Identity schemes and data protection: lessons from Ireland's Public Services Card
The Irish Data Protection Commissioner has made a ruling on the controversial Public Services Card (PSC) that has described much of what is is done with the card as unlawful. The PSC has proven controversial: introduced in 2012 for welfare claimants, it's use expanded to more and more uses, including its use to get a driving licence or passport. Now, following campaigns from civil liberties organisations, this expansion of use has now been found to be unlawful by Ireland's Data Protection Commissioner.
The nature of the findings are highly relevant for how we must look at ID schemes all over the world.
- It is essential that there is an effective data protection regime prior to the introduction of an identity system. Across the world, we see schemes introduced without these protections, or the data protection regime emerging as almost an afterthought. It is increasingly clear that this is no longer acceptable. International organisations, such as the World Bank, stand by the principle that a legal and regulatory framework surrounding "data privacy" is essential for an ID system. Rather than emerging later, or in response to court action against a system, we need data protection legislation implemented in an effective regime from the start. To continue to promote and fund ID systems without these protections in place leaves a system open to abusing the rights of individuals and communities.
- The 'function creep' of ID schemes is a feature we also see all over world, as the uses of a system are put to more and more purposes. But the Irish case highlights the issue that the implications of this function creep are often not considered. As the Data Protection Commissioner said, "As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses." It's essential that a scheme, once implemented, any potential new uses are interrogated and critiqued, for their compatibility with data protection and human rights law but also taking into accounts the risks surrounding exclusion, exploitation, and surveillance. Introducing an ID scheme through the 'back door', like in Ireland, is not acceptable.
- The Irish scheme also illustrated how ID schemes can also lead to the creation of new ID requirements where, previously, ID was not required. The Data Protection Commissioner highlighted the case of its use in the school transport system, for a use which previously did not have any ID requirement at all: “There may be a real artificiality in terms of embedding the requirement for the [card] in processes that heretofore did not require identification to that standard.” Thus the Ireland example is ID used not to empower, but the creation of new barriers.
There are valuable lessons to be learnt from the experience of Ireland: for those places looking to adopt ID cards, but also those organisations promoting their use. The lessons from the experience of Ireland must be heeded for there to be a future where ID respects everyone's rights.
[Image source: George Hodan]