A database that stored information on when and where free travel passes were used was in place at the Department of Social Protection up to 2020, when it was deleted in its entirety.
This deletion occurred just three months after the then chair of the Public Accounts Committee (PAC), Minister of State Seán Fleming, requested a report from the Department on the free travel card, and two months after the Department sent this report back to PAC.
The December 2019 report, provided to Noteworthy by the Department of Social Protection (DSP), referenced the collection of this data by the Department. It stated that it received free travel (FT) pass “usage data” which “indicates that a FT Travel Pass was used at a particular time and date”.
It added that: “This data is non-identifying and does not provide journey duration or fare collected.”
However, this journey data was linked to an Integrated Ticketing System (ITS) number which the Department of Social Protection (DSP) generates for free travel customers and can be linked back to their personal details including names, addresses, photos and contact details through a separate DSP database.
Everyone aged 66 and over, as well as many carers and disabled people, can avail of the free travel scheme. That now encompasses over one million people across the country.
Noteworthy has learned that the Department has informed the Data Protection Commission of the deletion of this database as part of answers to queries following a complaint by Martin McMahon, co-founder of the Tortoise Shack podcast platform and employment status expert.
This complaint against the DSP – made by McMahon in 2019 – is now proceeding.
The Data Protection Commission (DPC) is examining the alleged excessive data gathering by the Department “through the use of the travel pass when scanning the card on different modes of transport, as well as any issues surrounding the transparency of these processing activities in this regard”.
Following a landmark ruling in 2018, the DPC already found that a public services card (PSC) should not be required to receive State services such as obtaining a driver’s licence or passport, and the Department acknowledged in December 2021 that there is no legal basis for people to be compelled to get a public services card for anything other than social welfare payments and benefits.
At Noteworthy, over the past number of weeks, our FREE DATA investigation delved into data gathering by the Department, the National Transport Authority (NTA) and a number of transport providers and can now reveal:
- Alleged excessive data gathering by the Department of Social Protection (DSP) is being examined by the Data Protection Commission
- The DSP held individual journey data of free travel pass holders it obtained from the NTA until 2020 when it deleted this database and all access records
- A data protection expert told Noteworthy that current practice indicates “there was no necessity and no legal basis for those transfers” and monitoring journeys of hundreds of thousands of individuals “would represent a profound interference” in their “privacy and data protection rights and freedoms”
- The Department no longer holds free travel journey information, but the NTA and some transport operators maintain a database of ITS numbers associated with journey times and this data is retained for more than a year
- Journey data retention is not only an issue for FT card holders as the Leap card system keeps usage records, including when a card was used, for over a year
- Between 2017 and 2021, the gardaí made 28 formal requests to the DSP and obtained information including names, addresses and photos of FT card holders
- There are a very low number of fraudulent presentations of FT passes – representing an average of 0.0004% of free travel journeys
This investigation was funded in its entirety by the Noteworthy general fund.
‘All the data has been deleted’
Key to this issue is the Integrated Ticketing System (ITS). Once a free travel card – which is integrated into a person’s Public Services Card – is produced, the Department generates an ITS card serial number which is linked to that particular card holder.
This ITS number “is the only personal data provided to the NTA by the Department”, according to a DSP spokesperson. The NTA then operates the ITS system which uses this number when card holders use their card e.g. tagging onto a bus or Luas.
A letter to the Data Protection Commission from the Department of Social Protection’s Data Protection Unit, seen by Noteworthy, stated that “prior to February 2020, information was transferred from the ITS ticket system to the Department to assess the usage of Free Travel for the administration and funding of the scheme”.
In February 2020, this data transfer arrangement was stopped by the Department. All ITS data received by the Department prior to February 2020 has been deleted.
Another recent letter from the Department seen by Noteworthy stated: “The data transferred was in respect of individual journeys. It included details of the start point of each journey but did not include details of the end point.”
