Since 2008 the Department of Employment Affairs and Social Protection (DEASP) has issued child benefit beneficiaries with “eligibility certificates” which are, in fact, forms demanding personal information about the children involved in order to prove that they are still entitled to receive payments. The certificates are part of the Department’s “control measures”, aimed at ensuring fraudulent claims for social welfare payments are detected and that payments are not being continued for people who are no longer eligible, for one reason or other.
Such control measures might, under certain circumstances, be an appropriate and prudent measure to detect fraud and ensure that taxpayer funds are correctly distributed. I was consulted, however, by a client who had been receiving these forms repeatedly for a number of years, despite no change in circumstances. (Note: my client is satisfied that non-identifying elements of this case are disclosed.)
The forms demanded that that the client provide the following information:
- For each of your children aged between 5 and 18 years, please insert details overleaf of the school or college they attend including full school name, address and phone number of the school.
- For children under 5 years old, please insert details overleaf of the doctor they attend or details of the playschool/créche they attend if applicable.
Initially, my client returned the forms. When they continued to arrive on an annual basis, my client wondered how the provision of this information was necessary, what it proved to DEASP and what they might do with the information to confirm entitlements. My client wondered whether this was an excessive request for personal information about children and whether DEASP was entitled to request it. The information provided in the forms sent by DEASP did not provide answers to any of these questions.
On querying this DEASP relied on various provisions of the Social Welfare Acts that regulate child benefit payments and in particular a provision that states that the Minister can require information to be furnished by a beneficiary where the Minister forms the opinion that the furnishing of that information would assist in deciding (among other things) whether a beneficiary is entitled to continue to receive child benefit.
My contention was that those provisions were not an adequate legal basis for the processing that was being carried out and that insufficient information was provided to beneficiaries about the use of the information obtained. DEASP did not accept this and so a complaint was made to the (then) Data Protection Commissioner. (This complaint was made, and dealt with, under the pre-GDPR rules established by the Data Protection Acts 1988 and 2003.)
Following a lengthy investigation and consideration of the complaint, the Commissioner has now issued a lengthy, detailed decision which finds:
- DEASP’s stated rationale for processing the personal data involved is limited to a general description of policy objectives and control measures, and does not provide a detailed justification for the specific processing operations performed.
- The forms issued by DEASP do not, of themselves, account for the necessity of the specific processing operations performed by the Department in this context.
- The limited information supplied by DEASP regarding its processing is insufficient to conclude that such processing was necessary.
- DEASP did not comply with the fairness principle because the Department selectively emphasised positive outcomes for child benefit recipients when describing the purposes of processing, which did not reflect the fact that the purpose of the processing was, to a substantial extent, the identification of persons who were no longer eligible to receive child benefit.
- Because its information requests were mandatory and because of the types of information obtained, a significant duty of transparency fell on DEASP to explain the further processing which it intended to perform in relation to the information obtained.
- DEASP should have provided at least information on its acknowledged “data-matching initiatives”, and specifically, information on the categories of personal data that may be processed in the course of data-matching initiatives, the purposes of processing for such data-matching and the identities of third party data controllers engaged in data-matching initiatives with DEASP.
The Commissioner notes the mandatory nature of the information requests and the fact that DEASP can suspend or terminate payments. In fact, DEASP repeatedly threatened to terminate my client’s payments and earlier this year, suddenly took the step of suspending the payments despite the fact that the Commissioner’s investigation was then at an advanced stage. Following objections, DEASP lifted the suspension pending the decision of the Commissioner.
The decision is very welcome and represents a significant challenge to the extensive and comprehensive data-gathering activities of DEASP and, indeed, other statutory bodies. It highlights the fact that the mere existence of a statutory provision or function is not sufficient to justify demands for personal data which go beyond that provision or which are not adequately explained or justified. While the decision concerns child benefit eligibility certificates in particular, it has relevance beyond those forms to many data-gathering activities of DEASP and other State bodies.
As mentioned, this is a pre-GDPR investigation and decision. The Commissioner did not refer to any intention to utilise the enforcement provisions in the pre-GDPR rules, but because DEASP continued to send out these forms and sent one to my client in 2019 (after the GDPR had come into force) that request for information by DEASP will now be considered by the (now) Commission under its GDPR complaint procedures. It is worth noting that the core data protection principles have not substantially changed, however, while the enforcement provisions have changed substantially.