GDPR and Social welfare

lifeandtimes

Hi,

I have a question regarding the new European GDPR that is due to come into effect in May.

Part of this new legilsation details:

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Say someone had signed up to avail of a social welfare benifit before, would they be within their rights to contact the social welfare to ask for some or all their details to be removed.

Example: someone receive unemloyment benifit for a time and now wishs that the information held on them regarding that time is withdrawn?

Or if someone signed up to get paternity benifit and need to provide information of the thep ublic service card but no longer wish to have their details stored can they be removed?

To take it one step further could someone ask for their enitre details held to be remove from the government body ultimately removing their ppsn?

The only identities i can see that this doesnt effect is the courts.

Can anyone provide further insight into how far people can go with this?

Clareman

lifeandtimes wrote: »

Hi,

I have a question regarding the new European GDPR that is due to come into effect in May.

Part of this new legilsation details:

Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects' rights to "the public interest in the availability of the data" when considering such requests.

Say someone had signed up to avail of a social welfare benifit before, would they be within their rights to contact the social welfare to ask for some or all their details to be removed.

Example: someone receive unemloyment benifit for a time and now wishs that the information held on them regarding that time is withdrawn?

Or if someone signed up to get paternity benifit and need to provide information of the thep ublic service card but no longer wish to have their details stored can they be removed?

To take it one step further could someone ask for their enitre details held to be remove from the government body ultimately removing their ppsn?

The only identities i can see that this doesnt effect is the courts.

Can anyone provide further insight into how far people can go with this?

You have the right to have your data erased or to amended to keep it accurate, there is also a requirement for the data controller to retain data only which is necessary.

I think this case study is a good reference point for your examples, if someone avails of Social Welfare there would be a requirement for the department to keep a record of the payments as these happened.

The whole public services card is a Data Protection nightmare and I would think it would be best to wait for the ruling of the DPC on it BUT I would imagine that there would be a requirement to capture at least the data below

• Name
• Address
• PPS
• Date of birth
• Location of payment
• Amount of payment

The weakest form of legal rights for data processing is consent so if an organisation is relying on consent to process the data the consent can be removed at any time, if there is another legal basis for processing the data then that can be used.

lifeandtimes

Clareman wrote: »

You have the right to have your data erased or to amended to keep it accurate, there is also a requirement for the data controller to retain data only which is necessary.

I think this case study is a good reference point for your examples, if someone avails of Social Welfare there would be a requirement for the department to keep a record of the payments as these happened.

The whole public services card is a Data Protection nightmare and I would think it would be best to wait for the ruling of the DPC on it BUT I would imagine that there would be a requirement to capture at least the data below

• Name
• Address
• PPS
• Date of birth
• Location of payment
• Amount of payment

The weakest form of legal rights for data processing is consent so if an organisation is relying on consent to process the data the consent can be removed at any time, if there is another legal basis for processing the data then that can be used.

Thanks for your comment, its very helpful.

It will be interesting to see waht happens in may when this all comes into effect, particularlly with the public service card because as you have said it is currently a nightmare where data protection is confirmed.

I would be of the belief they would need to keep records of the payments for a short period of time to ensure now fraud is happening but after a time i cant see why they would need to keep it indefinitely

Clareman

lifeandtimes wrote: »

Thanks for your comment, its very helpful.

It will be interesting to see waht happens in may when this all comes into effect, particularlly with the public service card because as you have said it is currently a nightmare where data protection is confirmed.

I would be of the belief they would need to keep records of the payments for a short period of time to ensure now fraud is happening but after a time i cant see why they would need to keep it indefinitely

Data retention policies are extremely important, I would imagine you would need to retain payments history for tax purposes.

Off the top of my head, the Data Subject here would be the person receiving the payment (Customer), the Data Controller would be the Dept. of Social Protection (Dept) and the Data Processor the Dept. again for fraud protection. There would be other processors, for example An Post for payments, but I'll ignore those for now.

As part of the "contract" between the Dept and the Customer there should be a
definition of the data that's being captured, why it's being captured and how long it will be retained BUT there would be other issues to be aware of outside of Data Protection that would need to be taken into account.

lifeandtimes

Clareman wrote: »

As part of the "contract" between the Dept and the Customer there should be a
definition of the data that's being captured, why it's being captured and how long it will be retained BUT there would be other issues to be aware of outside of Data Protection that would need to be taken into account.

I wonder how this effects people who have already signed up with the social welfare, as obviously going forward (you would hope) they are getting their ducks in a line with t&cs advising all new applicants of their rights under this new legslation.

Will they be notified by letters or contacted regarding thier new rights or is it up to them to know what they are enititled to about their retention of their data

Clareman

lifeandtimes wrote: »

I wonder how this effects people who have already signed up with the social welfare, as obviously going forward (you would hope) they are getting their ducks in a line with t&cs advising all new applicants of their rights under this new legslation.

Will they be notified by letters or contacted regarding thier new rights or is it up to them to know what they are enititled to about their retention of their data

It is my understanding that by continuing to use the service that customer's automatically sign up to the T&Cs but it is up to the Data Controller to prove that consent was given so I'd imagine signs in a lot of places. I'm not sure how they'd deal with people not agreeing to the new T&Cs. I'd also imagine that they would have their data retention policy in place already and won't be just bringing in a new 1 in May.

lifeandtimes

Clareman wrote: »

It is my understanding that by continuing to use the service that customer's automatically sign up to the T&Cs but it is up to the Data Controller to prove that consent was given so I'd imagine signs in a lot of places. I'm not sure how they'd deal with people not agreeing to the new T&Cs. I'd also imagine that they would have their data retention policy in place already and won't be just bringing in a new 1 in May.

I dont think a few signs around the place will be considered consent under the definition on the homepage https://www.eugdpr.org/key-changes.html

Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

Will probably have people sign over consent when trying to draw their social welfare or tell them they risk losing it if they dont, just like they said with the public service card

Clareman

lifeandtimes wrote: »

I dont think a few signs around the place will be considered consent under the definition on the homepage https://www.eugdpr.org/key-changes.html

Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

Will probably have people sign over consent when trying to draw their social welfare or tell them they risk losing it if they dont, just like they said with the public service card

Consent after May will need to be clear and concise, etc. etc. but before then it doesn't have to be, it could be argued that because the Data Controller informed the Data Subject in advance of the changes that they are covered, but that would need to be challenged in the courts/DPC for confirmation. Also, I would assume that when someone signs up to receive the payments that they are agreeing to the terms of service.

I would also think that consent wouldn't need to be given for the data to be processed as there are other reasons for it, some of which could be argued are in the public interest, but this would need to go in front of the DPC.

On a side note, that site you referenced is owned and ran by a company selling software to "manage customer consent & data subject rights" so I would say get your own opinion first as IMHO a lot of these companies are simply selling their wares.

Vetch

Public bodies / statutory agencies will be relying on the legislation underpinning them to lawfully process personal data rather than consent of data subjects. 1(c), 1(e) and 3 here all apply https://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm.
The underpinning legislation might have something to say as well about data retention periods.