Castlebridge gives a guarded welcome to the Data Protection Commission’s findings in respect of the Public Services Card and its associated database MyGovID and their lawfulness under Data Protection law. For the last number of years, we have strongly advised caution in the development and roll out of this system, both in public at events and in the media, and privately in our consulting and advisory work with a number of Public Bodies.
It is important to note that this investigation was undertaken under the legislation in place pre-GDPR using the DPC’s powers under that legislation. The DPC is clear that there are further investigations underway into the PSC in the context of GDPR. It would be courageous on the part of any public body or spokesperson to claim at this time that there are no issues with PSC under our current legislation.
From the media coverage of the Data Protection Commission’s findings, and the statement published on their website this morning, it is clear that a number of serious issues were identified and remedial action is required immediately:
- The DPC has found there is no legal basis for requiring PSC registration as a condition precedent for applying for public services such as Student Grants, passports, or driver's licenses. This is consistent with our analysis and recommendations to a number of public sector clients over the last two and a half years and we welcome the DPC’s findings in this context.
- The DPC has ordered the Department to cease processing PSC applications where that application is solely for the purposes of availing of a state service outside the Department of Employment and Social Protection and has required them to contact all Public Bodies who have been requiring PSCs to advise them that they should no longer do so. This, again, is consistent with the mitigations we recommended to Public Sector clients who were being told that they had to adopt PSC/MyGovID as part of their application processes.
- The DPC has found that the Department has failed in its obligations regarding transparency in terms of how they describe the purposes for processing.
- The DPC has found that there is only a legal basis for requiring a PSC in the context of transactions with the Department of Employment and Social Protection. This is consistent with our analysis for various public sector clients and we welcome this reported finding.
Disturbingly, the DPC’s investigation has identified that the Department of Social Protection was retaining copies of all evidence documentation provided by 3.2 million people who have received a Public Services Card without any purpose. This documentation ranges from utility bills to bank statements. The retention of such data demonstrates a significant lack of regard for the fundamentals of Data Protection within the Department’s implementation of a national ID card system. As data cannot be retained for longer than it is needed, this data will need to be destroyed.
As the DPC has now confined the scope of the PSC explicitly to transactions with the Department of Employment and Social Protection, this would suggest there is little or no justification for the maintenance of the shared MyGovID database. Castlebridge would hope that this purpose limitation question will be addressed in a subsequent decision by the DPC.
This report and enforcement action comes hot on the heels of negative findings against the DEASP in respect of the independence of their Data Protection Officer under GDPR. The findings in respect of the PSC and the serious concerns raised by the DPC in respect of the Data Protection Officer’s independence should raise significant concerns about the “tone at the top” in some public sector organisations when it comes to compliance with Data Protection and ensuring appropriate and effective Data Governance structures are in place.
That a Government Department could spend at least €54.6 million on the implementation of a data management system without addressing fundamentals of data protection such as data retention, transparency, and lawful basis is an inexcusable waste of taxpayer money, especially when a number of Public Bodies were required to make changes to their systems and processes to implement a PSC/MyGovID requirement which was not necessary for their purposes and had no legal basis for processing, exposing those agencies to potential liability.
We look forward to the Department of Employment and Social Protection spending yet more taxpayers’ money on an appeal and a judicial review of this decision, just as they have appealed and launched a judicial review of another DPC decision in relation to information capture in relation to Child Benefit claims last month.
The key takeaway from today’s report is that, while a Public Service Card might be “mandatory but not compulsory”, compliance with data protection laws is both mandatory and compulsory.
Our welcome is guarded as we have not seen the report, which has not been published. The DPC has indicated that they have asked the Department to publish it or to agree to it being published by the DPC, as the Commissioner believes there is a public interest in it being published. Castlebridge calls for the immediate publication of this report and, given Helen Dixon’s published statement that she believes there is a “real public interest” in publishing the report, for her to consider the full scope of her powers under Section 13(2) of the Data Protection Acts 1988 and 2003 to disseminate information relating to compliance with the legislation in respect of the public interest in this report and the analysis it contains.
It is noteworthy that the Commissioner has given the Department 7 days to confirm if they will publish the report or if they are happy for the DPC to publish it, given the findings have a significant Public Interest. If the Department has nothing to hide in relation to PSC and they believe the Commission’s findings are incorrect, it would be a significant step in public sector transparency to publish this report, the interim report, and their responses to these reports.
In addition, a number of significant issues remain outstanding for decision by the Commission as they are still subject to investigation. This includes the question of the lawful basis for the processing of biometric information in the PSC.
It is also important to note that the DPC’s findings open the door to civil liability for the State for any processing that has occurred since the 25th of May 2018, when GDPR and the Data Protection Act 2018 came into force.