Data Protection Commissioner

CASE STUDY 5/99

 voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers - failure to register as a data controller

A small number of voluntary organisations were authorised by a State body to assist in the administration of an official scheme. The scheme was designed to benefit a certain category of individuals, many of whom would be represented by the voluntary organisations. Applications for participation in the scheme were made through the voluntary organisations, and in this context applicants were asked to supply their Revenue and Social Insurance (RSI) number.

I received a complaint from an individual who objected to the collection of RSI numbers by one of the voluntary organisations in question. The complainant was unhappy that the voluntary organisation, which was not an official State body, had access to the RSI number, which was also used in connection with his health and social welfare entitlements, and in connection with his tax affairs. Allowing a private body to hold his RSI number would, he feared, put at risk the privacy of his dealings with the State sector. The complainant also noted that the voluntary organisation in question was not registered with my Office, as was required under the Act.

I approached the organisation and asked why it was seeking RSI numbers from applicants. The organisation explained that the number was used to avoid duplications that might arise among the different organisations which were administering the scheme. Most adults had a unique RSI number, and so it was a handy identifier for applicants. I pointed out to the organisation my view that widespread and unregulated use of the RSI number, beyond the limited purposes for which the number had been instituted, could, over time, lead to an erosion of citizens' privacy. Having considered my viewpoint, the voluntary organisation agreed to stop using the RSI number, and to look for other ways of meeting its administrative needs. The organisation also accepted that it had failed to register with my Office, as required by section 19 of the Data Protection Act, and it took steps to regularise the position.

The issue was solved to the complainant's satisfaction through the co-operation of the data controller. However, this case study raises interesting questions regarding the use of what is now the Personal Public Service Number (PPSN), in the light of the provisions of Part IV of the Social Welfare Act, 1998. This Act regulates the use of the PPSN and specifically limits its use to specified bodies. It appears to me that it is for the Department of Social, Community and Family Affairs, in the first instance, to ensure compliance with the requirements of Part IV of the Social Welfare Act, 1998. However, a data controller who, in contravention of the Social Welfare Act, 1998, "uses a personal public service number or seeks to have a personal public service number disclosed to him" may also face difficulties under the Data Protection Act, 1988. It is difficult to see how such a data controller could demonstrate that personal data had been "fairly obtained" as required by section 2(1)(a) of the Data Protection Act, where his or her acquisition of the PPSN contravened the Social Welfare Act, 1998.

In my view, unlawfully obtained personal data could not meet the "fair obtaining" criterion of the Data Protection Act. In this connection,it is worth recalling that when the then Data Protection Bill, 1987 was being debated, the then Minister for Justice, in response to a proposed amendment, commented as follows: "I have been advised that the obligation already imposed by the subsection to obtain fairly data or information constituting data would amply comprehend also obtaining it lawfully and with due regard to the data subject's constitutional rights."






» Permanent Link