Neither the Minister for Employment and Social Protection, nor- it seems- the Secretary General of the Department appear to know what Biometric Data is.
This is concerning as the Dept is the largest processor of biometric data in the State, thanks to the #PSC card database.
What we can infer is that the Depts new Data Protection Officer (whoever she or he is) *does* know the definition of Biometric Data and so they put it in the Privacy Notice that they were processing it.
(That’s a thing you have to do now, per GDPR)
We know the Minister has asserted that the Dept of Employment and Social Protection doesn’t collect biometric data. At all. (Small video of just the most recent of those statements)
Oh hey, look. Remember me saying it was critical to know who had signed off on the changes to the Department’s Privacy Notice that removes the acknowledgement that the Dept processes Biometric Data?
@CathMurphyTD asked. Turns out the SecGen did it when the DPO wasn’t in.
That nugget from this AGOG-making @ElaineEdwardsIT piece on the hasty trampling of the @welfare_ie ‘s DPO Independence by a SecGen who neither knows the meaning of the word Biometric, or - we now know-*appropriate*. irishtimes.com/news/ireland/i…
The Minister claims the PSC’s photos (both printed and stored digitally on the card and in the Dept database) aren’t Biometric because they’re just photos of faces, and-they say- that can’t be what biometric data is.
This is wrong.
The Dept DPO knew it was wrong.
So, when that admitting that truth (the Dept does sometimes process biometric data) became inconvenient the SecGen ordered the DPO’s work on the Privacy statement to be changed, without their agreement (or maybe even knowledge)
This is now much more serious.
I've set out some of the basis for my (pretty confident) assertion that neither the Minsister nor the SecretaryGeneral of @welfare_ie understand the meaning of "Biometric Data", unlike the Department's DPO.
The SecGen changing the Dept’s Privacy Notice because it had a politically embarrassing truth (the Dept processes biometric data), without the agreement of the DPO is the opposite thing to an “appropriate” change.
Meanwhile, how's the DPC's investigation into the PSC going?
From a PQ answer today:
I've added links to sources for all my citations in the blogpost explaining why every element of European Law and regulatory opinion agrees that
The Facial Images on the PSC are Biometric Data
Includes GDPR, CJEU caselaw, ECHR caselaw, Article 29, DPC
This has turned into an extraordinary tale. Here's the Minister explaining how her Secretary General came to rewrite the department's privacy notice when it was pointed out that it, correctly, said the Dept processed biometric data.
The answer concedes, in its last paragraph, that the original Privacy Notice was correct, because the process the Minister describes is an admission of processing biometric data.
Today’s FOI release confirms that neither the @welfare_ie DPO, whose team had drafted the Dept’s Privacy Notice, nor his office team knew or approved the changes made by the Sec-Gen to it. Changes which made it go from correct, to wrong.
This FOI release has lots of lovely bits, but my favourite is where they redacted two lines from an email and then forgot to redact the same lines from the same email appended at the bottom of the reply.
Thus do we know that the DPO has been overruled by the Sec-Gen in his role
I presume the remaining redaction is where the DPO’s office says “So that’s how come we are processing biometric data”
Now, it is a significant thing that the Privacy Notice for the Dept @welfare_ie is wrong, making all the biometric processing the department does unlawful.
But, frankly, it’s not the most important thing here any more.
The Dept @welfare_ie is the largest processor of sensitive personal data in the state.
It’s Sec-Gen has interfered with the DPO’s role as drafter of the Privacy Notice, but also as arbiter of Data Protection in the Dept.
The Sec-Gen’s Official position is, the DPO is wrong.
If the Dept @Welfare_ie doesn’t have a Sec-Gen who understands or respects the independence of the DPO in the key data-controlling Dept of the state, we have an immediate and severe problem.
And, we can now see, it doesn’t.
Here’s the Sec-Gen, deciding to just rewrite (and make inaccurate) the Privacy Notice without reference to the department’s DPO.
