The Data Protection Commission is set to review all data gathering pertaining to child benefit applications in the fallout from a contentious court case between itself and the Department of Employment Affairs and Social Protection.
The inquiry, which will be of the commission’s own volition, will be conducted under the EU’s General Data Protection Regulation, which grants data regulators considerable power in terms of applying fines to those who breach it.
The DPC can pursue GDPR inquiries under two headings - from complaints delivered to it, or of its own accord where it believes there are sufficient grounds to merit an investigation.
In July 2019, the Department of Social Protection appealed a decision of the DPC, in which it had ruled that the data gathering used to assess a child benefit claim by the department breached privacy law, via judicial review.
That case, which was initiated several years prior to the implementation of GDPR, concerned requests for data via a child benefit eligibility certificate from a person regarding their child’s schooling and details of their younger children’s last doctor’s visit and playschool attendances.
The department explained those requests at the time as having been provided for within social welfare legislation.
In its decision against the department, the DPC said that the State had not provided a detailed justification for the processing of this personal data, or its proportionality.
For a time pending the delivery of the DPC’s original decision, the department had suspended the complainant’s child benefit payments, before eventually agreeing to lift that suspension.
The department’s appeal is still officially live - however last December the DPC agreed to quash its own decision. It’s understood that the department’s appeal hinged on the commission’s breach of fair procedure in coming to its decision, as opposed to specific errors in the application of data protection law.
It’s believed that the complainant assented to the decision in their favour being dropped on the proviso that the complaint be subsequently investigated under GDPR.
“I can confirm that the Data Protection Commission has commenced an inquiry into the gathering of data through child benefit applications of its own volition,” said Graham Doyle, assistant commissioner and head of communications with the DPC.
Own volition inquiries are distinct from those dealing with specific similar complaints from the public, in that the investigating body has no obligation to inform complainants as to the progress or terms of reference of such investigations.
Child benefit is a universal State payment of €140 per child made on a monthly basis to the parents or guardians of all children aged under 16.
The dropping of the DPC’s decision represented something of a high point for the Department in its dealings with the independent regulator over the past several years, which have tended to be fraught.
Last August, the Commissioner Helen Dixon ruled that the department’s signature public services card programme is illegal when applied to any services other than that of welfare.
That adverse ruling has since been appealed to the circuit court, with the department and former Minister Regina Doherty having repeatedly cited “incredibly strong” advice delivered by the Attorney General that the PSC project had been conducted in a legal manner.