On Friday, 16 August 2019 the Data Protection Commission (“the Commission”) published a statement on its investigation into aspects of the Public Service Card (“PSC Scheme”), and on Tuesday, 17 September 2019 the Department of Employment Affairs and Social Protection (“the Department”) published the full report. As expected, the report has been critical of the PSC Scheme and its compliance with data protection principles.

The Scheme

The PSC Scheme operated by the Department involves the collection, storing and processing of large amounts of personal information about nearly every person in the State, and has significant implications for a person’s capacity to access public services here. Noting this in its report, the Commission was concerned that the scale and reach of the project presented significant challenges in ensuring respect for core data protection principles, and subsequently the challenges were not adequately met.

The Commission was particularly concerned about the necessary balance to be struck between the interests of the State and of the data subject whose personal information is being collected and used. This balance between competing interests was central to the assessment of the lawfulness of the PSC Scheme.

The Findings

As part of a wider investigation, the report focuses on the legal basis for processing service-users’ personal data and the transparency in that processing. Eight findings have been made: three relating to the legal basis issue, and five relating to transparency.

Seven of those findings are adverse to positions advanced by the Department, insofar as the Commission has found that there is, or has been, non-compliance with data protection. The sole finding in the Department’s favour was the presence of a legal basis for processing personal data in connection with the issuing of the cards to validate the identity of persons claiming or receiving a benefit, that is, the initial reason for the scheme’s introduction.

The adverse findings include that the processing of personal data in connection with the scheme for the purposes of transactions with bodies other than the Department has no legal basis, that there is blanket and indefinite retention of underlying documents and information, and that the information provided by the Department to the public about the processing of their personal data is not sufficiently transparent.

The Enforcement

The Commission identified a number of measures required to bring the PSC Scheme into compliance. Processing by all public bodies other than the Department was to cease within 21 days, and the Department must notify other public bodies that it would not be in a position to issue PSCs to any member of the public who wishes to enter a transaction with them.

The Minister for Employment Affairs and Social Protection, Regina Doherty, and the Minister for Finance, Paschal Donohoe, hit back at the findings, stating that they were satisfied that processing of personal data relating to the PSC has a strong legal basis, the retention of data is lawful and that the information provided to users satisfies the requirements of transparency. Legal advice from the Attorney General has been cited in support of a refusal to withdraw or modify the use of the PSC or the data processes that underpin it.

The Commission, meanwhile, has been reported as preparing to issue an enforcement notice to the Department. Section 10 of the Data Protection Acts 1988 to 2003, under which this part of the investigation was conducted, provides that the Commission may serve a notice on a controller requiring it to take specified steps, and failure to comply can be an offence. Section 133 of the Data Protection Act 2018 provides for enforcement under that Act. An appeal by the Department against an enforcement notice would put enforcement on hold pending the outcome of that appeal.

The dispute appears to be widening, with reports that the Department of Children and Youth Affairs faces investigation over a mandatory requirement to hold a PSC in order to access the National Childcare Scheme. Data Protection Commissioner Helen Dixon has described that requirement as “totally at odds” with the findings of her report.

Regardless of the outcome of the current quarrel, the Commission's statement is a salutary reminder for data controllers of the importance of identifying and adhering to a purpose and a legal basis for processing, and of the principle of transparency. Transparency issues appear to have been a recurring feature of other major data protection investigations to date.