Decision
Mr. X and Department of Social Protection
From Office of the Information Commissioner (OIC)
Case number: OIC-200017
Published on
From Office of the Information Commissioner (OIC)
Case number: OIC-200017
Published on
Whether the Department was justified, under section 15(1)(a) of the FOI Act, in refusing access to records relating to the processing of PPS Numbers and Public Services Cards outside of statutory settings, on the ground that relevant records do not exist.
14 April 2026
On 13 October 2025, the applicant made a request for access to seven categories of records held by the Department relating to governance surrounding the processing of PPS Numbers and Public Services Cards. The request was for the following:
1. Policies and Procedures – Any current or historical policies, procedures, or internal guidance documents concerning the use, verification, or display of Personal Public Service Numbers (PPSNs) or Public Services Cards (PSCs) in environments outside Department-controlled premises, such as shopping centres, hotels, outreach events, or recruitment and training fairs;
2. Staff Guidance and Training – Any instructions, training materials, or internal correspondence issued to staff or contractors regarding the collection or processing of PPSN or PSC data in such informal or semi-informal settings, particularly where such processing is not explicitly authorised by statute;
3. Risk Assessments and DPIAs – Any risk assessments, Data Protection Impact Assessments (DPIAs), or internal reviews concerning the risks associated with the use or verification of PPSN/PSC data outside statutory or departmental premises;
4. Control and Oversight – Any records describing the steps taken by the Department to prevent PPSN or PSC data from being used to create unauthorised databases or personal profiles, including those maintained informally by individual officials or contractors for purposes such as personal follow-up, monitoring, or administrative convenience;
5. Informal Systems and Shadow Data – Any records identifying the existence or management of informal systems used to store or process PPSN/PSC data, including but not limited to spreadsheets, locally stored files (e.g. Microsoft Excel or Access), or self-created databases. This includes any audits, reviews, or disciplinary findings where such systems were identified;
6. External Events and Partners – Any agreements, correspondence, or memoranda with third-party venues or event organisers where PPSN/PSC data has been used or checked for identity or attendance purposes outside the Department’s statutory remit; and
7. Preventive and Enforcement Measures – Any policies, technical controls, or disciplinary measures designed to detect or prevent unauthorised use, copying, or retention of PPSN or PSC data by individual officials or contractors.
The applicant emphasised that his request did not concern formal statutory settings such as post offices, banks, or other bodies explicitly authorised by law to use or verify PPSN/PSC data but informal or semi-informal contexts where such identifiers may have been requested, viewed, or processed without an explicit legal basis, including situations where citizens may have felt compelled to provide them.
On 11 November 2025, the Department refused the first part of the applicant’s request under section 15(1)(d) of the Act, stating that records containing information pertinent to this category were publicly available and providing a link to the relevant section of the Department’s website. The Department refused the remainder of the applicant’s request under section 15(1)(a) of the Act.
On 19 November 2025, the applicant made a request for an internal review of the Department’s original decision, stating that the publicly available records indicated by the Department did not correspond to what the first part of his request had sought. The applicant also stated that the Department’s decision did not provide search details relating to its reliance on section 15(1)(a).
On 10 December 2025, the Department affirmed its original decision to refuse access to the requested records, however this time appearing to rely only on section 15(1)(a).
On 11 December 2025, the applicant applied to this Office for a review of the Department’s internal review decision.
During the course of this review, the Department initially confirmed that it wished to continue relying on section 15(1)(d) for Part 1 of the applicant’s request but subsequently revised its position, saying that it wished to rely on section 15(1)(a) for the entirety of the request. It said that the applicant’s request seeks records concerning contexts in which PPSN/PSC processing takes place without an explicit legal basis, but that the Department only processes such data with an explicit legal basis. The Department explained that its initial reliance on 15(1)(d) had been driven by a desire to point the applicant to as much useful information as possible, but that upon consideration, this was not correct.
I have now completed my review in accordance with section 22(2) of the FOI Act. During the course of this review, the Investigating Officer provided the applicant with details of the Department’s submissions and offered him an opportunity to respond, which he duly did. While I do not intend to repeat either the Department’s submissions or those of the applicant in full here, I can confirm that I have had regard to both for the purposes of this review. I have decided to conclude this review by way of a formal, binding decision.
The Department refused Parts 2-7 of the applicant’s request for further records under section 15(1)(a) of the FOI Act, because it considers that the requested records either do not exist or cannot be found. This review is therefore concerned with whether the Department was justified in refusing to grant access to records under section 15(1)(a) of the FOI Act.