The Department’s Free Travel Section Management was the data controller for this particular data transfer. When Noteworthy asked about the legal basis for it, a spokesperson said that “the rationale for the data transfer was to assist with scheme management” and cited the Social Welfare Consolidation Act and Data Protection Act.
However, in late 2019, then Minister for Social Protection, Regina Doherty, referred to this collection of travel information in a Joint Oireachtas Committee on the public services card and said “it was necessary to determine how we pay our providers” and this was “the only purpose of keeping that data”.
It was in response to Senator Alice Mary Higgins commenting that “the travel pass is another area of blanket indefinite retention”. She stated: “We have learned that the movements and journeys of over 1 million people who are on the statutory pension or have a disability are tracked.”
In response Doherty said “they are not”, and later added: “The Senator is inaccurate when she says we know the data of people’s travel journeys. If somebody gets on a train in Wexford, we know they have got on a train in Wexford and they have used their travel pass.”
Fianna Fáil TD Willie O’Dea, who supported the findings of the Data Protection Commissioner and put a number of questions to Doherty at the same Joint Oireachtas Committee meeting, told Noteworthy that collection of individual journey information “is completely inappropriate” and “was never the intention”.
He added that “the public services card shouldn’t have been used as a cover for that”.
As to what was deleted and if the deletion also included access records, a DSP spokesperson said: “In the interest of data minimisation, the data transfer arrangement ceased and all information held by the Department was deleted.”
“It is not possible to provide any further information in relation to that data… All the data has been deleted, including all audit logs. No access records remain.”
When asked if the Data Protection Commission (DPC) was notified of any breach in relation to this database, the Department spokesperson referred Noteworthy to the DPC. A DPC spokesperson said that it didn’t “have any breach notifications” in relation to this.
The Department’s letter to the DPC stated that from May 2020, it received “monthly summary-only data” from the NTA which only includes information on “the number of journeys undertaken by Free Travel cardholders, by card type (single or spouse or companion card)” and not individual journeys.
Legal basis needed
Simon McGarr of Data Compliance Europe, and solicitor with McGarr Solicitors, told Noteworthy that “between May 2018 when the GDPR came into effect and February 2020 when the Department stopped receiving data relating to individual ticket usage, the Department needed a legal basis for those transfers”.
He continued: “No legal basis is valid unless it meets the test of necessity and unless something changed in February 2020, the fact that it has stopped now, with no ill consequences, indicates there was no necessity and no legal basis for those transfers.”
Necessity and proportionality are key principles when it comes to EU law, including GDPR and the protection of personal data.
Martin McMahon, who made the complaint to the Data Protection Commission, believes that the Department could “tell exactly who was where, when” using the now deleted database.
He wants to know the amount of data that was deleted, given millions of free travel journeys are made each year. There was an average of 50 million free travel journeys made in the years leading up to the pandemic, according to NTA statistics. McMahon also feels that there was no reason to delete the access logs.
The public services card version of the free travel pass uses the Standard Authentication Framework Environment (SAFE) – a process to “establish and verify a person’s identity”, according to its website. McMahon referenced this process and argued: “The work is meant to have gone in before you show it to a driver, so why are they recording any data at all?”
Prior to the introduction of the public services card version of the free travel pass, holders used a paper pass which was shown at ticket stations and to drivers. People with valid paper passes can still use them but they are no longer being issued.
McMahon’s complaint to the DPC – made over two years ago and now proceeding – originated from a Subject Access Request to the Department to receive a copy of his personal data in relation to his own free travel card.
He told Noteworthy that the catalyst for making this request happened in June 2018 when then Secretary General at the Department of Public Expenditure and Reform, Robert Watt, called for a ban on those using free travel passes on public transport during rush hour – something that led to calls for Watt’s resignation at the time.
An Irish Independent article on the issue stated that between 8-10% “of all trips at peak times are on the free travel scheme”. McMahon then wondered how the Government had that data and made his request to the Department in early 2019 after gathering the relevant information.
