Dear Mr. O’Regan,
The Public Services Card is a ‘Big Deal’ for almost 1,000,000 old age pensioners and people with a disability who have the right to the protection of personal data concerning them and the right to have such data processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
Under GDPR, personal data is data which can identify a living person directly or indirectly, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics, which expresses the physical, physiological, genetic, mental, commercial, cultural or social identity of these natural persons. In practice, these also include all data which are or can be assigned to a person in any kind of way. For example, the telephone, credit card or personnel number of a person, account data, number plate, appearance, customer number or address are all personal data.
Under the GDPR, administrative fines can be imposed on data controllers and data processors that breach certain provisions of the GDPR. The most serious breaches will be liable to fines of up to €20 million or 4% of the undertaking’s annual turnover, whichever is greater.
This is GDPR law, Mr. Regan, it was ‘Data Protection’ law before that. It should be of concern to all law abiding citizens that we, as tax payers, will foot the bill and the costs of all subsequent legal actions, should our government be deemed to have acted unlawfully in relation to GDPR & Data Protection. As Minister Doherty pointed out last week, 3.2 million people have a PSC. 3.2 million claims for compensation for unlawful use of the PSC will add up to an extremely large number.
The Public Services Card replaces the previous free travel pass. With the previous free travel pass, OAPs and people with a disability showed the free travel pass to the transport operator. The transport operator did not record the name of the person using the travel pass, nor an identifying number nor any data which could directly or indirectly identify the user. The use of the previous free travel pass was therefore ‘anonymised’.
The PSC travel pass data is not ‘anonymised’. The PSC travel pass data can identify a living person directly and indirectly by reference to identifiers such as a name, an identification number and location data. This was confirmed in writing to me by the National Transport Authority a number of months ago:
When a PSC is presented to the ticketing machine, the ticketing system records that a journey has been taken and assigns a “fare foregone” value to the record that is stored in the ticket machine. The records held are operator ID, number, route number, date and time of journey and the fare foregone amount, which is the adult single fare that would have been charged for a fare paying adult.
This data is uploaded to the back-office system and subsequently made available to the DEASP. The purpose of recording this information is so that the transport operator can record overall passenger numbers and overall usage information and also to be able to make a claim for reimbursement from the DEASP in respect of services delivered to free travel pass holders.
This was confirmed by the NTA in a reply to Thomas Byrne TD just last week:
“The NTA has a data sharing agreement in place with the DEASP regarding the exchange of data to do with the Free Travel Pass”
Each PSC travel pass is assigned a unique identifying number which is embedded in the card. This number is assigned to each individual PSC travel pass by the DEASP. This number is not visible on the card and must pass through a card reader such as a ticketing machine to be read. This unique identifying number and the data listed above by the NTA, is collected by transport providers who are under the illusion that this is not ‘Personal Data’. However, once this data and the unique identifying number is made available to the DEASP by the NTA, it ceases to be anonymous because the DEASP can, and does, match the data and each unique identifying number to an individual PSC travel pass user. Every transport provider and the NTA are data controllers. It is their responsibility to ensure that the data they collect is not used to identify an individual by reference to an identifier such as a name, an identification number and location data.
That this data is recorded by and available to the DEASP was confirmed by the Secretary General of DEASP in the Public Accounts Committee last week:
There’s a limited number of officers who have it and they’re in our Business Intelligence Unit, the only time we do it is at the request of the Gardai in the case of criminal investigation or at the request of IR revenue protection officials. I think they have the authority under their relevant legislation to look for that information.
This mass retention of personal data is literally the thing that the CJEU has said was illegal in the Digital Rights Ireland case. Even, in that case, in the case of serious crime or terrorism, not train ticket crimes.This is mass retention of personal data without a lawful basis in contravention of the Charter of Fundamental Rights. It was its permission of such retention that caused the CJEU to find the Data Retention Directive illegal under EU treaties and the Charter. The DEASP has outlined exactly the same form of data retention activity in place, but without the benefit of any statutory basis. DEASP cannot collect and retain data on 1,000,000 OAPs and those with a disability “just in case” the police want to use it in future.
A fundamental tenet of data collection is that it must be proportionate. Considering that only 33 ‘requests’ have taken place in 2019, 35 in 2018, 32 in 2017 and none in 2016 out of 1,000,000 PSC travel pass holders by Revenue Protection Officials (not Gardai), there can be no doubt that this mass retention of data by DEASP is grossly disproportionate and unnecessary. OAPs and people with a disability are overwhelmingly honest people, they have not abused the free travel pass in the past and on the DEASPs own figures for ‘requests’ for personal identifying data, there is absolutely no justifiable reason to hold this vast amount of personal data on 1 million OAPs and persons with a disability.
The PSC travel pass, the actual physical card, can continue to be used by PSC travel pass holders, but what it should not be is ‘scanned’ on ticketing machines or any other device. Every OAP in this country has a right to free travel based on their age alone, a drivers licence or a passport is adequate ID to avail of public transport as a right.
30.4 million journey were recorded using the PSC last year, that’s 30.4 individual breaches of the personal rights of 1 million OAPs and people with a disability. Surely you can see Mr. O’Regan, that the mass surveillance of these people is not only a ‘Big Deal’ for the 1 million PSC travel pass holders, but also a very ‘Big Deal’ for every other taxpayer who will have to foot the bill for all the personal actions and administrative fines which will arise because of the hubris of a handful of civil servants and clueless Ministers who refuse to be accountable to the law.