As outlined above, the Department also initially refused the first part of the applicant’s request under section 15(1)(d), maintaining that the requested information is in the public domain. However, the Department subsequently withdrew its reliance on section 15(1)(d), indicating that it wished to rely on section 15(1)(a) alone for the entirety of the applicant’s request.
Consequently, this review is solely concerned with whether the Department was justified in refusing to grant access to records for all parts of the applicant’s request under section 15(1)(a) of the FOI Act.
Before I address the substantive issues arising, I would like to make a number of preliminary comments.
Firstly, in his application to this Office, the applicant said that he was unhappy that the Department holds no governance records for PPSN and Public Services Card processing outside statutory settings. He said that the absence of these records leaves citizens exposed to identity theft and system misuse. It is important to note that this Office has no remit to investigate complaints or to adjudicate on how FOI bodies perform their functions generally. Furthermore, a review by this Office is not concerned with the question of what records should exist. If a record does not exist, that is the end of the matter, regardless of the applicant’s views as to the appropriateness or otherwise of the absence of certain records.
Secondly, during the course of the review, with regard to the Department’s position that no relevant records exist for Part 1 of his request, the applicant said that he wished to raise a separate issue concerning transparency obligations. He said that the identity of the data controller is statutory information under Article 13 of the GDPR and must be provided to data subjects and that, in this context, the Department has not clearly identified the data controller in relation to the processing in question. He said that this is a legal requirement, not a discretionary matter, and that the absence of this information raises concerns as to whether the processing was conducted in compliance with transparency obligations. He said that if the Department maintains that no records exist, it is unclear how it can also fail to identify the controller responsible for the processing. I would like to remind the applicant that this Office’s review is solely concerned with the 2014 FOI Act and that it is not within this Office’s remit to consider the GDPR.
Finally, I must address an aspect of the scope of the applicant’s request. As outlined above, there are seven parts to the applicant’s request, each seeking various categories of records relating to use/processing of PPSN/PSC data. As also explained above, the applicant clarified the scope of the whole request in a summarising paragraph. He writes:“For clarity, this request does not concern formal statutory settings such as post offices, banks, or other bodies explicitly authorised by law to use or verify PPSN/PSC data. It concerns informal or semi-informal contexts where such identifiers may have been requested, viewed, or processed without an explicit legal basis, including situations where citizens may have felt compelled to provide them.” The applicant seems to distinguish between formal/statutory settings on the one hand and informal (or semi-informal)/non-statutory settings on the other. It appears that he considers that formal settings such as banks or post-offices are explicitly authorised by law to use or verify PPSN/PSC data, whereas processing in other semi-informal/informal settings is not explicitly authorised by the law.
The Department for its part maintains that it does not process PPSN/PSC data outside of settings where there is no explicit legal basis for doing so. In the absence of evidence to the contrary, I have no reason to doubt the accuracy of the Department’s position in this matter. I must therefore conclude that the applicant’s understanding is incorrect.
Nevertheless, I believe that the apparent confusion in the applicant’s understanding makes the scope of his request somewhat ambiguous. It could be understood as seeking records relating to processing outside of “formal” settings (such as Department premises, banks, etc.) or as seeking records relating to settings in which there is no explicit legal basis for processing. The Department has confirmed that it interpreted it in the latter sense. Having considered the wording of the applicant’s request, I believe that it was reasonable for the Department to interpret it in this way. My decision will therefore proceed on this basis. Consequently, I believe that those parts of the request in which the applicant mentions such informal settings must be understood as only referring to settings in which there is no explicit legal basis for processing PPSN/PSC data.
Section 15(1)(a) of the Act provides for the refusal of a request where the records sought do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken. The role of this Office in a case such as this is to review the decision of the FOI body and to decide whether that decision was justified. This means that I must have regard to the evidence available to the decision maker and to the reasoning used by the decision maker in arriving at his/her decision and also must assess the adequacy of the searches conducted by the FOI body in looking for relevant records. The evidence in “search” cases generally consists of the steps actually taken to search for the records along with miscellaneous and other information about the record management practices of the FOI body, insofar as those practices relate to the records in question.
