Retaining 3.2m citizens’ data risks EU law breach
The Department of Social Protection could be in breach of European law for retaining the historical data of 3.2m holders of the public service card (PSC) in an attempt to stop future welfare fraud.
At a stormy Oireachtas committee meeting, Social Protection Minister Regina Doherty said she had been “instructed” by the Ombudsman to retain the data held by her department to prevent the overruling of welfare benefit decisions made by her own officials.
“The Ombudsman has told us and overruled decisions we have made on appeal because we don’t have the supporting documentation for those decisions,” Ms Doherty said.
Under questioning from Independent senator Alice Mary Higgins, the minister said: “We were instructed that if we didn’t keep the documentation we wouldn’t be able to stand over the decisions made thereafter”, adding that “it’s not solely for the purposes of the Ombudsman, we can use it as validation for any query brought up in future”.
However, a legal expert has said such data retention appears to contravene a 2014 decision of the Court of Justice at the EU (CJEU) which states, in striking down the EU’s data retention directive, that any such retention must be both necessary and proportionate, on which point the blanket holding of 3.2m citizens’ records on file could be deemed excessive.
This is the first time the involvement of the Ombudsman in the department’s decision-making has come to light.
“Both the minister and the secretary general of her department have admitted the department is routinely retaining data on an indiscriminate basis and are relying upon an argument that data may be necessary in certain individual cases at some unspecified and unknown point in the future,” said privacy solicitor Simon McGarr.
“This was the argument both the European Commission and Ireland made to justify the data retention directive before the CJEU, and lost.
The court found that directive was illegal because such a basis was not proportionate, even in respect of the pre-emption of serious crime or terrorist offences.
Mr McGarr added that, on foot of the revelation, the regulator (the Data Protection Commissioner in this instance) “may open an investigation into this new potential breach”.
The department did not respond to a query on the claim.
The meeting also heard the minister say repeatedly that at no time had the PSC been intended as a mandatory requirement for accessing public services, such as passport applications.
However, for three years between 2016 and 2019 first-time applicants for passports, for example, could not access the travel document without first holding a PSC. The requirement was finally dropped in September on foot of a highly critical report on the PSC produced by the Data Protection Commissioner.
“There has been a charge made that we were trying to force people down a particular tunnel,” Ms Doherty said. “That didn’t happen.”
