Public Service Card Data Breach Could Result in Compensation Claims
It appears probable that the State will face a number of compensation claims in the aftermath of revelations that the collection of data during the issuing of Public Services Cards (PSC) was not legal.
The Data Protection Commission (DPC) has released a report which ruled that the holding of information collected during the application process was not legal, in addition to the obligation on the general public to have the card in order to be in receipt of certain State services and benefits.
The card was first introduced in 2011 in order to help with the processing of social welfare payments. After this, it was required for a number of other services including first-time adult passport applicants, replacement of lost, stolen or unusable (due to condition) passports issued prior to January 2005, where the person is resident in the State, citizenship applications, driving test and driver licence appointments.
Already there have been a number of civil society groups who have said that they are considering filing a class-action style case. At the time that the card was introduced advocacy groups in including Digital Rights Ireland, the Irish Council for Civil Liberties, the UN’s special rapporteur on extreme poverty, Age Action objected to its introduction.
After the DPC investigation concluded, it was deemed that the operation of the PSC scheme does not adhere with the transparency obligations of the data protection acts due to the inadequate manner of information handed over, by Department of Social Welfare, to those who were having their data processed. The result of this is that he data stored on more than three million card holders must now be deleted and data processing by the Department, rather that the public body providing the service, must be ended. These tasks must be finished by a specified date or some enforcement measures may be sanctioned against those to blame.
In a statement about the investigation the DPC revealed “Ultimately, we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept.
“Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.”
This does not mean that the PSC is no longer a relevant form of identification and it will still be valid for a range of specific services. Data Protection Commissioner Helen Dixon stated: “Any cards that have been issued, their validity is not in question by anything we’ve found in this report. They can continue to be used in the context of availing of free travel or availing of benefits that a person is claiming from the department.”
She added that this does not mean that it will be impossible, in future, to issue a single card, or possibly a national identity card that can be used for all interactions with the State. She commented: “No, we’re not saying that at all. We’re saying that if that’s what’s intended or required, there isn’t a lawful basis [as currently set up]. It can’t be the case that a national identity card automatically offends EU charter fundamental rights or EU data protection law because they exist all around Europe. It is a possibility, by carefully laying down the lawful basis for such a card.”