Wednesday, 14 February 2018

Questions (288)

Catherine Murphy


288. Deputy Catherine Murphy asked the Minister for Employment Affairs and Social Protection the way in which the public services card data is collected, stored and processed; if the card will be compliant with the general data protection regulation; and if she will make a statement on the matter. [7612/18]


Written answers (Question to Employment)

Section 263 of the Social Welfare Consolidation Act (as amended) provides that:

(a) the following information is inscribed on the Public Services Card (PSC): forename, surname, Personal Public Service (PPS) Number, photograph, signature, card issue number and expiry date; and

(b) the following information is encoded on the chip of the PSC: forename, surname, date of birth, place of birth, sex, nationality, former surnames (if any), mother’s former surnames (if any), photograph, signature, issue number of the PSC, and expiry date of the PSC.

The above data (apart from the issue number and expiry date of the PSC) is part of the Public Service Identity (PSI) dataset as set out in section 262 of the Social Welfare Consolidation Act 2005 (as amended).

Section 262 also sets out how the sharing and use of the PSI data is restricted to public service bodies specified in law or their agents. Designation as a specified body requires primary legislation and as such can only be done by an Act of the Oireachtas.

The full PSI dataset consists of the surname; forename; date of birth; place of birth; sex; all former surnames (if any); all former surnames (if any) of his or her mother; address; nationality; date of death; certificate of death, where relevant; where required, a photograph of the person, except where the person is deceased; where required, the person’s signature, except where the person is deceased; any other information as may be required for authentication purposes that is uniquely linked to or is capable of identifying that person; and any other information that may be prescribed which, in the opinion of the Minister, is relevant to and necessary for the allocation of a personal public service number.

Section 262 provides that PSI data can only be used by a specified body for authenticating the identity of an individual with whom it has a transaction and in performing its public functions insofar as those functions relate to the person concerned. In addition, where a specified body collects any element of PSI data from a person, that information shall also be collected for the purpose of maintaining the person’s public service identity. The Data Protection Acts as amended, Subsection 1 c iii of Section 2A, also provide for personal data to be processed on condition that “the processing is necessary for the performance of a function of the Government or a Minister of the Government”.

Given its wide range of schemes, services and payments, the Department collects and holds large volumes of personal data on customers and is very aware of the need to have adequate data protection policies, procedures and structures in place in line with the General Data Protection Regulation (GDPR). The Department has established a GDPR implementation team which is undertaking a major programme of work to ensure compliance with the GDPR. This implementation programme is overseen by the Department’s Data Management Programme Board. Additionally, specific GDPR training and awareness is being provided by the GDPR implementation team and a specialist external training company to staff and senior managers across the Department.

I hope this clarifies the matter for the Deputy.