the crime may not be discovered for
many years when the then-young adult applies for credit and is denied based on past fraudulent
behavior. Unfortunately, we wont know that magnitude of this damage for another 10 or 20 years.
Synthetic identity fraud can also be created via collusion schemes, called furnishing. Fraudsters set up
a company with the soul purpose of making sales to synthetic identities they have created themselves.
An applicant synthetic identity applies for and is granted credit for the purchase of a high-end
product from the furnishing merchant. Each month the furnishing merchant reports an on-time
payment from the synthetic identity. This continually boosts the credit score of the synthetic identity
and it can eventually be used for other financial fraud once the bad actor knows the identity has value.
Advertisement
Thieves steal the identities of nearly 2.5 million Americans annually, including people of all ages from
newborns to seniors, according to the IDTheftCenter. The stolen SSNs often are assigned fictitious
birthdates of people in their 20s to give the appearance of someone starting to establish credit.
Using these IDs to start building credit history is easier than you might think. Applying for credit, even
if the application is declined, starts a file with credit reporting agencies. After two or three applications,
and perhaps success with a small account, the file grows and eventually a credit record is established.
Aite analysts believe synthetic identity fraud is under-reported and that financial institutions write off
bad debt without discovering the applicants were not real people. Even so, Aite recently reported that
13% of checking account application fraud and 9% of credit card application fraud involved synthetic
identities.
Until recently, synthetic identity fraud was almost impossible to detect. Making use of behavioral
biometrics is the most effective method to identify the creation and use of synthetic identities. While
the data points entered by individual bad actors may pass the traditional PII checks, knowing the
underlying behavior of the user creating the account provides a new insight into the types of behavior
risk present at the time of account creation.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are
that of the author, and dont necessarily reflect the views of BiometricUpdate.com.
By Stephen Mayhew
The fourth annual EAB Research Projects Conference (EAB-RPC) will take place September 18-19 at
the Fraunhofer IGD research institute in Darmstadt, Germany.
The conference is organized by the European Association for Biometrics (EAB) in cooperation with
the Joint Research Center (DG-JRC) of the European Commission, through its Cyber and Digital
Citizens security unit. The EAB-RPC 2017 will be co-located with the EAB Research Awards and the
IEEE BIOSIG Conference, later that same week. The conference is currently the largest event on
research funded by the European Union in the area of biometrics and identity management.
EAB-RPC will include the participation of numerous EU-funded research projects including: ARIES;
iBORDERCtrl; PYCSEL; AMBER; LIGHTest; ABC4EU; HECTOS; BODEGA; PROTECT; SWAN;
INGRESS; FastPass, and; Tabula Rasa. Researchers and industry participants will present advances
made in these projects, updates on how finished projects are being currently used and provide insight
into the future of biometric research.
The conference will offer a holistic and comprehensive perspective of the status of biometric and
identity management technology in Europe with the participation of the following stakeholders: end-
users (Frontex, ENFSI, ENLETS); policy makers (DG Home), and; managers of large IT systems (eu-
LISA, SIS-II and Eurodac).
All the projects in the conference are engaged in one of the objectives driving the EUs policy
development in order to reach a more secure society: fight crime, illegal trafficking and terrorism;
strengthen security through border management; provide cybersecurity; increase Europes resilience to
crises and disasters; ensure privacy and freedom including the internet and enhance the societal
dimension of security; enhance standardization and interperability of systems.
http://www.biometricupdate.com/201707/european-association-for-
biometrics-announces-eab-rpc-2017
Simon McGarr and some alarmed and determined parents fought a long and
tedious battle with the Department of Education over the legality of this
Primary Online Database which wound its way through refusals of Freedom
of Information requests, abrupt changes to the terms for which information
would be held and an intriguing attempt by the department to claim that the
Data Protection Commissioners office had approved the entire thing (thats
not what the Data Protection Commissioners office does.) Some highlights
are below and you can read more in Simons archive of the whole (as yet
unfinished) affair.
Information Commissioner
orders release of POD
documents
MARCH 11, 2016 POD SIMON MCGARR 0
The Information Commissioners office has now published their
binding decision in my appeal against the Department of
Educations and Skills refusal to release certain documents
relating to POD to me on foot of an FOI request.
With the exception of one document (of which more shortly) all
of the Department of Educations refusals have been
overturned. In fact, release had been refused repeatedly, once
on the basis that they were about something that the department
was thinking about doing in the future and then, when I
appealed, again on a whole new basis that it wasnt in the
interest of public administration as if they released them, it might
get in the way of the Department doing what they wanted.
The Information Commissioner has said that the Department
failed to consider whether the public good in access to
information might overrule the departments convenience and so
the basis for the refusal was invalid.
That doesnt mean that I have the papers in my hand yet. The
Department can still put off the evil day of transparency. When I
rang their FOI section to ask what their expected timeline for
release was, I was told they could take the full eight weeks.
When I pointed out that the maximum time allowed for them to
enter an appeal is 4 weeks, that changed to 4 weeks.
Basically, it seemed, whatever the longest possible time to delay
release is, thats what I could expect.
In the end, this is going to draw to a close by the start of April.
And, it seems, the Minister for Education will still be in office
while we can compare her public statements-asserting support
by the DPC for the POD project- to the actual correspondence
between them.
Finally, there was one document I wasnt given access to by the
Information Commissioner. The OIC decided that the
Department could assert legal privilege over the Data Protection
Commissioners own legal advice, which had been shared with
them. Normally, sharing your legal advice with a third party
means youve waived your rights to legal privilege.
