Claims News

Public Service Card Data Breach could lead to Compensation Claims

Posted on: August 17th, 2019

The Data Protection Commission (DPC) has released the finding of a report in the gathering of information during the application process for the Public Services Card (PSC)  which has deemed the practice was illegal. Due to the finding of the report there is a strong possibility that there will be a number of compensation claims made against the State.

The findings of the DPC review said that the PSC scheme does not comply with the transparency requirements of the data protection acts due to the amount of information given, by Department of Social Welfare, to individuals who were having their data processed as part of the application. The data that is currently being  held on over three million card holders must now be deleted and data processing by the Department must be come to an end within the allotted timeline or some enforcement sanctions may take place against those charged with managing the operation.

In a statement released on the finding of the reports the DPC said “Ultimately, we were struck by the extent to which the scheme, as implemented in practice, is far-removed from its original concept,” the DPC said in a statement published on its website.

“Whereas the scheme was conceived as one that would make it easier to access (and deliver) public services, with chip-and-pin type cards being used for actual card-based transactions, the true position is that no public sector body has invested in the technology capable of reading the chip that contains the encrypted elements of the Public Sector Identity dataset. Instead, the card has been reduced to a limited form of photo-ID, for which alternative uses have then had to be found.”

When it was first launched, the PSC was implemented for the processing of social welfare payments. Later, it was a required for applying for a range of other state services such as  first-time adult passport applicants, replacement of lost, stolen or damaged passports issued prior to January 2005, where the person is resident in the State, citizenship applications, driving test and driver licence appointments.

The PSC will, however, continue to be an acceptable form of identification for a range of services. Data Protection Commissioner Helen Dixon said: “Any cards that have been issued, their validity is not in question by anything we’ve found in this report,” she said. “They can continue to be used in the context of availing of free travel or availing of benefits that a person is claiming from the department.”

She added that this does not rule out possibility that a single card, or possibly a national identity card, could be used for all interactions with the state at some point in the future.  She stated: “No, we’re not saying that at all. We’re saying that if that’s what’s intended or required, there isn’t a lawful basis [as currently set up]. It can’t be the case that a national identity card automatically offends EU charter fundamental rights or EU data protection law because they exist all around Europe. It is a possibility, by carefully laying down the lawful basis for such a card.”

A number of civil society groups who have said that their are thinking about submitting a class-action style case in relation to this data breach. When the PSC was first introduced advocacy groups such as Digital Rights Ireland, the Irish Council for Civil Liberties, the UN’s special rapporteur on extreme poverty, Age Action objected to its introduction. Digital Rights Ireland welcomed the announced vis its Twitter account saying: “We welcome @dpcireland‘s observation that the PSC morphed from a cryptographic token designed to enhance security for citizens, into a photo id card with no particular purpose, but for which various alternative uses had to be found to justify its existence. We note that @welfare_ie tried its best to use spin, expensive PR campaigns, and hectoring of newsrooms to provide a basis for the PSC. They had to, because there was no legal basis, and limited political support.”

Elsewhere, there have those who have claimed that the the Minister for Social Protection Regina Doherty should be relieved of her position due to the data breach. Reacting to the investigation findings, Minister Doherty said: “We only received the report yesterday. It’s a very comprehensive report. We are going to consider the report and issue a full response as soon as we can.”

Political party Sinn Fein have said that they are reviewing the potential for tabling a motion of no confidence in the Minister.

 



This is an Information site only – if you feel you have a potential claim, you should discuss your situation with a solicitor registered with the Law Society of Ireland.