There is no legal basis for the creation of a biometric photo database of the country’s 3.2 million Public Services Card (PSC) holders, digital rights campaigners have said following the publication of a Data Protection Impact Assessment (DPIA).
There is also a risk of personal data being “further processed or transferred for unspecified and/or illegitimate purposes” by the Department of Social Protection or the third-party provider, the assessment, carried out by KPMG for the DPIA, concluded.
In July 2021, a DPIA of a facial matching software upgrade for the PSC was conducted by KPMG. The PSC is a form of identification which is required to access a range of services.
The document, obtained by the Irish Council of Civil Liberties (ICCL) and Digital Rights Ireland under Freedom of Information laws, highlighted a number of risks. The DPIA said that, in an information leaflet on the PSC, the Department provides an “insufficient level of detail regarding facial matching software in that it does not note a legal basis for the processing”.
It also noted that cardholders were not directly informed about the biometric processing involved in obtaining a PSC during face-to-face interviews. Biometric data is information that can be used to identify someone through their physical characteristics. The assessment also found that a leaflet issued by the Department of Social Protection provided neither sufficient detail about the use of the facial recognition software nor a legal basis for the biometric processing.
Further, it identified a risk that the personal data would be retained by the department for the lifetime of each cardholder plus 10 years, which KPMG said could be deemed to be unnecessary or excessive. KPMG said the department was at risk of reputational damage, fines and enforcement orders as a result of the highlighted risks. The PSC is currently the subject of a multiyear investigation by the Data Protection Commission to determine whether the project is legal under data protection legislation.
Olga Cronin, surveillance and human rights policy officer at ICCL, said the Department has been “building a national biometric database without a relevant legal basis and without transparency”.
“It continues to collect people’s biometric information in exchange for services they are legally entitled to. This must stop. This processing is unnecessary, disproportionate, and presents a risk to people’s fundamental rights,” she added.
Antoin O Lachtnain, Director of Digital Rights Ireland, said the Data Protection Commission has been investigating the biometric element of the public services card “for a number of years now”.
“This DPIA document must be in its possession as part of that investigation. Given its legal failings, the DPC must publish its findings as soon as possible.”
A spokesman for the Department of Social Protection said the DPIA identified 12 risks, none of which relate to the legal basis.
“Accordingly, the Department does not accept either that it failed to identify a legal basis for the processing of biometric data or that it failed to give individuals the information required to be given in respect of its processing of such data,” the department said.
“In fact, the DPIA, conducted by KPMG, makes no adverse finding whatsoever relating to the legal basis for the data processing. The Department, in keeping with good practice guidelines and in order to keep information leaflets as simple and understandable as possible, does not in general specify or repeat the precise legal grounds for the services and schemes it offers.”
The report acknowledges steps taken by the department on the highlighted issues, adding “all risks have been mitigated”.