The Data Protection Commission is carrying out an investigation into the facial recognition data held by the Government as part of its Public Services Card project.
It comes after the body completed its initial investigation into the way the Government has been using the card - and warned that it is in breach of several aspects of data protection law.
The watchdog is demanding immediate action to fix the problem.
Various state agencies use the Public Services Card (PSC).
It's most commonly used by people to access social welfare payments, but is also required for services form other departments - such as first-time passport and driving licence applications.
In the report released today, the watchdog said it has no issue with the Department of Social Protection (DEASP) processing personal data on the card so that it can be used to claim social welfare.
However, it said it objects strongly to the information being processed by other state agencies - a situation which the commission says is in breach of data protection laws.
It means most state bodies will no longer be able to insist a person has the card to access public services.
The report also criticised the information provided by the department to the public about the use of the card and the processing of their personal data.
Thirdly, it found that the Department is holding on to the data used to prove a person's identity for longer than it needs to.
It said the Department is entitled to keep information such as name, age and gender - but must delete the documentation submitted to prove those details once it is satisfied a person is who they say they are.
On The Pat Kenny Show this morning, Data Protection Commissioner Helen Dixon said the watchdog will submit a second report on the facial recognition data held by the department in the coming months.
"We are looking at the photo-matching personal data generated as a result of the process that the department is implementing [...] as a second report that will issue to the Department in the coming months.
"So we have yet to make some findings on that specific area."
She said the watchdog understand that it is "difficult and challenging " for the Department of social Welfare to put a system in place the efficiently eliminates fraud, but said the Government has responsibility to be "100% sure" the system is lawful.
"As a data protection authority we are all in favour of efficient public services administration," she said.
"We are in favour of efficiency for the service user as well and making it as easy as possible for them - but equally, we have to insist that there is that lawful basis underpinning whatever is implemented."
She said it is unclear why some departments feel the card is more efficient when it comes to proving personal details.
"It is very difficult currently to establish what the PSC actually represents proof of.
"If you want to renew your driver licence, you can bring the PSC with you - in fact it is the proffered form of photo ID.
"If you choose to bring your passport instead you have to additionally bring evidence of PSN, proof of address and proof of entitlement to residency in Ireland and actually the PSC does not provide proof of address of proof or entitlement to residency."
Public Services Card
The commission is demanding the department contacts various agencies to tell them the card can no longer be mandatory.
According to the report, bodies other than DEASP "cannot insist that a person who does not already hold a PSC must obtain one as a pre-condition of accessing public services provided by that body".
The DEASP has now been given six weeks to come up with plan to make changes to the PSC scheme.
However, it has only 21 days to implement two measures - including stopping all processing of personal data related to PSCs being issued for purposes involving public bodies other than the department itself.
"Far-removed from its original concept"
Explaining their findings, the Data Protection Commission said: "We were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept.
"Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset.
"Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found."
In a statement, the Irish Council for Civil Liberties (ICCL) welcomed the DPC report.
Elizabeth Farries, ICCL Information Rights programme manager, said: "We support the immediacy of the DPC’s enforcement measures.
"They are appropriate given that the card lacks a legal basis, is unnecessary, and presents serious risks to the highly sensitive personal data it collects."
Additional reporting from Michael Staines