
The Data Sharing Agreement re the Public Services Card

It’s a requirement that public bodies sharing personal data, and relying on the provisions of the Social Welfare Consolidation Act 2005 to do so, have an agreement in place first.

I wrote in 2014 about the (eventually) fatal consequences for Irish Water’s attempts to rely on the 2005 Act in the absence of that Ministerial agreement. (It was illegal, and the hundreds of thousands of PPSN records Irish Water collected were subsequently scrapped.)

So, having read through a good deal of documentation on the Public Services Card, I knew that the Department of Social Protection were claiming that they were the Data Controller for the National biometric ID Database which the Card is linked to.

Despite this, for reasons the Dept has chosen to never explain (I could hazard a guess) they have passed the storage and management of that database to the Department of Public Expenditure and Reform.

So I FOI’d the Agreement which underpins that relationship.

You can read it yourself below.

There are striking things about this 2014 document, but one thing stands out above them all.

It’s an agreement between two Ministers, but it’s signed neither by them nor on their behalf. Though the opening text recognises that what is needed is that the Ministers make this Agreement, it is eventually signed by Departmental Officials. It isn’t signed for and on behalf of the respective Ministers either. Rather, it’s signed For and On Behalf of the two Departments.

That leaves the entire PSC Database lacking the underpinning of a completed Agreement between the relevant Ministers.

(Oh, and unless it was renewed before 17th February 2016 the Agreement, insofar as there may have ever been one, has lapsed.)

The Public Services Card- An ID database and ID card

There is an excellent article by Elaine Edwards online (but not in the paper) regarding a pensioner whose pension payments have been stopped because she declined to submit to the biometric scanning and so on involved in being given a Public Services Card.

This card has been, to be charitable, inaccurately referred to as voluntary by Minister Paschal Donohoe.

However, if you don’t agree to submit to the carding process (which involves a biometric scan of your face, as well as a system to associate that ID record with your mobile phone) you currently can have any and all your social welfare payments (pension, free travel, children’s allowance, maternity benefit, paternity benefit…) cut off.

In addition, you cannot get a new driving licence, you cannot get a replacement passport if it has been lost or stolen, you cannot get your first passport or be made a citizen.

That’s the list of consequences for not volunteering so far. You can read the ambitious list of planned uses on the Department’s own website. I’ve reproduced it below, for ease of reference. Here’s an excellent piece by Loughlin O’Nolan and Elaine Edwards on just how voluntary this system is.

So, what we have here is a national ID card system which has never been debated by the Oireachtas, isn’t based on any primary legislation and has been introduced (where there is any legal justification for it cited at all) by wilfully forcing a new interpretation onto old legislation.

The Legal Basis that wasn’t there

I’d like to just rattle through some of that claimed legal justification, simply to demonstrate how shaky it is. Anyone who has read my previous pieces on the Health Identifiers Act 2014 and the Primary Online Database may notice some familiar themes emerging.

Here’s what the Department of Social Welfare cites as the legal basis for cutting off the pensions of old ladies who refuse to comply with the demand they get an ID card:

The Social Welfare Consolidation Act 2005, as amended, viz.
– Section 247C(1) of the Act provides that the Minister may require any person receiving a benefit to satisfy the Minister as to his or her identity;
– Section 247C(2) of the Act specifies the consequences of failure to satisfy the Minister in relation to identity as required, specifically that a person shall be disqualified from receiving a benefit;
– Section 247C(3) of the Act specifies the manner in which the Minister may be so satisfied; in effect, this Section describes the process for registering a person’s identity.

The first two of those provisions simply say that a person who refuses to satisfy the Minister as to his or her identity may have their payments stopped until their identity has been confirmed. This is a completely reasonable and laudable requirement, necessary to make sure money is going to the right person.

But here, the Department hasn’t said that the lady whose pension they’ve stopped isn’t who she says she is. They’re not denying her identity at all: they know who she is. An official even visited her at her house and was shown her marriage cert. The lady has produced her passport, the document which Ireland expects every other country in the world to accept as proof of identity at their borders.

Again, they know who she is. That’s not why they’ve cut her off. They’ve stopped her pension because she refuses to comply with the biometric carding process.

And for that, they’re relying on Section 247C(3) of the Social Welfare Consolidation Act 2005. The actual provision was only brought in in 2013, in the Social Welfare and Pensions (Miscellaneous Provisions) Act 2013.