However, the Information Commissioner found that was not the
case here. The basis of that decision was that the Data
Protection Commissioner (the regulator for this topic) and the
Department of Education and Skills (the regulated data
controller) were, when dealing with PODs terms, engaged in a
joint activity.
I am satisfied that the disclosure was limited to a party with a
common interest. Therefore, I am satisfied that legal
professional privilege has not been waived
Which is perhaps a more interesting statement regarding
relationship between the regulator and the state body it
regulates than whatever the letter might have said.
http://www.tuppenceworth.ie/blog/category/pod/
Mr G and Department of Education and
Skills (FOI Act 2014)
Whether the Department was justified in its decision to part grant a request for access
to records relating to the Primary Online Database
Conducted in accordance with section 22(2) of the FOI Act by Stephen
Rafferty, Senior Investigator, who is authorised by the Information
Commissioner to conduct this review
Background
On 27 May 2015, the applicant made a request to the Department for "any and all
documents, including but not limited to observations, letters, emails and/or submissions
whether held in paper, electronic or any format relating to the Primary Online Database
between the Department and Minister for Education and Skills and the Data Protection
Commissioner and/or her Office."
On 26 June 2015, the Department informed the applicant that it had decided to part grant
his request. On 27 June 2015, the applicant sought an internal review of the decision. On
14 August 2015, the Department affirmed its original decision to part grant the request,
but varied the exemptions relied upon. On 2 December 2015, the applicant sought a
review of the Department's decision by this Office.
I have decided to conclude this review by way of a formal binding decision. In conducting
this review, I have had regard to the contents of the relevant records, to the submissions
of the parties and to the provisions of the FOI Act.
Findings
The records at issue relate to engagement between the Department and the Office of the
Data Protection Commissioner (the DPC) in connection with the establishment of the
Primary Online Database (POD). This is an individualised database of primary school
pupils that has been developed by the Department. The Department refused access to
five records under section 30(1)(c) of the FOI Act, and to one record under section
31(1)(a).
Section 30(1)(c)
This is a discretionary exemption which allows an FOI body to refuse a request if access
to the record could reasonably be expected to "disclose positions taken, or to be taken,
or plans, procedures, criteria or instructions used or followed, or to be used or followed,
for the purpose of any negotiations carried on or being, or to be, carried on by or on
behalf of the Government or an FOI body". It is subject to a public interest balancing test
contained in subsection (2).
The records at issue relate to engagements between the Department and the Office of
the DPC in connection with the data to be collected and retained on POD. In its
submission to this Office, the Department stated that negotiations between the two
bodies related, in particular, to the retention policy for information stored on POD and the
question of whether identifiable information was necessary in order for POD to function. It
stated that the discussions resulted in maintaining the use of identifiable information on
POD and the revision of the age at which the information would be anonymised
downwards from 30 to 19 years. The Department stated that at the time of the FOI
request, it was in the process of communicating the changes to schools and, through the
schools, to parents.
I accept that the records at issue can be described as relating to a negotiation between
the Department and the Office of the DPC in so far as both bodies were involved in
discussions with a view to reaching agreement on matters relating to the nature of the
data to be captured and retained on POD. As such, I also accept that granting access to
the records could reasonably be expected to disclose positions taken by the Department
for the purpose of that negotiation and that section 30(1)(c) therefore applies.
However as I have outlined above, that is not the end of the matter as section 30(2)
provides that section 30(1) shall not apply where the body considers that the public
interest would, on balance, be better served by granting than by refusing the request. On
this point, the Department stated that "[I]t was felt that the release of these documents
could generate confusion as to the Department's current position on these matters, and
that on balance the public interest was best served by refusing to release the documents
in question."
In Case No. 98166 (X & Department of Enterprise, Trade and Employment), the then
Commissioner stated the following in respect of the corresponding provision of the FOI
Act 1997 (section 21):
"While section 21(1)(c) makes no distinction between disclosures which have the
potential to prejudice current or future negotiations in some way or to cause some other
harm and disclosures which do not, it seems to me that such a distinction should be
made in applying the public interest test in section 21(2) to records which disclose
positions taken etc. for the purposes of past negotiations. Put simply, if release of such
records cannot harm current or future negotiations or cause any other harm, then the
public interest in openness in the workings of Government means that, in the absence of
any other applicable exemption, the records should be released. On the other hand, if
access to records which disclose positions taken etc. for the purposes of past
negotiations could reasonably be expected to prejudice current or future negotiations or
cause some other harm, then this is a matter which must weigh heavily in the application
of the public interest balancing test."
In this case, I understand that following its discussions with the Office of the DPC, the
Department revised elements of POD, including the retention policy for identifiable data.
This revised position was communicated to schools by means of circular number
0025/2015, which issued on 15 April 2015. I am not aware that the release of the records
at issue could harm current or future negotiations or, indeed, give rise to any other
specific harm, and the Department has not drawn my attention to any such potential
harms. While the desire to avoid public confusion as to its position on the capture and
retention of data on POD may have been a relevant consideration at the time the records
were created, it seems to me that this concern is now moot.
On the other hand, section 11(3) of the FOI Act specifically requires bodies, in performing
functions under the Act, to have regard to, among other things, the need to achieve
greater openness in the activities of FOI bodies and to promote adherence by them to the
principle of transparency in government and public affairs. Accordingly, I find that, on
balance, the public interest would be better served by the release of the records at issue.
Section 31(1)(a)
The Department relied upon section 31(1)(a) in refusing access to record 29. Section
31(1)(a) is a mandatory exemption that requires FOI bodies to refuse access to records
that would be exempt from production in proceedings in a court on the ground of legal
professional privilege.
