THE DEPARTMENT OF Employment Affairs and Social Protection has retained data from every person who has been issued with a Public Services Card, including their utility bills and financial statements.
To date, 3.2 million Public Services Card have been issued and Data Protection Commissioner Helen Dixon has told TheJournal.ie that she is “unaware of any parallel” across State bodies where such a large volume of data on Irish citizens is retained indefinitely.
Dixon spoke to TheJournal.ie about the Data Protection Commission’s long-awaited landmark report into the legality of the Public Services Card, which was sent to the department this week.
Among the probe’s findings are that there is no lawful basis for State bodies – other than the Department of Social Protection – for making the card mandatory to access any of its services, and that the department’s communication with the public about the card was inadequate.
Its other main conclusion is that the department has no lawful basis for retaining all of the supporting documentation it collects after it has verified a person’s identity through its Safe process and issued a Public Services Card.
When someone is engaging with this process – which the department calls Safe-2 – they must provide evidence of their identity and evidence of their address, with other documents such as a medical card or a student card described as “helpful” on the Public Services Card website.
Dixon said that its investigation has found that supplementary documents a person provides to get a PSC, such as a utility bill or an official letter, is retained indefinitely by the department.
“We fail to see what the requirement and necessity is to retain the documentation once the identity has been authenticated,” Dixon said.
She also said that she was unaware, in her role as Data Protection Commissioner, of another State body retaining such a large volume of personal data, bearing in mind 3.2 million cards have been issued.
“I can say I am certainly unaware of any parallel to this, nor indeed why there’d be a desire or a perceived requirement on the part of any body to retain the type of very specific additional information on individuals,” she said.
In cases where such documents were required, she said, in most identity authentication processes that would be immediately deleted once verified as it was no longer relevant, she said.
Dixon added: “So I cannot – in public or private context – think of anything… that is the equivalent to this.”
The commissioner – in furnishing the Department of Employment Affairs and Social Protection with this report – has requested an implementation plan within the next six weeks from the department in how it can get rid of this data.
“We would anticipate that they would be implemented by the 31 December,” she said.