Data protection consultants welcome the findings from the investigation by the DPC into the Public Services Card. In a blog post back in February expert data protection consultants GDPRxpert rightly predicted the main conclusions resulting from the recent investigation by the office of the DPC into the legitimacy of the Public Services Card. At the time we highlighted some of the concerns that the DPC was likely to focus on in the continuing contentious debate. The full report has not yet been made available by the Dept.of Employment Affairs and Social Protection (DEASP). However, the DPC has published some initial findings.
As we stated in the earlier blog post, “Most of you will remember some controversy about this card at the time it was introduced, and it initially focused on one theory in relation to its introduction. For many, it represented no more than the introduction of an identity card by stealth. The government vehemently denied this, and different Ministers for Social Protection (Burton, Varadkar, and Doherty) regularly appeared in the media to explain and defend the purposes behind its introduction and certify its bona fides. It was just a convenient card with no other purposes than to cut down on benefit fraud and streamline operations. Everything now should work more cost- effectively and taxpayer money would be saved.” See the GDPRxpert blog post, “Public Services Card Debate Resumes” at www.gdprxpert.ie/public-services-card-debate-resumes-2/ .
Our earliest key finding was that the introduction of the card did have a solid lawful basis. It was underpinned by legislation. (We detail the sections under the Social Welfare Consolidation Act 2005 in our earlier blog.) This concurs with the DPC finding. The introduction and use of the card in relation to accessing social services from the Dept of Social Protection was legitimate. That is where its lawful basis ended. What must be borne in mind is that the report was compiled in the context of events prior to the introduction of the GDPR. From a practical perspective, and because GDPR cannot be applied retrospectively, the report was based on data protection laws in force at the time. Here we refer to the Data Protection Acts 1988 and 2003 (‘the acts’). There is much in common between ‘the acts’ and the GDPR, but the GDPR has higher standards of transparency, accountability, and enforcement.
It was partly these lower general standards, but particularly the lower standard of transparency (than under GDPR) that revealed systemic illegitimacy. Retention of supporting documentation that was demanded in support of an application was excessive. Central to this criticism was the general lack of any definitive retention period policy but instead a ‘blanket and indefinite retention of underlying documents and information provided by persons applying for a PSC’. This contravened Section 2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data was being retained for periods longer than is necessary for the purposes for which it was collected. Any information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs was not adequate. One has only to look at the information now required under Arts. 12, 13 &14 GDPR to see the depth of the lower standards under ‘the acts’.
While the Dept of Employment Affairs and Social Protection (DEASP) had at least a lawful basis for the card, other departments and public bodies did not. They just began asking for it in the normal course of business. It is more accurate to say they demanded it. They had absolutely no lawful basis for this type of demand. Both the Passport Office and the National Driving Licence Service demanded the PSC before allowing any applications through their offices. It is those other bodies and departments that lack a lawful basis entirely, and now they must cease the practice of demanding the PSC. There will be much discussion, especially in government circles, over the next few weeks regarding the future of the PSC. Many data protection professionals, GDPRXpert.ie included, have formed an initial consensus that the card is likely to continue in use, but only in connection with services from DEASP.
Some Immediate Measures.
The DEASP, “will be required to complete the implementation of two specific measures within a period of 21 days:
- It will be required to stop all processing of personal data carried out in connection with the issuing of PSCs, where a PSC is being issued solely for the purpose of a transaction between a member of the public and a specified public body (i.e. a public body other than the Department itself). The corollary of this finding is that bodies other than DEASP cannot insist that a person who does not already hold a PSC must obtain one as a pre-condition of accessing public services provided by that body.
- The Department will be required to contact those public bodies who require the production of a PSC as a pre-condition of entering into transactions with individual members of the public, to notify them that, going forward, the Department will not be in a position to issue PSCs to any member of the public who wishes to enter a transaction with (or obtain a public service from) any such public body”. (From DPC statement)
We will return to the topic as things develop and add to this (shorter than normal) blog post very soon. Prompt publication of the entire report would be beneficial to all parties.
Patrick Rowland, GDPRXpert.ie
GDPRXpert, GDPR & data protection consultants, with bases in Carlow/Kilkenny and Mayo, offer a nationwide service.
P.S. 3 Sept. 2019. The deadline passed for the Department and no report was forthcoming. Indeed, things have altered to the extent that it is unlikely the Dept. will release the report in the foreseeable future. Most data protection consultants, such as GDPRXpert agree with the findings by the DPC. However, it seems the Government is to challenge the findings of the DPC in court having taken legal advice from the Attorney General, and externally. See I.T. article on the latest. So the saga continues. As they say, ‘watch this space’.
P.S. No. 2 Somewhat surprisingly, just a couple of days after this postscript the Govt. did publish the report of the DPC. See Irish Times article, ” The Irish Times view on the Government defiance of the DPC”, Sept. 19, 2019. Text following is from that article.
Key findings include a decision that the card cannot be required to obtain services from other departments because no lawful basis exists for such use. It cites numerous examples of the “mission creep” by which the card transformed from its original intention as a chip-and-pin verification device for social welfare services, into a required form of identity for seemingly random purposes, such as sitting a driving test, obtaining a passport, or appealing school transport decisions.
The report states that such examples illustrate “obvious and significant deficits in terms of logic and consistency” for when the card is required.
While such findings had been released earlier in summary form by the DPC, the full report adds significant heft and leaves little legal wriggle room for the Department. Yet the Government intends to defend the card, in direct defiance of a national regulator, with both the Minister and Taoiseach Leo Varadkar suggesting that the DPC should have met with the Department to “discuss” the findings.