Latest news with #PublicServicesCard
The Journal
12-06-2025
- Politics
- The Journal
Department of Social Protection fined €550k for unlawful database of millions of Irish people's faces
IRELAND'S MAJOR DATA watchdog has fined the Department of Social Protection €550,000 following a major investigation into its use of facial recognition technology linked to the Public Services Card. The Data Protection Commission (DPC) inquiry, launched in July 2021, examined the DSP's 'SAFE 2′ registration process, which requires applicants to submit biometric facial data used for facial matching as part of their card application. The Public Services Card is needed for accessing many welfare and public services, including applications for Child Benefit, Jobseeker's Benefit and driving licences. A sample Public Services Card. Department of Social Protection Department of Social Protection 'SAFE 2′ registration has led to the Department of Social Protection holding biometric facial templates for about 70% of Ireland's population, making it one of the largest biometric data collections in the country. The DPC inquiry found that the Department did not have a valid legal reason to collect or keep this sensitive facial data. According to the DPC, the Department also failed to clearly inform people about how their data would be used, and the Department's privacy risk assessment was 'incomplete'. As well as the €550,000 fine, the data watchdog ordered the department to cease processing biometric data for 'SAFE 2′ registration by March next year, unless a lawful basis is identified. Deputy Commissioner Graham Doyle said that the DPC decision 'does not challenge the principle of SAFE 2 registration itself'. 'The technical and security measures in place for handling biometric data are sound,' Doyle said in a statement. Advertisement 'Our concerns relate to whether the legal framework and the way the Department of Social Protection operates the system meet the requirements of data protection law. We found clear gaps in that regard.' The DPC emphasised the need for a clear and precise legal basis when processing such sensitive data, as required by European privacy laws (GDPR), to protect individuals from arbitrary interference with their privacy rights. The DPC's decision was made by Data Protection Commissioner Dale Sunderland, and was notified to the Department of Social Protection this week. The Department of Social Protection has yet to comment on the ruling. 'More than a decade late' The Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as 'more than a decade late and inadequate.' Joe O'Brien, ICCL's Executive Director, said the ruling 'vindicates the actions taken by ICCL and Digital Rights Ireland against the Department of Employment and Social Protection'. He said the ruling also confirmed what they had long argued – that the Department unlawfully collected facial records from millions without proper legal grounds or clear explanation. 'The Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law,' O'Brien said. 'The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people's biometric data must be deleted.' Olga Cronin, Senior Policy Officer at ICCL, criticised the mandatory nature of the facial recognition process. 'The Department unlawfully forced vulnerable people to give it their biometric data before it would help them,' Cronin said. 'It demanded data from people who needed its help to put food on the table. We should not have to trade our biometric data to access essential services to which we are already legally entitled.' Readers like you are keeping these stories free for everyone... A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation. Learn More Support The Journal
Irish Independent
12-06-2025
- Politics
- Irish Independent
Government fined €550,000 by privacy regulator and warned over facial scans for Public Services Card
The Government department has also been ordered to stop the practice and cease using its biometric database by April of next year, unless it finds a correct legal basis under which to do it. The Department, the regulator said, holds biometric data on at least 70pc of the population here. It has been engaged in the 'ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale', according to the DPC. The Public Services Card has been a privacy battleground between the Government and the regulator for years. While ministers and civil servants insist that it's necessary to bring more efficiency into public services, with facial scans being required to protect against fraud, critics have consistently labelled it an attempt to introduce a national identity card through the back door. In 2017, the then Social Protection Minister, Regina Doherty, infamously described it as being 'not compulsory but mandatory'. In 2021, the Irish privacy regulator began an investigation into what the Department was doing with regard to biometric facial templates and its usage of associated facial matching technologies as part of the registration process for the Public Services Card. The registration process, known as 'SAFE 2 registration', typically involves the submission of a digital photo of someone to make sure they're not already registered or claiming benefits under another identity. Under European GDPR law, biometric data is categorised as 'special category data' to which higher protections and safeguards must be applied. 'SAFE 2 registration is mandatory for anyone who wishes to apply for a Public Services Card,' said the DPC. ADVERTISEMENT 'Persons who do not submit to such processing cannot access DSP services, including welfare payments.' However the Department said it believes there is a legal basis to operate the process, but that the legal provision is 'not in it view, clear and precise enough to satisfy the requirements of the GDPR'. it said that it 'will carefully consider the DPC decision report, in conjunction with colleagues in the Attoreny General's Office with a view to determining an appropriate response within the nine-month timeframe'. It said that depending on the outcome, it may appeal any enforcement notice or work to rectify the issues as perceived by the DPC. The Department said that the DPC 'did not find any evidence of inadequate technical and organisational security measures. "There are no examples of any person suffering damage or loss as a result of SAFE registration.' It insisted that the process has led to a reduction in identity fraud and offered 'security and customer service benefits'. There are no immediate implications for users of the card or MyGov ID, according to the Department, and during the nine-month period the process will continue. The regulator had looked at whether the Department of Social Protection had a 'lawful basis' for collecting and retaining biometric data 'for the purposes of conducting facial matching' as part of this SAFE 2 registration. It also examined the Department had complied with transparency obligations and had carried out an adequate Data Protection Impact Assessment (DPIA) as part of SAFE 2 registration. It found the Department liable on all counts, by 'failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration' and, thus, incorrectly 'retaining biometric data collected' as part of the process. The watchdog said that it also 'failed to put in place suitably transparent information' to citizens and failed to include certain details in the DPIA it carried out. 'In light of the infringements identified above, the DPC has reprimanded the DSP, issued administrative fines totalling €550,000 and issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within nine months of this decision if the DSP cannot identify a valid lawful basis,' said the privacy regulator. However, the regulator did not suggest there was any security risk to the sensitive facial scans stored. 'The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry,' said Graham Doyle, deputy commissioner of the DPC. 'It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle. "This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.'
