Department of Social Protection fined €550k over biometric data processing

The Department of Social Protection has been fined €550,000 for breaches of the GDPR relating to the requirement for public services card (PSC) applicants to provide their biometric data.
The Data Protection Commission (DPC) today announced its final decision following the conclusion of an inquiry which commenced in July 2021 and followed a previous inquiry dealing with the issuing of PSCs.
The inquiry examined the Department’s processing of biometric facial templates, and usage of associated facial matching technologies, as part of the “SAFE 2 registration” that forms part of the PSC application process.
SAFE 2 registration is mandatory for anyone who wishes to apply for a public services card. Persons who do not submit to such processing cannot access services including welfare payments.
The rollout of SAFE 2 registration has resulted in the ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale by the Department of Social Protection.
Under the GDPR, biometric data is categorised as special category data to which higher protections and safeguards must be applied. In 2021, the Department held biometric facial templates relating to 70 per cent of the population of the State.
The facial matching technology used by the Department of Social Protection (DSP) involves the creation of biometric data relating to a very substantial proportion of the population.
The scale and intrusive nature of the processing require precise legal justification, the DPC has said. In such circumstances, it is established EU case law that legislation which is precise and foreseeable is necessary to ensure protection against arbitrary interferences with the rights of individuals.
The scope of the DPC’s inquiry was to examine and assess:
- whether the Department had a lawful basis for collecting biometric data for the purposes of conducting facial matching as part of SAFE 2 registration;
- whether the Department had a lawful basis for retaining biometric data collected as part of SAFE 2 registration;
- whether the Department complied with its transparency obligations in respect of data subjects undergoing SAFE 2 registration; and
- whether the Department had carried out an adequate Data Protection Impact Assessment as part of SAFE 2 registration.
The DPC’s decision, which was made by commissioner Dale Sunderland and was notified to the Department this week, finds that the Department:
- infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration at the time of the inquiry;
- having regard to the preceding finding, infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration;
- infringed Articles 13(1)(c) and 13(2)(a) GDPR by failing to put in place suitably transparent information to data subjects as regards SAFE 2 registration; and
- infringed Articles 35(7)(b) and (c) GDPR by failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.
As a result, the DPC reprimanded the Department, issued administrative fines totalling €550,000, and ordered it to cease processing of biometric data in connection with SAFE 2 registration within nine months of the decision if the Department cannot identify a valid lawful basis.
Deputy commissioner Graham Doyle said: “It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle.
“The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry.
“This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.”
The DPC says it will publish the full decision and further related information “in due course”.