In recent weeks there has been much discussion regarding the Public Services Card (PSC) in Ireland and the report issued by the Data Protection Commission (DPC). Specifically, the DPC investigated the “function creep” of the uses of the PSC by government departments and agencies (e.g., driving licence) for identification purposes or for verification of identity. The report by the DPC concluded that the use of the PSC to access public services beyond those foreseen in the enabling legislation amounted to a breach of the purpose limitation and proportionality principles. While the Government may not have accepted the report, this article does not seek to explore the rights or wrongs of the PSC. Rather it seeks to extract useful information from the report about the DPC’s approach and logic that can inform how organisations might learn from this significant investigation on data protection compliance.
The findings of the DPC investigation suggest that the Commission, as well as other Data Protection Authorities, will likely consider the following key issues when conducting similar exercises:
Integrity and confidentiality are significant obligations for Controllers under GDPR. However, when it comes to controlling access to systems and services, the processing of personal data for the purposes of verification of identity must be adequate but must also be proportionate to the risks being mitigated against.
The DPC considered the default use of Safe 2 (the second level on Ireland’s Standard Authentication Framework Environment) as unnecessary with the use of this level of verification only required where the risk warrants it, in this case accessing benefits of ‘high value’.
Retaining Supporting Documentation:
When verifying the identity of an individual as part of achieving a lawful purpose, the personal data used to facilitate that verification do not need to be kept beyond a limited period required to facilitate an auditing process. Once the identity has been verified to a level necessary and proportionate to address the identified risks, the personal data should be returned or destroyed.
Storing personal data perpetually after the initial processing for the declared purpose (creation of the PSC) had been achieved was not seen as justifiable by the DPC.
Where an organisation uses legislation as the lawful basis, even when relying on Public Task, the legislation must be cited. Such legislation can only mandate the purpose of processing. The means of processing always has to be necessary to achieve that purpose for it to be lawful.
Also, while lack of knowledge of the law cannot be used as a defence against that law, the existence and publishing of that law does not, of itself, meet the requirement of transparency required under GDPR.
All the lawful bases set out under GDPR require that the processing of personal data must be necessary (not convenient or just useful) to meet a declared or explicit purpose. Where an organisation as Controller sets out this necessity and then implements, in practice, a separate system that deviates from that necessary processing, the Controller’s necessity argument is undermined. This causes the lawfulness of the processing to be drawn into question.
In the DPC’s report this was shown in two separate areas:
- Although a department declared that the encrypted data on the card was necessary, they never installed readers for the biometric data required to unlock that data
- By providing alternate ways of registering for the service, the department bypassed some of steps listed as being necessary in the standard process.
Thus, where processing is declared as necessary to achieve a given purpose, this must be reflected by the Controller on the ground in the real-world systems they implement.
As part of completing a Data Protection Impact Assessment (Art 35(8)) the Regulation requires consultation where appropriate. The DPC has made it clear that this consultation needs to be meaningful and organisations are missing an opportunity if they do not undertake such exercises early in the process.
The report noted that this was the case when beginning the creation and design of PSC in 2011.
When communicating with Data Subjects, it is necessary to be clear and concise to enable individuals to understand how and why their personal data will be processed. They need clear information to be able to make informed decisions. This includes the lawful basis, the declared purpose(s) linked to the lawful basis and the necessary processing (the means) by which an explicit purpose will be achieved (see 3 and 4 above). Any sharing of data or importing of data from third parties must also be clearly set out and explained.
High-level overviews in a Privacy Statement, even with radio, print and digital adverts, do not help meet the requirements for detailed explanations as required under the transparency principle.
What does this mean for Controllers in general?
The approach of the DPC can be summed up as ‘no surprises’. Controllers must be clear from the outset regarding how and why personal data will be processed starting with the lawful basis. From the lawful basis will come the declared purpose(s). Only then can a decision on the necessity and means of processing be worked out. This information must be readily accessible to the data subjects whose data you will be processing. Any lack of provision of necessary detail in relation to the means and purpose of processing cannot be compensated for by a variety and volume of less detailed communications (such as radio adverts or print media).
When designing a new system for processing personal data, consultation with stakeholders is not just a ‘nice to have’, it is an important part of the risk assessment process and needs to be meaningful where undertaken. The importance of consultation as regards assessing risks cannot be overlooked. Avail of opportunities to build trust and demonstrate your commitment to data protection.
Most of all, challenge system designers or processors you may be using (under contract) as to whether the data being processed and stored are absolutely necessary. Document your decision and the logic used in your design documents and data protection impact assessment. If you are not sure why you need the data, there will be little chance of being able to communicate clearly with the data subjects.
While the PSC report may pertain to one particular scheme, it provides a unique level of clarity as to the priorities and the expected levels of compliance expected by the Data Protection Commission and other Data Protection Authorities. Irrespective of whether the Irish Government challenges these or not, for now, the report provides a yardstick by which Controllers should measure their own compliance activities. If you need assistance with any of the topics raised, Trilateral can assist with DPIAs, authoring privacy statements and reviewing retention periods given our experience in the public and private sectors.