Latest news with #SAFE2
The Journal
2 days ago
- Politics
- The Journal
Department of Social Protection fined €550k for unlawful database of millions of Irish people's faces
IRELAND'S MAJOR DATA watchdog has fined the Department of Social Protection €550,000 following a major investigation into its use of facial recognition technology linked to the Public Services Card. The Data Protection Commission (DPC) inquiry, launched in July 2021, examined the DSP's 'SAFE 2′ registration process, which requires applicants to submit biometric facial data used for facial matching as part of their card application. The Public Services Card is needed for accessing many welfare and public services, including applications for Child Benefit, Jobseeker's Benefit and driving licences. A sample Public Services Card. Department of Social Protection Department of Social Protection 'SAFE 2′ registration has led to the Department of Social Protection holding biometric facial templates for about 70% of Ireland's population, making it one of the largest biometric data collections in the country. The DPC inquiry found that the Department did not have a valid legal reason to collect or keep this sensitive facial data. According to the DPC, the Department also failed to clearly inform people about how their data would be used, and the Department's privacy risk assessment was 'incomplete'. As well as the €550,000 fine, the data watchdog ordered the department to cease processing biometric data for 'SAFE 2′ registration by March next year, unless a lawful basis is identified. Deputy Commissioner Graham Doyle said that the DPC decision 'does not challenge the principle of SAFE 2 registration itself'. 'The technical and security measures in place for handling biometric data are sound,' Doyle said in a statement. Advertisement 'Our concerns relate to whether the legal framework and the way the Department of Social Protection operates the system meet the requirements of data protection law. We found clear gaps in that regard.' The DPC emphasised the need for a clear and precise legal basis when processing such sensitive data, as required by European privacy laws (GDPR), to protect individuals from arbitrary interference with their privacy rights. The DPC's decision was made by Data Protection Commissioner Dale Sunderland, and was notified to the Department of Social Protection this week. The Department of Social Protection has yet to comment on the ruling. 'More than a decade late' The Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as 'more than a decade late and inadequate.' Joe O'Brien, ICCL's Executive Director, said the ruling 'vindicates the actions taken by ICCL and Digital Rights Ireland against the Department of Employment and Social Protection'. He said the ruling also confirmed what they had long argued – that the Department unlawfully collected facial records from millions without proper legal grounds or clear explanation. 'The Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law,' O'Brien said. 'The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people's biometric data must be deleted.' Olga Cronin, Senior Policy Officer at ICCL, criticised the mandatory nature of the facial recognition process. 'The Department unlawfully forced vulnerable people to give it their biometric data before it would help them,' Cronin said. 'It demanded data from people who needed its help to put food on the table. We should not have to trade our biometric data to access essential services to which we are already legally entitled.' Readers like you are keeping these stories free for everyone... A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation. Learn More Support The Journal
RTÉ News
2 days ago
- RTÉ News
Data watchdog issues €550,000 facial recognition fine over Public Services Card
The Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card. A DPC investigation found breaches of the General Data Protection Regulation (GDPR) relating to failures to identify a valid lawful basis for the collection of biometric data, the retention of biometric data collected, and failures to put in place suitably transparent information to data subjects. The investigation, which commenced in July 2021, focussed on the processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card, a process known as "SAFE 2 registration". As well as a reprimand and the €550,000 fine, the DPC has issued an order requiring the Department of Social Protection to cease the processing of biometric data in connection with SAFE 2 registration within nine months of the decision if the department cannot identify a valid lawful basis. The DPC's decision was made by Data Protection Commissioner Dale Sunderland and was notified to the Department of Social Protection this week. "It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle," said Graham Doyle, Deputy Commissioner, DPC. "The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry," he said. "This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard," Mr Doyle said. The Department of Social Protection said it believes that it has a valid legal basis and that it does satisfy the requirements of transparency required to operate the SAFE process, including the biometric processing element. "We note that the DPC decision does not find that there is no legal provision but that the legal provision that exists is not, in its view, clear and precise enough to satisfy the requirements of the GDPR," a department spokesperson said. "However, we will carefully consider the DPC decision report, in conjunction with colleagues in the Attorney General's Office with a view to determining an appropriate response within the nine-month timeframe provided for in the decision," it stated. "Depending on the outcome of this consideration, this may involve appealing any enforcement notice and/or working to rectify the issues as perceived by the DPC," the department said. The department added that as it has been given nine months to address the issue, there are no immediate implications for users of the Public Services Card or MyGovID or anyone wishing to, register for or avail of, these services in the next nine months. "We also note that the DPC did not find any evidence of inadequate technical and organisational security measures and that there are no examples of any person suffering damage or loss as a result of SAFE registration," the department spokesperson said. "On the contrary the SAFE process has directly led to a reduction in identity fraud and delivered very significant security and customer service benefits to the millions of people who use the services every day," they added. This inquiry followed on from a separate investigation previously carried out by the DPC into certain aspects of the DSP's processing of personal data in connection with the issuing of Public Services Cards, which concluded in 2019. The DSP initially brought legal proceedings against the decision of the DPC in that inquiry by way of an appeal to the Circuit Court. That appeal was ultimately withdrawn and a joint agreement between the DPC and the DSP, as well as the final investigation report from that inquiry, were published in December 2021. That final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC. Today's decision is the culmination of that separate inquiry process.
