DSP Privacy Statement 2019
From Department of Social Protection
Published on
Last updated on
From Department of Social Protection
Published on
Last updated on
What is GDPR?
GDPR is the European Union General Data Protection Regulation. It comes into effect from 25 May 2018. It sets out a series of new EU laws concerning how data can be processed and used by organisations. The objective of the Regulation is to strengthen and standardise data protection laws for all EU citizens. This Regulation will apply to any organisation that collects and stores personal data (a Data Controller) and also any other organisation working on the instructions of the Data Controller (a Data Processor). Those responsible for adhering to this Regulation include employees of the relevant organisation, including contractors, consultants, agents and third parties who have access to data either directly or indirectly.
GDPR very significantly increases the obligations and responsibilities for organisations in how they collect, use and protect personal data. At the centre of the new law is the requirement for organisations to be fully transparent about how they are using and safeguarding personal data, and to be able to demonstrate accountability for their data processing activities. Further information on GDPR and the steps to take in ensuring compliance is available on the website of the Data Protection Commission (DPC) at GDPRandYou.ie or dataprotection.ie.
Data Privacy Summary
The Department of Social Protection take your privacy seriously. It is important that you know what we do with personal information that you and others provide to us, why we gather it and what it means to you. This document is being provided to you in line with our obligations under the General Data Protection Regulation (GDPR). From 25 May 2018, the GDPR, together with applicable Irish requirements, will amend existing data protection law and place enhanced accountability and transparency obligations on all organisations using your information. The GDPR will also introduce changes which will give you greater control over your personal information. Please take time to read this notice carefully. If you have any questions about how we use your information, please contact our Data Protection Officer at the details below.
The Data Controller
The Department of Social Protection (DSP) is the Data Controller for all personal data collected for the purpose of its business. The department decides what personal data we need to collect from you to allow us to operate our schemes and services. Our data processes are then documented and issued to relevant staff.
Each week, some 1.4 million people receive a social welfare payment. In the region of 625,000 families receive child benefit payments in respect of 1.2 million children each month. There are some 6,500 staff directly employed in the department. Operational guidelines for all our schemes are available on our website www.welfare.ie
You can contact the department at:
The Data Protection Officer
If you are concerned about what we do with your personal data, contact our Data Protection Officer (DPO).
You can contact our DPO here:
We collect information about you for a range of reasons and from a number of sources, as well as from yourself. The common situations where we collect personal data are as follows:
We would also receive information from other government departments, for example in relation to childcare applications from the Department of Children and from certain State agencies – such as from SUSI in relation to grant applications for third level colleges.
The department also has a range of contractors which would collect information from you for the department. These are all covered by legal contracts and would include Branch Offices, Local Employment Services, Jobs Clubs and Job Path providers.
We may also collect data from TDs or Councillors acting on your behalf, or from other people, approved by you to act on your behalf.
It is the department’s policy to only collect the information that is required for the immediate purpose, such as those outlined below.
Personal data we collect can include the following:
At times, we also need to collect personal data, such as health data and data such as photographs used for the purpose of identification. This may also include information concerning trade union membership. We acknowledge that we can also collect, indirectly, data in relation to the religious beliefs and sexual orientation of our customers.
The department has a number of Acts under which personal data may be legally processed. Our main legislation is included in the Social Welfare Consolidation Act, 2005, as amended. However, we have a number of other pieces of primary and secondary legislation which allows us to process personal data. Should you wish to know more about these, please see the list which is included as an appendix to this document.
The department is also entitled to process personal data under other legislative provisions that provide the basis for all government departments to administer the range of services and supports as set out by successive Government decisions.
We process personal data for the following purposes:
In certain situations, data may also be shared with other organisations, in accordance with legislation and as outlined in Section 5 below. In all cases, data sharing arrangements will be in place.
Note: The department undertakes to ensure that Data Protection Impact Assessments are conducted before any new data process is started and to update this document accordingly. In line with the GDPR, the department undertakes to consult with its Data Protection Officer and, if necessary, with the Office of the Data Protection Commission before commencing any new data processing activities.
