Irish identity card scheme contravenes data protection law, report finds

Out-Law News | 20 Aug 2019 | 10:39 am | 2 min. read

The management of the Irish Public Services Card (PSC) scheme by the Department of Employment Affairs and Social Protection (DEASP) violates several aspects of data protection law and requires significant reform, according to a new report.

The Irish Data Protection Commission (DPC) found that there was a legal basis under data protection law for the processing of some personal data by the department in order to validate the identity of a person claiming or receiving payment of a benefit.

However, other ways in which the DEASP was using personal data in connection with the cards contravened parts of the Irish Data Protection Acts. The DPC said the department’s “blanket and indefinite retention of underlying documents and information provided by persons applying for a PSC” contravened the law because the data was being retained for longer than was necessary.

It added that there was no legal basis for the processing of personal data by the department in connection with the issuing of PSCs for the purposes of transactions between individuals and other specified public bodies.

The DPC report also said the PSC scheme did not comply with legislation because the information provided by the department to the public about the processing of their personal data was not adequate.

The PSC scheme was introduced in Ireland in 2011 in a pilot project before being introduced for all social welfare recipients. It is now being used in other areas such as passport and driving licence applications and claiming benefits from agencies other than the DEASP.

As the card was introduced prior to the introduction of the EU’s General Data Protection Regulation (GDPR), the DPC investigation focused on the scheme’s adherence to earlier Irish data protection law. However the full report also contained recommendations for changes to ensure the PSC scheme adhered to the law as introduced by GDPR, the DPC said.

The DPC said it had identified a number of measures which the DEASP and other public bodies using the PSC would be required to take to bring the scheme into compliance with data protection legislation and gave the department six weeks to submit an implementation plan outlining the changes it would make.

However the DEASP will be required to implement two measures within 21 days. It has to stop all processing of personal data carried out in connection with the issuing of PSCs if a PSC is being issued only for the purpose of a transaction between a member of the public and a specified public body. Apart from the DEASP, public bodies will not be able to insist that a member of the public has to obtain a PSC as a pre-condition of accessing its services.

The DEASP will also have to tell other bodies which currently require members of the public to show a PSC, to tell them that it will no longer be in a position to issue the cards to any member of the public wanting to use services provided by that public body.

The DPC said during its investigation it tried to identify the rationale for the PSC scheme and its intended benefits to assess whether those benefits have been realised.

It said the scheme as implemented was “far-removed” from its original concept. Rather than being a chip-and-pin type card used for card-based transactions, it said “the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset”.

The DPC also said cards were sometimes issued without the applicant being required to submit to the full range of identity checks.

It said it was striking that no attempt had been made to revisit the PSC’s rationale or the legal framework on which it sits, or to consider whether adjustments were required to safeguards built into the scheme to accommodate new data uses.

As a result the approach to the scheme from a data protection perspective was “lacking in coherence” with little evidence of any attempt to balance the interests of the state with those of members of the public.

The DPC said its findings did not impact the validity or use of PSCs already issued, and did not stop the DEASP from issuing PSCs in order for individuals to access benefits such as free travel.