a public services card with a woman (Cathleen Ni Houlihan) screaming

Assessment of PSC facial recognition software reveals Department of Social Protection has known its biometric processing arising from the PSC is illegal

9 June 2023

A Data Protection Impact Assessment (DPIA) of a facial matching software upgrade for the Public Services Card (PSC) in 2021:

  • Failed to identify any legal basis under Article 9 GDPR for the creation of a biometric photo and template database of 3.2 million cardholders; 
  • Admits that individuals were not given information on the legal basis of processing at the time of PSC biometric photo data collection and acknowledges that as a breach of transparency; and 
  • Identifies a risk that sensitive personal data is being held for longer than necessary or lawful. 

This document was obtained under the Freedom of Information Act by the Irish Council for Civil Liberties (ICCL) and Digital Rights Ireland (DRI). It reveals for the first time that the Department of Social Protection has known that its biometric processing of personal data arising from the PSC project is illegal.  

It noted that cardholders were not directly informed about the biometric processing involved in obtaining a PSC during face-to-face interviews for the same. 

In addition, it found a leaflet issued by the Department of Social Protection neither provided sufficient detail about the use of the facial recognition software, nor a legal basis for the biometric processing. 

The DPIA indicates the Department of Social Protection has built a national biometric database of 3.2 million cardholders’ unique facial features since 2013, including, in some cases, those of children. It also indicates that the Department is intent on retaining each cardholder’s biometric data for their individual lifetime, plus 10 years. 

Olga Cronin, Surveillance and Human Rights Policy Officer, ICCL, says: 

“The Department has been building a national biometric database without a relevant legal basis and without transparency. It continues to collect people’s biometric information in exchange for services they are legally entitled to. This must stop. This processing is unnecessary, disproportionate, and presents a risk to people’s fundamental rights.” 

Antoin O Lachtnain, Director of Digital Rights Ireland, says: 

“The Data Protection Commission has been investigating the biometric element of the PSC for a number of years now. This DPIA document must be in its possession as part of that investigation. Given its legal failings, the DPC must publish its findings as soon as possible.” 

Fieldwork for the DPIA began in October 2019 and it was completed in July 2021 - 10 years after the Minister for Social Protection recently stated the Department started processing biometric data as part of the SAFE registration process in 2011. The DPIA states the reason it was carried out was because an upgrade to the then facial matching software, in place since 2013, involved a new algorithm.  

Work on the DPIA began two months after the Data Protection Commission, in August 2019, found significant legal issues with the PSC. The DPIA’s authors say that the Department did not consult with cardholders during the DPIA process.  

A Data Protection Impact Assessment (DPIA) is an assessment carried out to identify and mitigate against any data protection-related risks of a project where personal data is processed. Under the GDPR it is mandatory for a DPIA to be carried out in respect of scenarios where the processing of personal data would be considered high risk. Prior to the GDPR, while not mandatory, it was best practice to carry one out. 

Apart from the 2021 DPIA, ICCL and DRI also sought, under FOI, a copy of each DPIA carried out by the Department since the Department started processing biometric data as part of the SAFE registration system in 2011, but were told no such records existed. 

The DPIA obtained confirms that, as of July 2021: 

  • The Department used the facial matching software in the following manner:  
    • “The normal digital photograph (in JPEG format) captured during the SAFE registration process is input into and stored in this facial image matching software. It is then modelled and searched against the Department’s photo database to ensure that the person in the photograph has not already been registered using a different Personal Public Service Number or a different identity dataset. The software compares photographs by converting the image into an arithmetic biometric template based on the individual’s facial characteristics and checking it against the other image templates already held in that software’s database from other SAFE registrations. The process is already in place, the new element is the upgrade to the facial matching software. The upgrade to the facial matching software aims to improve performance and functionality.” 
  • No DPIA was previously carried out before the 2021 DPIA;  
  • The Department was not transparent about the use of people’s photographs, including the creation of their biometric template and it didn’t directly inform people about the biometric processing;  
  • A ‘SAFE registration and your personal data’ leaflet neither provided sufficient detail about the biometric processing, nor a legal basis for the biometric processing;
  • The State failed to provide any legal basis under Article 9 of the GDPR, which provides for the processing of special category personal data (which includes biometric data). Instead the DPIA states the State was relying on Article 6 of the GDPR, and the Social Welfare Consolidation Act 2005. These enactments do not provide for the processing of biometric data. 