The problem for the Department is that, though Section 247C(3) describes a visit to a Social Welfare office, showing some documents and having your picture taken and giving a copy of your signature as being the Minister’s preferred method of you proving who you are, it doesn’t say that the purpose of doing so is to have your data entered onto the national Public Services Card register, with all the subsequent data sharing and processing that involves.

The Act sets out, in a clause not cited by the Department, that this attendance and these records can only be lawfully used for one purpose. Section 247C(1):

“to satisfy the Minister as to his or her identity”

Once that’s done, there is no lawful basis for any further use of that data. No legislative requirement to be placed on an ID register. No basis for sharing the data collected with other government agencies (as envisioned by Section 8 of the Health Identifiers Act, for example).

Joan Burton, when she was Minister for Social Protection, acknowledged that building an ID database was something which couldn’t simply be treated as an administrative act. It has serious and permanent consequences for the relationship between the citizen and the state.

The question of the introduction or otherwise of a national identity card was not part of SAFE’s remit. The matter of establishing a national identity index and producing a national identity card is a wider issue. It would require due consideration by the appropriate agencies before any policy decisions could be formulated by Government and would require the development and implementation of legislation to support any such policy. (source)

Now, you can issue a person with an ID card without a legal basis, if they consent to it. Of course you can. The problem is, in order for that consent to be valid under EU law, it can’t have been compelled. It can’t have been extracted on pain of penury at the loss of your pension, of the child benefit you rely on or your unemployment benefit.

And a person can’t give consent if they haven’t been clearly told to what purposes the data they are agreeing to hand over will be put.

Until we have a full and open debate on the merits of a national ID card (and the identity index database those cards extend from) we cannot decide if we are happy with the consequences of such a plan or (as happened in the UK) whether we decide it is a dangerous and illiberal step.

If the Government wants to legislate for an ID card, let it first propose the plan and see it through the Oireachtas.

Personal data is legitimately gathered and used by the state on the basis that it is a safe guardian of citizens’ fundamental data and privacy rights. Without trust that the state will do the right thing, the legitimacy of that collection breaks down.

If the state won’t even admit to what it is doing, how does it expect citizens to trust that it will do the right thing?

Roadmap for mandatory requirements for the Public Services Card

Painful Pincers at the Border


The UK government has issued the outlines of a new Data Protection Bill. It will be a substantial piece of work because it will replicate the General Data Protection Regulation (GDPR). The GDPR is EU law and is directly effective in all Member States including the UK, on 25th May 2018. The UK Brexit plan requires “replication” rather than “supplementation” because the UK has no intention of cutting itself free of EU “red tape”, if it is in the form of the GDPR.

The UK Brexit plan also, it seems, has set the UK on a race to implementation of its new Data Protection Bill on or before the coming into force of the GDPR. So, it will introduce the Bill to parliament in September next, where there is the narrowest of time slots to do so.

We now know, from the UK Information Commissioner (ICO), that she intends to levy fines equivalent to those provided for in the GDPR, on persons, organisations and companies that breach the new Data Protection law.

Any miscreant Irish company doing business in the UK will be exposed to those fines if the ICO applies the UK Data Protection law, rather than the GDPR. That will be a major problem for cross-border firms doing business with Northern Ireland. Whatever about any [mistaken] assumption those firms may harbour that the Irish Data Protection Commissioner will not apply high fines for GDPR breaches, they can readily believe the ICO will apply those fines.

What are the limits to the fines? There are two categories of fines:

A. Fines up to €10 million or 2% of annual global turnover;

B. Fines up to €20 million or 4% of annual global turnover;

Consider the recent Swedish data breach involving the Swedish Transport Agency and IBM. On available information they would each have faced a fine from category B if the breach had occurred after 25th May 2018.


Medical Negligence: Case Report on hospital liability

Court: UK Court of Appeal

March 2017

Facts:
The Plaintiff suffered a head injury from an assault. He attended at the Defendant’s hospital – the A & E dept., with a friend. The receptionist took his details and told him he would have to wait and it would be up to five hours before he was seen. In fact the hospital operated a system of having such patients seen within thirty minutes by a triage nurse. The receptionist did not mention this.

