KPMG found there was no legal basis for public services card database

The Department responsible for the beleaguered Public Services Card was unable to legally justify the creation of a database of citizens' photos when the card process was reviewed by a private consultancy.
A data protection impact assessment (DPIA), compiled by KPMG and released to the Irish Council for Civil Liberties under freedom of information, was carried out in 2021 at the time the Department of Social Protection was upgrading the facial matching software it uses for authorising welfare payments in conjunction with the photo on each PSC.
That DPIA, the first carried out on the controversial card in its 11-year history, states that the Department provides "an insufficient level of detail regarding facial matching software in that it does not note a legal basis for the processing".
The assessment suggests that the Department was aware that the PSC could be legally unsound, despite having consistently denied in recent years that the card's photo constitutes biometric data. There are more than 3.2m PSC holders in Ireland at present.
The controversial card is currently the subject of a multi-year Data Protection Commission investigation to determine whether or not the personal data and photo on the card is biometric, and therefore whether or not the entire project is legal. A draft decision relating to that investigation is currently being prepared.
Biometric data refers to personal data which can be used to identify someone via their physical characteristics, in this case their photo image.
Such information is specifically protected under GDPR and requires dedicated legislation should a State body wish to make use of it. Many Irish privacy experts have been arguing for years that no such legislation exists.
KPMG said that as things stood the Department was at risk of reputational damage, GDPR fines, and enforcement orders from the DPC due to Social Protection failing to "completely inform the data subject of the creation or use of the biometric template" when their photo was recorded when registering for the card, something the consultancy said ran the risk of being "not transparent".
Further, it identified a risk surrounding the fact the sensitive personal data being held by the Department for the lifetime of each cardholder, plus an additional 10 years after their death, could be deemed to be unnecessary or excessive and therefore not legal.
Olga Cronin, surveillance and human rights policy officer with the ICCL, said that Social Protection had been "building a national biometric database without a relevant legal basis and without transparency", and had been collecting people's biometric information "in exchange for services they are legally entitled to".
"This must stop," she said.
A spokesperson for the department said that it "does not accept either that it failed to identify a legal basis for the processing of biometric data or that it failed to give individuals the information required to be given in respect of its processing of such data".
"The PSC photo is not biometric," they said. They added that no data protection impact assessment had taken place for the card previously as the systems in place for authenticating cardholders' identity "were well established and there was no change in risk".
"It was therefore not necessary to carry out a DPIA," they said, adding that this situation had changed when the facial matching software used had become due for an upgrade.
They further stated that the Department's decision to hold citizens' data for the duration of their lifetimes and a further ten years after death "is appropriate", despite KPMG concluding that such a timeframe could be seen as disproportionate.
Data protection commissioner Helen Dixon had already previously ruled as illegal any attempts by State agencies to make holding a PSC a mandatory requirement for people looking to access services like passport or driving licence applications.
Last week, meanwhile, the DPC ruled that users of the PSC's free travel pass variant had had their GDPR rights breached by the Department over the recording and sharing of their public transport journey history and personal data without their knowledge.