Legal professional privilege enables the client to maintain the confidentiality of two types
of communication:
confidential communications made between the client and his/her professional legal
adviser for the purpose of obtaining and/or giving legal advice (advice privilege) and
confidential communications made between the client and a professional legal adviser or
the professional legal adviser and a third party or between the client and a third party, the
dominant purpose of which is the preparation for contemplated/pending litigation
(litigation privilege).
The record is a letter from the DPC to the Department relating to the nature of the data
that the Department proposed for retention on POD. It recounts legal advice received by
the DPC from her external legal advisers in respect of some of the proposed data fields
in POD. In his request to the Department for an internal review, the applicant argued that
if the Office of the DPC has outlined a legal position to the Department which was
disclosed to it, privilege has been lost over same. I take this as an argument that the
Office of the DPC has, in effect, waived privilege.
The Department argued that the legal advice contained in the letter was shared in
confidence, and the letter was marked as confidential. It argued that the DPC never at
any point waived her right to legal professional privilege. In considering this issue, I have
had regard to the following comments of Finnegan J. in Redfern Ltd. v. O'Mahony [2009]
IESC 18, [2009] 3 I.R. 583:
"It is accordingly clear that privilege may be waived by disclosure. If the document comes
into the public domain privilege will be lost. It will not, however, be lost where there is
limited disclosure for a particular purpose or to parties with a common interest."
It seems to me that the Office of the DPC disclosed the legal advice it had received on a
limited basis and for a specific, limited purpose, namely with a view to reaching
agreement with the Department on the nature of data to be captured on POD. I am
satisfied that the disclosure was limited to a party with a common interest. Therefore, I
am satisfied that legal professional privilege has not been waived, and I find that the
Department was entitled to refuse access to the record under section 31(1)(a).
Decision
Having carried out a review under section 22(2) of the Act, I hereby vary the decision of
the Department. I find that record numbers 11, 12, 17, 18 and 27 are not exempt from
disclosure and should be released. I find that record number 29 is exempt from release
under section 31(1)(a).
Right of Appeal
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by
a party to a review, or any other person affected by the decision. In summary, such an
appeal, normally on a point of law, must be initiated by the applicant not later than eight
weeks after notice of the decision was given, and by any other party not later than four
weeks after notice of the decision was given.
Stephen Rafferty
Senior Investigator
http://www.oic.gov.ie/en/Decisions/Decisions-List/Mr-G-and-Department-of-
Education-and-Skills-FOI-Act-2014-.html
The documents below were withheld by the Department of Education following an FOI request. The
Department produced an array of reasons for their refusal to release the below docs, which the Office
of the Information Commissioner ultimately decided were invalid.
Here then, is the exchange of documents between the Department of Education and Skills and the Data
Protection Commissioners office which the Department did not want you to read.
https://www.scribd.com/doc/305489292/OIC-POD-FOI-Release-From-
Department-of-Education
1st-Reply-letter-to-DPC-email-of-April-2016-copy_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/1st-Reply-
letter-to-DPC-email-of-April-2016-copy_Redacted.pdf
Final-2nd-Letter-re-FOI-docs-sent-to-DPC-PDF-format-_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/Final-2nd-
Letter-re-FOI-docs-sent-to-DPC-PDF-format-_Redacted.pdf
Letter-to-Simon-McGarr-01-06-2016_Redacted
http://www.tuppenceworth.ie/blog/wp-content/uploads/2016/06/Letter-to-
Simon-McGarr-01-06-2016_Redacted.pdf
An interview giving the story so far
APRIL 11, 2016 GENERAL / POD SIMON MCGARR 0
The benighted story of the Department of Educations perennially unraveling Primary Online
Database of 5+year olds has been bouncing along for over a year now. If you were to scroll
through a years worth of this blogs posts youd have a pretty good picture of what happened
when, but you might also expire with tedium.
Itd be a race to see which would happen first.
To spare you from competing against your own boredom threshold for your life, you can now
listen to me explain the whole thing, end to end in 25 mins or less.
The link to the interviews page, choc full of bonus links about everything we mention along
the way is: https://adventuresininformation.com/2016/04/03/episode-1-the-pod/
And the links to the Podcast feed (because youre going to want to know what he comes up
with next) are
Minister considers partial backtrack on pupil PPS database
The Minister for Education, Jan O'Sullivan, is to review a new schools database which would have
held personal details about primary students until they reach the age of 30.
Letters have been distributed to parents in recent days informing them of the new Primary Online
Database which contains details such as a child's PPS number and ethnicity.
The Department says the information will be used to 'formulate education policy' into the future.
However, Minister O'Sullivan has said she is prepared to reconsider the length of time the data is kept,
admitting that keeping records until a former pupil turns 30 might be excessive.
Meanwhile, The Department of Education has announced building work is now underway on four new
schools being completed by the private sector.
The State will pay back for the four schools in: Skibbereen in Cork; Dundalk in Louth, Tulla in Clare,
Carrick-on-Suir in Tipperary - over 25 years.
The funding for the projects is being provided jointly by AIB and the German Bank KfW.
Minister O'Sullivan says this is a cost-effective way to build schools which will "provide places for
nearly 3,000 children".
She said: "Its a very positive programme, weve had a number of other bundles delivered on a similar
basis and I know from talking to the schools that theyre very happy with the way this process has
worked."
http://www.irishexaminer.com/breakingnews/ireland/minist
er-considers-partial-backtrack-on-pupil-pps-database-
657250.html
Fianna Fil Spokesperson on Education Charlie McConalogue has called on the Education
Minister to clarify whether schools will be penalised if parents refuse to grant permission for
their childrens information to be stored on the Departments Primary Online Database.
