The creation of a biometric photo database from Ireland’s 3.2 million Public Services Card (PSC) holders has no legal basis, a report has claimed.
The Data Protection Impact Assessment (DPIA), produced by consultant, KPMG on behalf of the Data Protection Commission, stated there was also a risk of personal data being “further processed or transferred for unspecified and/or illegitimate purposes” by the Department of Social Protection or a third-party provider.
Biometric data is information that can be used to identify someone through their physical characteristics.
The document, obtained by the Irish Council of Civil Liberties (ICCL) and Digital Rights Ireland under Freedom of Information laws, highlighted a number of risks.
The DPIA said the Department provided an insufficient level of detail regarding facial matching software.
It also noted that cardholders were not directly informed about the biometric processing involved in obtaining a PSC during face-to-face interviews.
Further, it identified a risk that the personal data would be retained by the Department for the lifetime of each cardholder plus 10 years, which KPMG said could be deemed to be unnecessary or excessive.
KPMG said the Department was at risk of reputational damage, fines and enforcement orders as a result of the highlighted risks.
The PSC is currently the subject of a multi-year investigation by the Data Protection Commission to determine whether the project is legal under data protection legislation.
Dublin, 13 June 2023