The Data Protection Commission (DPC) has found the Department of Employment Affairs and Social Protection's processing of personal data during the issuing of Public Services Cards (PSC) for use in transactions between a person and a public body other than the department itself to be illegal.
The commission also found that the blanket and indefinite retention of documents and information provided by people applying for a Public Services Card contravenes data protection law.
The data protection regulator also ruled that the scheme does not comply with the transparency requirements of the data protection acts, because the information given by the department to the public about the processing of their personal data in connection with the issuing of the cards was not adequate.
The implication of the decision is that there is no legal basis from a data processing point of view for making people obtain a card in order to access services other than those provided by the department.
It also means that the data held on more than three million card holders must now be deleted.
The commission has given the department three weeks to stop all processing of personal data where a PSC is being issued solely for the purpose of a transaction between a member of the public and a public body other than the department itself.
Within that timeframe, the department will also have to contact public bodies who require the production of a PSC as a pre-condition to tell them that in the future the department will not be able to issue PSCs to any member of the public for such a purpose.
The commission has warned that if it does not implement the measures it will face enforcement action.
The department will have six weeks in total to submit a plan to the DPC outlining how it will bring the PSC scheme into compliance with data protection legislation.
The plan will have to identify the changes it will make to the PSC scheme and the time period within which those changes will be made.
"Ultimately, we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept," the DPC said in a statement published on its website.
"Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset.
"Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found."
In a statement to RTÉ's Morning Ireland, a spokesperson for the Minister for Employment Affairs and Social Protection Regina Doherty said the minister had received the report, was considering it and would respond in due course.
- What is the Public Services Card?
- Department says Public Services Card has clear legal basis
- Rollout of Public Services Card lacked 'coherence' - commissioner
- Minister says Public Services Card not compulsory, but mandatory for some services
- Data Protection Commissioner says transparency is needed over PSC
The report of the investigation, which incorporated its findings, was sent to the department yesterday.
The commission has asked the department to confirm whether it will publish the report itself within seven days, or if not whether it will agree to the DPC publishing it on its own website.
The findings follow an extensive investigation by the data protection watchdog into the Public Services Card.
Despite the negative findings, the DPC said it had found that processing of certain personal data by the department for the issuing of PSCs for the purpose of identifying a person claiming a benefit is legal under data protection law.
However, of the eight findings made in the report, seven found that there is or there has been non-compliance with the application of data protection laws.
The DPC says that nothing in the findings impacts the validity or use by individuals of PSCs already issued.
The findings also do not affect individuals accessing benefits, including free travel, who currently do so using their PSC and the department is not prevented from issuing further PSCs for these specific purposes.
The PSC was first introduced in 2011 for social welfare payments, but since then it has been rolled out to a large number of other services.
These include first time adult passport applicants, replacement of lost, stolen or damaged passports issued prior to January 2005, where the person is resident in the State, citizenship applications, driving test and driver licence appointments.
However, the Data Protection Commission began its investigation in 2017 after concerns were raised that the legislation underpinning the card did not cover it to collect and process data for these other purposes.
"As new uses of the card have been identified and rolled-up from time to time, it is striking that little or no attempt has been made to revisit the card's rationale or the legal framework on which it sits, or to consider whether adjustments may be required to safeguards built into the scheme to accommodate new data uses," the DPC said.
"Instead, the development of the card has proceeded by way of one-off, piece-meal changes to existing social welfare legislation, resulting in a situation where, in our view, the project is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it)."
The DPC's inquiry examined a whole range of aspects regarding the use of the card.
However, the findings disclosed today focus on the question of the legal basis on which personal data was processed in connection with the PSC.
They also relate to the question of whether information provided to members of the public in relation to the processing of their personal data in connection with the PSC satisfied legal requirements around transparency.
The DPC said further reports and findings will follow at a later date, regarding a number of other issues.