Irish Times
12-06-2025
- Irish Times
Department of Social Protection fined €550,000 over facial scans
The Department of Social Protection has been fined €550,000 after data protection watchdogs found 'a number of deficiencies' in its compliance with European data privacy rules concerning the use of facial scans in issuing Public Services Cards. The Department was also ordered to come up with a valid lawful basis for the use of facial scans and facial matching software for the registration of Public Services Cards within nine months, or it must stop using it. The decision is the result of an inquiry that the Data Protection Commission commenced in July 2021, examining the department's processing of biometric facial templates and the use of facial matching technologies as part of the registration process for the Public Services Card. The department uses Safe 2 registration to verify identity when accessing public services. The process involves a photo of the applicant, which is then run through software to check against images used in other Safe 2 registrations. This is designed to prevent duplicate registrations. READ MORE The registration is mandatory for applying for a Public Services Card, of which 3.2 million are in existence, and is necessary for certain services, including welfare payments. [ 'No legal basis' for photo database created using Public Services Card Opens in new window ] However, that means there is ongoing collection, storage and processing of sensitive personal data on a large scale by the DSP, which requires precise legal justification, the DPC said. The inquiry looked at whether the DSP had a lawful basis for collecting biometric data for conducting facial matching as part of Safe 2 registration, if it could retain that data, if it complied with transparency obligations, and if it had carried out an adequate Data Protection Impact Assessment. The DPC found the department had infringed data protection regulations on a number of fronts. In its decision, the regulator said it failed to identify a valid lawful basis for the collection of biometric data for Safe 2 registration at the time of the inquiry. As a result, it also infringed GDPR by retaining biometric data collected as part of Safe 2 registration. The DPC also penalised the department for infringing its obligations on transparency, and for failing include certain details in the Data Protection Impact Assessment that it carried out. The DPC said it had reprimanded the Department of Social Protection and issued the administrative fines. The department must also stop biometric data in connection with Safe 2 registration within nine months of this decision, if it cannot identify a valid lawful basis for the data collection. 'It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the roll-out of Safe 2 registration by the DSP as a matter of principle. The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with Safe 2 registration in the context of this inquiry,' said deputy commissioner Graham Doyle. 'This inquiry was concerned with assessing whether the legislative framework presently in place for Safe 2 registration complies with the requirements of data protection law and whether the DSP operates Safe 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.' A previous inquiry into the processing of personal data in connection with the issuing of Public Services Cards was concluded in 2019, with the department initially appealing the DPC's decision before withdrawing the action and coming to an agreement with the watchdog.