    Ends

    Notes to Editors

    Available for comment: Antoin O Lachtnain, Director, Digital Rights Ireland (087 240 6691)

    For media queries: ruth.mccourt@iccl.ie / 087 415 7162

    Download the DPIA (PDF)

    A timeline of the Public Services Card

    2009: In December 2009, the Department of Social Protection entered into a contract with a supplier at a fixed price of €19.7million plus 21% VAT to produce 3 million PSCs by end of 2013 - 2,095,000 standard cards and 905,000 free travel variant cards. 

    2011: In 2011, the PSC and the purported role it could play in terms of cracking down on ‘welfare fraud’ gained new momentum due to the recession, Troika loans and emphasis on austerity measures. 

    End of 2011: Around 4,000 PSCs are issued in Ireland. 

    April 2012: The Department awarded a contract for facial matching software, worth almost €213,000, to 3M Ireland Ltd. 

    April 2012: The Social Welfare and Pensions Bill 2012 is introduced. During debate on that Bill, the then Minister for Social Protection Joan Burton announced that she would be proposing a change in the law, saying: “Under the existing legislative provisions there is no mandatory requirement for a person to allow for his or her photograph and signature to be captured and reproduced in electronic format for purposes of a PPSN allocation, public services card and claims for social welfare benefits. I will be proposing a change to provide for the introduction of a new condition for any new claim for social welfare payment that the claimant must satisfy the Department as to his or her identity including allowing for electronic capture of photograph and signature.” 

    25 April 2012: During committee stage of the Bill, Ms Burton introduced a raft of amendments to the Bill totalling 23 pages and they included provisions related to the PSC. 

    Fianna Fáil’s Sean Fleming complained at the outset of the debate that he and his Dáil colleagues only received the amendments at midnight the previous night. He also said the list of amendments (at 23 pages) was as long as the bill itself. Ms Burton told the Dáil, in response to a question from a Sinn Féin TD, that the Attorney General had “worked really hard” to bring forward amendments to the Bill in order to give power to social welfare inspectors at ports and airports to ask questions of people. The amendments included an amendment to Section 241 of the Social Welfare Consolidation Act 2005. A subsection (1C) was added to Section 241, stating that “for the purposes of satisfying himself or herself as to the identity of a person who makes a claim for benefit, the Minister may, without prejudice to any other method of authenticating the identity of that person, request that person: “(a) to attend at an office of the Minister or such other place as the Minister may designate as appropriate, (b) to provide to the Minister, at that office or other designated place, such information and to produce any document to the Minister as the Minister may reasonably require for the purposes of authenticating the identity of that person, (c) to allow a photograph or other record of an image of that person to be taken, at that office or other designated place, in electronic form, for the purposes of the authentication, by the Minister, at any time, of the identity of that person, and (d) to provide, at that office or other designated place, a sample of his or her signature in electronic form for the purposes of the authentication, by the Minister, at any time, of the identity of that person.”  

    A new subsection (1D) was also added, stating that the Minister shall retain in electronic form any photograph or other record of an image of a person taken and any signature provided pursuant to subsection (1C). Similar language was introduced in Section 253 of the 2005 Act under a new subsection 263B. None of these sections provide for the biometric processing of people’s facial features. 

    26 April 2012: The Bill is passed and includes amendments on the PSC. 

    May 2012: 7,000 PSCs have been issued to date. 

    End of 2012: 100,000 people had completed the SAFE registration process necessary for getting a PSC. 

    2014: The Department’s 2013 annual report announces it used facial image matching software to help detect and deter duplicate registrations for the PSC. It also states that a number of suspected cases of identity fraud have been referred to the Department’s Special Investigation Unit for further investigation. 

    2015: The Department’s 2014 annual report says that “facial matching software has been in use since March 2013”. 

    July 2015: The Department launches mygovid.ie which allows people to register for access to the Department and other government online services, including an appointment to register for a PSC. 