Electronic Storage of Your Personal Data
The majority of personal data stored by the department is stored electronically on our internal ICT systems. These systems are fully protected by anti-virus and anti-malware software. Electronic data includes scanned copies of application forms, evidence of identity, contact information, financial information, family details, educational and training achievements, copies of electronic correspondence, social insurance contributions, employment history and claim history.
Access to personal data is restricted to those staff members who need the information to carry-out their official duties. Access is controlled by every staff member having a unique login username and password and with usernames being linked to the minimum permissions necessary to allow the staff member to work in a secure environment and to only access the personal data that they need for their jobs.
Storage of Hard Copy (Paper) Files
Where the department holds paper records containing your personal data, these are stored on individual files which are secured on our premises and where only our staff can access them.
This is achieved through physical security, where access to a department office is by a swipe card or access card and where visitors are screened, signed in and accompanied by a member of staff, so that they cannot access any personal data stored by the department.
In addition, our staff members are not allowed to deal with claims from relatives and close friends.
Categories of Recipients with Whom We May Share Your Personal Data
The department is allowed to share your data with a range of organisations, but only where legally enforceable data sharing agreements are in place. In addition, the Social Welfare Consolidation Act allows that the department can share a person’s public service identity* details with a range of organisations that are listed in schedule 5 of that Act.
In general, the types of organisations that the department would normally share information with are as follows:
*Public Service Identity information includes your name, date & place of birth, contact information and nationality – used to confirm identity for services that are being provided
Will Your Personal Data be Transferred out of The European Economic Area?
No, your personal data will generally not be stored outside the European Union or the European Economic Area or EEA (EU 27, plus Iceland, Norway, and Liechtenstein). Where we do share information outside the EEA or if there are exceptional arrangements for storage of your data outside the EEA, we will always take steps to ensure that any transfer of information outside of the EEA is carefully managed to protect your privacy rights under the GDPR. This is provided for under EU Social Security Regulations.
Are We Allowed To Transfer Your Data Outside of The EU And EEA?
We may transfer information about you to a country or international organisation outside the EEA. We will always take steps to ensure that any transfer of information is carefully managed to protect your privacy rights in accordance with Data Protection law.
Are There Any Other Appropriate and Suitable Safeguards?
Personal data may only transferred if appropriate safeguards are provided and on the condition that enforceable data subject rights and effective legal remedies are available. Appropriate safeguards may include:
We will keep information relating to you for only as long as required to provide you with access to supports and services. DSP has an overall policy that states that certain personal data will be kept at least for the lifetime of a customer. There are a number of reasons for this.
The main reasons are that we need to keep your social insurance contribution data to figure out what benefits you might be entitled to in the future, for example, the State Pension. Some of these entitlements may even pass to your dependents. Also, we must keep any past claims information in case there might be future appeals where we may need to refer to the original documents (or scanned copies of these). In addition original documentation, including photographic images underpinning identity authentication ( SAFE registration) are retained for the purpose of internal audit requirements or instances where an offence may be subsequently investigated or prosecuted under either Social Welfare or Criminal Justice legislation.
We must also adhere to the rules of the National Archives’ Office for disposal of records and various other administrative and legal requirements.
However, the GDPR states that we cannot store any information for longer than is required and therefore each business area is also responsible for the data that it collects, for business reasons, which doesn’t need to be retained indefinitely.
It would normally be the case that such data is deleted after 7 years, in accordance with the national archives rules that apply to the business area, but each area will consider the issues affecting the storage of personal data.
Where data is captured and required for specific reasons and does not need to be retained beyond a set timeframe, then this data will be deleted as soon as its purpose has been served. An example of this is where the department may generate customer lists for invitations to jobs fairs. These lists would then be deleted once the event that they were prepared for has concluded.
Will Your Personal Data Collected Be Used For Any Other Purposes?
