Data Privacy Notice for the Passport Service
The following data is specific information in relation to the personal data processed for the purpose of assessing passport applications, provision of customer care in relation to passport applications and the issuance of passports.
The personal data is being collected/processed for the purpose of verifying the identity and Irish citizenship of the applicant, and issuing passports in line with the Passports Act 2008.
The Department’s legal basis for processing the personal data of applicants is provided for by the Passports Act 2008, as amended. The Department has also identified Article 6(1)(e) of the GDPR and Section 38(1)(a) of the Data Protection Act 2018 as lawful bases for processing personal data.
Transferred outside the EU:
No data is transferred outside the EU save in the circumstances outlined in this policy below.
The data collected for this purpose will be held by the Department only as long as there is a business need to do so in line with the purpose(s) for which it was collected. In the case of passport issuance, the data will be held for 15 years after the date of issuance (the validity of the passport plus five years). After this time it will be marked for destruction and will be destroyed in line with internal guidelines or guidelines for destruction received from the National Archives Office. A minimum amount of personal data is held beyond this period for the purpose of fraud prevention in order to maintain the integrity of the system for issuing passports.
Data provision being statutory or contractual obligation:
The data provided for the purpose of issuing a passport is being requested under the requirements of Section 8(1) of the Passport Act 2008, as amended, and if the citizen chooses not to provide this information their application for a passport cannot proceed. The Department retains the right to ask for additional documentation as per Section 7(2) of the Passports Act 2008, as amended.
Passport Online Applications using a verified MyGovID account:
MyGovID is a single account that lets you access Government services in Ireland. MyGovID’s privacy statement is available on its website.
The use of a verified MyGovID account when making an online application is entirely optional. Applicants with verified MyGovID accounts can make an adult first time or renewal application by using this service. In certain circumstances, the Department may still need to verify data, provided by an applicant when making an application using their MyGovID account. The Department conducted a Data Privacy Impact Assessment (DPIA), which concluded that the integration of the Passport Online system with MyGovID was designed in a robust and secure manner, in keeping with the principle of data minimisation and does not result in a high risk to the rights and freedoms of applicants.
Automated Decision Making:
No decisions based solely on automated processing are made during the application process.
Information Sharing with Third Parties:
Section 7 Passports Act 2008
In order to satisfy the conditions set out in section 7(1) of the Passports Act 2008 with regards to the identity and/or citizenship of an applicant for a passport, the Department may verify personal data provided by an applicant with other public authorities. This includes verification against the public service identity (PSI) dataset.
The PSI dataset is defined in Section 262 of the Social Welfare Consolidation Act 2005 (as amended). The PSI dataset includes:
- Personal Public Service (PPS) Number
- Date of birth
- Place of birth
- All former surnames (if any)
- All former surnames (if any) of his or her mother
- Photographic image
- Date of Death, where relevant
- Certificate of Death, where relevant
For children born in the State and where the child’s PPSN has been provided, the Passport Service will access the child’s birth certificate directly from the General Register Office, Department of Social Protection.
The Department also receives data from the Department of Justice for the purposes of verification of the authenticity of naturalisation certificates.
In addition, the Department may request confirmation from other public authorities that a document issued by it, where such a document it provided by an applicant in support of an application for an Irish passport, is valid and the details are correct. Where this public authority is outside of the EU, such processing will take place subject to the appropriate provisions and safeguards provided for under Chapter V, GDPR.
Section 41 Data Protection Act 2018
The Department may, after deeming it both necessary and proportionate to do so in accordance with Section 41(b) of the Data Protection Act 2018, disclose information to the appropriate competent authorities for the purposes of preventing, detecting, investigating or prosecuting criminal offences.
The term ‘competent authority’ is defined in Section 69 of the Data Protection Act 2018 and this includes public authorities that are “competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State, including the safeguarding against, and the prevention of, threats to public security”.
Confirming validity of an Irish Passport
Upon request from another public authority and only where satisfied that the public authority has a legal basis for processing the information, the Department may provide confirmation that an Irish passport is valid and details are correct. Where this public authority is outside of the EU, such processing will take place subject to the appropriate provisions and safeguards provided for under Chapter V, GDPR.
The Department engages external providers to assist in the delivery of services and operations, such as the hosting of the WebChat facility.
The service provider engaged to host this service is Edgetier. Please note that, while all WebChat operators are staff of the Department of Foreign Affairs, this software solution is powered by an external party. In its provision of this service, insofar as any personal data of WebChat users is processed, Edgetier acts as a data processor for the Department.
Passport data, including contact information, may in certain circumstances and subject to the appropriate safeguards, be used by the Department of Foreign Affairs where deemed necessary for the provision of consular assistance. The lawful basis for this further processing is provided in Article 6(1)(e) GDPR, Section 38(1)(a) of the Data Protection Act 2018 and Section 1 (xi) of the Ministers and Secretaries Act 1924-2013.
Technical information on data collected:
Technical information on the cookies used on the Department’s website is available at the following link: Cookies Policy.
Last updated, April 2023.