    End of 2015: There are around 1,750,000 PSCs in circulation. 

    2016: Office of the Comptroller and Auditor General’s 2015 annual report states the PSC project failed to develop a business case when the Government took steps in 2004 and 2005 to roll it out. It stated: “There is no single business case document for the PSC, setting out at a high level all of the information needed to get the project started (scope, justification, funding, roles and responsibilities).” The C&AG also noted: 

    • Use of the card was to be piloted as part of driver licence applications by the Road Safety Authority, including theory test applications and driver licence renewals; and 
    • A trial issue of PSC to transition year students was to be completed in May 2016 and an initiative has commenced to roll-out the card to all transition year students in the 2016/2017 school year. 

    2016: In 2016, it became necessary for all first-time passport applicants aged 18 and over, and resident in Ireland, to present a PSC when making their application. 

    June 2016: ​​The total number of PSCs produced at the end of June 2016 was 2.06 million comprising 1.37 million standard cards and 693,000 free travel variants.  Of the 2.06 million cards produced at the end of June 2016, only 1.2 million (58%) had been activated.  

    May 2017: It was confirmed that anyone applying for a passport or driving licence in the future would need a PSC. RSA also announced (on May 5, 2017) that from June 1, theory test candidates would need a PSC to book their theory test …and PSC is also an ID requirement at the centres from June 17 onwards. 

    August 2017: Stories started to emerge about difficulties that people encountered while assessing welfare benefits and services related to the PSC. 

    August 2017: The Irish Times reports about a woman, in her 70s, whose non-contributory pension was stopped after she refused to register for the PSC. The Department owed her €13,000 but refused to pay her even though she offered to identify herself by other means. 

    August 2017: The Journal reports that a 29-year-old man with Down syndrome received a letter in which he was requested to attend an appointed time to register for the PSC which would replace his travel pass. The following day, the Minister for Social Protection Regina Doherty told Newstalk the PSC was “not compulsory but is mandatory” to claim social welfare benefits. 

    August 2017: The Data Protection Commission issued a public statement on the controversy and said there was a pressing need for updated, clearer and more detailed information to be communicated to the public and service users regarding the mandatory use of the PSC for accessing public services. The commissioner asked the Department to publish a comprehensive FAQ. This was eventually published in October 2017. In the same month, the DPC Helen Dixon launched a formal inquiry into the PSC. 

    February 2018: ICCL and Digital Rights Ireland went before the Joint Committee on Employment Affairs and Social Protection for what was the first specific and widely publicised debate in respect of the legislation regarding the PSC project. ICCL and DRI explained to the Committee that: 

    • The PSC failed to meet relevant tests under the right to privacy with regard to its legal basis and with regard to its necessity and proportionality; 
    • There were concerns around lack of transparency; 
    • There were concerns around lack of clarity about the legal framework for the card as it had changed so many times over the previous ten years; 
    • The range of public services for which the PSC was the only acceptable form of identity had dramatically expanded since 2005 without proper legislative debate; and 
    • The PSC disproportionately affected people who were dependent on social welfare payments. 

    August 2019: The DPC published its findings which the State appeals to the Circuit Court. In summary, the DPC found: 

    • There is no legal basis for the Department of Employment and Social Protection (DEASP) to process personal data for the purposes of identity authentication or persons conducting transactions with public bodies other than DEASP; 
    • The indefinite, blanket retention by DEASP of certain documentation and information collected during the PSC application process contravenes the principle of not keeping data for longer than necessary; 
    • There’s a serious deficit of information provided to the public concerning the processing in question; 
    • The DPC orders the state to destroy the supporting documentation it was retaining on 3.2million people;
    • The DPC explains it will carry out separate investigations into (a) the Department’s use of biometric facial templates in the application of its facial matching software for the purposes of the SAFE 2 registration process; but noting, “The SWCA 2005 also does not make any reference to processing of photographs for matching purposes (i.e. using the CFIMS facial recognition software, which will be considered in a further separate report of the DPC…)”; and (b) the processing of personal data (and special category personal data) by the Department of Public Expenditure and Reform in the context of the Single Customer View (SCV) and MyGovID, the single account by which citizens may access government services on-line in Ireland.   