As mentioned earlier, we are allowed by law to collect and process personal data for a range of reasons. We are also allowed to collect your data for a specific reason and use it for another related purpose. This is because the department provides a wide range of related services and it would be impractical for us to keep asking you for the same information over and over again. Again, the Social Welfare Consolidation Act allows us to collect information for a specific purpose and use it for related purposes – for other schemes and supports offered by the department in the area of Social Protection, or for statistical purposes.
An example of this is that information may be supplied by a customer for a Jobseekers claim, but this information may be used to later provide education or training supports. In this way, we will be better able to help this customer to find another job.
Another example is that information that may be provided by a customer for a State Pension and this information might be used to allow the customer to receive a free-travel pass or a household benefits package.
All our customers (data subjects) have certain rights under EU (General Data Protection Regulation or GDPR) and Irish data protection legislation:
The Right to Access to Your Personal Data (The Information That We Have On You)
You are entitled to ask us for copies of any of your personal data that we have collected and stored. Such requests can be submitted in writing or by e-mail to the Data Protection Officer at the address listed above. You will understand that we may need to verify your identity before we deal with any request for copies of your personal data. Under the GDPR, we normally have 30 days in which to process these requests.
The Right to the Correction of Incorrect Personal Data Held By The department And The Right To Object To The Processing Data Which May Be Incorrect
We always try to make sure that the information we have about you is accurate and up-to-date. Sometimes we may ask you to verify this information. If your information changes or you believe that we have information which is not up-to-date, please let us know.
You are entitled to ask the department to update any incorrect personal data that we may have in relation to you. We are always happy to do so, once we again verify your identity. We cannot allow anyone else but yourself to update your personal data, unless you have a fully authorised personal representative.
The Right to The Erasure of Personal Data
As mentioned, the department has an overall data retention policy that states that some customer data may be retained indefinitely, for various reasons. Where data is held or required for the ongoing administration of social security, then this data will not be subject to erasure, even if requested by the data subject.
However, each business area should only retain data for as long as is required for the purpose for which the data was collected. You have the right to seek that the department deletes any information which is not required, for ongoing business reasons, to be retained indefinitely.
The Right to Object To Automated Decision Making By the department
The GDPR gives you the right to object to automated decision making by DSP computer systems, where there is a legal or significant impact on you as a customer. An automated decision is a decision which is made entirely by a computer system, without the intervention of one of our officers.
We do use a number of automated processes, but in all cases, the automated decision is limited to successful awards. You will only receive an automated notification if you have been successful in your claim. This means, where a computer system indicates that you may not qualify for a payment, the computer will refer your application to one of our officers for checking and if you have been unsuccessful, it is that officer who will correspond with you, not the machine.
In this way, there is no situation in the department where a customer will be refused payment by a machine, or computer system. In addition, customers always have the right to appeal against a decision made by the department.
The Right to Data Portability (The Right to Receive Your Data From One Controller To Send It To Another)
Data subjects (customers) have the right to request their data from one controller, so that it can be given to another controller (company). This right is relevant to organisations such as utilities, financial institutions or even social media sites with which you have a contract and where you may wish to seek to change provider or possibly get a better deal.
This right says that you can get your personal data in a structured, commonly used, machine-readable format to pass on to another organisation. In the event of any customer asking for their rights under data portability, the department may have to ask for what specific data is required but we will try to provide the information as quickly as possible.
The Right to Be Notified of a Data Breach
As a customer, we are also obliged to let you know when your personal data may have been lost, destroyed or given to a person or organisation who shouldn’t have received it.
The Department of Social Protection (DSP) has a range of security measures in place to protect your personal data. It would be very rare that one person’s personal data would accidentally be sent to another person or where any of the personal data stored by DSP would be lost or stolen.
However, in the unlikely event that a data breach happens, the department will write out to you to confirm what happened and which of your data was affected. We will also inform the Office of the Data Protection Commissioner, should they wish to undertake an investigation.