The same year, Seán Fleming also raised the issue of retaining free travel journey data at the Public Accounts Committee and this was discussed a number of times in late 2019.
Journey data still retained
Though individual journey data is no longer transferred from the National Transport Authority (NTA) to the Department of Social Protection, the NTA still maintains a database of such journeys that are associated with ITS numbers.
Given this data is associated with ITS numbers it is considered pseudonymised data. However, guidance from the Data Protection Commission states that “pseudonymisation is not the same as anonymisation and should not be equated as such” and that “the information remains personal data”.
When asked about this database, a spokesperson for the NTA stated: “The way free travel-enabled PSCs [public service cards] are used varies depending on the mode of transport, and in many cases no electronic record is generated at all.” They added:
“Consequently [the] NTA does not have a complete record of all PSC journeys and has partial information for the majority of journeys.”
Irish Rail, Dublin Bus and Go Ahead Ireland stated they did not have a database associated with free travel.
However, a spokesperson for Bus Éireann stated both of their ticketing systems “record passenger journeys and generate a database of the ITS number of all transactions on our services”.
“The only employees in Bus Éireann who have access to this data are those who have a legitimate business reason,” the spokesperson said, and added that its “standard retention policy on ticketing data is that this data is stored for six years plus the current year, seven years in total”.
In addition, a spokesperson for Transdev said that Transdev Dublin Light Rail retain a record on their electronic standard fare notice database “of the number [of] Leap Cards that are checked daily on Luas”. They stated that “this information is purged after two years”.
Noteworthy focused on the main transport operators for this investigation, but many others operate the free travel scheme, including certain private bus and ferry services.
Retaining Leap card journeys
During the course of our enquiries, it became apparent to Noteworthy that the NTA and some operators also had databases relating to the Leap card – in particular the Taxsaver Leap card. When asked about retention of journeys, data protection expert McGarr told Noteworthy:
“Monitoring the journeys of travel pass users and/or Leap card holders on an indiscriminate mass basis would represent a profound interference in the privacy and data protection rights and freedoms of hundreds of thousands of individuals for years on end.”
The NTA spokesperson told us that “there is only one Leap system for all cards”. The free travel ITS number is inputted into the Leap system so that includes free travel card holders.
When asked if this Leap database can be associated with journey data for individual card holders, the NTA spokesperson said:
“The Leap system can only report that a particular card was used at a particular transport operator at a particular time. Furthermore, this record does not mean that the card was used by any specific individual, as NTA has no way of knowing who was using the card at the time it was tagged-on.”
“For customers who have registered [on the Leap system] their usage records are available for 13 months.”
This is too long, according to McMahon, who said that the purpose of this data in the case of the free travel scheme is for payment. He added that since the report is sent from the NTA to the Department on a monthly basis, “that’s all that data needs to be retained for” and “after that, it is superfluous to requirements”.
Solicitor McGarr said that “we have already seen that European law does not allow mass data retention of records of citizens in case an undefined event should occur in the future and just as this applies to mobile phone companies, so it applies to travel companies”.
When queries regarding the Leap system were put to transport operators, Irish Rail, Dublin Bus and Bus Éireann told Noteworthy that they had databases of the Leap card Taxsaver system. Transdev – who operate the Luas – have a “TaxSaver website which Customer Service Agents have access to”.
Irish Rail and Dublin Bus also have a data retention period of 13 months, but Bus Éireann are keeping this data for 18 months.
Taxsaver is a Government scheme introduced in 1999 to incentivise public transport that allows ticket costs to be deducted directly from employees’ salaries.
A spokesperson for Irish Rail said that “Taxsaver staff [Irish Rail employees] can see tag [on] and off information if they have the card number but can’t search using personal data”.
