Departments unsure of responsibility for overseeing PSC

Departments unsure of responsibility for overseeing PSC

Confusion remains as to which of the Departments of Employment Affairs and Social Protection, and Public Expenditure and Reform, or both, has primary responsibility for the Public Service Identity (PSI) database.

The database is the building block on which the controversial public services card (PSC) and MyGovID online platform are based.

The question goes to the heart of which of the two departments would be liable for any fines under the EU’s General Data Protection Regulation (GDPR) should their processing of Irish citizens’ data be found to be in breach of European law.

The Department of Social Protection is the body with primary responsibility for the PSC’s welfare benefit origins. The expansion of the card’s remit to other State services, such as passport and driving licence applications, has been handled by Public Expenditure and Reform.

Two weeks ago, the Data Protection Commissioner ruled that expansion was unlawful under legislation dating prior to the Data Protection Act 2018, which enacted GDPR within Irish law.

It has been speculated that that decision could give rise to a mass of civil liability suits should the data be found to have been processed unlawfully as per GDPR.

Under GDPR, State bodies are liable for fines of up to €20m for breaches of the regulation. While that figure was whittled down to €1m under the 2018 act, the instances of breaches regarding the PSC could total millions — one for each card.

Both departments were asked by the Irish Examiner whether they now consider themselves or their colleague body to be the data controller — that is the department with overarching responsibility, for the PSI dataset — or whether it is their opinion that both are joint controllers.

“The Department of Employment Affairs and Social Protection is the data controller for the PSI dataset held by the department,” said a spokesperson. The statement did not elaborate on who controls the data shared by the Department of Employment Affairs and Social Protection with another body.

The Department of Public Expenditure and Reform had not responded at the time of publication.

Under the two departments’ December 2017 data-sharing agreement, a legal tool necessitated when one body shares data with another, Social Protection is the data controller for the PSI database and Public Expenditure is the data processor, a subordinate position under privacy law.

The agreement also states that under the PSC expansion, Social Protection “collects elements of the PSI data from specified bodies and provides the Department of Public Expenditure and Reform with this data for all its clients and customers”.

Privacy experts have stated that such a statement is a contradiction in terms, as having delivered the data to Public Expenditure and Reform, the Department of Social Protection ceases to control it as a matter of fact.

“The core of this is, who is liable for doing this?” said Simon McGarr, a privacy solicitor and director of Data Compliance Europe.

If a department doesn’t know the answer, or doesn’t have sufficient knowledge to understand but has contracted with another to transfer data anyway, then any processing under the existing agreement would be invalid. If that’s the case then the DPC could issue fines.

More on this topic

Ireland protects privacy of citizens more than any other developed nationIreland protects privacy of citizens more than any other developed nation

Only guilty need fear transparency - Evolving data protection normsOnly guilty need fear transparency - Evolving data protection norms

Are we the wild west of data protection?Are we the wild west of data protection?

Government faces calls to scrap controversial Public Services CardGovernment faces calls to scrap controversial Public Services Card


More in this Section

Mining experts to assess the risk of West Cork sinkholeMining experts to assess the risk of West Cork sinkhole

Residents in Leitrim continue round-the-clock protest against centre for asylum seekersResidents in Leitrim continue round-the-clock protest against centre for asylum seekers

Developer offers to lease almost 500 apartments for social homes in CoolockDeveloper offers to lease almost 500 apartments for social homes in Coolock

Revised plans for controversial Bus Connects plan to be unveiledRevised plans for controversial Bus Connects plan to be unveiled


Lifestyle

We catch up with Bushmills’ master distiller, who tells Sam Wylie-Harris more about this liquid gold.Irish whiskey masterclass: 11 things you need to know

Temples, beaches, and several nations with new names.From Bhutan to Costa Rica, Lonely Planet reveals its top countries to visit in 2020

Columnist and trained counsellor Fiona Caine offers guidance to a woman who’s unsure how to manage her mother’s dying wishes.Ask a counsellor: ‘Is it appropriate to notify my mother’s friends of her death by email?’

‘The Big Yin’ talks to Luke Rix-Standing about living with Parkinson’s, the power of forgiveness, and why he will never, ever stop swearing.Billy Connolly: ‘You don’t wake up famous, you wake up scratching yourself like everybody else’

More From The Irish Examiner