The Irish Data Protection Commission (DPC) has today published its findings on certain aspects of the Public Services Card (PSC) following a lengthy investigation.
It found that there was no legal basis for the State to make citizens obtain the PSC in order to access services such as renewing a driving licence or filing appeals against decisions about the provision of school transport.
What is the PSC?
It is a Government-issued card which contains a person’s name, photograph, signature and PPS number. It is required for citizens who collect welfare payments. The Department of Employment Affairs and Social Protection (DEASP) claimed that the PSC had a legal basis in the Social Welfare Acts and it was used to reduce instances of fraud. Initially the PSC was required for claiming social welfare but then it was extended to other services (eg when applying for a passport for the first time or claiming education grants).
Outcome of DPC's investigation
As the investigation pre-dated the coming into effect of the General Data Protection Regulation (GDPR), the findings are based on the old data protection legislation (the Data Protection Acts 1988 and 2003). In summary, the DPC found that:
- the processing of certain personal data by the DEASP in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming social welfare benefits had a legal basis under applicable data protection law
- the processing of personal data by the DEASP in connection with the issuing of PSCs for the purposes of other transactions (ie with bodies other than the DEASP) did not have a legal basis
- The DEASP’s blanket and indefinite retention of the underlying documents and information provided by individuals applying for a PSC was unlawful because such data was being retained for periods longer than was necessary for the purposes for which it was collected
- In terms of transparency, the scheme did not comply with applicable data protection law as the information provided by the DEASP to the public about the processing of their personal data in connection with the issuing of PSCs was not adequate
Next steps
The DEASP has been given 21 days to (i) stop all processing of personal data carried out in connection with the issuing of PSCs where a PSC is being issued solely for the purpose of a transaction between an individual and another public body; and (ii) notify public bodies who require the production of a PSC as a pre-condition for entering into transactions with individuals that, in future, the DEASP will not issue PSCs for such transactions. Furthermore, the DEASP must delete all supporting documents for the PSC scheme and, within 6 weeks, must submit an implementation plan to the DPC identifying the changes it will make to the PSC scheme and the time period within which those changes will be made.
As the DPC cannot publish its report without the DEASP's prior agreement, the DPC has written to the DEASP seeking confirmation that, within 7 days, it will publish the report on its own website or alternatively that it agrees that the report can published on the DPC's website.
Lesson for businesses
The lesson for businesses is that they should be aware of their data protection obligations and should ensure that they have a legal basis when collecting and processing personal data because failure to do so can have serious financial and reputational consequences. To ensure your business is data protection compliant, contact any member of our Data Protection team.