Public Service Card Data Breach Likely to Result in Compensation Claims

Following revelations that the manner that data was collected during the issuing of Public Services Cards (PSC) was illegal, it appears that there is a good chance that compensation claims will be submitted against the State.

The Data Protection Commission (DPC) has released a report which reveals that the retention of information gathered during the application process was not legal, along with the obligation on the general public to have the card in order to receive certain State services and benefits.

There are already a number of civil society organisations groups who are said to be looking at putting together a class-action style case.When the card was introduced advocacy groups such as Digital Rights Ireland, the Irish Council for Civil Liberties, the UN’s special rapporteur on extreme poverty, Age Action were vociferous with their opposition to it.

After the DPC investigation it was ruled that the operation of the PSC scheme does not adhere with the transparency obligations of data protection legislation due to the inadequate nature of information given, by Department of Social Welfare, to those individuals who were having their data processed. The outcome of this is that the kept in relation to over three million card holders must now be deleted and data processing by the Department, rather that the public body providing the service, must be brought to an end. These tasks must be finished within the outlined timeline or some enforcement measures may be applied against those to blame.

The DPC released a statement which said “Ultimately, we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept,” the DPC said in a statement published on its website. Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.”

The card was first launched during 2011 in order to help out with the processing of social welfare payments. After this, it was necessary for a number of other services including first-time adult passport applicants, replacement of lost, stolen or badly-damaged passports issued before January 2005, where the person is living in the State, citizenship applications, driving test and driver licence appointments.

In relation to the PSC, Data Protection Commissioner Helen Dixon said: “Any cards that have been issued, their validity is not in question by anything we’ve found in this report. They can continue to be used in the context of availing of free travel or availing of benefits that a person is claiming from the department. She went on to say that this does not mean that it is impossible to issue a single card, or possibly a national identity card that can be used for all interactions with the state.  She said: “No, we’re not saying that at all. We’re saying that if that’s what’s intended or required, there isn’t a lawful basis [as currently set up]. It can’t be the case that a national identity card automatically offends EU charter fundamental rights or EU data protection law because they exist all around Europe. It is a possibility, by carefully laying down the lawful basis for such a card.”

Ms Dixon has asked the Department to publish the report of the investigation in the Public Services Card.