Before the expiry of the thirty minutes and the arrival of the triage nurse the Plaintiff and his friend left the hospital without notifying the receptionist.

He went home to take paracetamol for his head pain. The triage nurse came into the waiting area and looked for him. However, she couldn’t find him, and so he was not given the assessment which the hospital system had intended he would benefit from.

Unfortunately, the Plaintiff’s condition deteriorated while he was at home and he was subsequently taken to the hospital by ambulance. On arrival at the hospital, he was medically assessed and was found to have an extradural haematoma. He subsequently underwent surgery. However, after his surgery he was left with a permanent left hemiplegia and long-term disabilities. The Plaintiff sued for medical negligence, within the Statute of Limitations.

Decisions:

The initial UK trial court found for the Defendant hospital. The Plaintiff appealed the decision to the UK Court of Appeal.

The appeal court found for the Defendant hospital, with one dissenting judgment. The Appeal court found, among other things, that liability could not extend to the Defendant taking responsibility for the Plaintiff walking out of the hospital without reporting to the receptionist that he was leaving.

The dissenting judgment found that the Plaintiff’s decision to leave did not break the connection between the injury suffered and the poor quality of the information given to the Plaintiff about the waiting period.

The IBM Complex


Reputedly, corporate America values conformity, hence the maxim – “Nobody ever got fired for hiring IBM” – applied to the purchase of materials or services.

This approach overlooks the drawbacks of conformity and reflects a failure to understand both IBM and the real world.

In Sweden the Transport Agency hired IBM to manage its vehicle registration and drivers’ licence database. The price, not relevant here, was €100 million.

In the events that have happened, IBM did not understand that it was not in the USA – it was in Europe, understanding which required knowledge of the real world.

The Transport Agency failed to understand IBM, understanding which required knowledge of the real world.

Each of them failed to understand Data Protection and data security. IBM recklessly distributed huge quantities of personal data (and State secrets) collected in discharging its tasks, to many IBM business units outside Sweden, in Europe (and possibly beyond).

The Transport Agency itself stored the data in cloud servers. It offered access to the data to commercial users.

Sweden is in the European Union. European Union law obliged Sweden to safeguard the personal data of its citizens and to ensure that any processor of that data (IBM) conformed to EU law. Sweden and IBM were obliged to limit access to the data, not strew it across Europe.

So, the Director General of the Transport Agency has been fired. Two Swedish government ministers have been fired. The government remains in office on a thread.

All of this happened before the General Data Protection Regulation comes into force next May. If IBM were to repeat such errors after that date it would face fines calculated on its global turnover.

Ireland is exposed to the same risks as Sweden; we must not try to sub-contract our obligations under the GDPR – it won’t work. We must not preserve our careers by “hiring IBM”; it won’t work.

We have only ten months left to conform to the real world.

People will get fired; companies will go bust.

Digital Rights Ireland: Application for a Trial of Preliminary Issue

In January 2012, in the case of Digital Rights Ireland Ltd. v The Minister for Communications & Ors., the High Court referred certain questions to the CJEU (ECJ) under Article 267 TFEU.

In the events that happened the ECJ struck down or found invalid Directive 2006/24/EC in the course of the hearing of the referred questions.

The High Court is now hearing the parties (Digital Rights Ireland Ltd. and the Minister for Communications & Ors.) in the resumed proceedings, interrupted by the reference made in 2012.

Interested parties may attend. The hearing is taking place in Court No. 14 on the 2nd floor of the Four Courts in Dublin. It may conclude today.

McGarr Solicitors act for Digital Rights Ireland Ltd.

GDPR – Start now!


If you do not know about the personal data you hold, you cannot comply with the GDPR. So, trace the flow of personal data in your company. Bear in mind that the personal data of employees is covered by the GDPR.

Compliance with the GDPR will involve those self-same employees. They will need training in the application of the principles of the GDPR in your organization.

Possibly you are obliged to appoint a Data Protection Officer (DPO). If so, or if you decide you need one despite not being obliged to appoint one, there is little point in leaving it until May 2018 to do so. The DPO will be needed to help you reach compliance with the GDPR.

As your DPO will tell you quickly, many systems must be devised and implemented to ensure compliance. You will have to ensure that data protection is “baked in” to your systems. In other words, no change can take place without a rational analysis of the data protection implications and the measurement of risk for any such change. Here, speaking of change carries the assumption that your organization is not currently in compliance. It would be an unusual organization if it were to be already in compliance with the GDPR.