Both Irish Rail and Dublin Bus spokespersons stated that they have another separate “SAP system” to the Taxsaver database so their employees would need access to both systems “to link the information to an individual”.
When asked if their Taxsaver database associates journey data for individual card holders, a Dublin Bus spokesperson said: “Certain designated Dublin Bus employees can look up partial journey data on our SAP system. This will show electronic validations/ tag on points on Dublin Bus services only.”
They added that “with the exception of Tax Saver customers, employees cannot link the validations to a name or determine where the customer disembarked”.
A spokesperson for Bus Éireann stated that it does “not collect Taxsaver data by individual card numbers” but “by general ticket type usage”.
However, they added: “If required for investigative purposes on a customer’s behalf… the employees within Bus Éireann who administer the Taxsaver system can access raw data to get details on individual card numbers, which can be matched to a name and employer.”
Go Ahead Ireland stated it “does not administer Taxsaver tickets and does not have a database of Leap Card journeys”.
Gardaí requested free travel holder data
The Department may not have access to data associated with the ITS numbers, but written requests can be made by both the gardaí and Irish Rail to re-associate this pseudonymised number with the public service card / free travel pass holder.
In the five-year period from 2017 to 2021, the gardaí made 28 formal requests in regard to free travel, according to recent correspondence – seen by Noteworthy – from John McKeon, Secretary General of the DSP.
When asked why this information was required, a garda spokesperson referenced section 41 of the Data Protection Act which allows processing of data in cases such as “preventing a threat” to national or public security or “investigating or prosecuting criminal offences”.
They added: “An Garda Síochána does not provide specific details of activities undertaken in individual investigations.”
When asked what information was obtained by the gardaí, a Department spokesperson stated that “generally, the name and address of the Free Travel card holder” is given and “on occasion” the customer’s photo and contact details.
They added that they do not hold “details of individual journey dates and times” when asked if information that can be obtained from these requests includes journey dates and times. McKeon also stated that “the Department cannot access details of any journeys undertaken by the cardholder” when writing about these requests recently.
However, for most of the period from 2017 to 2021 – up to February 2020 – the Department did hold journey information, so it is unclear whether journey data was provided in the past.
The spokesperson stated that neither Irish Rail, any other transport provider nor the NTA had ever made a written request to re-associate ITS numbers with the free travel card holder.
There have been 95 written requests to verify the free travel card’s validity. However, when Noteworthy asked if a record of verbal requests is kept, a Department spokesperson said that it “does not record verbal requests from transport operators to verify the validity” of a free travel public services card.
Low free travel fraud
From 2010 to November 2021, almost €120 million was spent on the public service identity management framework – which includes SAFE ID verification, public service card development, production and issuance as well as MyGovID development and product.
When speaking about the implementation of the public services card in 2018, then Minister Regina Doherty argued in the Seanad that the SAFE 2 process was “introduced to protect the high value services of this and other Departments”. She stated:
“I cannot speak for other Departments, but my Department’s fraud control measures show that we are now capturing people who are providing different identities with the same face in different locations and claiming twice and three times in some cases. This assures us that one person with one identity can only get access to a scheme to which he or she is entitled.”
At the time, Senator Higgins stated that this could give the impression there was large-scale fraud but figures showed that “the amount of money lost internally through error was higher than the amount of money lost through fraud”.
Noteworthy obtained fraud figures for the free travel scheme for the past five years from the Department of Social Protection.
An average of 169 fraudulent presentations of free travel cards occurred each year over the past five years, with smaller numbers during the pandemic years – 30 in 2020 and 79 in 2021.
When Noteworthy put these fraudulent presentations against the annual free travel journeys – as reported by the NTA – between 2017 and 2020, this equated to just 0.0004% of free travel journeys during that period.
McMahon said that this low level of fraud is key as for years people have been saying that “the travel pass is abused” but “it never was”. His hope is that in the future cards are no longer scanned as he said that is the safest way to prevent data being held on people.