Government departments at risk of fines over data-sharing agreement
The Department of Social Protection and the Department of Public Expenditure could be liable for fines under the GDPR over confusion about who controls the database underpinning the Public Services Card (PSC).
Privacy experts have cast doubt on the data-sharing agreement struck by the two departments in December 2017, under which the Department of Social Protection is named as the data controller for the Public Service Identity (PSI) database, the Irish Examiner reports.
The agreement describes the Department of Public Expenditure, which was responsible for the controversial and ultimately unlawful expansion of the PSC scheme, as the data processor.
However, privacy experts have suggested that the Department of Social Protection cannot be considered the controller of data once it has been handed over to another department.
Privacy solicitor Simon McGarr, director of Data Compliance Europe, told the Irish Examiner: “The core of this is, who is liable for doing this?
“If a department doesn’t know the answer, or doesn’t have sufficient knowledge to understand but has contracted with another to transfer data anyway, then any processing under the existing agreement would be invalid. If that’s the case then the [Data Protection Commission] could issue fines.”
The Data Protection Commission (DPC) recently ruled that there is no legal basis for requiring the PSC to access many public services which now require it.
The Department of Social Protection was ordered to stop all processing of personal data carried out in connection with the issuing of PSCs where they are being issued solely for the purpose of a transaction between a member of the public and a body other than the Department.