Data Protection Commissioner
Data Protection Commissioner

Data Protection Commissioner Statement on the Public Services Card

30th August 2017

The Data Protection Commissioner notes the ongoing public commentary in relation to the Public Services Card (PSC). While a framework to authenticate identity for individuals availing of State services is an entirely legitimate government policy choice, transparency to the public on the underpinning legislative provisions, what data is being collected, for what purpose, and with whom data may be shared and for what purpose, needs to be adequately addressed.

The Data Protection Commissioner and her staff have strongly conveyed their views on numerous occasions to the Department of Social Protection and in a number of other fora, including at Oireachtas Committee hearings, that there is a pressing need for updated, clearer and more detailed information to be communicated to the public and services users regarding the mandatory use of the Public Services Card for accessing public services. The provision of up-to-date, comprehensive and relevant information to the public is not just part of the openness and transparency requirements for the fair processing of personal data under data protection law, but also in the interests of maintaining public confidence in the system.

The Commissioner highlighted the transparency issue in relation to the card in the 2016 Annual Report when she highlighted that the "....implementation of large-scale government projects without specific legislative underpinning, but rather relying on generic provisions in various pieces of legislation, poses challenges in terms of the transparency to the public.....and the uses to which personal data is now being applied. While a lawful basis for such use of personal data can be cited, the need for notice and transparency is especially high in these types of cases and it is not always clear that public clarity has been delivered."

The Data Protection Commissioner is also aware that the 2015 Comptroller and Auditor General Report on the PSC specifically asserted that:
"There is no single business case document for the PSC, setting out at a high level all of the information needed to get the project started (scope, justification, funding, roles and responsibilities), and which communicated this key information to the project's stakeholders"  http://www.audgen.gov.ie/documents/annualreports/2015/report/en/Chapter10.pdf

The Data Protection Commissioner has sought that the Department of Social Protection publish a comprehensive FAQ to fully clarify all of the arrangements, procedures and legislative provisions relating to PSC. The comprehensive list of questions, which the Department of Social Protection has agreed to answer and publish, were provided by the Data Protection Commissioner. The questions included such matters as: How the legislative provisions set out in the relevant Social Welfare Acts, which have been cited to the Data Protection Commissioner as the legal basis for the PSC, provide a robust legal basis for what is now being implemented across the public sector, beyond public services provided by the Department of Social Protection? How is data collected as part of the issuing of a PSC secured? Who can access it? How does the Safe 2 identity verification process interface with the Single Customer View & MyGovID? How it will interface with the published General Scheme of the Data Sharing and Governance Bill? etc.

The Data Protection Commissioner continues to assess developments in respect of these matters and will assess the Department of Social Protection’s response to the FAQs which we expect will be published imminently.

END.