What data does MyGovID actually collect?

Ask people what data MyGovID holds about them and the most common answer is "I don't know". This page documents what the Department of Social Protection actually stores about a verified MyGovID account, based on Subject Access Request responses from real account holders. We're publishing a structured summary of what an SAR response should contain, with annotations on what each item means.

The short version

• A verified MyGovID account is linked to a substantial Department of Social Protection identity record that goes well beyond what you typed into the registration form.
• The data covers identity attributes, login activity, services accessed, and (for app-verified accounts) document and biometric data captured during verification.
• Some of the data has been the subject of DPC findings of unlawful processing — particularly the indefinite retention of identity-document scans submitted during SAFE registration.
• You have a right to a copy of all of it. Free. One-month response deadline. Use our SAR template.

What the Department holds, in eight categories

1. Identity attributes

Field	Source	Notes
Full legal name	SAFE registration or app verification	Must match the document(s) you submitted.
Date of birth	Same	Used for age-related entitlements and verification.
Place of birth	Same	For Irish citizens, often "Ireland" without finer detail.
Gender	SAFE registration	As recorded on the documents you submitted.
Current address	SAFE registration + welfare records + updates	Linked to revenue, welfare and PSC card production.
Mother's birth surname	SAFE registration	Historically used as a knowledge-based authentication factor.
Nationality / citizenship status	Documents submitted	Particularly relevant for non-Irish/UK applicants.

2. PPS number and linked records

Your Personal Public Service Number is the anchor. Through it, the Department holds:

• Your tax record (linked to Revenue under specific data-sharing arrangements).
• Your welfare history (any payments received, claims made).
• Your free-travel scheme record, if applicable.
• Cross-references to other state services that use the PPS number (SUSI, NDLS, etc.).

3. Photographs and signature

Captured either at the SAFE appointment (high-resolution digital photograph + digital signature) or via the MyGovID app (document photograph + selfie + liveness video). These are retained on Department systems even after the physical Public Services Card has been produced.

4. App-verification data (if you used the app to verify)

Item	What it is
Document images	Photographs you took of your passport / national ID / driving licence during verification.
Selfie / liveness video	The face-capture used to match against the document photograph.
Document data extracted by OCR	Machine-readable zone text from the document.
Verification decision metadata	Whether verification was approved, score, reasoning.
Device identifiers	Phone make, OS version, app version at the time of verification.

5. Account metadata

• Email address (the account username).
• Recovery email (if set).
• Phone number used for 2FA.
• Password hash (not the password itself).
• Date the account was created.
• Date of verification (separately).
• Account status (basic / verified / locked).

6. Activity logs

For each login session, the Department typically holds:

• Date and time.
• Device or browser user-agent.
• IP address.
• Service accessed via single-sign-on (Revenue, MyWelfare, NDLS, etc.).
• Success or failure of the authentication.
• Failure category (wrong password, expired 2FA code, etc.).

Retention of these logs has historically been a point of contention with the DPC; current published retention periods should be in the Department's published Records of Processing.

7. Cross-government data sharing records

Where your MyGovID was used to sign into another service (e.g. Revenue), the Department maintains a record of the assertion sent to that service. Typically minimal — confirmation that you are who you say you are — but the existence of the assertion is logged.

8. Free-text notes, internal memos, correspondence

Often missed in SAR responses. If you've ever phoned MyGovID support, emailed them, or attended an in-person appointment, the Department may hold case notes about you. These are personal data and should be included in any complete SAR response. Push back if they're missing — see our SAR walkthrough.

What the Department typically does NOT hold

• The content of your tax returns (Revenue holds these separately).
• Your medical records (HSE holds these separately, even if the HSE Health App uses MyGovID for sign-in).
• Your banking transactions (banks hold these separately, even when KYC referenced state ID).
• Your social-media activity (the Department has no access to platforms' user data even when MyGovID-based age verification arrives).

The MyGovID identity record is the trust anchor for many things, not the storage location for them.

The 2019 DPC finding that matters most

The DPC's 2019 investigation found that the Department was retaining identity-related personal data — including documents submitted at SAFE registration — indefinitely and without a lawful basis. The DPC ordered the deletion of unlawfully retained data. Compliance has been partial; some retention practices have been tightened, others have not. If your SAR response includes documents you submitted at a SAFE registration in 2014, the question is whether their continued retention has a lawful basis today. See DPC ruling explained.

How to actually see your record

Use our Subject Access Request template. Address it to the Department's Data Protection Officer (contact on gov.ie). Specifically ask for:

1. The categories listed above (paste the categories into your SAR).
2. The internal audit log of which Department staff (by role, not name) have accessed your record over the past two years.
3. The records of any data-sharing assertions sent to other state services.
4. The retention period or criteria applied to each category.

What to do with what you find

• Rectification: if anything is inaccurate, file a rectification request under Article 16 GDPR.
• Erasure: in narrow circumstances (e.g. documents retained without lawful basis), file an erasure request under Article 17.
• Complaint: if you believe processing is unlawful, file a complaint with the DPC. See how to file.

If your SAR response is incomplete

Common omissions — annotated SAR responses we've reviewed show these are routinely missing on first response:

• Internal correspondence and case notes.
• Recordings of calls you made to support.
• Audit logs of staff access.
• Records of data sharing with other state bodies.
• App-verification document images (retention beyond initial verification).

Each one is personal data and you have a right to a copy. Reply specifically asking for each missing category. If they refuse, file a DPC complaint.

Related

• Subject Access Request template
• DPC complaints walkthrough
• DPC ruling on the PSC, explained
• MyGovID hub