Charlie McConalogue TD
In response to a Parliamentary Question on the issue, Minister Jan OSullivan states that from the
2016/17 academic year it is intended that teacher allocations and capitation grants will be made on the
basis of POD data.
Deputy McConalogue said he is seriously concerned that the Minister is using the threat of capitation
and teacher number reductions as a means to force parents to hand over their childrens personal details
for this new centralised database.
Schools already have the necessary information and documentation regarding students on file, but this
new database encompasses students racial profile, psychological assessments, medical and disability
needs, religion, and PPS number. This information will now be retained by the department until the
students reach 30 years of age.
Parents legitimately have concerns about this level of information being stored on a national database,
and the Data Commissioner has also raised a red flag after it emerged that the Department had begun
collecting data from schools before informing the Commissioner. Despite these concerns, the Minister
is pressing ahead with the process, and now appears to be using the database as leverage for teacher
numbers and capitation grants.
The Minister is effectively threatening to withdraw capitation funds and to reduce teacher numbers,
despite the fact that parents have genuine concerns about this database. They are now being forced into
a choice between handing over their childrens personal information or see the number of teachers in
their schools cut and the amount of funding allocated to the school reduced. This could see hundreds or
even thousands of schools penalised as a result of legitimate parental concerns.
The Minister must take the concerns of parents and the Data Protection Commissioner on board
before forcing through these measures, instead of threatening the future of schools across the country.
http://www.donegaldaily.com/2015/02/11/minister-must-
not-use-primary-online-database-to-cut-funding-
mcconalogue/
Information on students including PPS numbers will be stored in the new Primary Online Database.
The childs name, address, date of birth, nationality and mothers maiden name, plus non-compulsory
fields such as ethnic or cultural background, religion, and need for learning supports would all be kept
by the Department on secure servers.
It has proposed that this data could be shared with other Government Departments, but staff would
have limited access.
Worrying overreach
Security experts have raised concerns over the database, calling it a worrying overreach of the State.
Under the current scheme, data could be stored until the child is 30.
However, speaking today to Newstalks Lunchtime, Minister Jan OSullivan said it was something she
was willing to look at.
The reason for keeping the data for 30 years I presume is because we want to ensure that we have the
necessary information in terms of planning etcetera, but look, that is an area I would be happy to
examine.
She noted that database was supported by parents, teachers, and school management groups, and the
data protection commissioner has been consulted.
The purpose of this is to really ensure that, for example, children dont drop out after primary school
and maybe never progress to post-primary, the Minister explained.
Special advisor to Europols Cybercrime Centre, Brian Honan, raised concerns over what the
information could be used for in future.
Problem 3) Storing all details of a primary school pupil until they're 30 is excessive data retention.
"They themselves say they will be sharing the data with the
Department of Social Protection and other agencies," McGarr
said.
"If they intend to hold it until the children are 30, that data will
be sitting around in a database gradually every year collecting
up the personal data of every citizen being educated.
"This is not a small thing - and I think more debate and more
reflection by the department is needed."
The Department of Education's website says the scheme "has
been thoroughly piloted with a selection of schools" and
"extensively discussed with the education partners and
management bodies."
It says it will share the information with Social Protection, the
HSE, and National Council for Special Education.
The data collected will include:
First and second names
PPS number
Mother's maiden name
Date of Birth and gender
Full address
Mother tongue
Ethnicity
Religion
Irish language exemptions
Enrolment date, teacher / class details
Previous school / pre-primary education
Learning support details
In its documentation, the Department says it is compulsory for
parents to register their children. In the event a PPS number is
not available for a student, the Department will use the
mother's maiden name to look up Department of Social
Protection records.
The Department also reports that only information on ethnic
and religious background requires the consent of a parent of
guardian.
"All other information was deemed by the Data Protection
Commissioner as nonsensitive personal data and therefore
does not require written permission from parents for transfer
of the information to the Department," the letter to parents
says.
The Department claims the database will eliminate the
existing annual school census, facilitate transfers between
schools, and keep track of students who do not go on to
secondary school.
http://www.breakingnews.ie/ireland/concern-over-personal-info-database-for-
every-primary-student-656963.html
http://www.education.ie/en/Publications/Statistics/Primary-Online-Database-
POD-/POD-Fair-Processing-Notice.pdf
Updating and simplifying the manner in which schools can maintain pupil enrolment
and attendance records (Clarleabhar, Leabhar Rolla and Leabhar Tinrimh Laethuil)
following the introduction of the Primary Online Database (POD)
https://www.education.ie/en/Circulars-and-Forms/Active-
Circulars/cl0033_2015.pdf
Primary Online Database (POD)
The Primary Online Database (POD) is a nationwide individualised database of primary school
pupils, facilitating the monitoring of educational progress as pupils move through the primary
education system and on to post primary. The system allows schools to make online returns to the
Department of Education and Skills (DES) and provides the Department with the comprehensive and
in-depth information needed to develop and evaluate educational policy.
The new primary online database (POB) requires that primary schools hand over PPS numbers for
all their pupils, to be held by the department and shared with other state agencies until the child
is 30 years old.
However, not all primary schools collect PPS numbers when enrolling pupils and, in cases where
parents are asked but refuse to provide the information, the department has said it will use the
mothers name to seek the childs number through Social Protection.
All primary schools require a childs birth certificate for enrolment and the certificate carries
details of the childs mother and her married and maiden names. Schools will be required to
provide the mothers maiden name to the POB in cases where they do not have the childs PPS
number.
According to the Department of Education, this is because: If a school cannot get the childs PPS
number, we will have an arrangement in place to obtain the PPS number from the Department of
Social Protection by matching the childs details with the mothers maiden name.
