Written answers

Tuesday, 20 February 2018

Department of Employment Affairs and Social Protection

Data Sharing Arrangements

Catherine Connolly (Galway West, Independent)

70. To ask the Minister for Employment Affairs and Social Protection if she is satisfied that the public service identity database and the public services card fully comply with EU standards and the general data protection regulation due to take effect in May 2018; and if she will make a statement on the matter. [8440/18]

Regina Doherty (Meath East, Fine Gael)

SAFE2 identity verification processes, the Public Services Card (PSC) and the Public Service Identity (PSI) dataset are all underpinned by primary legislation. Section 263 of the Social Welfare Consolidation Act, 2005 (as amended) provides that:

(a) the following information is inscribed on the Public Services Card (PSC): forename, surname, Personal Public Service (PPS) Number, photograph, signature, card issue number and expiry date; and

(b) the following information is encoded on the chip of the PSC: forename, surname, date of birth, place of birth, sex, nationality, former surnames (if any), mother’s former surnames (if any), photograph, signature, issue number of the PSC, and expiry date of the PSC.

The above data (apart from the issue number and expiry date of the PSC) are part of the Public Service Identity (PSI) dataset as set out in section 262 of the Social Welfare Consolidation Act, 2005 (as amended).

Section 262 also sets out how the sharing and use of the PSI data is restricted to public service bodies specified in law or their agents. Designation as a specified body requires primary legislation and as such can only be done by an Act of the Oireachtas.

Section 262 also provides that PSI data can only be used by a specified body for authenticating the identity of an individual with whom it has a transaction and in performing its public functions insofar as those functions relate to the person concerned. In addition, where a specified body collects any element of PSI data from a person, that information shall also be collected for the purpose of maintaining the person’s public service identity. The Data Protection Acts as amended, Subsection 1 c iii of Section 2A, also provide for personal data to be processed on condition that “the processing is necessary for the performance of a function of the Government or a Minister of the Government”.

The Department provides extensive information on SAFE2, the PSC and PSI on its website, including on the range of bodies using the PSI and details on this usage. As part of this, the Department has also published a Comprehensive Guide to SAFE Registration and the PSC on its website.

The EU General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018. This is one of the most significant developments in European data protection law in over 30 years. The GDPR strengthens the rights of data subjects and will have many implications for my Department. Given its wide range of schemes, services and payments, the Department collects and holds large volumes of personal data on customers and is very aware of the need to have adequate data protection policies, procedures and structures in place in line with the GDPR. Accordingly, the Department has established a dedicated GDPR implementation team which is undertaking a major programme of work to ensure compliance with the GDPR. Additionally, specific GDPR training and awareness is being provided by the GDPR implementation team and a specialist external training company to staff and senior managers across the Department. All of this work is being overseen by a senior level Data Management Programme Board.

I hope this clarifies the matter for the Deputy.
