DPC Statement on Matters Pertaining to the Public Services Card
16th August 2019
Following the completion of a detailed and lengthy investigation, the Data Protection Commission (DPC) has today published its findings on certain aspects of the Public Services Card (“PSC”).
Rationale for the investigation
The PSC (and the system of registration known as SAFE 2 behind it) involves the collection, storing and processing of large amounts of personal information about nearly every person in the State.
Using that information, State agencies make thousands of decisions every day that impact in very direct and significant ways on individual members of the public, from the issuing of driver’s licences or passports, to decisions to grant or suspend payments or benefits under the social protection code, to the filing of appeals against decisions about the provision of school transport. In practical terms, a person’s capacity to access public services both offline and online is now contingent, in an ever-increasing range of contexts, on obtaining and producing a PSC.
Looking at it from a data protection perspective, it can quickly be seen that, given its scale and reach, the PSC project presents significant challenges in terms of ensuring that core data protection principles are respected in its operation.
For example, is there transparency and foreseeability in terms of what information is collected and how it will be used?
How does the operation of the system impact on each person’s capacity to exercise meaningful control over their personal information?
What safeguards and controls have been built into the system?
Does the system sit on an identifiable and coherent legal foundation, consistent with applicable provisions of data protection law?
The DPC resolved to undertake an investigation to try to find answers to these questions, and to assess, ultimately, the lawfulness from a data protection perspective of the system as implemented.
The scope of our investigation
While, in overall terms, the investigation was targeted at the much broader range of issues, the particular findings published today are targeted at two key issues:
- We examined the legal basis on which personal data is processed in connection with the PSC.
- We also examined whether the information provided to data subjects in relation to the processing of their personal data in connection with the PSC satisfies applicable legal requirements in terms of transparency.
Further reports and findings will follow at a later date in relation to a number of other issues.
Legal framework
Because the PSC scheme (and our investigation) pre-date the coming into effect of the GDPR, the present findings have been made by reference to the Data Protection Acts, 1988 and 2003. (This is specifically mandated by national legislation introduced in 2018 to facilitate the effective implementation of the GDPR, i.e. the Data Protection Act, 2018).
Nonetheless, the report delivered to the Department incorporating our findings also contains (non-binding) analysis capturing changes to the law as introduced by GDPR.
Findings
A total of eight findings are made in the report. Three of those relate to the legal basis issue; the remaining five relate to issues around transparency.
Seven of the eight findings are adverse to positions advanced by the Department, insofar as the DPC has found that there is, or has been, non-compliance with the applicable provisions of data protection law.
In summary terms, the DPC has found that:
- The processing of certain personal data by the Department in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming, receiving or presenting for payment of a benefit, has a legal basis under applicable data protection law.
- The processing of personal data by the Department in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies (i.e. bodies other than the Department itself) does not have a legal basis under applicable data protection laws; specifically, such processing contravenes Section 2A of the Data Protection Acts, 1988 and 2003.
- The Department’s blanket and indefinite retention of underlying documents and information provided by persons applying for a PSC contravenes Section 2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data is being retained for periods longer than is necessary for the purposes for which it was collected.
- In terms of transparency, the scheme does not comply with Section 2D of the Data Protection Acts, 1988 and 2003, in that the information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate.
Next steps; enforcement
We have identified a number of measures that the Department and other public bodies which utilise or rely on the PSC will now be required to take to bring the PSC scheme into compliance with data protection legislation. However, recognising the structural nature of the changes that will be needed, the Department will be afforded a period of six weeks to submit an implementation plan to the DPC identifying the changes it will make to the PSC scheme and the time period within which those changes will be made.
Critically, however, the Department will be required to complete the implementation of two specific measures within a period of 21 days:
- It will be required to stop all processing of personal data carried out in connection with the issuing of PSCs, where a PSC is being issued solely for the purpose of a transaction between a member of the public and a specified public body (i.e. a public body other than the Department itself). The corollary of this finding is that bodies other than DEASP cannot insist that a person who does not already hold a PSC must obtain one as a pre-condition of accessing public services provided by that body.
- The Department will be required to contact those public bodies who require the production of a PSC as a pre-condition of entering into transactions with individual members of the public, to notify them that, going forward, the Department will not be in a position to issue PSCs to any member of the public who wishes to enter a transaction with (or obtain a public service from) any such public body.
Members of the public may wish to note that nothing in the findings made by the DPC impacts the validity or use by individuals of PSCs already issued. Likewise, nothing in the findings impacts individuals accessing benefits including free travel who currently do so using their PSC and the DEASP is not prevented from issuing further PSCs for these purposes.
Commentary
The introduction of a scheme like the PSC necessarily involves the striking of a balance between the interests of the State (in terms of accessing the intended benefits of the scheme), and the interests of the individual, whose personal information is to be collected and used. The balance struck between these competing interests is in turn central to any assessment of the lawfulness (or otherwise) of such a scheme.
In the course of our investigation, one of the things we tried to do was to identify and weigh the individual factors that impact on this balancing exercise. So, for example, we sought to identify the rationale for the scheme; equally, we sought to trace how that rationale has developed as the application of the scheme itself evolved and expanded; we then sought to map that rationale against the legislative framework that underpins the scheme, so that we might assess whether and how it satisfies specific requirements of data protection legislation.
We also sought to identify the intended benefits of the scheme and to assess whether those benefits have been realised and, if so, whether they can be quantified in a meaningful way and measured against interferences with the interests of individual members of public whose data is the subject of collection and processing.
Ultimately, we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept. Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.
Even in terms of stated justifications for the card around identity validation standards and fraud-prevention, it was established that cards are in fact issued in some cases without the applicant being required to submit to the full range of identity checks. Surprisingly, the criteria applicable to such exceptions remain unclear.
As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses. Instead, the development of the card has proceeded by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the approach to the project from a data protection perspective is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it). Certainly, there is no evidence of any such balance being re-examined on each occasion when a new form of use is identified for the card. That cannot be considered acceptable in a data protection context where careful calibration is required when considering adjustments to any scheme that, by its very nature, interfaces with established and important legal rights.
These factors necessarily inform the DPC’s analysis of those issues that are the subject of the findings published today.
Publication of the Report containing our findings
Under applicable laws, it is not open to the DPC to publish its Report without the prior agreement of the Department. The DPC has written to the Department asking it to confirm, within a period of seven days, that it will either publish the Report on its own website or, alternatively, that it will agree to the publication of the Report on the Commission’s website. The Department’s response is awaited.