William Aird: DPC warns of risk of de facto national ID

William Aird questions the Data Protection Commission on the risk that voluntary public service card use could become effectively compulsory when used by banks, landlords or utilities. He probes safeguards, GDPR consent, biometric processing and the DPC's enforcement role amid an ongoing appeal of its inquiry.

Key concerns


The Data Protection Commission acknowledges a real risk of function creep around the public services card. The DPC highlights examples from landlord checks and says the department must set clear limits on what the card can be used for and the DPC will monitor enforcement.

Consent and GDPR


The DPC stresses that any use of the public services card must respect GDPR: consent should be genuinely freely given and it should be as easy to withdraw consent as to grant it. The witness said the present amendments should fully embed GDPR consent requirements in the process.

Biometrics and legal process


On biometric processing, the DPC recalls its 2025 inquiry and the nine-month period given for the department to bring biometric processing into compliance. That decision has been appealed and the matter is now before the courts, limiting further comment.

William Aird — moment from remarks: William Aird: DPC warns of risk of de facto national ID (12.05.2026)

Oversight and proportionality


The DPC said it has not identified breaches of necessity and proportionality in the general scheme so far, but underlined that the department and minister must manage and monitor card use through the Act while the DPC enforces GDPR standards.


Transcript
Can I just ask the first question? Does the Data Protection Commission see a risk that although public service card use, you know, with third parties is voluntary, banks, utilities or landlords could effectively make it required? What safeguards would prevent this becoming de facto compulsory?

I think there is a risk there. We've seen that perhaps with the DPC's work in the space of landlords. You mentioned landlords in particular seeking perhaps excessive personal data in order to grant people access to properties. We would, I suppose, look to see that first of all handled by the department in clear transparency once this legislation or if this legislation comes through as to what the public services card can be used for. And then we'd have to look at our own enforcement mechanisms to monitor the use of it by different sectors and to ensure that it hasn't been inappropriately compelled for production.

Is the Data Protection Commission satisfied that the concept to include data on the public service card is really freely given and can be withdrawn without any disadvantages in practice when dealing with the public service?

I suppose to date from our engagement with the department through the consultative process, we haven't identified any matters giving rise to significant concern in this that it will be handled in a consensual manner. And as I mentioned to a previous question, it must be in accordance with the GDPR as easy to withdraw consent as to grant it and it should be facilitated.

Does the Data Protection Commission consider there is a risk that expanded public service card users could lead to a function creep towards the de facto national ID system and what limits would be needed to prevent that?

I think I would maybe go back to Dr Fari's answer to the previous question on that in that our investigative work in the two inquiries to date have looked at the specific legal basis for the public services card rather than I suppose the policy objectives which I think would, in the view of the DPC again, be best addressed through, as I've called for, a comprehensive review of the legislation by government on all of the underpinnings.

Given that the Data Protection Commission's previous findings on unlawful biometric processing, can you clarify whether a fully compliant legal basis for the public service card biometric system now exists? And if so, why is it not explicitly addressed in Head 7 of this bill?

I suppose from the DPC's point of view, at the conclusion of our 2025 inquiry, we provided a time period of nine months for the department to bring its processing of biometric data into compliance. There were preliminary conversations with the department around possible legislative moves to do that. However, the inquiry decision was subsequently appealed and it's now in the hands of the court to see whether our findings in fact will be borne out.

Do you accept the concern that even if the public service card use is framed as voluntary, its expansion into private service risk creating the de facto mandatory national ID system through function creep and institutional pressure?

I think the risk is certainly there and that's the risk that will have to be managed. First of all, I would say by the department as the owner of the card and by the minister as the owner, which the amendments also further make clear, we would expect that the department will seek to manage and monitor the use of the card through the Act. I suppose the DPC as a regulator will, through the lens of the GDPR, monitor and enforce the processing of data in this context. But certainly, I think the risk exists. It's there to be handled.

How do you reconcile the stated aim of supporting vulnerable groups with the previous DPC findings that the public service card biometric processing may have unlawfully affected the same groups and what concrete safeguards now prevent reoccurrence of this?

I suppose I would divide those into two. In looking at the present amendment, we can take the department's view that allowing for the voluntary use of the public services card can be of benefit to those individuals who perhaps don't have a passport, don't have a driving licence and in particular where the passport costs money whereas the public services card is free. We see that argument. Again, in relation to the biometrics, I suppose I'm limited in what I can say until the outcome of the appeal of our decision.

Do the witnesses believe that the data sharing provisions in the general scheme meet the GDPR standard of necessity and proportionality? Are there areas where the powers drafted are overly broad?

We haven't identified anything that we consider is in breach of the principles of necessity and proportionality.

What specific safeguards should be written directly into the legislation rather than left to regalisation or departmental policy to protect citizens' personal data?

In terms of the present amendments, I think ensuring that the process fully embeds the requirements of the GDPR with regard to consent.

Has the department adequately justified the scale of personal financial data processing proposed under the scheme, particularly for fraud prevention purposes?

Again, I think the fraud prevention purposes of the processing of the card are subject to the DPC's inquiry decision which is before the courts and I can't comment much more on that.