Departments unsure of responsibility for overseeing PSC

The question goes to the heart of which of the two departments would be liable for any fines under the EU’s General Data Protection Regulation (GDPR) should their processing of Irish citizens’ data be found to be in breach of European law.

The Department of Social Protection is the body with primary responsibility for the PSC’s welfare benefit origins. The expansion of the card’s remit to other State services, such as passport and driving licence applications, has been handled by Public Expenditure and Reform.

Two weeks ago, the Data Protection Commissioner ruled that expansion was unlawful under legislation dating prior to the Data Protection Act 2018, which enacted GDPR within Irish law.

It has been speculated that that decision could give rise to a mass of civil liability suits should the data be found to have been processed unlawfully as per GDPR.

Under GDPR, State bodies are liable for fines of up to €20m for breaches of the regulation. While that figure was whittled down to €1m under the 2018 act, the instances of breaches regarding the PSC could total millions — one for each card.

Both departments were asked by the Irish Examiner whether they now consider themselves or their colleague body to be the data controller — that is the department with overarching responsibility, for the PSI dataset — or whether it is their opinion that both are joint controllers.

“The Department of Employment Affairs and Social Protection is the data controller for the PSI dataset held by the department,” said a spokesperson. The statement did not elaborate on who controls the data shared by the Department of Employment Affairs and Social Protection with another body.

The Department of Public Expenditure and Reform had not responded at the time of publication.

Under the two departments’ December 2017 data-sharing agreement, a legal tool necessitated when one body shares data with another, Social Protection is the data controller for the PSI database and Public Expenditure is the data processor, a subordinate position under privacy law.

The agreement also states that under the PSC expansion, Social Protection “collects elements of the PSI data from specified bodies and provides the Department of Public Expenditure and Reform with this data for all its clients and customers”.

Privacy experts have stated that such a statement is a contradiction in terms, as having delivered the data to Public Expenditure and Reform, the Department of Social Protection ceases to control it as a matter of fact.

“The core of this is, who is liable for doing this?” said Simon McGarr, a privacy solicitor and director of Data Compliance Europe.

If a department doesn’t know the answer, or doesn’t have sufficient knowledge to understand but has contracted with another to transfer data anyway, then any processing under the existing agreement would be invalid. If that’s the case then the DPC could issue fines.