Just when people thought the questions and concerns surrounding the Public Services Card (PSC) had been forgotten about, the debate and mystery about this card resume. So what’s it all about?
Most of you will remember some controversy about this card at the time it was introduced, and it initially focused on one theory in relation to its introduction. For many, it represented no more than the introduction of an identity card by stealth. The government vehemently denied this, and different Ministers for Social Protection (Burton, Varadkar, and Doherty) regularly appeared in the media to explain and defend the purposes behind its introduction and certify its bona fides. It was just a convenient card with no other purposes than to cut down on benefit fraud and streamline operations. Everything now should work more cost-effectively and taxpayer money would be saved.
Nevertheless, the ‘Big Brother is watching’ theory persisted. As time moved on, the card began to be scrutinised more, especially in the light of data protection legislation and amid issues of concern from that aspect, which were beginning to be raised by Digital Rights Ireland and others. Prior to the introduction of GDPR, there was an increasing awareness of the changes in data protection that were just around the corner. When GDPR came into force it was clear that now the PSC could be re-examined from a whole new perspective. Indeed, GDPR facilitated a more robust questioning of the purposes and validity of the card’s introduction. We acknowledge the enhanced powers under the GDPR are not to be applied to incidents that occurred prior to May 2018. To highlight the strengthening of these powers since the GDPR, our analysis is done through the lens of these changes. When other bodies, in most cases unconnected to the granting or withdrawal of social welfare or pensions, began to insist on the card being produced to access other services, the questioning intensified. (At one point, both the Passport Office and National Driving Licence Service demanded the PSC.)
The Lawful Basis for the PSC.
Art. 6 (1) (a-f) GDPR lays out in clear terms the lawful bases that need to be established before processing personal data. In this context, the Government has repeatedly referred to the legislation that they rely on as a lawful basis. Section 247 (c) of the Social Welfare Consolidation Act 2005, as inserted by Section 11, Social Welfare and Pensions (Miscellaneous Provisions) Act 2013, is most cited by officials as the legislation underpinning the PSC. However, other legislation also stands in support of the PSC and its operation.
Legislative Support for the PSC.
Any power to issue a PSC is given under S.263 (1) of the Social Welfare Consolidation Act 2005, which was then substituted by S. 9 (1), Social Welfare and Pensions Act 2010. Some of the important terms in S. 9 include a reference to the information inscribed on the card and further information stored electronically on it. Section 263 of the 2005 act sets out finer details concerning the card and expressly states the minister may request the person to present themselves at a specified place, provide certain documentation, have a photograph taken and provide a signature in electronic form. It also clarifies the type of information that will be stored on the card. This includes the person’s date of birth, gender, primary account number, the expiry date of card and card service code electronically encoded on the card and any other information that may be prescribed either inscribed or encoded on the card. Therefore, more personal data can be added to the card when the Minister sees fit.
Schedule 5 of the 2005 act gives a list of ‘specified bodies’ that may use the PSC for the purposes of a transaction. A conclusion in this regard is that unless a body is a ‘specified body’ and on this list, it cannot demand the PSC. All the information that is referenced is personal data, within the meaning of Art. 4 GDPR and, therefore, requires a lawful basis prior to any processing operation.
So is there a lawful basis for the PSC?
An examination of the foregoing legislation, cited in support of the legality of the PSC, would support a lawful basis for processing under Art. 6 (1) (c) GDPR. There is no doubting its lawful basis under Section 2D of the earlier Data Protection Acts. Had GDPR been in force, another lawful basis could be found under Art. 6 (1) (e). This is referring to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Here there is a relationship back to the Social Welfare Consolidation Act which places the controller (The Dept.) under the lawful obligation. One legitimate question is whether the processing is ‘necessary’ for the performance of the task or in the exercise of official authority. A public body cannot (generally) avail of the ‘legitimate interest’ lawful basis under Art. 6 (1) and so any ‘specified body’ under Schedule 5 will have to have a lawful basis other than this basis.
