THE DEPARTMENT OF Employment Affairs and Social Protection will continue to process personal data related to the Public Services Card (PSC), saying it has a “strong legal basis” to do so.
The department has this evening published a long-awaited report by the Data Protection Commissioner (DPC), which last month found that there is no legal basis for a person to be required to get a PSC for anything other than social welfare payments and benefits.
Data Protection Commissioner Helen Dixon also ordered the government to immediately stop processing data for services outside of the department’s remit.
But in a statement accompanying the report’s publication, the department said that Minister Regina Doherty and the Minister for Finance Paschal Donohoe had informed the Government that they are satisfied that such processing is legal.
It also said that both ministers believe withdrawing or modifying the PSC or the data processes that underpin its use would be inappropriate and “potentially unlawful”, and that their opinions had been informed by advice from the Office of the Attorney General.
In comments accompanying the statement, Doherty said that she was publishing the report in the interests of transparency and to provide further context to the controversy, including recent correspondence between the department and the DPC about the report.
The Minister said:
While we respect the office of the DPC, in this instance based on strong legal advice, we cannot agree with the findings contained within this report.
We have strong legal advice that the existing social welfare legislation provides a robust legal basis for my Department to issue PSCs for use by a number of bodies across the public sector.
Report published
The PSC was first introduced back in 2011, when 4,000 cards were issued in a pilot project. By 2019, over 3 million of them had been created.
The government said the card would increase efficiency in delivering public services, and help to tackle social welfare fraud. But as the government sought to expand the card’s requirement for other public services, the DPC launched a report into the legality of doing so.
The completed probe first outlined last month how there is no legal basis for any department or state body, except for the Department of Social Protection, to insist that citizens obtain a PSC to access a public service they provide.
It also finds that the Department of Employment Affairs and Social Protection has no legal right to retain supporting documents, such as utility bills, which are collected during the PSC registration process.
And it criticises the department for not being sufficiently transparent in terms of the personal data it has processed in relation to the PSC.
In her foreword to the report, Data Protection Commissioner Helen Dixon noted that the PSC’s use is an arrangement that requires the processing of “significant volumes of personal data” from Irish citizens, and underpins important decisions to be taken about those citizens.
She warned that, as a result of this data processing, the PSC’s use was an arrangement that gave rise to potentially adverse consequences for those who used it:
Accordingly, it is of critical importance that an arrangement of this scale and importance is established on a proper legal footing… and that it operates in a fair and transparent manner in accordance with core data protection principles.
The report is also highly critical of the government for claiming that the card enables individuals to access public services more easily, and said that the PSC is not equipped to do so for the most part.
To highlight this, the commission pointed out that the National Transport Authority was the only body, aside from the department, which has successfully integrated its technology onto the PSC, with customers able to use it to access free public transport instead of a Leap card.
It said that the form of card issued by the department serves “little purpose”, because no public sector body is capable of reading it for the purposes of delivering public services.
Alcohol sales
Meanwhile, the DPC also expressed concerns about the potential for “function creep” in relation to the use of the PSC.
The report highlights how the card has already evolved from its original purpose, and is now being used as a form of photo ID to enable people to access other services.
Said the commission:
Equally, the card is now moving from being one that strictly required for use in the context of transactions with specified public sector bodies, to one that… may, in the near future, be used as an Age Card to be presented in off-licences to purchase alcohol.
The commission warned that this was a significant shift in the evolution of and rationale for the PSC, and said there had been little debate as to whether this was a positive development or whether there was legal basis for such use of the card.
Elsewhere, the DPC wrote that the ongoing change in policy and direction in relation to the PSC had led to a “very fragmented and insufficient underpinning of the PSC in terms of its legal basis”.
The report outlines how the 2005 Social Welfare Consolidation Act is cited by the department as the main piece of legislation which underpins the legality of the PSC and the SAFE registration standard.
However, the DPC notes that one of the provisions of the 2005 Act which is key to the PSC – Section 263 – has been amended six times by three different pieces of primary legislation.
The commission also notes that Section 241, also seen as important to the PSC project, has been amended 28 times by 11 enactments.
The report says:
It is the view of the DPC that the piecemeal and fragmented nature of the legislative interventions described in the preceding paragraph cannot but impact – adversely – on the coherence, credibility and sustainability of the legal foundations on which the PSC sits…
Court proceedings
In a statement to TheJournal.ie this evening, Graham Doyle of the Data Protection Commission welcomed the publication of the report.
“As previously stated, the process of preparation of the enforcement notice is now underway,” he said.
The report’s publication follows weeks of speculation as to whether it would be made public at all.
Following its delivery to the Department, Dixon ordered the Minister to publish the report within seven days, but Doherty said she would wait to discuss its findings first.
Following the delivery of the report last month, the DPC also announced that it would proceed with enforcement action over the government’s refusal to comply with its recommendations.
The government previously announced that it would appeal the findings of the report, although Doherty subsequently said she wanted to meet with Dixon before challenging the matter in court.
In further comments this evening, the Minister suggested such a meeting never took place.
“My officials did seek to engage further with the DPC on this matter but regrettably that engagement was not possible and therefore we are publishing the report without any further delay,” she said.
The Department added that as a result of potential court proceedings in relation to the report, it would not comment further.
With reporting from Sinead O’Carroll and Sean Murray.
Want to know where it all went wrong with the PSC? Was this inevitable or could it have been avoided? Sinéad O’Carroll and reporter Sean Murray were on joined on The Explainer last week by solicitor Simon McGarr, director of Data Compliance Europe. You can find out all you need to know about the controversy below:
The Explainer / SoundCloud
To embed this post, copy the code below on your site
have your say