Laura Keogh: The compatibility of the Public Services Card with the EU GDPR
Barrister Laura L. Keogh, author of Data Protection Compliance: A Guide to GDPR and Irish Data Protection Law, writes for Irish Legal News on the Public Services Card (PSC) - which contains an individual’s name, signature, PPS number, card number and facial image - and its compatibility with the EU General Data Protection Regulation (GDPR).
A facial image is a type of biometric data under Article 4(14) GDPR. This is important as biometric data falls within the category of “special categories of personal data” under Article 9 GDPR, thereby requiring additional legal safeguards.
It is interesting that on the PSC website it states that the facial image is not biometric data, when in fact it is in accordance with the definitions under the GDPR. Furthermore, the arithmetic template of your facial image is collected and stored by the Department of Employment Affairs and Social Protection for their facial image matching software. Regardless of the method, if the image is used to uniquely identify the individual, as is the intention with the PSC, it is biometric data.
Of course any entity may collect facial images with consent; however, consent is not an appropriate legal basis for the PSC. If the Department is insistent that no biometric data is collected, this would be a question that should be put to the European Data Protection Board.
In order to legally process biometric data, certain conditions need to be met and a legal basis for the processing must be established under Articles 6 & 9 GDPR. Section 46 of the Irish Data Protection Act 2018 states that processing special categories of personal data is permissible for carrying out an obligation in connection with social welfare law. In this guise, the legal basis for the PSC is cited as the Social Welfare Consolidation Act 2005 (as amended).
The PSC was originally introduced for accessing welfare payments in order to minimise instances of fraud. There have been submissions that the use of the PSC has in fact been successful and reduced instances of fraud. This appears to be a legitimate interest, with a legal basis under the 2005 Act. As part of this, sections 260-265 of the 2005 Act lists the “specified bodies” with whom your public service information (as gathered via the PSC) may be shared. I was unable to find a data protection impact assessment for the PSC however (not required to be public), which is required under Article 35 GDPR. Furthermore, I could not find a consolidated data privacy statement on the PSC, as is required under the GDPR. The PSC website simply provides a question and answer section and a press section. The Data Protection Commission has conducted an assessment into the PSC and, when finalised, they will release a summary.
The Public Services Card began to be identified as a preferred proof of identity for other services i.e. for driving license applications. Regarding the need for a PSC for driving applications, there was a back step from this (apparently due to lack of legal basis) and it is now not a requirement to have a PSC to apply for a driving license. However, progression has been made on the need for a PSC to apply for your first passport, among other items. A legal basis must be established for any new use.
The core question for any GDPR assessment is, of course, that of necessity. Being an island, the majority of people have passports – would this not be sufficient to verify identity? Was a PSC card really necessary?
In accordance with the PSC website, its necessity is found in the fact that a passport or a driving license is not enough to validate an identity to “SAFE Level 2”. It is surprising that a passport, which enables international travel, is not considered sufficient proof. Especially since there has been a commitment to make passports SAFE Level 2. The main advantage of a PSC over a passport, from my perspective, is that it has your PPSN number on it, and it also makes the sharing and storage of your public service information easier and more streamlined. In order to counteract fraud, this may be seen as a sufficient necessity.
This topic resonates well with the EU proposal on identity card regulations, which would standardise EU identity cards and require the collection of individual’s images and fingerprints. There was corresponding, somewhat negative, feedback from the European Data Protection Supervisor (EDPS). As I write in my upcoming book on the topic:
“The EDPS noted that the proposal from the EU did not sufficiently justify the need to process two types of biometric data (facial images and fingerprints). It was particularly concerning as biometric data is considered a special category of personal data. As such, the EDPS called for close scrutiny; requiring an assessment on the necessity of such measures. Thus, the EDPS showed that collecting unnecessary biometric data will not be permissible.”
This demonstrates that even the EU is held accountable to the necessity requirement and is one that cannot be avoided.
Other EU countries
Other EU countries issue identity cards; however, 15 of the 26 EU countries that do issue identity cards do not contain biometric data at all. On the other hand, several EU countries collect facial images and fingerprints. Denmark and the UK are the only two EU countries that do not issue identity cards at all. EU citizens, in general, may enter the Republic of Ireland with just their national ID. The main purpose of a national ID card is to enable EU citizens to travel to other EU member states without a passport. All Irish citizens are currently entitled to avail of a passport card, which enables one to travel throughout the EU. Another common function of national ID cards is to facilitate the interaction with national administrations.
The PSC is in essence a “half” ID card as its only purpose is to facilitate interaction with national administrations. It may also be used as evidence of identity in certain situations. If it will become a requirement for all Irish citizens to have a PSC (no such plans are publicised), it may be beneficial to combine it with the Irish passport card, and create a proper national ID and enable more practical use to be gained from the card for citizens.
It is certainly a fascinating area with lots of conflicting information, and one hopes that with the Data Protection Commissioner’s review and continuing consideration of the PSC, clarity shall be found regarding the PSC.
- Laura L. Keogh is a barrister and author of the forthcoming title Data Protection Compliance: A Guide to GDPR and Irish Data Protection Law, to be published by Clarus Press in April 2019.