Public Service Card: Data protection breach
The future of the Public Services Card is in doubt after the Data Protection Commissioner ruled that there was no legal basis for it being used in any instances other than claiming social welfare payments.
Findings published by the Data Protection Commission on 16 August have given the Department 21 days to implement two specific measures and afforded a six-week period to submit an implementation plan, identifying changes to the PSC scheme and a timeframe for making those changes.
Initially, the Department has been ordered to stop all processing of personal data carried out in connection with the issuing of PSCs, where it is being used solely for the purpose of a transaction between a member of the public and a specified public body (other than the Department itself).
The Department is also required to contact public bodies that require the production of a PSC as a pre-condition of entering into transactions with the public, to notify them of this move.
The DPC found aspects of the data collection around the PSC to be unlawful and that there was no lawful basis for bodies outside the Department to make the card mandatory.
Already the Passport Office and the Irish Naturalisation and Immigration Service (INIS) have begun reviews around their requirement of a PSC for first-time applicants.
Originally designed to increase security and reduce fraud around social welfare benefits, the move to roll out the PSC as a mandatory requirement to access other public services has been a contentious issue, with the majority of criticism centred on the risk to privacy around such a mass collection and retention of data.
The DPC investigation, while targeting a broader range of issues, published findings around two core issues: firstly, the legal basis on which personal data is processed in connection with the PSC and, secondly, whether the information provided to data subjects in relation to the processing of their personal data in connection with the PSC satisfies applicable legal requirements.
Seven findings concluded that there is, or has been, non-compliance with the applicable provisions of data protection law.
In summary, these findings are that:
- the processing of personal data by the Department in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies does not have a legal basis under applicable data protection laws;
- the Department’s blanket and indefinite retention of underlying documents and information provided by persons applying for a PSC contravenes Section 2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data is being retained for periods longer than is necessary for the purposes for which it was collected; and
- in terms of transparency, the scheme does not comply with Section 2D of the Data Protection Acts, 1988 and 2003, in that the information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate.
Commenting on its findings, the DPC said that it was “struck” by the extent to which the scheme is far removed from its original concept.
“Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found,” it stated.
It appeared to criticise the fact that, as new uses were added for the card, “no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses”.
The DPC believes that the development of the card has proceeded “by way of one-off, piece-meal changes” to existing social welfare legislation, resulting in the project “lacking in coherence” and with “little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card”, from a data protection perspective.
“That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights,” it explains.
The Department of Employment Affairs and Social Protection and the Department of Public Expenditure and Reform are to be brought before the Public Accounts Committee, which has confirmed plans to carry out a separate investigation around the expenditure of €60 million of public money on the scheme.