Aspects of Public Services Card ‘without a legal basis’
16 August 2019
The Data Protection Commissioner (DPC) has published the findings of a “detailed and lengthy investigation” into the Public Services Card (PSC) which states that certain aspects of the processing of personal data of citizens under the scheme “does not have a legal basis under applicable data protection laws”.
The investigation, prompted by concerns raised in various quarters, especially among data privacy advocates, made eight significant findings. Three of the findings were in relation to the legal basis issue, while the other five were in relation to transparency.
“Seven of the eight findings are adverse to positions advanced by the Department, insofar as the DPC has found that there is, or has been, non-compliance with the applicable provisions of data protection law,” says a statement by the DPC.
No legal basis
The findings say that while the processing of personal data by the Department of Employment Affairs and Social Protection (DEASP) in connection with the issuing of PSCs for the purpose of validating the identity of a person claiming, receiving or presenting for payment of a benefit, “has a legal basis under applicable data protection law”, the processing of personal data by the Department in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies — bodies other than the Department itself — does not have a legal basis under applicable data protection laws. These laws are cited as Section 2A of the Data Protection Acts, 1988 and 2003.
The DPC said it recognised that the PSC scheme predated the introduction of the General Data Protection Regulation (GDPR), and so the findings had been made with reference to the Data Protection Acts, 1988 and 2003. The DPC goes on to say that the investigation report, delivered to the DEASP, also contains analysis capturing changes to the law as introduced by GDPR, though this is pointed out as being “non-binding”.
The investigation also found that the Department’s “blanket and indefinite retention of underlying documents and information” provided by persons applying for a PSC contravenes the Data Protection Acts, 1988 and 2003, under Section 2(1)(c)(iv), “because such data is being retained for periods longer than is necessary for the purposes for which it was collected”.
Furthermore, the DPC said that in terms of transparency, the scheme does not comply with Section 2D of the Data Protection Acts, 1988 and 2003, in that the information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs is “not adequate”.
The DPC has given the department “a period of six weeks” to submit an implementation plan identifying the changes it will make to the PSC scheme and the time period within which those changes will be made, but a period of just 21 days for two other measures.
The Department will be required “to stop all processing of personal data carried out in connection with the issuing of PSCs” where a PSC is being issued solely for the purpose of a transaction between a member of the public and a specified public body, that is a public body other than the Department itself. The DPC says the corollary of this finding is that bodies other than DEASP “cannot insist that a person who does not already hold a PSC must obtain one as a pre-condition of accessing public services provided by that body”.
The DPC is also careful to emphasise that the findings and actions to be undertaken do not in any way impact the validity or use by individuals of PSCs already issued. “Likewise, nothing in the findings impacts individuals accessing benefits including free travel who currently do so using their PSC and the DEASP is not prevented from issuing further PSCs for these purposes,” said the DPC.
‘Far removed from concept’
In the commentary on the investigation and its findings, the DPC says the introduction of a scheme such as the PSC necessarily involves the “striking of a balance between the interests of the State… and the interests of the individual, whose personal information is to be collected and used”.
“The balance struck between these competing interests is in turn central to any assessment of the lawfulness (or otherwise) of such a scheme.”
The DPC said it also sought to identify the intended benefits of the scheme and whether they had been realised. The conclusions make for awkward reading.
“Ultimately,” says the DPC, “we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept. Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.”
“Even in terms of stated justifications for the card around identity validation standards and fraud-prevention, it was established that cards are in fact issued in some cases without the applicant being required to submit to the full range of identity checks. Surprisingly, the criteria applicable to such exceptions remain unclear.”
The DPC highlights the lack of review and impact of new and extended uses of the PSC, noting that “little or no attempt” had been made “to revisit the card’s rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses”.
The commissioner said that development of the scheme had proceeded “by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the approach to the project from a data protection perspective, is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State”.
To date, some 3.2 million PSCs have been issued in the state.
The investigation is damning for the government, at a time when many public services are under pressure to provide greater services with tighter budgets and lower headcounts. As the population ages, it is expected that all public services will rely to a greater extent on digital interaction and service delivery, with the PSC seen as a key factor in enabling such developments.
While the findings might be seen as a triumph for those who champion data protection and privacy rights, they may also be seen as a loss for the public overall, as wholesale revision of the poorly implemented scheme may see the provision of digitally enabled services severely impacted.