The Data Protection Commissioner (DPC) has today (16th August 2019) issued a statement regarding an investigation he undertook into the use of data obtained by the Department of Employment Affairs & Social Protection (DSP) for the purposes of issuing each individual in the State over the age of 18 years with a Public Service Card (PSC).
Protection of data within the EU is governed by Directive 95/46/EC, commonly known as the General Directive for the Protection of Data “GDPR”. This was transposed into Irish law by the Data Protection Act 2018, amending existing Irish data protection legislation.
In her statement today, the Data Protection Commissioner, Helen Dixon, found that whilst the use of data collected by DSP for the purposes of (a) issuing PSCs and, (b) performing duties and functions statutorily mandated to that Department, was permissible and lawful; the sharing (and retention) of such data on a widescale basis with other Government departments and agencies was impermissible and unlawful. It is believed that the data of in excess of 3 million people could have been impermissibly shared and/or retained in this way.
Simply put, the overarching general principal is that data may only be collected, used and retained by government departments, bodies and/or agencies where that data is necessary for them to carry out a duty and/or function that is specifically set out in legislation.
This does not mean that a Minister, or their officials, can never share data lawfully collected and/or retained with another Minister. However, this can only done be on 2 basis: –
- Where there is a statutory provision permitting this, such as in Section 66 of the Civil Registration Act 2004, as amended, or
- On an individualised basis, following a specific request and only where it is necessary to carry out a duty or function that has a statutory basis. In Desmond v Glacken (No. 2)  3 IR 67 the Supreme Court held this was permissible, where the Central Bank had provided information to the Minister for Finance, who in turn provided it to the Minister for Industry & Commerce, who relayed it to an Inspector investigating transactions relating to the sale of Telecom Eireann. The Supreme Court held that this was permissible as at each point when information was shared it was provided for by statute;
- The Central Bank had a statutory duty and/or obligation, under the Companies Act 1990 and the Central Bank Act 1954, to provide the Minister for Finance with certain information
- Telecom Eireann was a State owned company established under the Postal and Telecommunications Services Act 1983, and under the remit of the then Minister for Industry & Commerce
- The Minister for Finance provided the Minister for Industry & Commerce with information which was necessary to enable them to carry out certain duties and functions provided for under the 1983 Act
- The Inspector had been appointed under the Companies Act 1990, which provided him with specific powers and functions
- Also, the information which was shared was not en masse and related to identified individuals and companies
The Data Protection Commissioner has given a period of 3 weeks within which the sharing of data by DSP and the use and/or retention of data by Departments other than DSP must be rectified. In other words, Departments who have received information in this manner must delete this data as it was unlawfully collected. And, if they require this data for statutory functions, they must request the data from the data subject post deletion, or make individualised requests to DSP (to come within the ambit of the judgment in Desmond v Glacken).
Section 92 of the Data Protection Act 2018 provides a means through which an individual can seek to have data rectified or deleted in certain instances.
If you think you may have been affected by the impermissible and unlawful sharing, use and/or retention of your information by DSP, you may wish to seek legal advice.