      October 2019: Martin McMahon made a complaint to the DPC accusing the Department of Social Protection of engaging in “mass surveillance” with regard to the collation of data from the free travel pass variant of the PSC. He alleged an excessive collection of personal data by the Department when people used the PSC as a free travel pass. 

      October 2019: Fieldwork begins on the first Data Protection Impact Assessment of the PSC for the Department of Social Protection (this is completed in July 2021). 

      April 2020: UN Special Rapporteur on Extreme Poverty and Human Rights Professor Philip Alston writes a letter to the Irish Government about the PSC, saying his analysis found that the PSC discriminates against the marginalised without a clear legal basis. ICCL provided a briefing on this letter to Oireachtas members. 

      August 2021: The DPC launches a new investigation into the Department of Public Expenditure’s (DPER) use of the PSC, following a complaint from DRI. The complaint alleges that the database underpinning the PSC was unlawfully made available to DPER and is being used by DPER in a manner that is not consistent with data protection rights. 

      December 2021: The Department of Employment and Social Protection withdraws its appeal in the Circuit Court, and finally acknowledges that other public sector bodies cannot compel individuals to get a PSC as a precondition to access public services. Alternative means to provide proof of identity must be accepted and those alternatives may be online or offline. 

      20 April 2023: In a written response to a parliamentary question from Social Democrats TD Catherine Murphy, Minister Heather Humphreys said: “The processing of personal data includes the creation and processing of biometric data from a photograph of the person concerned, to enable a check to be carried out as to whether the facial image matches an image already held.  A similar type of processing is carried out by the Passport Office and other Governmental authorities in many other countries, with responsibilities in the area of identification and authentication. The processing of biometric data has been an essential component of the SAFE registration process since it began in 2011. This processing is carried out by the Department on the Department's secure IT infrastructure. This biometric data is not stored on the PSC, nor is it shared with any other public body. The Department’s current contract for the provision of facial image matching software is due to expire in August 2023 and a Request for Tenders has recently been published, inviting tenderers to bid for a new contract. A Data Protection Impact Assessment (DPIA) was carried out in respect of an upgrade of the facial image matching system in 2021. My Department has responded in full to all queries from the Data Protection Commission related to its current investigation into the processing of biometric data during the SAFE registration process and looks forward to receiving the DPC's Draft Report as soon as it has been completed.” 

      May 2023: It emerges that the Department of Education has started mandating teachers to get a PSC in order to receive a new digital payslip. 

      May 2023: The Data Protection Commission (DPC) finds that the Department of Social Protection infringed the GDPR by failing to notify Martin McMahon when he received his PSC that in its use as a Free Travel Pass, personal data could be transferred to the Department of Social Protection. 

      May 2023: ICCL and DRI receive the 2021 DPIA of the facial matching system, requested under the Freedom of Information Act 2014. The DPIA’s overview states: “This DPIA examines the update to the Facial Matching Software used by the Department. The normal digital photograph (in JPEG format) captured during the SAFE registration process is input into and stored in this facial image matching software. It is then modelled and searched against the Department’s photo database to ensure that the person in the photograph has not already been registered using a different Personal Public Service Number or a different identity dataset. The software compares photographs by converting the image into an arithmetic biometric template based on the individual’s facial characteristics and checking it against the other image templates already held in that software’s database from other SAFE registrations. The process is already in place, the new element is the upgrade to the facial matching software. The upgrade to the facial matching software aims to improve performance and functionality.” The DPIA does not provide a legal basis for biometric processing under Article 9 of the GDPR which prohibits the processing of biometric data except in specific circumstances. Instead the DPIA says: “The Department relies on Article 6(e) of the GDPR as the lawful basis for the processing of personal data which takes place during the use of facial matching software. Article 6(e) states that processing is lawful if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The basis for processing referred to in Article 6(e) is laid down in law in the Social Welfare Consolidation Act, 2005 (as amended).” The DPIA also notes that cardholders were not directly informed about the biometric processing involved in obtaining a card, while a ‘SAFE registration and your personal data’ leaflet neither provided sufficient detail about the biometric processing, nor a legal basis for the biometric processing. 

      Download the DPIA (PDF)