Written answers

Wednesday, 14 June 2023

Department of Employment Affairs and Social Protection

Departmental Contracts

Catherine Murphy (Kildare North, Social Democrats)

116. To ask the Minister for Employment Affairs and Social Protection the total cost of the data protection impact assessment conducted by a company (details supplied) in respect of the Public Services Card, PSC; if the assessment was forwarded to the office of the Data Protection Commissioner and/or provided to it by way of request; and if not, the rationale for not sharing the findings with the DPC. [28860/23]

Heather Humphreys (Cavan-Monaghan, Fine Gael)

The media article referenced by the Deputy, concerning a Data Protection Impact Assessment (DPIA) carried out in respect of an upgrade to software used by my Department, misrepresents the contents of that DPIA, and I am happy to have this opportunity to set out the facts in this matter.

The DPIA makes no adverse finding relating to the legal basis for the processing of personal data.

The purpose of a DPIA, as its name suggests, is specifically to identify issues and risks arising out of the processing of personal data as a means of informing approaches to eliminate or mitigate these issues and risks. The primary aim of conducting a DPIA is to identify and minimise the data protection risks involved in a project.

A DPIA typically includes a description of the envisaged processing operations and the purposes of the processing, an assessment of the potential risks to the rights and freedoms of data subjects, as well as the measures envisaged to address any risks identified and demonstrate compliance with the General Data Protection Regulation (GDPR).

Accordingly, it is to be expected that a DPIA will identify risks and in fact if it did not do so it is unlikely to have served its purpose. The fact that risks are identified and articulated is not equivalent to saying that they have not been dealt with but is in fact an essential element of ensuring that a data processing operation complies with the requirements of the GDPR.

The DPIA in question notes that an information leaflet provided to people at their SAFE registration appointment does not note a legal basis for biometric processing. This is not at all equivalent to finding no legal basis for such processing or a finding that there is no legal basis.

Nor is it in any way equivalent to finding that the Department was unable to legally justify the data processing.

The information leaflet concerned was designed to follow the transparency guidelines set out by the European Data Protection Board, which is comprised of the representatives of the EU national data protection authorities, including Ireland's Data Protection Commission (DPC), and the European Data Protection Supervisor.

My Department is satisfied, not only that the leaflet is GDPR compliant, but also that it has a legal basis for the processing of personal data in relation to the SAFE registration process, including the processing of the biometric data generated by the Department from the photograph taken during SAFE registration. The legal basis is also referenced in the DPIA.

The cost of the DPIA referred to by the Deputy was €12,220 excluding VAT.

The DPIA was not forwarded to the DPC because, under the General Data Protection Regulation and the Data Protection Act 2018, a data controller is only required to submit a DPIA to the supervisory authority where it appears to a controller, having conducted a data protection impact assessment, that the processing concerned would, despite the implementation of safeguards, security measures or mechanisms set out in the DPIA, result in a high risk to the rights and freedoms of individuals.

No such risk or risks were identified in the DPIA. While the DPIA identified a number of risks, it also proposed actions to address these risks and noted that the risks had been mitigated as a result.

I can confirm that the DPC is undertaking an own volition inquiry into the processing of personal data in the context of the facial template matching software used by the Department in connection with the SAFE registration process. In its Notice of Commencement of the inquiry, the DPC requested a copy of the DPIA.

The Department is cooperating fully with that inquiry and has, as part of its response to questions from the DPC, sent the DPC a copy of the DPIA. A draft report is awaited. The finalisation of the report is a matter for the DPC.

I trust this clarifies the matter for the Deputy.
