IRELAND
The Irish Government has been plunged into crisis after it was found to have illegally retained the personal data of 3.2 million people in the rollout of its controversial Public Services Card (PSC).
After a 20-month investigation, Data Protection Commissioner, Helen Dixon found the expansion of the card’s remit to other Government services from its social welfare origins was illegal under data protection legislation.
Given the huge number of citizens who hold a card and the Department of Employment Affairs and Social Protection’s now dubious legal standing on the issue, it has been speculated that under the European Union’sGeneral Data Protection Regulation, the state could be liable for damages totalling hundreds of euros for each of the cardholders.
Principal Solicitor with privacy specialist FP Logue, Fred Logue said the payout could run into tens of millions in euros in terms of liability, if people took a case en masse.
Ms Dixon ordered the Department of Employment Affairs and Social Protection, the body with principal responsibility for administering the card, to delete the historical personal information.
This included utility bills or other proof of residence it holds for all holders of a PSC.
She gave the Department 42 days to come up with an implementation plan.
The findings are a hammer blow to the PSC project, which has faced accusations of illegality from a data protection point of view since its inception in 2011, and particularly since the Government sought to expand the card’s remit to other services, such as applying for a driving licence, in early 2017.
The Commissioner’s announcement is likely to place extreme pressure on Minister for Social Protection, Regina Doherty, who has been one of the card’s staunchest defenders over the period of the investigation.
There are now mounting calls for Ms Doherty’s resignation.
Privacy expert T.J. McIntyre said Ms Doherty and her Secretary-General (Head of Department), John McKeon “absolutely should go”.
“The Department has consistently shown a disregard for private data,” Mr McIntyre said.
“It needs to be pointed out that the Secretary-General is directly implicated, as he was the one who personally sent an email requesting that the Department’s privacy statement be altered to remove reference to biometric data.”
Dublin, 19 August 2019
