On Friday, 16 August, the Data Protection Commission (DPC) announced that it had completed a 'lengthy and detailed' investigation into certain aspects relating to the Public Services Card (PSC) and the system of registration behind it, known as SAFE 2.
The SAFE 2 process involved collecting and storing data belonging to almost every person in Ireland. This data was then used by State agencies to make decisions regarding social welfare payments and other matters, such as the issuing of driver's licences. Data harvesting of this magnitude must be done extremely carefully, with safeguards built into the process which promote transparency and enable persons to exercise control over their own data. This, it seems, was not done.
Legal basis for the card
The legal basis for the PSC is to be found in s 247C of the Social Welfare Consolidation Act 2005 as introduced by the Social Welfare and Pensions (Miscellaneous Provisions) Act 2013. The stated purpose of this card is to satisfy the Minister as to the identity of the holder, nothing more.
Therefore, as the PSC regime pre-dates the enactment of the General Data Protection Regulation and the Data Protection Act 2018 - the latter being brought in to facilitate the former - this investigation was conducted by reference to the Data Protection Act 1988 and the subsequent Amendment Act of 2003.
These older Acts contain many of the same sentiments which would eventually find their way into the GDPR. For example, the 1988 Act refers to concepts like rights of access and erasure, which are often wrongly thought to have their origins in the GDPR.
Findings of the DPC investigation
The DPC made eight findings in total, with seven of these being negative from the point of view of the Department. The only positive found was that the Department did have a legal basis for collecting and processing certain personal data as a means of validating the identity of persons receiving social welfare.
However, the DPC found that the transfer of this data, originally collected by the Department of Social Protection, to other government bodies and agencies did not have a legal basis and, as such, contravened s 2A of the Data Protection Acts 1988 and 2003.
It was also found that the Department's 'blanket and indefinite retention' of data relating to persons applying for a PSC contravenes s 2(1)(c)(iv). The SAFE 2 process also failed to live up to the transparency requirements of the Data Protection Acts as no real information was provided by the Department to the public about the processing of their data.
The DPC granted the Department six weeks to submit an implementation plan which would ensure compliance with data protection measures. However, a shorter timeframe of 21 days was given in respect of two specific measures: (1) that the processing of personal data be halted immediately in connection with the issuing of PSCs; and (2) the Department must identify other State bodies who require a PSC for certain transactions that they will not be in a position to issue PSCs for the foreseeable future.
These findings come as no surprise to privacy expert, TJ McIntyre. Speaking to the Irish Examiner, Mr McIntyre pointed out that the secretary general of the Department of Employment Affairs and Social Protection, John McKeon, specifically requested the removal of the term 'biometric data' from the Department's privacy statement.
As we know, the application process for the card involved having your face scanned - which is of course biometric data, designated as a 'special category' of data under the 2018 Act and thus, should have attracted more sensitive protocols.
Potential for legal action to follow
The 2018 Act provides that the maximum fine which can be levied against a government Department is capped at one million euro. However, the question remains as to whether legal liability will follow as against the Department for breach of duty.
Section 7 of the Data Protection Acts 1988 and 2003 imposes a duty of care on data controllers and the recent case of Collins v FBD  IEHC 617 clarifies that breach of same can lead to damages - though it is worth noting that this right does not accrue automatically.
The scale of the State's liability remains to be seen, and as such the full DPC report will have to be released before any estimations can be made regarding same. However, even if a minute breach is found, it will have to be multiplied by the number of potential affected litigants who could number up to 3.2 million. Therefore, this could end up being a very costly mistake for the State.