On Friday 16 August 2019, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC). The DPC found that seven out of eight of its findings were adverse to the positions advanced by the Department of Employment and Social Protection (DEASP) and that there is and has been non-compliance with the applicable provisions of data protection law.
In 2011, the DEASP first introduced the PSC and its face-to-face registration process known as SAFE 2 (together, the PSC Scheme). In order to avail of a PSC, applicants would have to supply large amounts of personal data as evidence of identity and address. Under the PSC Scheme, individuals were required to register to SAFE 2 and obtain a PSC in order to access certain services such as social welfare payments and entitlements, citizenship applications, first time adult passport applications and the driving test. As a result, an individual’s capacity to access certain public services was conditional on obtaining and producing a PSC.
In October 2017, the DPC commenced an investigation into the PSC Scheme to determine its lawfulness from a data protection perspective. This investigation was launched under the Data Protection Acts 1988-2003 and as such, the investigation will conclude under the former legislation. The purpose of the investigation included:
- establishing if there is a legal basis for processing data in connection with the PSC Scheme;
- examining whether there are appropriate security measures employed in relation to the personal data processed in relation to the PSC Scheme;
- evaluating the information that has been made available to the general public; and
- establishing whether this meets the transparency requirements of data protection legislation.
A draft 138 page report was issued to the DEASP in August 2018. This draft report contained 17 requests for further information and 13 provisional findings. In response, the DEASP provided extensive submissions and materials (totalling almost 470 pages) for the DPC’s consideration.
While the investigation concerned a broad range of data protection issues, the DPC addressed two key issues in its statement, namely the legal basis for processing personal data in connection with the PSC Scheme and whether the information provided to data subjects meets the applicable transparency requirements. While the scope of the DPC’s investigation was limited to the former legislation mentioned above, the DPC helpfully advised that both the statement and the long awaited report contain non-binding analysis to capture the GDPR.
In summary, the DPC found that:
- there is a legal basis under applicable data protection legislation for the processing of certain personal data by the DEASP in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming, receiving or presenting for payment of a benefit;
- there is no legal basis under applicable data protection legislation for processing of personal data by DEASP for the purposes of transactions between an individual and other specified public bodies;
- the DEASP’s indefinite retention of personal data arising out of or in connection with the PSC Scheme contravened applicable data protection legislation;
- the PSC scheme did not comply with its transparency obligations under applicable data protection legislation, in that the information provided to the public about how the DEASP and other specified public bodies used their information was not adequate; and
- its findings do not impact the validity or use by individuals who already hold PSCs or their access to certain benefits such as free travel.
The DPC was critical of the lack of evidence of any attempts or effort being made by the DEASP to balance the interests of the State (in terms of accessing the intended benefits of the PSC Scheme) and the interests of the individuals (who are providing their personal information). The DPC stressed that this balancing exercise was at the core of any assessment of the lawfulness of the PSC Scheme. The DPC identified the following individual factors that would impact on this balancing exercise:
- identify the rationale for the scheme;
- trace how that rationale has developed as the application of the scheme itself evolved and expanded;
- map that rationale against the legislative framework that underpins the scheme;
- assess whether and how it satisfies specific requirements of data protection legislation;
- identify the intended benefits of the scheme;
- assess whether those benefits have been realised and, if so, whether they can be quantified in a meaningful way and measured against interferences with the interests of individuals whose data is being collected and processed.
The DPC also criticised the stark divergence between the DEASP’s original concept behind the scheme and the scheme’s current framework. The DPC emphasised that the DEASP did not revisit the PSC Scheme’s rationale or legal framework, consider making adjustments to existing safeguards to deal with new data uses and re-examine the balance of interests.
The DPC now requires the DEASP to complete the following two implementation measures within 21 days of its statement:
- the DEASP will be required to stop all processing of personal data carried out in connection with the issuing of PSCs, where a PSC is being issued solely for the purpose of a transaction between a member of the public and any specified body that is not the Department itself. This means that no public body other than DEASP can insist that an individual obtains a PSC as a pre-condition of accessing public services provided by that body; and
- the DEASP are required to contact those public bodies who currently require the production of a PSC as a pre-condition to entering into transactions with individual members of the public, to notify them that the DEASP will not be in a position to issue PSCs to any member of the public who wishes to enter a transaction with (or obtain a public service from) any such public body.
The DPC has also given the DEASP a period of six weeks to submit an implementation plan to the DPC identifying the changes it will make to the PSC Scheme to bring it into compliance with data protection legislation and the time period within which those changes will be made.
The DPC has asked the DEASP to confirm, within seven days of its statement, its agreement to the publication of the DPC’s report on either the DPC or DEASP’s website. We currently await the DEASP’s response and we will issue further commentary on the long-awaited report if it is published.
Full text of the statement can be found here.