PSC – What’s all the fuss about a little card?

The Public Services Card (PSC) has become something of a “hot-button” topic in recent weeks. It’s been featuring on the national radio stations in the last week with plenty of discussion taking place. So in this post I’ll try to set out what is happening and why you may want to be concerned or not, as the case may be.

What is the PSC?

According to the Department of Social Protection (DSP):

The Public Services Card (PSC) helps you to access a range of public services easily. Your identity is fully authenticated when it is issued so you do not have to give the same information to multiple organisations.

They started being rolled out by the DSP in 2011 and were used for people claiming welfare benefits.

What’s all the fuss about so?

Well, one issue is that its usage is expanding and it’s causing concern to data privacy advocates. As you can see from the DSP website (linked above) the PSC is now being used for the following purposes:

  • Access to Social Welfare Services (including Child Benefit and Treatment Benefits)
  • First time adult passport applicants in the state
  • Replacement of lost, stolen or damaged passports issued prior to January 2005, where the person is resident in the State.
  • Citizenship applications
  • Driver Theory Test Applicants
  • Access to high value or personal online public services, e.g. Social Welfare and Revenue services, via MyGovId, the mechanism for accessing public services online.

They also indicate that the future plans for the PSC are as follows:

  • September 2017 – School Transport Appeal
  • November 2017 – Treatment Benefit (DSP)
  • March 2018 – Driving License Application
  • April 2018 – Student Grant Application (SUSI)
  • Quarter 3 2018 – Proof of Age card
  • September 2018 – School Grant Appeal, Online Health Portal and individual access to AgFood.ie
  • Quarter 4 2018 – Passport Application

That’s a lot of services being supported by this one card. A big issue for the data privacy types is that there is no indication that any proper Data Privacy Impact Assessment (DPIA) has been carried out to show that the government/civil service has given data protection any consideration in the roll-out of this card. If you recall my recent post about what happened in Sweden, when a government/civil service fails at data protection, people’s lives can be put in jeopardy.

Wait! What was that MyGovID thing?

Yeah! I hadn’t heard about this either until this story took off. According to the FAQs on its website:

MyGovID is an online identity service that enables the access of online public services in a safe and secure environment.

That sounds nice. Why haven’t we heard about this more? Has there been any discussion on this? I think I’ll be coming back to this one soon.

We have a Data Protection Commissioner. What have they been doing about it?

According to an article in the Irish Times:

In a statement, the Data Protection Commissioner said that while a framework to authenticate identity for individuals availing of State services was “an entirely legitimate government policy choice”, the means of communicating what data was being collected, for what purpose and with whom it may be shared needed to be adequately addressed.

“We have strongly conveyed our views on numerous occasions to the Department of Social Protection and in a number of other fora that there is a pressing need for updated, clearer and more detailed information to be communicated to the public and services users regarding the mandatory use of the PPSN and PSC for the provision of public services,” it said.

At least the DPC statement finished with something hopefully positive:

At this point, DPC has now secured D/SP agreement to publish a comprehensive FAQ, the questions for which the DPC has supplied, that would fully clarify all of the arrangements around the personal data collected for the PSC i.e. How it is secured?, Who can access it?, How it interfaces with the Single Customer View & MyGovID? How it will interface with the published General Scheme of the Data Sharing and Governance Bill? etc.

What I found most concerning in the Data Protection Commissioner statement was the following:

The DPC is also aware that the 2015 Comptroller and Auditor General Report on the PSC specifically asserted that:
“There is no single business case document for the PSC, setting out at a high level all of the information needed to get the project started (scope, justification, funding, roles and responsibilities), and which communicated this key information to the project’s stakeholders”

That sounds to me like a bunch of bureaucrats gathered in a pub one night, having just finished launching the PSC for people claiming benefits from the DSP, and one of them said “Right. We’ve got this card out there. What else can we use it for?” and the others started shouting out “Drivers Licenses!”, “Passports!”, “Student Grants!” and then they wrote them down on a beer mat (coaster to my foreign followers) and headed off to Coppers for the disco.

If you recall the other recent story I posted about, where a different state agency was looking to spy on tourists, I’d be really concerned about what the civil service is up to, and linking all of these services to one single card can be dangerous.

But won’t linking all these services together improve efficiency?

Theoretically yes, if it’s done properly and securely. However, the government/civil service is not well known for doing things properly and we have no idea if this is being done securely, because they are not telling us anything about how they are securing the thing.

So what are the risks?

This card is the central key to a growing number of government services. If they do not properly secure the personal data that is associated with this card, then evil doers may be able to compromise crucial and sensitive parts of your life.

I would liken it to your main e-mail account. The one that you use all the time and is associated with all of your online life (social media, online shopping, travel bookings, etc.). If you don’t use a unique and super strong password and two-factor authentication on this e-mail account, then if somebody gets access to your e-mail account they can compromise everything associated with it. They can find all other services that you registered with your e-mail account and take these over, changing those passwords by using the forgot password feature to send password resets to the e-mail account they have just taken over.

So with the PSC, if the personal data isn’t properly secured, the bad guys could potentially interfere with your social welfare benefits or the application for a passport. We just don’t know how well secured it is.

OK, you’ve convinced me, I won’t get one so.

Well, you might not have a choice. They say you don’t have to get one if you don’t want to, but you won’t be able to draw benefits from the Department of Social Protection. For example, there was the case of the pensioner who refused to get the card and has been prevented from claiming some €13,000 in pension payments over a period of 18 months.

The Road Safety Authority won’t let people apply for the driver theory test without one, so it is kinda becoming something that is mandatory. There is a whole debate going on as to whether it’s compulsory or mandatory and whether there is any supporting legislation for the card in the first place. I’ll leave that to the legal minds of this country.

Where to now?

I would certainly not like to see the PSC usage expand until they have answered the questions set out by the Data Protection Commissioner to their satisfaction.

I also would like to see the legal types among the privacy advocates being satisfied that there is good and proper legislation put into place to correctly support the use of this card. That’s probably going to be a bit of a stretch.

So for me it’s a wait and see. But I will be keeping a close watch on this.