RTÉ News
12-06-2025
- RTÉ News
Data watchdog issues €550,000 facial recognition fine over Public Services Card
The Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card. A DPC investigation found breaches of the General Data Protection Regulation (GDPR) relating to failures to identify a valid lawful basis for the collection of biometric data, the retention of biometric data collected, and failures to put in place suitably transparent information to data subjects. The investigation, which commenced in July 2021, focussed on the processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card, a process known as "SAFE 2 registration". As well as a reprimand and the €550,000 fine, the DPC has issued an order requiring the Department of Social Protection to cease the processing of biometric data in connection with SAFE 2 registration within nine months of the decision if the department cannot identify a valid lawful basis. The DPC's decision was made by Data Protection Commissioner Dale Sunderland and was notified to the Department of Social Protection this week. "It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle," said Graham Doyle, Deputy Commissioner, DPC. "The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry," he said. "This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard," Mr Doyle said. The Department of Social Protection said it believes that it has a valid legal basis and that it does satisfy the requirements of transparency required to operate the SAFE process, including the biometric processing element. "We note that the DPC decision does not find that there is no legal provision but that the legal provision that exists is not, in its view, clear and precise enough to satisfy the requirements of the GDPR," a department spokesperson said. "However, we will carefully consider the DPC decision report, in conjunction with colleagues in the Attorney General's Office with a view to determining an appropriate response within the nine-month timeframe provided for in the decision," it stated. "Depending on the outcome of this consideration, this may involve appealing any enforcement notice and/or working to rectify the issues as perceived by the DPC," the department said. The department added that as it has been given nine months to address the issue, there are no immediate implications for users of the Public Services Card or MyGovID or anyone wishing to, register for or avail of, these services in the next nine months. "We also note that the DPC did not find any evidence of inadequate technical and organisational security measures and that there are no examples of any person suffering damage or loss as a result of SAFE registration," the department spokesperson said. "On the contrary the SAFE process has directly led to a reduction in identity fraud and delivered very significant security and customer service benefits to the millions of people who use the services every day," they added. This inquiry followed on from a separate investigation previously carried out by the DPC into certain aspects of the DSP's processing of personal data in connection with the issuing of Public Services Cards, which concluded in 2019. The DSP initially brought legal proceedings against the decision of the DPC in that inquiry by way of an appeal to the Circuit Court. That appeal was ultimately withdrawn and a joint agreement between the DPC and the DSP, as well as the final investigation report from that inquiry, were published in December 2021. That final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC. Today's decision is the culmination of that separate inquiry process.
Irish Examiner
12-06-2025
- Politics
- Irish Examiner
Ireland's largest public GDPR fine hits State over illegal biometric data use in PSC
The Data Protection Commission has hit the State with a €550,000 fine, the largest GDPR penalty for a public body, for processing people's biometric data without a legal basis via the Public Services Card. The DPC said that the Government must now discontinue processing such data using the PSC within 9 months unless it can find a legal basis for doing so. Biometric data refers to any information that can identify a person by their physical characteristics — for example, via a fingerprint or, in the PSC case, a photograph. The State has long denied that the PSC uses biometric data, despite a person's photograph appearing on every version of the card. It has instead argued that it creates an "arithmetic template" from the photo for processing purposes — a method it claims does not constitute biometric data. Such data is classified as special category personal data under the EU's General Data Protection Regulation (GDPR), meaning it must be explicitly permitted in a country's laws to be processed legally. There is no single law on Ireland's statute books governing the PSC. Its various uses are allegedly permitted through dozens of amendments to the 2005 Social Welfare Consolidation Act. In addition to the €550,000 fine — five times greater than the next largest penalty for a public body — and the order to stop processing biometric data, the DPC also issued an official reprimand to the Department of Social Protection. The Commission found that the card violated GDPR by failing to identify a legal basis for processing biometric data, retaining that data without justification, and not ensuring sufficient transparency about how the data would be used during registration. Deputy Commissioner with the DPC Graham Doyle said that it is 'important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration (the technical process by which PSC data is first collated and then stored) by the DSP as a matter of principle'. He added that the investigation focused solely on how the PSC's biometric process complies with the GDPR, noting that 'the findings announced today identify a number of deficiencies in this regard." It remains unclear what will happen next. However, if the Government accepts the report, it will finally need to introduce specific legislation through the Oireachtas to legalize the PSC. The Department of Social Protection declined to comment. In announcing its conclusions the DPC has brought to a close its lengthiest domestic data protection saga, one which had lasted close to 8 years. By announcing its conclusions, the DPC has ended its longest domestic data protection investigation—a process that lasted nearly eight years. In August 2019, the DPC ruled that the State had no lawful basis for making the PSC — originally conceived in the 2000s as a welfare benefits card by the Department of Social Protection — mandatory for all public services. That decision led to a prolonged legal battle between the State and one of its own regulators. The dispute ended in a December 2021 settlement, with the DPC's findings left unchallenged but the State continuing with the PSC project—albeit without mandatory requirements. A separate investigation into the biometric nature of the card ran concurrently with the original report. Initially, it was expected that this investigation would publish its findings by the end of 2019. While the conclusions of the biometric investigation are not surprising, today's publication comes nearly six years later than anticipated. The PSC is now used daily by millions of Irish citizens—not just for receiving welfare payments, but also for services such as renewing driving licences and accessing the National Childcare Scheme. Read More Funding available for schools to procure mobile phone storage, department says