In its submissions to this Office, the Department said that it had responded to the applicant’s request on the basis that PPSN and PSC data cannot be used without an explicit legal basis. The Department provided some background on the use of PPSNs and PSCs, saying,inter alia , that section 262 of the amended Social Welfare Consolidation Act (SWCA), 2005, allows the PPSN to be used by a specified body in certain limited ways in the course of a transaction with a member of the public. The Department said that the Register of Users of the PPS Number sets out all bodies legally authorised to use the PPSN, along with the statutory provisions under which such use is permitted. According to the Department, every relevant body is obliged to comply with the requirements of the SWCA 2005 in relation to the use of the PPSN/PSC, as well as the body’s own obligation to comply with the requirements of the Data Protection Act 2018 and GDPR. The Department said that, as data controllers in their own right, it is incumbent on all specified bodies to comply with data protection law and to act in compliance with relevant legislation.
The Department also provided information on how it deals with inappropriate usage of PPSNs. The Department said that it is a data controller and a specified body as outlined in the SWCA 2005 and that it is also obliged to comply with data protection legislation. The Department said that, where inappropriate use is brought to its attention, it writes to the relevant employer or organisation explaining why its action is inappropriate, requesting it to take whatever steps are necessary to remedy the situation and asking it to advise the Department’s Client Identity Services when these steps have been completed.
The Department said that, as it does not process data outside of settings where there is no explicit legal basis, the records requested by the applicant do not exist and have never existed. The Department focused on each part of the applicant’s request separately, explaining why the records sought do not exist. It said,inter alia , that there is no collection or processing of PPSN/PSC data in the informal settings described, that staff do not retain information on an unauthorised basis, only being permitted to use data for lawful departmental work and through official Department systems, and that the Department’s Privacy Statement and the SWCA 2005 are the only instruments that set rules for the authorised use and protection of PPSN/PSC data.
The Department said that, notwithstanding the fact that the request was for records which were highly unlikely to have ever existed, a comprehensive internal and cross-departmental search was undertaken, the results of which re-affirmed that the Department does not engage in PPSN or PSC processing beyond its statutory functions and that it would therefore not create or hold records of the type described in the applicant’s request. According to the Department, these searches confirmed that no such records have ever been internally created or exist.
The Department provided a breakdown of the steps undertaken by its Employer Relations Division (ERD), Client Identity Services, Finance Unit and Data Protection Unit to locate relevant records. The Department said that, between 15 and 24 October 2025, its ERD undertook consultations with internal staff who searched and confirmed that no documentation was ever created on the matters referenced in the applicant’s request. The Department said that reasonable and proportionate searches were carried out across shared network drives, divisional electronic folders and Department-issued workstations. The Department added that PPSN/PSC-related guidance specific to job fairs was searched for and confirmed as never having been documented or disseminated. The Department stated that, on 30 October 2025, its Client Identity Services unit, its Finance Unit and its Data Protection unit were all consulted and asked to consider the request in the context of any records that might fall within their areas of responsibility and to confirm whether any material relevant to the request existed. Finally, the Department said that on 4 December 2025, its ERD re-engaged with senior staff members with substantial institutional knowledge and experience who searched and confirmed that no documentation was ever created on the matters referenced in the FOI request. According to the Department, no records falling within the scope of the applicant’s request were identified through these searches.
The Department concluded that all reasonable steps have been taken to identify any records within the scope of the applicant’s request, and that no relevant records exist.
As set out above, the Investigating Officer provided a summary of the Department’s submissions to the applicant, and the applicant provided submissions in response.
In response to the Department’s submissions, the applicant said that the scope of its searches was unclear. Listing various kinds of accounts, registers and systems that he considered ought to be searched, he said that, given the nature of the request, governance and compliance records may reasonably be expected to exist outside of shared drives. The applicant also said that it was unclear to him whether listed kinds of records typically generated by training and compliance programmes were searched. With regard to the Department’s statement that no PPSN or PSC guidance specific to job fairs was ever created, the applicant requested clarification on whether relevant email correspondence, communications or other documentation were searched or examined.
The applicant also questioned the Department’s position that the requested records never existed. He said that, in circumstances involving the use of PPSN and PSC data, governance documentation would ordinarily be expected to exist independently of any confirmed breach. He asked this Office to examine the evidential basis on which the Department concluded that no risk assessments were ever conducted, no internal reviews were ever documented, no compliance oversight documentation was ever created and no guidance, however informal, was ever issued.
The applicant said that he was not asking this Office to determine what records ought to exist, but whether the Department has demonstrated that all reasonable steps were taken to identify records falling within the scope of his request. The applicant submitted that further clarification of the Department’s search methodology was warranted.
