Andrew Desmond: Data Protection Commission finds prison security system in breach of GDPR
Andrew Desmond, associate at William Fry, examines a recent investigation by the Data Protection Commission (DPC).
The Data Protection Commission has found a security system used in Irish prisons to be in breach of the General Data Protection Regulation (GDPR) after investigating a complaint by a prison officer. The security system involves scanning prison officers’ thumbprints in order to admit them through security gates.
The complainant worked in Castlerea Prison and initially complained about the system to prison management and to his union, the Prison Officers Association, in early 2019, on the basis that the system contravened the GDPR.
“Dactyloscopic data”, meaning data relating to identification by comparison of fingerprints, is specifically referred to in the GDPR as an example of biometric data, being “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person”.
Biometric data when used for the purpose of identifying a natural person constitutes a special category of personal data under the GDPR, and accordingly can only be processed if one of a number of specified legal bases is in place. A key aspect of the complaint was that there was no appropriate legal basis in place for this processing.
Thecomplainant alleged that he was told that as prison management and the prison officers’ unions had agreed to the implementation of the system, he was obliged to comply with the system, failing which he would be subject to disciplinary action. The complainant then made a protected disclosure to the Data Protection Commission.
The DPC investigated the matter and concluded in its subsequent report that “the Irish Prison Service ha[d] not established a legal basis for the processing of biometric data at issue in this case under Articles 6 and 9 GDPR and/or sections 46 and 49 of the [Data Protection Acts 1988 to 2018]”, and that as a consequence “the processing of the relevant biometric data of [the complainant] in connection with the set-up and operation of the relevant key vending system in Castlerea Prison is unlawful”.
In responding to the investigation, the Irish Prison Service argued, unsuccessfully, that the system was in fact subject to the Law Enforcement Directive, rather than the GDPR. The Law Enforcement Directive is a separate piece of EU legislation which runs parallel to the GDPR and which governs the processing of personal data for law enforcement purposes.
The DPC rejected this argument, as the processing at issue related to the employment relationship (and so was within the remit of the GDPR) rather than the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties by competent authorities (which is the remit of the Law Enforcement Directive).
The system in question was in operation in both Cork and Castlerea Prisons. It is understood the Irish Prison Service intended to introduce the system in every prison in the country, although the findings of the DPC investigation may put this in doubt. The Irish Prison Service has a right to appeal the findings of the DPC.