Today the DPC delivered its long-awaited 170-page findings on the Public Services Card (PSC) to the Department of Social Protection, prompting calls for the Minister to resign. So how badly did the Irish Government violate our data protection rights?
Concerns were first raised about the card some years ago because it allowed personal data to be shared between government departments without the consent of the individual. The card was originally designed to combat welfare fraud by helping to identify individuals in receipt of social welfare benefits. Subsequent scope creep meant that the card, and the database of what is now 3.2 million users, came to be shared with other government departments and used for a number of completely different processing purposes. Each processing activity needs its own legal basis, and for these additional uses of the card that basis was lacking.
The key findings we can learn from:
- Transparency
Once again, one of the key findings to come out of an investigation by a data protection authority is a lack of transparency, a fundamental pillar on which the GDPR is built. The investigation found that the information provided to people about the processing of their personal data was inadequate, highlighting the importance of having a clear, concise, easy-to-read privacy notice.
- Legality of data processing
The second takeaway relates to the lawfulness of the processing. The DPC found that there was only one legal basis available, and that relates to the payment of social welfare and other benefits. This means that the other much-touted uses of the card, including first-time passport applications and the driver theory test, involved unlawful processing of personal data. The investigation concluded that the legislation underpinning the card did not provide a legal basis for other public service bodies to demand it.
Another salient finding was that there was little evidence the department had considered the impact of the changing uses of the card over time on data subjects' rights. This points to the absence of a data protection by design approach within the department.
- Retention of data
And finally, there is the sticky topic of retention and the department's failure to destroy data once it was no longer required. The DPC has ordered the department to delete the supporting documentation it holds on the 3.2 million citizens who applied for the card. The rule is simple: once you have validated a person's identity, you no longer need the supporting documents. This is a lesson every business can take note of, especially for HR records, where we tend to hold a large amount of sensitive personal data.
So, what can we all take from this?
- Develop a clear, concise privacy notice for all your service users that sets out the purposes of processing, your legal basis for each purpose and your retention periods.
- Be aware of the impact of any change in how personal data is processed within your business. Consider whether a Data Protection Impact Assessment (DPIA) is required or, indeed, whether an existing DPIA should be revised when your processing changes.
- Having a retention policy is not enough; you also need to implement it by actually deleting and destroying the data. So get the shredder serviced and start securely destroying data you no longer need. Stop being a personal data hoarder!