The Public Services Card scheme was deemed to have breached data protection laws.
The Data Protection Commission (DPC) has told the Irish Government that it must delete data held on 3.2m citizens, which was gathered from applications for the Public Services Card (PSC) scheme.
It found that the indefinite retention of documents provided by applicants, including utility bills and financial information, goes against data protection law.
The DPC said it looked at the intended benefits of the scheme to assess whether those benefits had been realised. It added that it was “struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept”.
The scheme was established to help Irish citizens access public services, but has been “reduced to a limited form of photo-ID”, the DPC said.
The PSC eventually became mandatory to access State services such as obtaining a passport or driver’s license, but the DPC found that there is no lawful basis for State bodies – other than the Department of Social Protection – to make the card mandatory for accessing any of their services.
The DPC conducted a lengthy and detailed report, which cannot be published in its entirety without the permission of the Department of Social Protection.
In a summary of the report, the DPC said that from a data protection perspective, “it can quickly be seen that, given its scale and reach, the PSC project presents significant challenges in terms of ensuring that core data protection principles are respected in its operation”.
The DPC questioned the transparency around what information is collected and how it will be used, the safeguards and controls that have been built into the system, and whether the system sits on an identifiable and coherent legal foundation, among other concerns.
The DPC found that the Department of Social Protection does not have a legal basis to process data in transactions between individuals and other specified bodies other than the Department itself.
Deeming elements of the PSC system unlawful, the Commission is giving the Irish State a period of six weeks to submit an implementation plan to the DPC, identifying the changes it will make to the PSC scheme.
In order to bring the PSC scheme into compliance with data protection legislation, bodies other than the Department of Social Protection will no longer be able insist that an individual obtain a PSC to access public services provided by that body.
Speaking to The Irish Times, Data Protection Commissioner Helen Dixon said that the retention of data gathered during the application for the total of 3.2m cards issued to date was unlawful.
This data must be destroyed, according to Dixon. She said that the data is still necessary during the application process, but in the future, it should be destroyed once an application is complete.
Individuals still seeking services directly from the Department of Social Protection will still need to register for a PSC.