A DPO is not part of the normal hierarchy of an institution. On Data Protection matters, they are the final say.
Article 38 GDPR is critical.
As her enquiry sparked this crisis I’ve passed the full FOI to @ElaineEdwardsIT (because that is what this is- a crisis- the refusal to implement data protection law, mere weeks after it comes into force by the head of an EU member state’s largest state Data Controller)
As it has even more jaw-droppers in it than you’ve seen here, I’d hope there might be some good reading in the auld @IrishTimes shortly.
In 2011 the Dept of @welfare_ie collected up biometric voice prints of people to pilot identifing them when they called.
The Dept, as recently as July of this year were aware of this processing and referred to it as an achievement in their modernisation programme.
The Department, in its submissions to the Data Protection Commissioner on the #PSC, acknowledged that its “arithmetical template” was another term for a biometric record.
In 2011, the Department of @Welfare_ie published their policy paper on reducing fraud.
They unhesitatingly acknowledged that the photograph on the #PSC card is a biometric record, a true fact flatly denied by the Dept’s Sec-Gen as he overruled the DPO
The 2015 Dept @welfare_ie Annual Report on fraud prevention was proud of how the getting a #PSC card forced a citizen to undergo “biometric capture” (ie, the collection of their facial characteristics by the taking of a biometric photo)
The Sec-Gen specifically denies this.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Thought I’d give you a quick round up of where we are with the Public Services Card scheme. Because these things go in months or years long arcs, it can be helpful to take stock. #PSC
The #PSC project sees the Dept of Social Protection (DEASP) acting as joint Data Controller with the Department of Public Expenditure and Reform (DPER) over a database of citizen’s identity, called the Single Customer View.
The PSC is the card attached to that database.
At some point in the past, DPER decided it wanted a single ID card and database which would be used throughout the public service to gain access to services- and they preferred to call it a “Public Services Card”, instead of, you know, an ID Card.
Today’s Sunday Times (um, [insert link to print paper]) reports that the DPC’s #PSC investigation report has found @welfare_ie’s claimed legislative power
“does not provide a sound legal basis to compel people to have a card to access other public services”
As the state cannot rely on consent (as any consent could not meet the requirement for being freely given, given the power imbalance), this- if it stands- would mean that all of the processing done without another legal basis would be in breach.
I gave evidence to the Joint Oireachtas Committee on Social Protection on 8th February this year, trying to warn of this self inflicted crisis.
I have blocked the Senator, previously. But this statement- attempting to defend a Bishop’s earlier statement by asserting not all unwanted sex is rape- is sufficiently telling to be worth spreading, as an example of why registering to vote is worthwhile.
This was the Bishop’s contribution to public discourse.
Bishops gonna bishop. But as an NUI Senator, Senator Mullen is taken to represent me (an NUI grad). I’d prefer it it were otherwise.
The Government has just lost on an amendment in Seanad proposed by @aliceeire to Data Protection Bill. They've called for a walk through vote. The amendment would limit the powers of Ministers to act, by ensuring doing so would only be where it was necessary and proportionate
Nope, reversed after a whip around of extra senators by the Gov side, and with the casting vote of the Chair.
Today, on and off, I have been reading the newly published Data Protection Bill, which is 132 pages long, being introduced via the Seanad, and needs amendments submitted by next Tuesday.
Unfortunately you can’t table an amendment that says “this is terrible”.
It is the worst.
I’m going to have to blog it over the weekend.
I think Section 54(3) a list of made up exemptions for the state not in the EU law that the State wishes had been in the Regulation *might* be the worst.
But then I think: What about Section 56(6) where the state wants to pretend it can exempt itself, or anyone, from anything it thinks is in the public good?
This is quite significant. Irish Water relied on their Schedule 5 status to collect PPS Numbers. (the same basis @welfare_ie used to justify DPER Processing data on their behalf.)
Then they had to destroy all those records when they couldn’t produce a Ministerial Agreement.
The 2014 Agreement starts off as an Agreement between Ministers (as you might expect).