Ireland planning to introduce national identity cards by stealth, with no debate and unclear privacy safeguards

National identity cards are an emotive topic. In the UK, the ID card debate raged for years before and after the authorities there passed a law in 2006 to introduce them. Five years later, a change of government saw the law being repealed as a result of widespread public concerns. The Irish government seems to be adopting a different approach. It is introducing ID cards for its population while denying that it is doing so, perhaps in an attempt to dodge the heated arguments that raged in the UK.

Ireland’s ID card plans are hidden within the recently-published eGovernment Strategy 2017-2020, which is described in typical government-speak as follows:

“The Strategy takes note of the contextual changes of the last few years such as technology innovation, a more joined-up Civil Service and developments across the EC, particularly GDPR [the new EU privacy laws], the eGovernment Action Plan and the Digital Single Market.”

Later on in the document, the issue of how the Irish government will manage identity is discussed briefly:

“We will develop our existing e-ID capability – we recognise the value of eIDs as a means to protecting our people and our businesses against fraud; improving the overall user experience, avoiding the requirement for the public to provide the same information to Government numerous times; and helping Public Service fully align with Data Protection principles and legislation. The e-ID and the Digital Services Gateway will be the means for single sign-on/authentication and verification/update of general information (e.g. simple address information), using the “tell us once” principle.”

It is only in Annex B of the strategy that the plans to introduce what turns out to be an ID card are mentioned:

“the Public Services Card (PSC) infrastructure is the Government’s standard identity verification scheme, which is to be used for access to all public services where appropriate. As such, the widespread adoption of the PSC infrastructure, including its online counterpart MyGovID, to underpin access to public services by citizens is critical to the successful delivery of the eGovernment strategy”

As that reveals, the Public Services Card (PSC) – which the Irish government studiously avoids calling an ID card – will be used for access to public services. These include key ones such as applying for a passport and obtaining a driver’s license. The Annex notes that some will require something called “SAFE” registration. A PowerPoint presentation on the Irish government Web site explains that SAFE – the Standard Authentication Framework Environment – is a set of rules-based standards for establishing and authenticating identity in order to provide access to public services. It also includes the PSC “identity token” – an ID card, in other words.

Putting that all together, the Irish eGovernment Strategy means that in order for the country’s citizens to be able to drive a car, or travel abroad, they must have a PSC. In fact, the Irish government’s plans go far beyond simply introducing these ID cards by stealth. As the Digital Rights Ireland organization explains:

“The Public Services Card is actually much bigger than the card itself. It is a plan that will result in the linking up of private, intimate details of Irish citizens’ lives across all sections of government, including the education system, Gardai [the Irish police force] and the Health Service. There is no legal framework to provide for this to be done in a fair, safe and legal manner.”

The key problem is the lack of public debate in Ireland about the introduction of this far-reaching consolidation of personal data held by the government. In the absence of that discussion, it’s worth looking at a document written by the UK’s Information Commissioner, Richard Thomas, whose role is to be a “champion of public openness and personal privacy.” It was issued in 2004, during the early days of the UK debate about ID cards, and listed the Information Commissioner’s concerns about the ID card scheme. Thomas pointed out the the UK proposals – just like those of the Irish government – were not only about an ID card, but also an extensive national identity register, complete with a national identity registration number. He wrote:

“I also have concerns in relation to the wide range of bodies who can view the record of what services individuals have used. This will enable the Government and others to build up a comprehensive picture of how we live our lives. However, individuals will not know which bodies have been accessing their personal information because the draft bill removes the right to see their own information.”

Digital Rights Ireland has similar concerns about the PSC and the linked-up databases. It points out that tens of thousands of public servants and contractors could have access to parts of these national data sets, and yet there seem to be no plans for how this access will be controlled. The scope for disastrous leaks of highly-personal data is evident. In fact, the Irish government department that lies at the heart of the plans for the PSC and associated database, the Department of Social Protection, suffered hundreds of privacy breaches a few years back. More recently, an Irish police officer was convicted of illegally accessing personal information held on the country’s police database. With more data accessible by more people, the risk is that these incidents will increase.

The Irish government insists that it is not mandatory to obtain the Public Services Card. That may be true in a theoretical sense, but for all practical purposes, anyone who wants to live a normal life in Ireland will indeed be obliged to obtain a PSC, and thus become part of the databases that lie behind it. The enormity of that transformation ought to require a particularly deep and frank public debate about the implications of such a move. Instead, the Irish government is trying to introduce this national identity card system by stealth. Given the UK experience of massive resistance to the idea, that probably isn’t a very wise approach.

Featured image by Ireland’s Department of Service Protection.