Irish DPC Fines Government Department $635K for GDPR Violations
Ireland's Department of Social Protection (DSP) breached the General Data Protection Regulation when it collected biometric data in connection with registrations needed on applications to obtain a public services card, the Data Protection Commission (DPC) announced Thursday.
The commission reprimanded the DSP, fined it $635,000 (550,000 euros) and ordered that it stop processing biometric data in connection with the registrations within nine months if it can't find a legal basis for doing so.
The DPC has fined several public sector bodies previously, Deputy Commissioner Graham Doyle emailed Privacy Daily. However, "this is by far the largest fine, being five times greater than the second biggest, which was 110,000 euros." Any fine imposed on, and paid by, a public sector body comes from that organization's budget, he added.
The DSP processes biometric facial templates and uses associated facial matching techniques as part of the process, known as "SAFE 2 registration," for cards that can be used to access welfare and other services, the DPC noted. Registration is mandatory for anyone seeking a card.
The DSP infringed the GDPR, the DPC found, by failing to identify a valid lawful basis for collecting biometric data in connection with SAFE 2 registration and then, having collected the information, retaining it.
The DSP also failed to give data subjects transparent information about the registration, and neglected to include certain details in the data protection impact assessment it performed in relation to registration, the DPC said.
The rollout of SAFE 2 registration has meant the ongoing collection, storage and processing of highly sensitive personal data on a large scale by the DSP, the watchdog noted. Under the GDPR, biometric data is classed as special category data which requires high protection and safeguards. In 2021, it added, the DSP held biometric facial templates relating to 70% of the country's population.
The DPC stressed it found no evidence of inadequate technical or organizational security measures in connection with SAFE 2 registrations.
The DSP believes it has a valid legal basis for collecting the data and that it satisfies the transparency requirements needed to operate the SAFE process, the department emailed Thursday. It noted that the DPC didn't find that there was no legal basis but that the "legal provision that exists is not, in its view, clear and precise enough to satisfy the requirements of the GDPR."
The department said it will now consider the decision in conjunction with Ireland's Attorney General's Office in order to determine an appropriate response within the nine-month timeframe. That could involve appealing any enforcement notice and/or working to correct the issues as perceived by the DPC.
The decision has no immediate implications for people using or wishing to register for services during the nine months, the DSP added.