45. Deputy Clare Daly asked the Minister for Employment Affairs and Social Protection the number of face biometric data records collected through the administration of the public services card that are held by her Department; and the security protocols and policies in place to prevent a leak or breach of data records, including biometric data records collected by her Department through the public services card system. (Question 19302/18 asked on 03 May 2018)
Minister for Employment Affairs and Social Protection (Deputy Regina Doherty): Biometric information is information about the measurements of human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns and hand measurements and it is typically used for authentication purposes. The Public Services Card (PSC) does not store biometrics. While the card does store the person’s photograph and it appears on the card, it does not store the biometric or arithmetic template of that photograph. Nor is the biometric or arithmetic template of the photo stored in the PSI dataset or shared with other public bodies. My Department uses facial image matching software to strengthen the SAFE registration process. To date, just under 3.26 million PSCs have been produced. The normal digital photograph in JPEG format is captured during the SAFE registration process and is inputted into and stored in this facial image matching software. It is then modelled and searched against the Department’s photo database to ensure that the person in the photograph has not already been registered using a different Personal Public Service Number or a different identity dataset.
The software compares photographs by converting the image into an arithmetic template based on the individual’s facial characteristics and checking it against the other image templates already held in that software’s database from other SAFE registrations. It is a similar approach to that taken by the Passport Office in its systems when processing passport applications/renewals.
The arithmetic models behind the photographs are never stored on the PSC or in the Public Service Identity dataset. They are stored only in the facial image matching software’s database held in the Department’s own secure datacentres.
The Department does not ask for or collect biometric data from our customers e.g. fingerprints or retinal scans. Neither does it use advanced facial mapping cameras when taking the photo as part of the SAFE registration process. The process involves the digital photos collected being passed through a piece of facial matching software to detect and prevent error or suspected fraudulent activity.
It is also important to note that the application of this technology has detected a number of cases of serious identity fraud, some of which have been successfully prosecuted through the courts on indictment, with significant custodial sentences being imposed. .
I should also emphasise that my Department takes its responsibilities in relation to data protection and protecting the data of its clients very seriously. The Department has data protection and information security policies, standards, procedures and guidelines in place governing the use of its computer systems and customer data.
Access to the Department’s applications and associated information is restricted to authorised individuals and for the purpose intended. Access is based on the principles of ‘need-to-know’ and ‘need-to-use’. Access to the facial matching system is managed by a designated system administrator(s) who creates and manages system access accounts for authorised users. These access rights are allocated based on the specific requirements of a user’s role whereby an individual staff member is permitted the minimum access rights required to complete their assigned tasks. There is full and comprehensive logging of all actions and events that occur in the system. The Department has a dedicated security function in place and works closely with Government Networks and the Department of Communications, Climate Action and Environment to ensure that networks and systems are protected from unauthorised access, malware and viruses.
I hope this clarifies the matter for the Deputy.