Ireland’s DPC (Data Protection Commission) released the findings of its investigation into the controversial PSC (Public Services Card).
What is the PSC?
The PSC was introduced as part of a social welfare pilot scheme in 2011. It displays the holder’s full name, PPS (Personal Public Service) number, signature and photograph.
The card was initially required for social welfare payments from the Department of Social Protection, but it later emerged that it would also be needed for passport and driving licence applications, driving theory tests, college grants (SUSI) and for claiming benefits covered by PRSI (Pay Related Social Insurance).
Controversy surrounding the card
People who opposed the PSC questioned its legality and argued that the data accumulated could be used by the government for other purposes and pose a massive risk to individuals’ privacy.
In response, the DPC announced in 2017 that it would conduct a full investigation into the PSC and related systems to ensure they fully compliedwith data protection laws.
Results of the investigation
The DPC examined the legal basis used for processing an individual’s data under the PSC and its accompanying backend system, SAFE 2. It also investigated the transparency of the processing under the Data Protection Acts 1988 and 2003, as the investigation pre-dated the GDPR (EU General Data Protection Regulation) enforcement date.
Speaking to the Irish Times, Helen Dixon, head of the DPC, said there had been a “fundamental misunderstanding” and that forcing people to use the card for other services was “unlawful from a data-processing point of view”.
“There’s a whole range of documentation and the indefinite retention of it in circumstances where the Minister has satisfied herself as to identity already […] We believe there is no lawful basis for that,” she said.
In summary:
- The Department of Social Protection can collect personal data to validate the identity of someone claiming benefit payments.
- The Department does not have a legal basis under data protection law to process data between individuals and other public bodies for transactional purposes. This is prohibited under section 2A of the Data Protection Acts 1988 and 2003.
- The Department’s indefinite retention of information and documentation provided by PSC card applicants is prohibited under Section 2(1)(c)(iv) of the Data Protection Acts 1988 and 2003 as it is being kept for longer than needed for the purposes for which it was collected.
- Information provided to data subjects on the processing of their data is inadequate and therefore breaches Section 2D of the Data Protection Acts, 1988 and 2003.
Enforcement of DPC ruling
The Department of Social Protection and other public bodies involved in the PSC and SAFE 2 are now required to bring the scheme into compliance with data protection requirements.
The DPC has given the Department six weeks to submit an implementation plan that will identify the necessary changes and outline the time needed to work towards compliance.
In addition, the Department has 21 days to cease processing personal data for PSCs that are issued solely for transactional purposes and to contact other government bodies that require the PSC as a condition for entering a transaction to notify them of the change.