Ironically, the childs own name is not a compulsory feature of the POB, as the PPS number is
considered the key to all the associated data although pupils names are requested to help verify
and validate the PPS.
The only information parental consent is required for is a childs religion and ethnic or cultural
background. Other personal details about a child, their progress through the school system, their
use of learning supports, psychological assessments and the language spoken in the childs home
will be collated without consent.
The department has said there will be no consequences for schools if parents do not provide
information on their childrens religion as this question is being asked for statistical purposes
only.
However, it warns that if information is not supplied about ethnic and cultural background, it will
be harder to target resource allocation to schools with children who may need extra language
classes and other supports.
It also warns that if information is not provided about Traveller children under this heading,
schools could lose out on the higher capitation grants available where Traveller pupils are
enrolled.
The parents of more than half a million children are currently receiving letters from their schools
explaining the need for the data collection, which is meant to be completed by March and updated
on an ongoing basis afterwards.
The project has come in for criticism over its intention to hold the information from the time a
child enters school until they turn 30.
Education Minister Jan OSullivan has already said she will look again at whether it is necessary
to hold the information so long.
However, further doubts have been raised over the plan following warnings the move could
breach data protection laws.
A leading solicitor said that, under the Data Protection Act, information gathered should be
limited to only what is necessary, it should be gathered for very particular circumstances, and it
should not be retained for longer than necessary.
Simon McGarr, an expert in digital rights, said the plans which involve sharing the information
with various state bodies and holding on to it until pupils are at least 30-year-old seemed
excessive.
http://www.irishexaminer.com/ireland/parents-cannot-withhold-kids-pps-
numbers-307299.html
Irish Water will be asking for your PPS number and theyll be
doing so within weeks
Image: Shutterstock
IRISH WATER WILL begin asking for peoples PPS numbers in the next couple of weeks as it
prepares to begin the roll-out of water charges from next year.
Speaking on RTs Morning Ireland, Irish Waters Elizabeth Arnett said that the company realises that
it is unusual for a utility to ask for this kind of detail but that they are doing so to ensure people
receive the allowances they are entitled to:
Enda Kenny recently reiterated his pledge that water services for children will be free and stated that
the average household charge will not exceed 240 per year.
Arnett says that Irish Water wants to make sure that people get the allowances theyre entitled to in an
easy, transparent and accountable way.
She adds that the company has been working with the Data Protection Commissioner as it begins to
engage directly with customers:
As you can imagine a utility like ours will hold a lot of data from our customers. So we have an
ongoing engagement with the Data Protection Commissioner to ensure, first of all that we have the
appropriate authority to ask these kind of questions and also appropriate systems and internal systems
in place to ensure that we handle this data in the most appropriate way. ENDA KENNY HAS insisted
that the government will not renege on its promise to provide water services to children for free.
Speaking during Leaders Questions today, the Taoiseach said he could also confirm the average
household charge will not exceed 240 per year.
Deputy Peadar Tibn pushed the Fine Gael leader for more details following Irish Waters failure to
publish the charges during yesterdays farcical Oireachtas committee hearing.
The Sinn Fin TD added that this denial of information has led to a widespread belief that the charges
would creep higher than what was originally suggested.
The direction given by government through the Minister to the Environment to the regulator is that the
average bill for the regular household is 240. The second element of the instruction is that children are
free in terms of use of water, replied Kenny.
However, he did seem to indicate that the mooted 38,000 allowance for children may be cut. He
explained that this generation of children are more savvy at conservation techniques because of the
Green Flag initiative in schools and may not require the same amount as previous studies suggested.
He concluded that the governments policy decision on free water for children will not change.
Toibn also used the opportunity to reference Minister Ruair Quinns resignation today, implying that
the timing of the statement was an intentional slight of the Taoiseach.
I think it is an interesting insight into the state of disarray in the Labour party when Ruair Quinn
resigns two days before a leadership battle. And also that he gives his resignation speech at the same
time as Leaders Questions a snub to the Taoiseach.
Kenny was also called upon by Michel Martin to confirm a number of details about the collection of
the property tax for this year.
He said that government decided and agreed that local authorities should retain 80% of the money
collected in 2014.
He also reminded Fianna Fil that its representatives in council could look to reduce the charge by
15%.
Councils have been starved and were shafted by government last year, Martin claimed, asking for
some honesty from the coalition.
Kenny said it is possible for a number of authorities to reduce the charge because of the volume and
value of properties in their area.
The Taoiseach also insisted there is no big division between Fine Gael and Labour on the issue,
urging the Fianna Fil leader to not believe everything he reads in newspapers.
So it has been (more or less) confirmed that Irish Water (a private unlimited
company) will be seeking your Personal Public Service Number. Note the word,
personal. Irish Water claims that this will help ensure that those who will need
allowances will be able to get them speedily without too much hassle. But is this
true? Or more to the point, is this necessary or even legal?
Your PPS number is given to you and you alone. The only times you are required
to use your PPS number is in cases of taxation or in cases of claiming social
welfare. Under no circumstances are you to use your PPS number to aid or assist
a private company. Imagine if you were signing up for oh lets say a new Meteor
phone contract. Would you give Meteor your PPS number? If Meteor asked,
wouldnt you consider that as being wrong or possibly illegal?
Irish Water, created to appease the IMF/EU/ECB, have already proven they are
not a semi state organisation by responding to the question what if the people
of Ireland start to be very conservative with their water use? with this reply if
that happens, we will simply increase our costs! .. even the state (as much as it
likes to think its place is one place higher than any God) cant do that.
