【导读:爱尔兰数据保护委员会(Irish Data Protection Commission, “DPC”)经过调查后,叫停了公共服务卡计划(Public Services Card)。公共服务卡计划涉及该国公民大量个人信息的收集、存储和处理,政府可以据此作出对个人产生直接且重大影响的决定。DPC的调查聚焦于该计划使用获取数据的法律依据,以及对有关主体的数据处理是否满足透明度要求等问题。鉴于公共服务卡项目生效于GDPR之前,因而该项调查是在1988及2003年的数据保护法体系下进行(但调查中包含有对于GDPR的法律适用性的分析)。DPC认为虽然政府社会保障部门有权为便利对公民的服务而对特定个人数据进行处理,但其无权就公民个人与其他公共机构之间的事务处理发放公共服务卡。DPC同时指出相关政府机构存在不当长期留存相关信息,未充分披露其对个人数据的使用的问题。基于此,DPC给予社会保障部门6周时间提出整改计划,但对于其中两项措施设定了21天的时限要求,这两项措施分别为:(1)在其他公共机构与公民之间的交易中,停止与公共服务卡相关的一切数据处理活动;(2)告知其他公共机构,社会保障部不会再就其他部门的服务出具社会公共服务卡。(本文源自爱尔兰数据委员会官网。)

DPC Statement on Matters Pertaining to the Public Services Card

Following the completion ofa detailed and lengthy investigation, the Data Protection Commission(DPC) has today published its findings on certain aspects of the PublicServices Card (“PSC”).

Rationale for theinvestigation

The PSC (and the system ofregistration known as SAFE 2 behind it) involves the collection, storing andprocessing of large amounts of personal information about nearly every personin the State.

Using that information,State agencies make thousands of decisions every day that impact in very directand significant ways on individual members of the public, from the issuing ofdriver’s licences or passports, to decisions to grant or suspend payments orbenefits under the social protection code, to the filing of appeals againstdecisions about the provision of school transport. In practical terms, aperson’s capacity to access public services both offline and online is nowcontingent, in an ever-increasing range of contexts, on obtaining and producinga PSC.

Looking at it from a dataprotection perspective, it can quickly be seen that, given its scale and reach,the PSC project presents significant challenges in terms of ensuring that coredata protection principles are respected in its operation.

For example, is theretransparency and foreseeability in terms of what information is collected andhow it will be used?

How does the operation ofthe system impact on each person’s capacity to exercise meaningful control overtheir personal information?

What safeguards andcontrols have been built into the system?

Does the system sit on anidentifiable and coherent legal foundation, consistent with applicableprovisions of data protection law?

The DPC resolved toundertake an investigation to try to find answers to these questions, and toassess, ultimately, the lawfulness from a data protection perspective of thesystem as implemented.

The scope of ourinvestigation

While, in overall terms,the investigation was targeted at the much broader range of issues, theparticular findings published today are targeted at two key issues:

1. We examined the legal basis on which personal data is processedin connection with the PSC.

2. We also examined whether the information provided to data subjects inrelation to the processing of their personal data in connection with the PSCsatisfies applicable legal requirements in terms of transparency.

Further reports andfindings will follow at a later date in relation to a number of other issues.

Legal framework

Because the PSC scheme (andour investigation) pre-date the coming into effect of the GDPR, the presentfindings have been made by reference to the Data Protection Acts, 1988 and2003. (This is specifically mandated by national legislation introduced in 2018to facilitate the effective implementation of the GDPR, i.e. the DataProtection Act, 2018).

Nonetheless, the reportdelivered to the Department incorporating our findings also contains(non-binding) analysis capturing changes to the law as introduced by GDPR.

Findings

A total of eight findingsare made in the report. Three of those relate to the legalbasis issue; the remaining five relate to issuesaround transparency.

Seven of the eight findingsare adverse to positions advanced by the Department, insofar as the DPC hasfound that there is, or has been, non-compliance with the applicable provisionsof data protection law.

In summary terms, the DPC has found that:

· The processing of certain personal data by the Department in connectionwith the issuing of PSCs for the purpose of validating the identity of a personclaiming, receiving or presenting for payment of a benefit, has a legalbasis under applicable data protection law.

· The processing of personal data by the Department in connection with theissuing of PSCs for the purposes of transactions between individuals and otherspecified public bodies (i.e. bodies other than the Department itself)does not have a legal basis underapplicable data protection laws; specifically, such processing contravenesSection 2A of the Data Protection Acts, 1988 and 2003.

· The Department’s blanket and indefinite retention of underlying documentsand information provided by persons applying for a PSC contravenes Section2(1)(c)(iv) of the Data Protection Acts, 1988 and 2003 because such data isbeing retained for periods longer than is necessary for the purposes for whichit was collected.

· In terms of transparency, the scheme does not comply with Section 2D of theData Protection Acts, 1988 and 2003, in that the information provided by theDepartment to the public about the processing of their personal data inconnection with the issuing of PSCs is not adequate.

