A privacy rights group has alleged a “grave breach” of data protection legislation by the Department of Social Protection following changes made to a privacy statement on its website.
The changes, which removed references to the department’s processing of biometric data in relation to individuals, were ordered by the department’s secretary general in the absence of the data protection officer, who was on leave.
Records obtained by The Irish Times under the Freedom of Information Act show the data protection officer subsequently emailed the secretary general, John McKeon, saying he would not have agreed to the changes and that they were not discussed with him.
The privacy statement had been changed in May to reflect the EU General Data Protection Regulation (GDPR), and said that at times the department needed to collect “special categories” of personal data, such as health and biometric data. It had been signed off by the department’s data management programme board earlier that month.
When questions about the new policy were raised by The Irish Times on July 5th, the department said the reference was an "error" and it was subsequently changed to remove the reference to biometric and special categories of data.
In a letter of complaint to Minister for Social Protection Regina Doherty, Digital Rights Ireland alleged the requirements of the regulation had not been met regarding the role of the data protection officer. Noting recent media coverage of the issue, DRI chairman TJ McIntyre said the data protection officer was first excluded from a decision to make changes to the privacy statement and was then "given instructions regarding the exercise of his functions".
He said both of these actions constituted violations of Article 38 of the EU regulation.
‘Timely manner’
Under the legislation, public bodies and some other organisations are obliged to appoint a data protection officer, who is expected to be allowed to carry out his or her duty independently.
It stipulates that this officer must be involved “properly and in a timely manner, in all issues which relate to the protection of personal data” and that they shall not receive any instructions regarding the exercise of those tasks.
The privacy body said it wanted Ms Doherty to clarify what action she was taking to address the issue.
“We have been contacted by a number of individuals who are concerned that this incident, in addition to itself constituting a number of breaches of the GDPR, forms part of a wider pattern of behaviour on the part of the DEASP,” Mr McIntyre wrote.
“We hope that we do not need to underline the seriousness of this issue and the implications of this failure, at the highest level, in one of the largest data controllers in the State.
“It is our preference to engage with you on this issue, but failing this the GDPR provides a number of potential remedies and sanctions and in the absence of a satisfactory response it is our intention to fully pursue these on our own behalf and on behalf of the affected data subjects.”
Internal exchanges after the query was raised by The Irish Times show the data protection officer's staff considered the question of whether it was processing biometric data "to be clear from a GDPR perspective".
Mr McKeon emailed the data protection officer on July 5th telling him to check the rest of the privacy statement “to make sure that we don’t refer to collection of biometric data”.
“What we do is that we process photographic data to produce a biometric representation for comparison purposes - But we don’t collect or share this data,” he wrote.
The data protection officer responded to the secretary general within 30 minutes saying: “This was not discussed with me! I wouldn’t have agreed to this change.”