Data commissioner’s ruling lifts the veil from Public Services Card

The PSC has divided opinion, but Helen Dixon’s decision is clear: it breaches privacy

Data Protection Commissioner Helen Dixon: found that key aspects of the PSC have no basis in law. Photograph: Dave Meehan/The Irish Times
Data Protection Commissioner Helen Dixon: found that key aspects of the PSC have no basis in law. Photograph: Dave Meehan/The Irish Times

Ever since it was first announced, the Public Services Card (PSC) has divided opinion.

Its proponents argued that it would make life easier and more efficient for the holder, unlocking a range of public services that previously required the filling out of reams of documentation, and bringing forward a new era of access to public services. It would also make it easier for the State to administer payments to millions of people, and to detect fraud.

Critics, meanwhile, said that it represented a data land-grab, and a massive risk to privacy. The debate over just what the PSC can – and should – do has raged for years now.

The case of a woman, revealed by The Irish Times, who was not paid her pension for 18 months because she refused to register for the card ignited intense debate about the card. More recently, the UN poverty envoy Prof Philip Alston said the card was a "big risk" to privacy and civil liberties.

READ MORE

Now Helen Dixon, head of the Data Protection Commission (DPC), which decided to investigate the card in 2017, has found that key aspects of the scheme do not have a basis in law.

“It is our finding that the legislation does not support what is being implemented,” she told The Irish Times. Her ruling, which was delivered to the Department of Employment Affairs and Social Protection on Thursday morning, will make for difficult reading for politicians – and civil servants – who have championed the scheme.

The DPC’s report contains several key findings. The first is that there is no basis in the thicket of social welfare legislation for multiple State bodies to demand someone register for a PSC in order to avail of services.

“I would characterise that as unlawful from a data processing point of view,” Ms Dixon said.

In 2017, the department published a list of public services for which the card was to be “required”. These included drivers licence applications, student and school grants and appeals, passport applications, online health services and appeals to the school transport system. This, however, is wrong, according to the DPC.

‘Fundamental misunderstanding’

In its analysis, the DPC has found that there “has been a fundamental misunderstanding” by the department of the basis on which cards can be demanded, Ms Dixon said.

She said the department assumed that the legislation has a “legal basis for public sector bodies to mandatorily demand the card, and it doesn’t, once you conduct the legal analysis”.

“What we can see when we trace through it is that practice in implementation has now diverged from the legislation that underpins it.”

From now on, the only organisation that can demand a PSC is the Department of Social Welfare itself, for processing social welfare payments and other services. There is no legal basis for anyone else to do so.

The report will also kill off any suggestion that private entities can process the data on the card. At the lower end of the scale, this means it cannot be used as proof of age, but concerns had been raised about a card that was originally intended for access to public services becoming available for processing in the private sector.

The DPC also found that there was no lawful basis for retaining the information – often intensely personal – which individuals must hand over to the department to verify their identity during the application process. Some 3.2 million cards have been issued, and any data retained by the department in this process must now be destroyed, the DPC has directed.

“There’s all sorts of documentation within that which can include information in relation to refugee status; it can include information in relation to gender, changes to gender, as well as utility bills, who you procure your services from and potentially what you spent on those services,” Ms Dixon said. “The indefinite retention of it in circumstances where the Minister has satisfied herself as to identity already . . . we believe there is no lawful basis for that.”

Insufficient transparency

The investigation also found that there was insufficient transparency made available to the public on what personal data is processed, and how it is treated. The DPC has ordered that the department improve its privacy statements and make more, and more easily understood, information available to the public.

In terms of what this means on the ground, there won’t be a massive impact on individual holders of the cards. They can still choose to use a PSC to access services where they wish and where it is accepted as a valid form of identification, and there is no need to exchange a card that has already been issued.

The real fallout will be political; the whole saga reflects poorly on how the department and the Minister for Employment Affairs and Social Protection, Regina Doherty, have stewarded a massive, complex and politically contentious project which was strongly defended by the Government. The Minister's description of the card as "mandatory but not compulsory" will ring in the ears of many now who argued that the department was guilty of overreach.

While she accepts the department’s bona fides in pushing forward a project it believed to be in the public interest, and commends its co-operation with the investigation, Ms Dixon’s verdict is clear.

“Data protection legislation cannot simply be ignored. Having a good idea and a good motivation is not enough for State bodies to proceed with projects that involve significant volumes of personal data,” she said. “They must categorically ensure they have a lawful basis.”