The GDPR requires the writing of a Data Protection Impact Assessment for change. To comply with the GDPR is to change. So, you will need to write your Data Protection Impact Assessment.

The foregoing is a cursory look at what you have to do. Start doing it now. You are possibly going to be late and not in compliance on 25th May 2018 but if you recognize the urgency you might just make it.

Start. Start now. Do not get diverted or distracted. You need to focus; you will need all the time that remains to do even the few things listed above.

GDPR and Brexit (whatever that means)


There is probably a book yet to be written on the interplay between the General Data Protection Regulation and Brexit, but some elements can be seen now.

Unusually, the GDPR permits the introduction of some national legislation on data protection issues. They include occasions where a legal obligation mandates the processing of personal data, or the processing relates to a public interest task, or the processing is carried out by a body with official authority. There are others.

As a presumption, we believe that Brexit will not happen outside the provisions of Article 50 TEU and therefore will not happen before 25th May 2018.

If the UK makes legislative provision within the scope of the GDPR it will be incumbent on the UK to include those provisions in the Brexit negotiations and receive EU assent to their recognition, otherwise the UK derogations will fail as law (from the point of view of the EU) on the happening of Brexit.

For Irish organisations one important issue would be the receipt of consent to data processing in relation to children. The GDPR sets the age up to which a person is a “child”, whose consent must be given by a parent, at 16 years. This can be subject to national derogation and reduced to 13 years of age. If the UK derogates on the point and fails to get agreement in Brexit negotiations, Irish organisations must immediately apply the provisions of the GDPR in full.

Put another way, it would be wiser, as a commercial matter, not to give recognition to any UK legislative derogations until the full conclusion of the Brexit negotiations.

Putting it in yet another way, pending the successful (with agreement) conclusion of the Brexit negotiations, Irish organisations should not accept, in contracts for the processing of personal data, the inclusion of jurisdictional law clauses where the stipulated legal jurisdiction is the UK.

GDPR; Personal data belongs to people


The EU deferred the application of the GDPR personal data rules for two years to allow organisations to make the necessary internal changes to reach compliance. The first, and possibly the most difficult, is to perceive what is stated in the title here; personal data belongs to the data subject.

Personal data, collected by you, is not owned by you.

Think of it as money. Less than one year from now, your organisation must be able to account for personal data in very close detail. You will be answerable to regulators and to the data subject for the personal data.

If you’re in a business or organisation preparing its GDPR compliance project, you are going to need to include a map of all the personal data you are storing (storage, in EU law, is a form of ‘processing’), as well as the purpose for which it is stored. You’ll also need to be able to show that you have a legal basis for that use, even if you’re only storing it. The GDPR even requires that you keep an up-to-date register of all the data processing done in your organisation, for inspection by the regulator.

Unless you prepare, the very possession of personal data could be a breach of the GDPR data protection rules and, depending on the nature of that breach, its circumstances etc., the fine for a breach could be fatal for your organisation.

That is intended by the EU; under the GDPR, personal data is potentially commercially radioactive. The EU intends to send the message that if it is mishandled, you may go out of business. There are historical reasons (see, most of the 20th Century) why the EU takes the primacy of human dignity in data protection seriously. There’s no doubt that, with the coming into force of the General Data Protection Regulation, it intends that all the organisations doing business inside the EU take it just as seriously as well.

Why bother with the GDPR?


Here is news that was not (to my knowledge) on RTE. Deep Root Analytics maintained a database on an estimated 62% of the population of the USA. It contains what is known as “sensitive” information on the population. It is being used to profile the US population.

The GDPR is designed to prevent the processing of exactly such a database as Deep Root Analytics possesses.

Companies like Deep Root Analytics believe that the information they have collected is theirs, not the data subjects’. They believe that they can sell it and exploit it for their profit.

The GDPR is predicated on the rejection of those ideas.

Those ideas are, currently, default ideas with regard to personal data.

This is the reason why some companies and organisations doing business in the EU must go through a metamorphosis to comply with the GDPR.

This is the reason why the new Regulators of the GDPR will definitely apply the planned fines and penalties provided for in the GDPR.

Nothing but such penalties will bring about the GDPR revolution.