Investigation finds Public Services Card in breach of data protection laws
A lengthy investigation into the Public Services Card has revealed some damning findings.
An investigation by the Data Protection Commission (DPC) in connection with Public Services Cards (PSCs) has revealed multiple damning findings about the legality of the processing and storing of personal information of the 3.2 million Irish people who have one.
On Friday, the DPC published the results of the investigation, which dates back to 2017 and was initiated over concerns over whether the collection and storage of personal information complied with data protection guidelines.
Although the investigation covered a broad range of issues, it was focussed on two key issues:
- The legal basis on which personal data is processed in connection with the PSC.
- Whether the information provided to data subjects in relation to the processing of their personal data in connection with the PSC satisfies applicable legal requirements in terms of transparency.
Eight findings were published as a result of the investigation – three in relation to the legal basis issue and five relating to issues around transparency – and it emerged that seven of the eight findings were adverse to positions advanced by the Department of Social Protection, insofar as the DPC found that there is, or has been, non-compliance with the applicable provisions of data protection law.
The investigation found that the processing of certain personal data by the Department in connection with the issuing of PSCs (for the purpose of validating the identity of a person claiming, receiving or presenting for payment of a benefit) has a legal basis under applicable data protection law.
It also found, however, that the processing of personal data by the Department in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies (bodies other than the Department itself) does not have a legal basis under applicable data protection laws.
Furthermore, the blanket and indefinite retention of underlying documents and information provided by applicants for a PSC contravenes Data Protection law because such data is being retained for periods longer than is necessary for the purposes for which it was collected.
As a result, personal documents and information provided by 3.2 million card applicants, held indefinitely by the Government, will have to be deleted.
In terms of transparency, the scheme also fails to comply with Data Protection law in that the information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate.
As a result of the investigation, the DPC say the Department of Social Protection will be required to stop all processing of personal data carried out in connection with the issuing of PSCs being issued for the purpose of a transaction between a member of the public and public bodies other than the Department itself.
The Department will also be required to contact public bodies who require the production of a PSC as a pre-condition of entering into transactions with individual members of the public and to notify them that, going forward, the Department will not be in a position to issue PSCs to any member of the public who wishes to enter a transaction with (or obtain a public service from) any such public body.
The Department of Social Protection will have 21 days to carry out both requirements above.
In a lengthy commentary on the investigation, the DPC said they were “struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept”.
“Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset,” the commentary read.
“Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.
“Even in terms of stated justifications for the card around identity validation standards and fraud-prevention, it was established that cards are in fact issued in some cases without the applicant being required to submit to the full range of identity checks. Surprisingly, the criteria applicable to such exceptions remain unclear.”
The DPC cannot, under applicable laws, publish its report without the prior agreement of the Department of Social Protection.
The DPC has written to the Department asking it to confirm, within a period of seven days, that it will either publish the Report on its own website or, alternatively, that it will agree to the publication of the Report on the Commission’s website.
The DPC is currently awaiting a response.