How to Get In Touch With Us?
If you have any queries about this policy, please contact the Data Protection Officer (DPO). The DPO for the department can always be contacted at DPO@welfare.ie
The department works hard to handle your data responsibly and we take our data protection responsibilities seriously. If you are unhappy about the way that we do this, please contact the DPO. We hope that the DPO will be able to address any concerns that you have.
However, you also have the right to complain to the Office of the Data Protection Commissioner (ODPC). The ODPC can be contacted at:
How Can You Exercise Your Rights?
We must allow you to use the rights outlined above. You can make a request under any of these rights by contacting the department’s DPO at this address:
We may need you to confirm your identity first, as we cannot give your personal data to others.
Once we have verified your identity, we will seek to get the information that you have requested as soon as possible. However, we are committed to updating you on our progress within 30 days.
For complex requests or where there are large numbers of requests, we can extend our time to respond to you by a further 60 days (two months), but we must tell you we are going to do this within the first 30 days, together with the reason for the delay. If we are not going to respond to your request we must tell you this within 30 days. We must remind you that that you have the options of complaining to the ODPC.
If you make an electronic request, we must respond to you electronically, unless you prefer otherwise.
Anything we do in response to your request and any information we give you must be free. If you make excessive requests (e.g. make the same one repeatedly) or your requests have no basis in fact, we may either charge you a fee or refuse to act on it. We will not charge you a fee where you have made a mistake, such as the wrong location, but will not act on your request.
Due to the size of the organisation, we may ask you to clarify your request. You can help us to fulfil your request about personal data by being as specific as possible particularly about your dealing or contacts with us.
If you would like any more information on how an area of the department works and what is required to make a decision on a claim or service, then please go to our website.
Information on each of our schemes includes operational guidelines.
Primary legislation (all as amended)
Social Welfare Consolidation Act, 2005 | the Comhairle Act, 2000 |
the Protection of Employees (Employers’ Insolvency) Act 1984; | the Civil Registration Acts 2004 – 2014 |
the Pensions Act, 1990; | the Gender Recognition Act, 2015 |
Citizens Information Acts 2000 - 2007 | Redundancy Payments Act, 1967 |
Key secondary legislation (statutory instruments)
S.I. No, 142 of 2007 - Social Welfare (Consolidated Claims, Payments and Control) Regulations 2007 |
S.I. No. 412 of 2007 - Social Welfare (Consolidated Supplementary Welfare Allowance) Regulations 2007 |
S.I. No. 102 of 2007 - Social Welfare (Consolidated Occupational Injuries) Regulations 2007 |
S.I. No. 312 of 1996 - Social Welfare (Consolidated Contributions and Insurability) Regulations 1996 |
S.I. No. 108 of 1998 – Social Welfare (Appeals) Regulations 1998 |
S.I. No. 188 of 1998 - Social Welfare (Rent Allowance) Regulations 1998 |
Following an investigation conducted under the Data Protection Acts 1988 and 2003, the Data Protection Commission found that insofar as information was previously provided in relation to processing of personal data for the purposes of SAFE 2 registration and the issuing of PSCs this did not satisfy the requirements of Section 2D of the Acts in the following respects:-
(1) Section 2D(2)(d) of the Acts insofar as data subjects were not provided with:
(a) information as to the potential consequences of any failure on their part to update such of their personal data as was provided by them to the Minister in the context (and/or for the purposes) of SAFE 2 registration; and,
(b) information concerning the circumstances in which personal data provided by them to a public body other than DSP would in turn be passed by that public body to the Minister and used by the Minister to update the PSI dataset;
and,
(2) Sections 2D(2)(c) and 2D(2)(d) of the Acts, insofar as data subjects have not been provided with sufficient information concerning the purposes and justification for the indefinite retention by the Minister of documents and/or information containing or comprising their personal data, to the extent that any such documents and/or information were provided by data subjects to the Minister to verify their identity in the context (and/or for the purposes) of SAFE 2 registration.