State may face damages claims over unlawful data gathering from Public Services Card 

Martin McMahon made a complaint alleging an excessive collection of personal data.

The State may face damages claims after the Department of Social Protection (DSP) was found to have improperly gathered data through the controversial Public Service Card.

The Data Protection Commission (DPC) ruled that the DSP infringed the General Data Protection Regulation (GDPR) by failing to notify a complainant, when they received their Public Service Card, that when it was used as a Free Travel Pass, personal data could be transferred to the Department of Social Protection.

Free travel pass users were encouraged by the Government to use the Public Service Card to access their free travel entitlements.

However, complainant Martin McMahon noticed that when he scanned his Public Service Card as a travel pass on public transport, the machine noted that the journey was being ‘recorded’. 

This notification prompted him to ask who was recording his data, where it was being held and what it was being used for.

Complaint

Mr McMahon, who is host of the Echo Chamber podcast, a campaigner, and employment status expert, submitted a complaint to the DPC in October 2019, alleging an excessive collection of personal data by the DSP when people used the Public Services Card as a Free Travel Pass.

The DPC has now ruled that the complainant's personal data was not processed in a transparent manner. This infringed the principle of lawfulness, fairness and transparency, the judgement stated.

It also found that the DSP’s collection of the data was excessive, a contravention of Article 5(1)(c) of the GDPR and constituted an infringement of the principle of data minimisation.

The DSP told the commission that it received personal travel data from the National Transport Authority to assess Free Travel usage for the administration, control and funding of the scheme.

Such data received by the department up to February 2020 included journey transaction data, like the time, date and route. 

It also collected the Integrated Ticketing System (ITS) number, contained on an individual’s Public Service Card.

Although the number is generally non-identifying, it can be linked to the card-holder by the department.

The commission considers the ITS number a unique identifier which constitutes personal data.

Since Mr McMahon’s complaint was submitted in 2019, the department has reduced the Free Travel data it collects to include only basic, summary data.

In a statement, the Department of Social Protection said it accepts the DPC's ruling, and that it no longer collects the ITS number.

“It is important to stress that the DPC did not make any order following from their investigation of this complaint,” it said.

Mr McMahon said that he will seek damages following the ruling.

“What they did was unlawful.

“I will be taking action. If I take an action I’m putting a monetary figure on the damages. If I get awarded €10 and there were 50m of these journeys in 2019/2020, that’s €500m.” 

'Important decision'

Dr Eoin O'Dell, associate professor of law in Trinity College Dublin, said that the judgement was “a very important decision” and "will have important ramifications”. 

He said that there is currently no precedent in Irish law to suggest whether a claim for damages through the courts following such a ruling would be successful.

But British law has shown that data protection cases that turn on the distress caused — rather than a specific loss as a result of the data processing — have tended to fail.

There have not yet been any Irish claims following a Data Protection Commission ruling that have gone to trial and judgement in Irish courts, he said.

“There’s very little Irish case law for breach of GDPR. The DPC ruling does not mean that there will automatically be a successful claim,” Mr O’Dell said.

“But in the UK, cases that turn on ‘distress’ — ‘you used my data in a terrible way and I’m upset by the consequences’ — those cases tended to fail. Whereas, ‘you sold my data’ — which is not the case here; ‘you improperly profited from my data’ — those cases tend to succeed.

“And we’ve had no equivalent case in Ireland yet to work out what the Irish response might be.” 

The case establishes the important principle of data minimisation which both public bodies and private entities must now address and respect, he said.

“This is an important case that establishes an important principle," he said.

“The principle it establishes is that departments building these kind of systems have to respect the principle of data minimisation.

“The problem here was they [the Department of Social Protection] were asking for way too much information.

“There was absolutely no justification for it. 90% of the data, especially the identifiable data, that they were getting for the purposes of processing was not justified. All they needed to know was the number of passengers so as to be able to charge. All the rest was entirely unnecessary.

“You only collect as much data as is necessary and you only keep it for as long as is necessary.

“It’s a common problem in most Government departments to collect too much data."

The commission noted that the DSP now notifies individuals, at the time they receive their PSC-FT, that ‘For control purposes the National Transport Authority will transfer usage data to the Department’.

“Accordingly, no order needs to be imposed as DSP has already implemented the necessary measures in relation to transparency and proportionate and necessary data collection,” the ruling said.

This story was edited at 9.40pm on 20 May 2023 to include a response from the Department of Social Protection.
