Government did not breach data protection laws with Public Services Card database

The conclusion brings an end to a near two-and-a-half-year investigation by the DPC into whether or not the department had contravened the EU’s General Data Protection Regulation (GDPR) by allegedly removing references to such data without its then DPO’s consent.

In her ruling, Ms Dixon said that the department had “involved their DPO, properly and in a timely manner, in the Department’s amendment to its Privacy Statement as implemented on July 6, 2018” and as such did not infringe Article 38 of the GDPR.

She added that the department “did not provide any instruction to the DPO” as regards the changing of the statement.

Under GDPR an entity’s DPO is supposed to be entirely independent in their function, with any interference with their role deemed to be a breach of the regulation.

The complaint, first taken by advocacy group Digital Rights Ireland and sponsored by Irish Times data and privacy columnist Karlin Lillington, related to the news reported at the time that the Secretary-General of Social Protection, John McKeon, had ordered that a reference to biometric data be removed from the department’s privacy statement and replaced with the phrase “data such as photographs”.

At the time, the then Minister for Social Protection Regina Doherty had insisted repeatedly that no biometric data - that is data, such as a photograph, which uses a person’s characteristics to make them digitally identifiable - was processed by her department as part of the Public Services Card (PSC) project.

Under GDPR, biometric data cannot be processed for the purposes of identifying a person unless specifically provided for in legislation. The department’s privacy policy had been redrafted in May of that year to reflect the enactment of GDPR into law.

Responding to the DPC’s decision, chair of Digital Rights Ireland TJ McIntyre said that “even though there wasn’t a breach the process was still dysfunctional as the investigation has shown that a well-developed policy was overhauled in haste when it was realised that the statement was causing embarrassment to the Minister”.

In the aftermath of the removal of references to biometric processing, the Department acknowledged that the DPO had been “on leave” at the time of the change, but said that the reference to biometric data had been an “error”.

The DPC’s investigation found that a member of the DPO’s staff emailed the DPO at the time to say: “This was not discussed with me! I wouldn’t have agreed to this change.

Are you happy for the blanket removal of reference to biometric data? Not sure I am!

However, in an interview with the DPC, the then DPO stated that although on leave he had been in communication with the Department at the time of the change and that he was “entirely satisfied that the views of the DPO were included in the overall consideration of the matter by the Secretary General”.

The PSC is the primary means by which Irish people access welfare payments. There are over 3 million such cards in circulation in Ireland.

A 2019 investigation by the DPC ruled that the PSC is unlawful for all uses other than accessing welfare payments, and ordered that the Department must delete the 3.2 million historic records it held on citizens accumulated as part of the project.

That ruling was subsequently appealed by the Department to the Circuit Court, where it currently remains.

A further investigation by the DPC into the biometric nature of the card was initially due to have been published by the end of 2019. However it’s now understood that report is unlikely to emerge until the PSC court case has been concluded.