The notion that surrendering your PPS number is to help people who will
require allowances is pure and utter nonsense. If that is the case, why are the
social welfare not dealing with the allowances? If Irish Water truly is as
advertised, a semi state company, wouldnt it be more prudent to use the social
welfare? After all, the social welfare are best suited. They already know who are
the poorest in society and they pay the child benefit to every single family with
children under the age of 18. Using social welfare to distribute these allowances
would also cancel out any concerns about a company (semi private or fully
private) having access to legally protected data, such as your PPS number.
As things currently stand, legally you are not obliged to give Irish Water your
PPS number or those of your children. This is something that no doubt will
inevitably see its day in court. The only reason why a company (fully private or
not) would want access to your PPS number in Ireland would be because of the
states new approach to taxation. In that we dont care if you disagree, we will
simply take it at source . . . One might call me a conspiracy theorist now but who
thought the state would give revenue the power to take your property tax from
source?
On top of all of this are the FACTS that Ireland has being paying for her water
supply since the 70s through basic general taxation, since the 90s Ireland has
being paying twice for water, the second charge was levied and still is on
motorists through road tax (yes road tax pays for water) so you were paying
twice already. The kicker is simple and completely over looked by all concerned.
Those motor taxes and general PAYE taxes will not come down with the
introduction of Irish Water.
So you will be paying three times for your water. The third payment to a
company that already insists that its prices will need to go up due to lack of
funding from the state. A company that before it has even started has already cut
by 60% the allowances. A company that wishes for revenue to take from your
source. A company that has NO competition and will fully control water services.
A company that is boarded by ex Fine Gael and Labour tds. A company that is in
every way shape and form as corrupt as the state that created it.
Your PPS number is personal. Would you give it to Meteor? Why then, will you
give it to Irish Water?
http://www.thejournal.ie/irish-water-pps-numbers-1571854-Jul2014/
Kenny says Irish Water (and your PPS number) will not be
sold
Aoife Barry
TheJournal.ie30 September 2014
Kenny says Irish Water (and your PPS number) will not be sold
Irish water will not be sold, the Taoiseach said today, when asked about the security of peoples PPS
numbers.
He made the comment in the Dil during Leaders Questions, when questioned by Deputy Catherine
Murphy of the Technical Group.
She said that potentially Irish Water will have a more complete set of data available to them than any
Government department, which she called crazy.
Fair charges
Irish Water is a public entity it will not be sold, replied the Taoiseach.
It is prescribed in law that the information in regard to PPS numbers will be used solely and
specifically for the purpose intended to determine accurately the household and allowances in respect
to households and where there are children involved.
Murphy countered: Who is to say into the future that it cant and wont be sold? Legislation changes
all the time. Dont think people believe it cant be sold.
The Taoiseach said that there is protection of the data in respect of PPS numbers held by Irish Water.
On its website, Irish Water has a data protection notice which says:
Irish Water may keep the customers data for a reasonable period after the customer ceases to be
supplied with Water Services but will not keep it for any longer than is necessary and/or as required by
law.
Murphy also accused the Taoiseach of managing to pull off another stroke with the introduction of
charges tomorrow.
She said that if the point of water charges was to conserve water, then everyone in the State would have
been given a free allowance.
She said that if people dont supply their PPS numbers, they will essentially be fined.
Murphy said that she has repeatedly had people say to me they feel like theyre living in a
dictatorship.
The Taoiseach said the Government aims to make water charges as fair as possible.
He was heckled by other members of the Dil while he spoke, one of whom shouted thats rubbish,
absolute rubbish at him.
https://uk.news.yahoo.com/kenny-says-irish-water-pps-
number-not-sold-153908007.html
Data Protection
Background
Irish Water was established under the Water Services (No. 1) Act 2013 for the purposes of providing
water services functions, which include the provision of water and collection, treatment and disposal of
wastewater from domestic and non-domestic customers. The Water Services (No. 2) Act 2013 obliges
Irish Water to charge customers for the provision by it of water services. This Data Protection Notice
sets out Irish Waters procedures for the fair collection and processing of personal data required for
Irish Water to perform its statutory functions.
This data is used to manage and administer the customer account and for operational reasons, to
include
The provision of contact details (other than name and address) is optional, and will be used for
outbound communication to customers including outage notification and general account management.
Information may also be processed to assess a customers ability to pay in the event of arrears on an
account, so that Irish Water can treat those having genuine difficulty in making payment
sympathetically.
In addition, data provided by the customer may be used for marketing purposes, and this is explained
further below.
Following the Government decision of 19 November 2014, PPS Numbers are no longer required as
part of customer applications; Irish Waters arrangements are based on self-declaration and appropriate
audit.
On occasion, for example where a customers water usage varies significantly from that which is
typical for their occupancy configuration, Irish Water may ask customers to provide evidence in
support of the occupancy declaration they made in the application process. Proof may be sought, for
example, to ensure that children are still under 18 years old and so eligible for the Childrens Water
Allowance.
Customers may provide such evidence in a number of different forms. Any evidence provided by
customers in those circumstances will be retained only for as long as it takes for Irish Water to verify
the customers account details.
All PPS Numbers provided prior to 19 November 2014 have been removed from Irish Waters
systems.
Data Processing
Irish Water may keep the customer's data for a reasonable period after the customer ceases to be
supplied with water services but will not keep it for any longer than is necessary and/or as required by
law, whether under the Data Protection Acts 1988 and 2003 or otherwise.
Irish Water may share the customer's data with authorised agents or third parties who act on behalf of
Irish Water, including local authorities, in connection with the activities referred to above, pursuant to a
contractual relationship. Irish Water continues to be the Data Controller for this data and these
authorised agents act as Data Processors on our behalf. Such agents or third parties are only permitted
to use the customer's data as instructed by Irish Water. They are also required to keep the customer's
data safe and secure.
