Understanding the Public Services Card Data Protection Breach
September 2019
On Friday 16 August, the Data Protection Commission (DPC) published its findings on certain aspects of the Public Services Card (PSC).
Seven of the DPC's eight findings were adverse to the positions advanced by the Department of Employment Affairs and Social Protection (DEASP), and the DPC concluded that there is, and has been, non-compliance with the applicable provisions of data protection law.
The Department of Employment Affairs and Social Protection’s processing of personal data during the issuing of the Public Services Cards for use in transactions between a person and a public body other than the department was found to be unlawful.
The Data Protection Commissioner also found that blanket retention of personal data contravened data protection law, which means that personal data held on more than three million card holders must now be deleted. At a cost of about €60 million to roll out, against savings of only €2.5 million in welfare fraud, the card targets socially and economically vulnerable people, forcing them to trade their personal data for services to which they are already entitled.
But why does this matter to you?
Personal data collected by the Department included a photograph, gender and address, all digitally encoded on the card, and the Department also built a biometric facial-recognition database from the photographs.
Holding fingerprints, retina or iris scans, facial images or other biometric data (measurements of human characteristics) raises obvious technical security concerns: unlike a password or a card number, a biometric cannot be reissued once it has been compromised. Beyond that, consider the encroachment of state authority on human dignity. Biometric data may be used for purposes to which the individual never consented, as happened here, and it may also disclose physiological or pathological medical conditions that the person does not even know about.
For example, fingerprint patterns can be related to chromosomal diseases, iris patterns could reveal vascular diseases, behavioural biometrics could reveal neurological diseases. Excessive perhaps for accessing social welfare payments? Then think about other public bodies that collect your information and may not do a good job of protecting it or deleting it.
Any organisation subject to data protection law is required to maintain a record of its processing activities, detailing what personal data and documentation it collects and for what purpose. Organisations must consider the unintended consequences of that processing and understand the security measures in place to protect the data. They must also define retention periods: blanket or indefinite retention is never acceptable, and neither is requesting excessive information or using it for purposes other than those originally agreed.
If you need help with your data protection requirements, contact RegSol for consultancy or enrol on a course on our training website.
By Judy de Castro - Regulatory Consultant