Department ordered changes to ‘biometric’ privacy on website

Data protection officer ‘on leave’ when alterations made, says Social Protection

The Department of Employment Affairs and Social Protection has confirmed that the secretary general instructed that changes be made to the privacy policy.

The Department of Employment Affairs and Social Protection has confirmed that the secretary general instructed that changes be made to the privacy policy.

a
 

The secretary general of the Department of Employment Affairs and Social Protection ordered changes to the department’s new privacy policy last week which removed a reference to the department processing “biometric” data on individuals.

The department’s policy had been changed in May to reflect new data protection laws, and said that at times it needed to collect “special categories” of personal data, such as health and biometric data.

When questions about the new policy were raised by The Irish Times last week, the department said the reference was an “error” and it was subsequently changed to remove the reference to biometric and special categories of data.

Photographs of individuals who hold one of the three million public services cards issued by the department and held in a database used for anti-fraud measures are not “biometric” data, it has said.

In a response to Social Democrat TD Catherine Murphy, the department has confirmed the changes to the policy were not signed off or approved by the data protection officer, who was “out of the office on annual leave”.

The General Data Protection Regulation Unit within the department said the communications unit applied the changes “on the instruction of the secretary general”.

In response to Ms Murphy’s question about whether the data protection officer (DPO) was informed of the changes to the privacy statement, it said: “Yes, he was. However, the DPO was out of the office on annual leave, so the secretary general, in conjunction with the head of communications, made the appropriate changes to the privacy statement.”

Under the EU General Data Protection Regulation, public bodies and some other organisations are obliged to appoint a data protection officer, who is expected to be allowed to carry out his or her duty independently.

It stipulates that this officer must be involved “properly and in a timely manner, in all issues which relate to the protection of personal data”.

A new contract worth more than €9 million to print up to two million public services cards was awarded earlier this month to Security Card Concepts Ltd, which was called Biometric Card Services Ltd until a month ago.

Netherlands-based company Idemia, which specialises in identity management using biometric data, is one of two companies involved in the consortium awarded the contract.

Minister for Social Protection Regina Doherty has said the department “does not ask for or collect biometric data from its customers such as fingerprints, retinal scans or any other items that could be listed as biometric data”.

Privacy advocates and civil liberties groups have raised concerns about the card project, saying it amounts to the introduction of a national identity card without proper debate and safeguards. The department says it is not a national identity card.

Ms Murphy said the data protection officer in the Department of Employment Affairs and Social Protection, and in all departments, was independent.

“They must maintain full autonomy to perform their function and duties without interference from secretaries general and Ministers,” she said.

A spokesman for privacy rights lobby group Digital Rights Ireland, questioned why there was “such confusion” about whether the department was processing biometric data or so-called “special categories” of data. The definition also includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data about a person’s health, and data about a person’s sex life or sexual orientation.

“Government departments are building massive personal datasets. The data protection officer needs independence so they can represent the interests of individuals and protect privacy. They need to be able to tell data subjects (ordinary people) clearly what is going on,” he added.

In the law, biometric data means “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data”.

a