The Irish data protection commissioner has slammed its government’s implementation of a public ID card, finding no legal basis for public bodies to insist that people use the card when receiving services.

The public service card (PSC) was first introduced in 2011 and was originally designed as a form of ID for social welfare recipients in order to curb fraud.

Instead, the commissioner states that the card has been reduced to little more than a form of photo-ID. This then led to a situation where departments sought ‘alternative’ uses for the card.

In a damning report that is yet to be published in full, the Irish data protection commissioner stated: “We were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept.”

“Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset.”


The public service card has been required to receive other public services in Ireland such as obtaining a driver’s license. The commission has stated that this was not the original intent and the state has no legal basis to ask people for personal data, via the card, that has no relation to non-welfare services.

The commission has given the Irish government 21 days to stop the processing of all personal data that has been collected in relation to people not using it to collect social welfare awards.

For the Irish data protection commission, a key challenge for all parties involved in projects like this is the ‘striking of a balance’ between the operation of the State, as it tries to serve a whole population, and the individual who is the subject of the collection and processing of personal information.

Unfortunately, the commissioner found in her investigation that: “There is no evidence of any such balance being re-examined on each occasion when a new form of use is identified for the card. That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights.”