Next steps; enforcement

We have identified a numberof measures that the Department and other public bodies which utilise or relyon the PSC will now be required to take to bring the PSC scheme into compliancewith data protection legislation. However, recognising the structuralnature of the changes that will be needed, the Department will be afforded aperiod of six weeks to submit an implementation plan to theDPC identifying the changes it will make to the PSC scheme and the time periodwithin which those changes will be made.

Critically, however, theDepartment will be required to complete the implementation of two specificmeasures within a period of 21 days:

1. It will be required to stop all processing of personal data carried out inconnection with the issuing of PSCs, where a PSC is being issued solely for thepurpose of a transaction between a member of the public and a specified publicbody (i.e. a public body other than the Department itself). The corollary ofthis finding is that bodies other than DEASP cannot insist that a person whodoes not already hold a PSC must obtain one as a pre-condition of accessingpublic services provided by that body.

2. The Department will be required to contact those public bodies who requirethe production of a PSC as a pre-condition of entering into transactions withindividual members of the public, to notify them that, going forward, theDepartment will not be in a position to issue PSCs to any member of the publicwho wishes to enter a transaction with (or obtain a public service from) anysuch public body.

Members of the public maywish to note that nothing in the findings made by the DPC impacts the validityor use by individuals of PSCs already issued. Likewise, nothing inthe findings impacts individuals accessing benefits including free travel whocurrently do so using their PSC and the DEASP is not prevented from issuingfurther PSCs for these purposes.

Commentary

The introduction of ascheme like the PSC necessarily involves the striking of a balance between theinterests of the State (in terms of accessing the intended benefits of thescheme), and the interests of the individual, whose personal information is tobe collected and used. The balance struck between these competing interests isin turn central to any assessment of the lawfulness (or otherwise) of such ascheme.

In the course of ourinvestigation, one of the things we tried to do was to identify and weigh theindividual factors that impact on this balancing exercise. So, for example, wesought to identify the rationale for the scheme; equally, we sought to tracehow that rationale has developed as the application of the scheme itselfevolved and expanded; we then sought to map that rationale against the legislativeframework that underpins the scheme, so that we might assess whether and how itsatisfies specific requirements of data protection legislation.

We also sought to identifythe intended benefits of the scheme and to assess whether those benefits havebeen realised and, if so, whether they can be quantified in a meaningful wayand measured against interferences with the interests of individual members ofpublic whose data is the subject of collection and processing.

Ultimately, we were struckby the extent to which the scheme, as implemented in practice, is far-removedfrom its original concept. Whereas the scheme was conceived as one that wouldmake it easier to access (and deliver) public services, with chip-and-pin typecards being used for actual card-based transactions, the true position is thatno public sector body has invested in the technology capable of reading thechip that contains the encrypted elements of the Public Sector Identitydataset. Instead, the card has been reduced to a limited form of photo-ID, forwhich alternative uses have then had to be found.

Even in terms of statedjustifications for the card around identity validation standards andfraud-prevention, it was established that cards are in fact issued in somecases without the applicant being required to submit to the full range ofidentity checks. Surprisingly, the criteria applicable to such exceptionsremain unclear.

As new uses of the cardhave been identified and rolled-up from time to time, it is striking thatlittle or no attempt has been made to revisit the card’s rationale or the legalframework on which it sits, or to consider whether adjustments may be requiredto safeguards built into the scheme to accommodate new data uses. Instead, thedevelopment of the card has proceeded by way of one-off, piece-meal changes toexisting social welfare legislation, resulting in a situation where, in ourview, the approach to the project from a data protection perspective is lackingin coherence and where, more importantly, there is little or no evidence of anyattempt to balance the interests of the State, acting through those publicbodies who participate in the scheme, and the interests of those members of thepublic who are required to obtain and produce the card (and provide theirpersonal information when registering for it). Certainly, there is no evidenceof any such balance being re-examined on each occasion when a new form of useis identified for the card. That cannot be considered acceptable in a dataprotection context where careful calibration is required when consideringadjustments to any scheme that, by its very nature, interfaces with establishedand important legal rights.

These factors necessarilyinform the DPC’s analysis of those issues that are the subject of the findingspublished today.

Publication of the Reportcontaining our findings

Under applicable laws, itis not open to the DPC to publish its Report without the prior agreement of theDepartment. The DPC has written to the Department asking it to confirm, withina period of seven days, that it will either publish the Report on its ownwebsite or, alternatively, that it will agree to the publication of the Reporton the Commission’s website. The Department’s response is awaited.

https://www.dataprotection.ie/en/dpc-statement-matters-pertaining-public-services-card-0

声明:本文来自个人信息与数据保护实务评论,版权归作者所有。文章内容仅代表作者独立观点,不代表安全内参立场,转载目的在于传递更多信息。如有侵权,请联系 anquanneican@163.com。