Irish Waters data centres are located in Ireland. On occasions, mainly to resolve system issues, Irish
Water may require technical support from outside the European Economic Area (EEA). While this
does not involve storing data outside the EEA, it may involve technical support accessing Irish Waters
system remotely from outside the EEA, with a possibility that it may view customer data while trying
to resolve the issue. Technically, under data protection law, this is deemed to be a transfer of data as
the data can now (temporarily) be viewed outside the EEA. In all cases, any such activity is supported
by a contract which includes data protection clauses which are binding on the technical support agent.
Irish Water has included reference to this activity in its customer information for reasons of
transparency.
Irish Water may also disclose customer data if it is under a duty to disclose or share customer data in
order to comply with any legal obligation, or in order to protect the rights, property, or safety of Irish
Water, its customers or others. Irish Water will also disclose customer data if it is required to disclose it
in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order,
or other valid legal process.
From time to time the customer may speak to employees of Irish Water (or agents acting on its behalf)
by telephone. To ensure that Irish Water provides a quality service, the telephone conversations may be
recorded. Irish Water will treat the recorded information as confidential and will only use it for staff
training/quality control purposes, and for confirming details of the conversations with Irish Water.
If the customer requests that Irish Water communicates with him/her by email, the customer is solely
responsible for the security and integrity of the customer's own email account. Unfortunately, the
transmission of information via the internet is not completely secure. Consequently, while Irish Water
will take all reasonable security measures, Irish Water cannot guarantee the privacy or confidentiality
of information relating to the customer being passed via the Internet; any transmission is entirely at the
customer's own risk.
For further information on data collected on our website, please see our Privacy Statement.
Non Customers
From September 2014, Irish Water mailed all households in Ireland with an application pack, using
names and addresses based on information received from multiple sources. As there is no one central
list of all households in Ireland that are connected to the public water main and/or public sewer, Irish
Water was unable to refine its mailing to Irish Water customers only. Therefore, Irish Water asked all
recipients of application packs to respond to confirm whether they are or are not a customer of Irish
Water. If someone declares themselves not to be a customer, certain information is required in order to
confirm that this declaration is correct, and to verify that that person is not in fact using water services
provided by Irish Water. Such information will be held until Irish Water has validated that that person
is not a customer. The information required in those circumstances is as follows:
Name
Supply Address
Whether that person is a Tenant or Owner
Type of water supply
Type of wastewater service
Any person who is declaring themselves as not being a customer will not have to submit the following
details to Irish Water:
Access Requests
The customer, or other person whose data is held by Irish Water, has a right to ask for a copy of that
persons data, which is held by Irish Water (under legislation Irish Water is entitled to charge a
nominal administration fee for this). If the customer or other person wishes to avail of this right, a
request must be submitted in writing to Irish Water, Data Protection Officer, PO Box 6000, Talbot St,
Dublin 1 or via email to dataprotection@ervia.ie .
In order to protect privacy, the person making the request may be asked to provide suitable proof of
identification. If any of the details are incorrect that person is entitled to notify Irish Water to amend
such details. If data held by Irish Water relating to a person is incorrect that person is entitled to notify
Irish Water to amend such details. You can download an Access Request form here.
Marketing
Irish Water and/or authorised agents acting on behalf of Irish Water may wish to contact the customer
by text message, email, post, landline or in person about water related products or services which may
be of interest to the customer ("Marketing Purpose"). For the avoidance of doubt, Irish Water will not
sell or provide personal data to third parties for marketing use. Irish Water will not use personal data to
market non-water or wastewater related products or services.
If the customer does not wish to be contacted for Marketing Purposes as set out above, the customer
may exercise a right of opt-out by either writing to Irish Water at FREEPOST, Irish Water, Data
Protection Officer, PO Box 6000, Talbot St, Dublin 1 or via email to dataprotection@ervia.ie or by
calling Irish Water on LoCall 1850 448 448. The customer may opt out at the time when Irish Water
collects their data or at any time thereafter.
Queries
Where a customer (or non-customer) has any queries in respect of personal data he/she should contact
Irish Water on LoCall 1850 448 448.
https://www.water.ie/data-protection-notice/
Demand f
I am opposed to water
charges and will not pay the 374 47.46%
charges
I am opposed to water
charges *but will* pay the 188 23.86%
charges
Richard Boyd Barrett, TD, People Before Profit Alliance, raises with the Minister the demands for PPS
Numbers by Irish Water and the serious questions over the implications for Data Protection in the Dail
on Oct 1st 2014.
https://www.youtube.com/watch?v=BKWlbjhqv4M
Details have emerged of some of the personal information that Irish Water will request from
householders.
An "allowances application form" will be sent out from September, in advance of the charges
beginning the following month.
The four-page document requests a range of personal information from the name and address, to the
PPS number of the householder and those of up to six children living at the property.
It will also ask questions about whether the householder is a homeowner or tenant.
The first bills for water usage are due to be sent out in January.
http://www.breakingnews.ie/ireland/irish-water-to-request-customer-pps-
numbers-636240.html
Ive been inundated with calls from constituents who are concerned about giving their PPS numbers to
a private company. I am also very uncomfortable with Irish Waters approach to providing customer
details to third parties for marketing purposes. So I got onto the Data Protection Commissioner and the
Minister for the Environment, Community and Local Government, Alan Kelly. The Minister informed
me that the Government made it legal for Irish water to request PPS numbers under section 20 of the
Social Welfare and Pensions Act 2014, and assured me that Irish Water is fully compliant with data
protection requirements.
