Readers like you keep news free for everyone.
More than 5,000 readers have already pitched in to keep free access to The Journal.
For the price of one cup of coffee each week you can help keep paywalls away.
A WOMAN WHO requested information about changes made to her citizen’s data file has had her request refused for the reason that the database holding the information is routinely blanked.
The woman in question initially requested a copy of her own file from the Department of Employment Affairs and Social Protection (DEASP).
Such data is held on a database known as the Single Customer View (SCV), operated and managed on behalf of DEASP by the Department of Public Expenditure and Reform.
The view depicts a person’s PPS number, their date of birth, gender, address, birthplace, and mother’s birth surname – much of the same information that is currently encrypted on the government’s controversial Public Services Card (PSC).
The database comprises information from a number of state bodies, including DEASP, the Road Safety Authority, the Revenue Commissioners, and the HSE, to name a few. Collectively, the data is known as a citizen’s Public Service Identity (PSI).
Anyone can obtain a copy of their own file by applying to the Client Identity Services section of DEASP.
Deleted
In this case, the woman was curious as to what changes may have been made to her own data – known as an audit trail (essentially a log of who had accessed her file and of whatever changes may have been made).
She requested an audit of all such changes made to her own file held under the SCV, along with the name and rank of any civil servant who may have made such a change, if any, and a copy of what her file would have looked like at a date in the recent past.
The department replied:
“On a fortnightly basis data on the Single Customer View system is deleted and recollected from the data providers.”
There is no archive or audit trail of previous updates.
However, this suggestion appears to contradict the information contained within DEASP’s own recently-produced document, the ‘Comprehensive Guide to SAFE Registration and the Public Services Card’.
That document stresses that:
“The Single Customer View database is stored in a secure government data centre. Access to the data is tightly controlled and restricted to specified bodies on the private Government Network.”
All data access is logged and regularly audited.
That document itself was published on 20 October in reaction to the Data Protection Commissioner (DPC) expressing concern in recent times over matters of transparency concerning the PSC and the SCV. Those concerns chiefly resulted from a report by the State auditor, the Office of the Comptroller and Auditor General, which determined that no business case had been put in place with regard to the rollout of the Public Services Card.
The above apparently contradictory statements, meanwhile, raise the question as to whether an approach of blanking such a database, and in doing so removing any evidence of changes that may have been made, is compliant with both existing data protection legislation, and the EU’s forthcoming General Data Protection Regulations, which will come into force in May 2018.
“The Single Customer View is a read-only, periodically updated, consolidated view of Public Service Identity data only. Essentially, it is a mechanism used to enable sharing of the PSI dataset with specified bodies. The Single Customer View is held electronically on secure systems owned by the State in a secure government data centre on the private government network in Ireland,” a DEASP spokesperson said in response to a query from TheJournal.ie regarding the matter.
The PSI data displayed is that obtained by each contributor during their most recent transaction with the customer. The basis data on the SCV system is deleted and recollected from the data providers, generally on a fortnightly basis. There is no record of previous transfers of data held.
“All accesses to the Single Customer View application are logged. Information is logged about what information was accessed, by whom, and when. This log data is retained,” they added.
Security trail
“It’s good practice to keep audit logs of access to this kind of information for the purpose of demonstrating that data is being kept securely,” said Simon McGarr of Data Compliance Europe.
It increases the chances that the department would face compensation claims and other administrative fines in the event of a data breach if they could not demonstrate their own security trail.
TheJournal.ie raised the possibility that the Single Customer View database is routinely wiped with the Office of the DPC.
A spokesperson said: “Matters relating to the security of the data held and shared amongst the bodies involved in the SCV and PSC are currently being examined by the Data Protection Commissioner.”
It’s understood that the Data Protection Commissioner submitted as many as 50 questions to DEASP in recent months with regard to issues of transparency with the Public Services Card project and the SCV database, while a full investigation is now under way to determine whether or not those initiatives demonstrate full compliance with Ireland’s data protection acts.
The spokesperson continued:
“Since 2016, the DPC has been seeking clarity and greater transparency to the public on these matters. While the (commissioner) welcomes the greater clarity certain responses bring, engagement with the department is ongoing in relation to matters covered in the guide and in recent Dáil responses to PQs (parliamentary questions) particularly as they relate to biometric data processing and governance and data issues associated with the interplay between the Public Services Card, Public Service Identity set, MyGovID, Single Customer View and Infosys.”
To examine details of the above matters further, the DPC has now commenced an investigation under Section 10 of the Irish Data Protection Acts with a view to establishing whether there is full compliance with the requirements of the Acts.