Author of this post: Ciara Fitzgerald, Head of Legal at Ward Solutions
Background
On 16th August last, the Data Protection Commission (“the DPC”), issued a summary of its findings following an investigation into the use of the Public Services Card (“the PSC”). The full report has been issued privately to the Department of Social Protection and we wait to see will the Department consent to the full report to be published.
The PSC has been in use for some time now. As the DPC notes in the summary they issued, it was originally to operate as a chip and pin card that would make it easier to access (and deliver) public services but public sector bodies did not invest in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. The card instead operates as a form of identity verification and gateway to accessing certain public services. The Government has been explicit about its intention to expand the use of the PSC and this is where the wider implications of the DPC’s decision may be felt.
Objections to the PSC
Before the DPC issued its findings on 16th August, the PSC had come in for some criticism from various organisations in relation to the legal basis of the processing, the necessity for the card itself, the establishment of a de facto national identity card and the obtaining, storage and processing of people’s biometric data.
The DPC’s findings have validated some, if not all, of the concerns that have been raised about the PSC.
The DPC’s Findings
The DPC has found that while the processing of certain personal data by the Department for social welfare payments has a legal basis, there is no such legal basis for the processing when the PSC is being issued to persons to use for transactions with other public bodies. In addition, the open-ended retention by the Department of the documents and information provided by data subjects to the Department in the application process is contrary to the relevant laws. Finally, the Department did not adhere to the principle of transparency in that the information it provided to the public about processing their personal data was not adequate.
Action Points for the Department
The immediate implications for the Department are spelled out in the DPC’s summary (and presumably more fulsomely in the report!). Within 21 days it has to stop processing personal data relating to the issuing of PSCs for the sole purpose of a transaction between a person and a public body other than the Department itself. The knock on effect of this is that these public bodies cannot insist that a person who does not already hold a PSC must obtain one to access public services provided by that body. It must also contact the various public bodies who require the public to have a PSC to access services and inform them that the Department cannot issue PSCs for their purposes anymore. It’s unlikely that this will actually be necessary given how widely publicised the DPC’s decision on this matter has been!
The Department has been given a period of 6 weeks to draw up and submit to the DPC an implementation plan to bring the PSC scheme into compliance with the data protection legislation. One point to note here is that while the decision of the DPC was made pursuant to the Data Protection Acts 1988-2003 (as the scheme pre-dated the coming into force of the GDPR), the Department will have to have an eye on the data protection laws as they now stand under the GDPR when drawing up this implementation plan.
What does all this mean for the PSC Scheme?
Without sight of the full report and the reasoning on which the decisions of the DPC are based, it is hard to predict the full implications of these findings. It will certainly slow, if not completely halt the expansion of the PSC scheme. Prior to the 16th August, the card was mandatory (but not compulsory!) for a number of public services outside of social welfare payments such as first time adult passport applications, driver licence appointments and applications for a driving test. The PSC was also linked to the MyGovID account. For those who have not come across this account before, it is an account that allows you to access certain government services online. To access most of these services online, an individual is required to verify their account – which requires a PSC! These services include maternity and paternity benefit, Revenue services and student grant applications. The plan was to bring further services into the MyGovID fold in 2019 including the Online Health Portal, all online passport renewals and the Affordable Childcare Scheme. The roll out of these services through the MyGovID platform in conjunction with the PSC will have to be reconsidered. Whether the Government will be able to save its vision for what the PSC is now seriously in doubt.
What lessons can be learned?
The good news is that all businesses and organisations can learn from the decision of the DPC to improve our data protection processes!
- It is essential to ensure that each processing activity has a legal basis, bearing in mind that different processing activities of the same personal data could have different legal bases. The legal bases for each processing activity should be also documented in a comprehensive Data Protection Policy.
- Following on from the above, where an organisation or business expands the scope of their offering, the privacy implications of this must be assessed – data protection by design. This means that all the principles relating to the processing of personal data as set out in the GDPR are met, including ensuring that any new processing activity has a legal basis.
- Every organisation should have a Data Retention Policy which documents the retention period for each category of personal data and the rationale for the retention period. More importantly, the policy has to be followed so personal data must actually be securely destroyed or deleted at the end of the retention period!
- Transparency is key – organisations must have a clear, understandable and concise privacy notice which communicates to data subjects how the organisation processes personal data and how it complies with the data protection principles.
If you have queries relating to data protection or how your business can meet its data protection obligations, speak to our subject matter experts for further advice, call us: 1800 903 552 or e-mail us.