However, the Data Protection Commissioner isnt so sure. I have written confirmation from the Data
Protection Commissioners office that states it is likely that we will be asking them (Irish Water) to
make certain amendments, and in relation to marketing preferences We will likely require an
amendment to the marketing reference in the data protection notice.
So whats going on? Im not sure, but I am calling on the Minister to make Irish Water liaise with the
Data Protection Commissioner to ensure all required changes are made before any Irish citizen is asked
to hand over information, or incurs any cost for non-compliance. I am also calling on Irish Water to
delete all PPS numbers of all customers and their children once theyve used them to verify the free
allowances available to each household.
The Data Protection Commissioner is in ongoing communication with Irish Water on a number of
issues and has asked it to be more transparent in relation to the disclosure of personal data to
outsourced functions and the protection and purposes of such disclosure. For claritys sake, heres
some of the answers the Data Protection Commissioners office gave me in response to constituents
questions.
Question: Is it safe for Irish Citizens to give their PPS numbers to Irish Water?
The collection of the PPSN for use by Irish Water in verifying occupants of a household (including
children) is provided for in legislation and this has the effect of setting aside data protection legislation
in relation to the request for and use of the PPSN for this purpose. However, the remaining obligations
contained in the Data Protection Acts e.g. keeping data safe and secure etc, still apply to Irish Water
and their holding of personal data generally.
Question: Once the PPS numbers have been used for any verification purposes by Irish Water,
should Irish Water should destroy the PPS numbers?
The Data Protection Acts require that an organisation only keep personal data for as long as is
necessary for the purpose for which it was collected. An organisation therefore has to be able to justify
its retention of personal data. We understand that the following is an extract from Irish Waters entry
on the Register of PPSN Users held by the Department of Social Protection: Retain it no longer than is
necessary for the specified purpose or purposes. Irish Water is in the initial stages of gathering PPSN
details from customers. Irish Water will remove individual PPSN details from our systems when the
PPSN is no longer required to support a claim for a water allowance.
Question: Is it acceptable for Irish Water to operate an opt out policy in relation to marketing,
under what circumstances is it not acceptable, and if people are finding it difficult to opt out,
what should they do?
It is our understanding that a prominent marketing opt-out is provided in the application forms
circulated by Irish Water. The basic rule that applies to direct marketing is that an organisation needs
the consent of the individual to use their personal data for direct marketing purposes. As a minimum,
an individual must be given a right to refuse such use of their personal data both at the time the data is
collected (an opt-out) and, in the case of direct marketing by electronic means, on every subsequent
marketing message. The opt-out right must be free of charge.
Let us for a moment assume that the IW folks did not ask for PPS nos as a condition of the payment of
a Government/Tax payer subsidy to individuals.
Then everyone could claim 8 children under 6 and IW would have no ability to check and the state
would be paying out a fortune. The public would be horrified and ask why this incompetent bunch
should be trusted with any information or with supplying water.
The PPS no is the way the state identifies individuals. If an individual is going to be the recipient of a
state service then it is correct that the PPS no is used.
I cannot understand how anyone fail to realise that the payment of Tax Payers money needs to be
controlled and that collecting PPS nos is being done to achieve that. It is the method used by
electricity suppliers to avoid fraud and I can see not better cheaper way of doing that for IW.
I apologise to all those who prefer ranting to reason but not everyone can elegantly merge fury with
paranoia to produce idiocy.
Irish Water has finally started a hunt for a data protection manager, months after it started the process
of demanding and recording customers PPS numbers.
Independent TD Catherine Murphy described seeking a data protection manager at this point as a cart
before the horse situation that is typical of Irish Water.
It looks like this has not been thought out at all. We saw an example last week of peoples bank
details being sent to their landlords, which undermines confidence in Irish Water. This is not a minor
issue, the Kildare North TD warned.
The advertisement for the position, posted online yesterday, comes as ministers defended the right of
Irish Water to seek peoples PPS numbers, following reports that staff in one Government department
had expressed concerns about handing over details.
Among the requirements for the role, the successful candidate must:
- Assess, monitor and control risks arising from transfer of information to and from external
organisations;
- Develop and implement an assurance plan over the critical information security and data protection
risks;
- Develop and implement an information security and data protection policy, processes and procedures
throughout Irish Water which fulfil the requirements of the corresponding Ervia group policy and
procedures, legislation and best practice.
Ms Murphy claimed that Irish Water has no statutory basis under which it can collect PPS numbers as
Social Protection Minister Joan Burton has yet to formally finalise the arrangement under which the
utility is authorised to collect the data. The minister of social protection is supposed to sign an order to
allow Irish Water to seek PPS numbers, but I understand she has yet to do that.
The Irish Examiner submitted a number of questions to Irish Water arising from the advertisement but
did not receive a reply at time of going to press.
Meanwhile, no definitive Government decision on further alleviation measures for households facing
water charges is expected in the next week.
The Governments four-person Economic Management Council will meet today and examine a menu
of options to help households with payments. These are expected to include a special capped family
payment for households where adult children are living at home. An extension of the assessed charge
payment period beyond next summer is also set to be discussed.
Environment Minister Alan Kelly will appear before the council.
The Tnaistes spokesman said last night that it might take a little bit longer than beyond next week
for Cabinet to agree on solutions to concerns.
Taoiseach Enda Kennys spokesman said people deserved clarity and certainty on what they would
be charged for water and the Cabinet was looking at this.
Earlier, Communications Minister Alex White conceded the Irish Water project was not ready. I will
agree with you that people have responded very, very strongly to this, that we have, I think, tried to bite
off too much too quickly in relation to this project.
http://www.irishexaminer.com/ireland/search-for-irish-water-data-boss-
begins-295584.html