The issuing of EU Digital Covid Certificates and requirement for PPSN details: necessary and proportionate?

Source: Lawyers for Justice on Facebook

Several people have contacted us to express concern at the level of personal data required in order to obtain an EU Digital Covid Certificate of Recovery using the online gov.ie portal. In particular, in order to apply for an EU Digital Recovery Certificate online, a person must enter their PPSN as well as their date of birth and mobile phone number. This also applies to people applying for an EU Digital Covid Certificate based on vaccination if they do not receive the automatically generated Certificate.

The potential storage of private data on a central database in Ireland linking a person’s vaccination and/or proof of recovery status to their PPSN is an issue that could potentially affect ALL citizens if that information is accessed by bodies for reasons other than for the generation and issuing of EU Digital Covid Certificates. This is precisely why the most important principle enshrined under EU privacy law (the General Data Protection Regulation, 2018) is that any data processed must be necessary and proportionate, taking into account the balance of harm test.

EU DIGITAL COVID CERTIFICATE REGULATIONS

Article 10(1) of Regulation (EU) 2021/953 of the EU Parliament, on a framework for the issuance, verification and acceptance of interoperable EU Digital Covid Certificates, states that Regulation (EU) 2016/679 applies to the processing of personal data carried out when implementing the Regulation. Regulation 39 of Regulation (EU) 2016/679 stipulates that any processing of personal data should be:

‘… adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means …’

The Appendix to the EU Digital Covid Certificate Regulations lists the data that should be included in the EU Digital Covid Certificate. For example, the EU Digital Covid Certificate of Recovery includes the name, surname and forename of the person, the date of first positive test and the unique certificate identifier number.

THIS RAISES QUESTIONS AS TO WHY A PERSON IS REQUIRED TO ENTER HIS/HER PPSN TO OBTAIN AN EU DIGITAL COVID CERTIFICATE, HOW LONG THIS INFORMATION IS BEING STORED ON THE DATABASE AND WHO HAS ACCESS TO THIS INFORMATION.

By comparison, to apply for an EU Digital Covid Certificate in Germany using the Robert Koch Institute online portal, for example, the name, date of birth and unique certificate identifier are entered to generate the Certificate. There is no reference to other personal data such as a social insurance number.

Paragraph 5.2 of the Data Protection Impact Assessment Version 0.6 issued by the Government of Ireland, the Department of Health and the HSE refers to the processing of various categories of personal data required to generate and issue the EU Digital Covid Certificate such as forename, surname, date of birth, email and home address BUT NO REFERENCE IS MADE TO A PERSON’S PPSN NUMBER.

WHO ACCESSES THE DATA?

Paragraph 2.3 ‘Data Controllers and Data Processors’ lists all ‘key parties who will provide data or have access to data processed for the purpose of the Digital Covid Certificate scheme’ (see below). They include:

  • The Department of Health
  • HSE
  • Microsoft
  • IBM
  • Salesforce
  • EY
  • Accenture
  • Amazon
  • Microsoft
  • DPER (OGCIO)
  • NearForm
  • Qryptal
  • Revenue

PM us or email us on lawyerforjustice@yahoo.com for further assistance.