It is important to bear in mind that the legitimate interest basis cannot be used to override the interests or fundamental rights and freedoms of the data subject. Undoubtedly, this includes rights under the European Convention on Human Rights and the European Charter. In the context of the PSC, privacy rights and data protection rights are the foremost of these rights. While the PSC may have a lawful basis, there is the consideration of some other criteria to assess the validity of the PSC and its associated personal data processing. The introduction of the card would have satisfied the legal basis required under the old Data Protection Acts 1988 and 2003. It would also have satisfied GDPR, had it been in effect. Our purpose in examining through the lens of GDPR is to emphasise the lower data protection standards applicable pre-GDPR. Despite these lower standards, the PSC had no lawful basis under Section 2A of the Data Protection Acts 1988 and 2003 to process the personal data of individuals for any transactions with bodies other than DEASP.
Some Other Important Criteria.
Articles 7 and 8 of the European Union Charter of Fundamental Rights guarantee the right to respect for private life and the right to protection of personal data respectively. Any limitation that may be imposed on the exercise of these rights must under Art. 52 (1) of the Charter:
(a) be provided for by law;
(b) be necessary to meet some objectives of general interest;
(c) be proportionate.
Where a less intrusive measure can be taken to achieve the same stated objective, then the less intrusive measure must be taken. This is also in line with the data minimisation principle. Whether the card is necessary to meet an objective, such as countering social welfare fraud, is certainly debatable at least. Is it proportionate to the aims, especially when viewed through the lens of individual rights? Are there safeguards to defend these rights? Even if the PSC passes the tests it may still not be in compliance with the GDPR.
The PSC and Data Protection Principles under GDPR.
Even where the processing of personal data conforms to EU law, in the sense of the broader EU legal environment, and has a lawful basis that complies with Art. 6 GDPR, it still has to be in accordance with data protection principles under Art. 5 GDPR. Again, the relevant law pre-GDPR is contained in the Data Protection Acts 1988 and 2003. This is where the PSC is most likely to fail to comply with the GDPR. Art. 5 (1) states personal data, “shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. The lawfulness element refers to EU law in general and not just data protection law. ‘Fairness’ is to be interpreted as ‘proportionality’ in the application of a measure. What this means is that any measure must be appropriate for attaining the objective pursued and not go beyond what is necessary to achieve it. It is the transparency element of Art. 5 which causes most problems for the PSC. Any transparency element is best read in conjunction with Arts. 12, 13 and 14, which concern the information that has to be given to the data subject regarding the processing of the personal data.
There is no evidence of data subjects being given the required information at the point of data collection, as mandated by Art. 13. The government in 2017 published a 73-page ‘Complete Guide to SAFE Registration and the Public Services Card’. It contains valuable information but very few of the applicants for a PSC are aware of the information it contains. It is the information under Art. 13 (1) and (2) that they should be made aware of, and it is not information they should have to seek out. A report on the PSC was recently sent to the government and is not being disclosed at present. One likelihood is that the card failed, particularly under the transparency element. Anecdotal evidence suggests most people were just told to turn up at a certain date and time, and that their photographs would be taken. No other information was offered.
Art. 5 (1) (b) is also likely to be problematic for the PSC. It states that data must be, “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Again, it directly relates back to transparency. People (i.e., the data subjects) must be made aware of the specific purposes of personal data processing. Combating welfare fraud seems somewhat unrelated to obtaining a driving licence.
Problems for the PSC are likely to surface under Art. 5 (1) (e). Personal data shall be, “kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…” So how long is necessary for the PSC? It has been apparent for quite some time that the personal data on the PSC stays on the card and only a new photograph is required to renew it every seven years. When a card is issued to persons, it is likely that the card will be theirs for life, irrespective of any need to access services in the future. Again, any information regarding retention periods is not being conveyed to PSC applicants.
There is no doubting the failure of the PSC card regime to meet the current transparency standards of the GDPR. It would also fail the standards of the Data Protection Acts 1988 and 2003. The office of the DPC is completing a report on the PSC that pre-dates the GDPR. This report will only focus on the law applicable at the time. Ultimately, conclusions in that report would be very different had GDPR been in effect when the report was commenced. Looking at it in the light of GDPR, as we have done, focuses on inherent weaknesses and flaws when judged under the higher GDPR standards. Any complaints post-GDPR are now judged by these higher standards.
In the next blog, we will discuss the PSC from the ‘Special Categories’ perspective and focus on the Biometric data dimension.
Patrick Rowland, GDPRXpert.ie