When notified of the Department’s revised position regarding Part 1 of his request, the applicant said that his request was expressly framed to capture informal or semi-formal contexts, which, he said, includes situations where identifiers may have been requested, handled, or observed outside of formally defined processes. He said that the Department’s response does not engage with this distinction. He said that he has been told by a Department representative that attendance at such events is recorded and may affect eligibility for Jobseeker’s Allowance, which, the applicant argued, shows that records must exist. The applicant also said that, on two occasions, he was instructed by the Department through its Circulator system to bring his PSC to an event, which, he says, shows that the use or presentation of a personal identifier formed part of the operational context of the event. The applicant also argued that the Department had not provided search details and that its subsequent reliance on section 15(1)(a) for the entirety of the request represents a material change in position which has not been adequately explained.
The Investigating Officer asked the Department further questions regarding Parts 4, 5 and 7 of the applicant’s request. In response, the Department provided two records which it said it now considered relevant to Parts 4 and 7 but did not say whether it was prepared to release these records to the applicant. The Department also said that, where a contract exists with any section of the Department, the respective responsibilities of both the contractor and the Department, regarding handling of personal data including PPSN, are set out in the relevant executed contractual agreements. With regard to Part 5 of the request, the Department reiterated that it considers that no relevant records exist. According to the Department, its final response was based on a search of Employer Relations records and consultation with Client Identity Services, which confirmed that it does not hold any further relevant records. The Department said that it had focused on the area most directly connected to the matters in question but that its Client Identity Services section has advised that further consultation could be undertaken with other units of the Department, in particular with the Internal Audit and Data Protection sections. The Department said that this consultation would require at least an additional week to complete.
According to the Department, records relating to Parts 1-3 and 6 do not exist and have never existed because it does not engage in PPSN/PSC processing outside of statutory settings. Having regard to the information before this Office, and in the absence of any evidence to the contrary, I have no reason to dispute the Department’s position that it does not process PPSN/PSC data in the settings described by the applicant in these parts of his request. In my view, the scope of Part 6 is clearly limited to non-statutory settings. While the applicant has argued that his request was expressly framed to capture informal or semi-formal contexts and while Parts 1, 2 and 3 of the request apparently seek to differentiate between informal and statutory settings, as noted in the Preliminary Matters section above, I consider that the applicant’s clarifying statement can be read as effectively limiting the scope of Parts 1, 2 and 3 to non-statutory settings and that it was therefore reasonable for the Department to interpret it as such. Further, the Department has made it clear that, whether the setting is formal or informal, all processing it carries out is done on an explicit legal basis.
Having carefully considered the matter, I have no reason to contest the Department’s assertion that the records requested by the applicant in Parts 1-3 and 6 do not exist and have never existed. As such, I see no reason to require the Department to carry out further searches for records in relation to these parts. Accordingly, I find that the Department was justified in refusing Parts 1-3 and 6 of the applicant’s FOI request under section 15(1)(a) of the Act on the basis that the records do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken.
With regard to the other three parts of the request, while the Department initially said that no relevant records exist, it subsequently acknowledged that it does hold two records which it would appear to consider to be relevant to Parts 4 and 7 of the applicant’s request. In addition, while the Department said that it had carried out further searches in its Employer Relations section, in consultation with Client Identity Services, for records relating to Parts 4, 5 and 7, it accepted that further consultation could be undertaken with other units of the Department, most particularly with two named units.
In the circumstances, while I acknowledge that the Department has provided certain information about the searches it said it carried out to find records relevant to Parts 4, 5 and 7, I am not satisfied that the level of detail given by the Department with regard to these searches is sufficient for me to conclude that it has undertaken all reasonable steps to locate the records requested. It would appear that, at a minimum, the further searches which the Department has undertaken in the course of this review have resulted in two relevant records being found. Therefore, I simply cannot find that the Department was justified in effectively refusing access to further records relating to Parts 4, 5 and 7 of the applicant’s request under section 15(1)(a) of the FOI Act.
Having carried out a review under section 22(2) of the FOI Act, I hereby vary the Department’s decision. I affirm the Department’s decision to refuse access to records relating to Parts 1-3 and 6 of the applicant’s request under section 15(1)(a) of the FOI Act. However, I find that the Department was not justified in refusing records relating to Parts 4, 5 and 7 under section 15(1)(a) and direct it to undertake a fresh decision in relation to these parts of the applicant’s request.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.
Mary Connery
Investigator