Use of the PSC Card and Privacy Notices

Business Legal has recently published their August Newsletter on all data protection matters.  This edition focuses on the use of the Public Services Card (PSC); Privacy Notices/Policies; verifying the identity of an individual requesting access to their data or that data be deleted; a GDPR fine in Romania; Brexit planning etc.  The newsletter is packed with useful information and guidance.  

The Public Services Card (PSC)

The Data Protection Commission (DPC) has determined that the PSC may not be used on a mandatory or compulsory basis by government departments other than the De-partment of Social Protection, which is the Department which issued the card. This means that it is not lawful for a PSC to be demanded in a driving licence or passport application, or any other application to any department other than the Department of Social Protection.

More problematically, the DPC has ordered the destruction of 3.2 million data subjects’ records on the basis that there are no longer required once the primary purpose for gathering that data was achieved, namely the identification of the individual.

The government appears to be inclined to try and retrospectively legislate to legitimise its unlawful actions, rather than to take on board the criticism of data protection practitioners, and the DPC with regard to its actions over the last number of years. There are very strong legal objections to this approach, as Article 5.1.b of the GDPR requires that personal data be “collected for specified, explicit and legitimate purposes”, and the data has already been collected. Any attempt to retain the personal data held in respect of the PSC, or to respectively legitimise its collection would likely be resisted by recourse to liti-gation. The PSC has put a 21 day stay on its order for the destruction of the personal data, so we will be reporting on further developments in our September edition of this newsletter.

Privacy Notices/Policies

With the prospect of increased GDPR regulatory activity ahead, it is important for organisations to ensure their Privacy Notices are compliant.

You must provide clear, intelligible and easily accessible information to individuals about the collection and use of their personal data.

This must be provided at the time personal data is obtained from individuals (or within one month when ob-tained from another source).

The categories of information to be provided include the purposes of processing, the legal basis for processing, the legitimate interest of the company which the company claims legitimises the processing (if applicable), any data sharing, any international transfers, and the data retention periods which apply to each processing.

Working this out, with documentation to meet the requirements of accountability, can be challenging. You may need to re-fresh data mapping or review justifications for legal basis. Privacy Notices should also align with your Records of Processing Activities (as required by Article 30). You may need more than one Privacy Notice depending on the individuals involved (customers, staff, etc.). Privacy Notices are not a once-off exercise and must be kept under review to reflect processing activi-ties.

They are part of your GDPR transparency obligations. It should be transparent to individuals that their personal data is being processed and to what extent.

How do you verify the identity of an individual requesting access to their data or that data be deleted?

The Dutch Data Protection Authority, Autoriteitpersoonsgegevens, has provided guidance.

If at all possible, refrain from asking for a copy of a formal ID

Some alternatives may be:

• Via an existing login system.
• A form of two-factor authentication. For example:
  • after receiving a request via e-mail request a confirmation by SMS. This mobile number must then match the customer data from your administration.
  • request confirmation of the telephone request by e-mail. This e-mail address must match the customer data from your administration.
  • ask for the last 3 digits of the account number, the date of birth and / or the customer number for verification.
  • ask someone to come by and show you his/her ID proof without making a copy. Note, however, that this cannot be used to set up a threshold to allow access and should only offered as an alternative

GDPR fine in Romania

EU Standard Contractual Clauses (SCCs) and EU-US Privacy Shield

While we can’t pre-empt the decision of the CJEU, if the SCCs and/or Privacy Shield were invalidated that would mean that businesses that have heretofore been relying on these mechanisms would need to consider alternative mechanisms for trans-ferring their personal data to third countries.

These include:

• Binding Corporate Rules (BCRs)
• Derogations
• Consent

Given the lack of any practical alternatives, should the SCCs and/or Privacy shield be struck down, the European Data Protection Board will come under significant pressure to allow for some kind of moratorium during which no enforcement action will be taken by a national regulator, as happened previously when the precursor to Privacy Shield (Safe Harbour) was deemed invalid.

Businesses would need to:

• educate senior management on the implications of a declaration of invalidity;
• analyse data flows outside the EEA, what mechanism(s) underpin these transfers and how important these transfers are;
• assess the potential impact of having to stop transferring data abroad and how any fall out may be mitigated. E.g cease certain data processing activities or cross-border transfers, bring the personal data back into the EEA or continue processing outside of the EEA;
• consider the extent to which business operations may continue without the need to transfer personal data outside the EEA;
• consider alternate mechanisms such as BCRs or one of the derogations, or demonstrate data subject consent to the transfers; and
• engage with third party service providers to determine what contingency plans they are putting in place to ena-ble them to continue to receive data.

How should companies plan for BREXIT?