What is the Public Services Card is and why was it introduced?
The Public Services Card (PSC) was introduced as pilot project in 2011, primarily as a means of preventing social welfare fraud. Essentially, it was to be a card with personal details of the holder on it, like their name, photo, PPSN etc, that could be presented when they were identifying themselves for the purposes of claiming social welfare benefits.
And initially at least, that was what it was used for. But bit by bit the Government started to broaden its application to other areas. And so now today, it is used during a whole raft of public service transactions, including the replacement of certain lost, stolen or damaged passports, citizenship applications, education grants, appeals around school transport, the driving test, driver licence appointments and many more.
Dozens of public service organisations also have access to the information on the cards and around 3.2 million people now have one. And the Government has plans to expand the system further.
The card started to worry people concerned about civil liberties and data protection. Why was that?
Yes, when the card became required for a whole variety of other applications, many people started getting worried. Partly that was because some saw it becoming a national ID card by stealth. Others just don't think governments should be able to gather and share large amounts of personal data about citizens without a good reason.
But from a data protection perspective, the issue was that in order to gather, process and store personal data, a data processor has to have a sound legal basis upon which to do it, and act in compliance with data protection laws. And the concern was that as the use of the public services card widened, the necessary data protection rules were not being complied with.
So in 2017, the Data Protection Commission (DPC) announced it was going to open an investigation into whether the public services card and its related systems fully comply with the law.
And what then has the Data Protection Commission found?
In a lengthy and quite technical statement published on the Data Protection Commission's website, the data regulator says that its inquiry examined a whole range of aspects around the use of the card. However, the findings disclosed today focus on just two questions.
The first is the legal basis on which personal data was processed in connection with the cards. The second relates to the question of whether information provided to members of the public in relation to the processing of their personal data for the cards satisfied the legal requirements around transparency.
The commission said it found that processing of personal data by the Department of Employment Affairs and Social Protection for the issuing of public services cards for the purpose of identifying a person claiming a benefit, is legal under data protection law - remember that's the original reason the card was set up.
But when it comes to the department's processing of personal data during the issuing of a Public Services Card for its use in transactions between the holder and a public body other than the department itself, well that is illegal.
The commission also found that the department's blanket and indefinite retention of documents and information provided by people applying for a Public Services Card contravenes data protection law.
And it ruled that the scheme does not comply with the transparency requirements of the data protection acts, because the information given by the department to the public about the processing of their personal data in connection with the issuing of the cards was not adequate.
What does the Data Protection Commission say the department has to do about it?
The DPC has given the department three weeks to stop all processing of personal data, where a public services card is being issued only for the purpose of a transaction between the holder and a public body other than the department itself.
Within that timeframe, the department will have to contact public bodies who require the production of a public services card as a pre-condition for a service to tell them that in the future the department will not be able to issue cards to any member of the public for such a purpose.
The decision also means that the personal documents and information provided by all 3.2 million card applicants, which has been held indefinitely by the Government, will have to be deleted.
The commission has warned that if it does not implement the measures the department will face an enforcement notice, which if not complied with can lead to a criminal prosecution in court.
The department will also have six weeks in total to submit a plan to the Data Protection Commission outlining how it will bring the public services card scheme into compliance with data protection legislation. The plan will have to identify the changes it will make to the PSC scheme and the time period within which those changes will be made.
But for people like me who have a card, what on a practical level does all this mean?
The Data Protection Commission says that nothing in the findings impacts the validity or use by individuals of cards that have already been issued. So, if you have one, you can continue to use it for accessing benefits, including free travel for example. The department is also not prevented from issuing further PSCs for these specific purposes.
But the department will not be able to issue any further cards where the use is for a public service not provided directly by it. And so public service providers other than the department won't be able to demand you have a public services card before giving you a service as there is no lawful basis from a data processing point of view for them doing that.
And that, presumably, is going to cause a major headache for those very many services that now require people to have one. But perhaps not as big a headache as the political one now about to hit the Government and Minister Regina Doherty, who said in 2017 that the card was "mandatory but not compulsory".