The Irish Data Protection Commission (DPC) has published a statement regarding its investigation into certain aspects of the Public Services Card (PSC) scheme run by the Department of Employment Affairs and Social Protection (Department). The statement levels heavy criticism at the Department and the PSC scheme regarding how it dealt with the personal data of millions of citizens in Ireland. The DPC requires the Department to implement substantial changes to remedy the situation.
The DPC’s statement focuses on its findings of non-compliance of the PSC scheme with data protection law in two key areas:
- The legal basis on which the personal data of individuals is processed, and
- The transparency of the information provided to individuals on the processing of their personal data
The DPC started its investigation under the old, pre-GDPR data protection law. In conducting the investigation, the DPC was aiming to balance the interests of the State with the interests of the public. In the statement’s commentary, the DPC notes that there is little evidence that the Department undertook this balancing exercise when it was introducing new uses for the PSC. Overall, the DPC describes the PSC scheme as “lacking in coherence” from a data protection perspective.
Minister for Social Protection, Regina Doherty, has responded by indicating that the Department is considering the report, which has not yet been published.
Legal basis for use of PSC cards by other public bodies
The DPC’s first key finding is that there is no legal basis for processing of an individual’s personal data if the purpose is to issue a PSC card to enable that individual to transact with a public body other than the Department. This means that, for example, while the Department can still require a person to obtain a PSC card to obtain social welfare payments, there is no legal basis for the Department of Foreign Affairs to require a person to obtain a PSC card to apply for a passport.
The DPC highlights that the current PSC scheme is far removed from its original concept, which was a ‘chip and pin’ type card to make it easier for individuals to access public services. Unfortunately, few public sector bodies have invested in the technology capable of reading the chip, meaning the PSC has effectively been reduced to a limited form of ‘photo ID’.
The DPC is also critical of the fact that as new uses of the PSC were implemented, little attempt was made to revisit its rationale or review the legal framework in terms of data protection compliance.
The DPC’s investigation establishes that although one of the justifications for the PSC is for identity validation and fraud prevention, surprisingly PSCs are issued in some cases without the individual being required to submit to the full range of identity checks. The criteria for these exceptions are unclear.
Retention of data and transparency
In its second key finding, the DPC found that the Department is retaining the personal data of PSC card applicants for longer than is necessary. For example, it keeps photocopies of utility bills that individuals provided as proof of address when applying for a PSC.
The DPC also states that information the Department provides to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate and does not meet the transparency requirements of data protection law.
WHAT NEXT? ACTIONS AND CHANGES ON THE DEPARTMENT
The DPC’s findings mean that the Department has to urgently implement substantial operational changes. The Department has six weeks to submit a plan to the DPC to show how it will bring the PSC scheme into compliance with data protection law. It also has just 21 days to stop processing personal data in connection with issuing PSCs to individuals for transactions with other public bodies. In addition, other public bodies are no longer permitted to insist that someone has to hold a PSC to access public services.
Despite this, it is important to note that the DPC findings do not affect the validity or use of PSC cards that have already been issued.
Learnings from the DPC’s statement
What we have seen of the report so far reinforces the importance of both public and private bodies complying with data protection law. In particular, ensuring that:
- Legal basis - you must have a suitable legal basis to process the personal data of individuals, for example consent or contractual necessity, and
- Transparency - you have to be able to demonstrate that you process personal data in a transparent way. This transparency means, for example, providing information to individuals about the processing of their personal data in a concise and easily accessible manner, using clear and plain language
WHAT TO EXPECT NEXT?
We anticipate that the DPC’s recent statement is not the end of the matter. The DPC has indicated that a further report will follow in relation to a number of other issues.
Campaigners and civic groups are considering organising class action-style claims against the State, the Department or other public bodies. At this stage, it is difficult to say if such claims would be successful but if they are, we could see compensation payable running into millions of euro.
There are also calls for members of the Department to appear before the Oireachtas Public Accounts Committee to answer TDs’ privacy and data protection concerns about the ill-fated PSC scheme. It is also likely that Minister Doherty will face demands to resign.
The DPC has asked the Department either to publish a copy of the full report or to permit the DPC to do so. This will likely give a more detailed insight into the findings of the DPC and whether any proposed legal claims or related actions have merit. We await its contents with interest.