Alan Shatter (Dublin South, Fine Gael) | Oireachtas source

I move amendment No. 13:
In page 113, line 17, to delete “section 118(2)” and substitute “section 117(2)”.
The purpose of the substantial amendments in this group, amendments Nos. 21 to 26, inclusive, with which I will deal first, is to delete the provisions of Chapter 4 of the Bill and replace them with new provisions to more fully provide for the data protection requirements of Chapter 6 of Council Decision 2008/615/JHA of 23 June 2008.

Usually referred to as the Prum Council decision, it regulates the automated searching or comparison of DNA and fingerprint databases and the exchange of the results of such searches or comparisons by the member states and Norway and Iceland as well as dealing with the exchange of DNA profiles following a request pursuant to Article 7. Where a member state is requested to provide a DNA profile, and that profile is not available, Article 7 requires the requested state to obtain the profile.
Giving effect to the data protection provisions of the Prum decision requires both the modification of the existing data protection law as contained in the Data Protection Act 1988 and some additional new provisions. The modifications are contained in amendment No. 22 and the new provisions are contained in amendments Nos. 23 to 26. There is also a new data protection provision to be inserted into Chapter 5 in relation to mutual assistance but I will come to that later.
I will briefly outline the content of amendments Nos. 21 to 26. Amendment No. 21 replaces section 113 of the Bill, as published, with a new section 113. The section provides definitions of the key terms used in the chapter, many of which are assigned the meanings they are given in the Data Protection Act 1998, as amended. Amendment No. 22 provides for a new section 114 which sets out a number of modifications which are needed to ensure that the data protection measures in the Prum Council decision are fully applied to the processing of data supplied or received under Chapters 2 and 3 or pursuant to an Article 7 request. I will describe each of the seven modifications in turn.
The first modification provided by subsection (2)(a) inserts in the interpretation section of the Data Protection Act a small number of additional definitions. The second modification provided by subsection (2)(b) is to section 2 of the Data Protection Act and inserts additional subsections after subsection (1), the main effect of which is to ensure compliance by the data controller with the rules in respect of the correction and destruction of inaccurate or incorrectly supplied data as set out in section 116 of the Bill.
The third modification provided by subsection (2)(c) is to section 2C of the Data Protection Act. This is a substitution of subsection (1) necessitated to incorporate the security measures mandated by Article 29 of the Council decision. Fourth, subsection (2)(d) modifies section 4 of the Data Protection Act to ensure that a data subject whose data are processed under Chapter 2 or 3 of this Act, or under an Article 7 request, may access information on data held about him or her, as provided in section 4, regardless of any exemption from this right of access contained in section 5 of the Act.
The fifth modification provided by subsection (2)(e) to section 7 of the Data Protection Act addresses the duty of care owed by a data controller and a data subject’s right to damages as set out in Article 31 of the Council decision. The sixth modification provided by subsection (2)(f) to section 8 of the Data Protection Act is to ensure that the exemption in that section that applies to data processed for the investigation of crime cannot override the data protection requirements of the Prum Council decision as provided for in this Part.
The final modification provided by subsection (2)(g) is to section 9 of the Data Protection Act and appoints the Data Protection Commissioner to be the competent data protection authority in the State for the purposes of a European Union or international instrument and sets out some specific monitoring functions accordingly.
Amendment 23 inserts section 115 which sets out the limited purposes for which DNA and dactyloscopic data, and related reference data, supplied to or received from a designated state can be processed. The purposes are: comparing the data in order to find out whether there is a match of the data on the relevant database system in the State; providing automated responses to the designated state that supplied the data; entering a note of a match on the DNA database system; and creating the required records of the supply and receipt of data.
Data supplied by a designated state must be destroyed once a response is issued to the designated state unless there is a need to retain the data for mutual legal assistance purposes under the Criminal Justice (Mutual Assistance) Act 2008 or for the creation of required records. The limitations on processing are to ensure the data protection rights of an individual, whose DNA or fingerprints etc. are the subject of a search or comparison, are protected and that the data may not be processed for any other purpose other than those permitted by the European Union or international instrument under which the search or comparison occurred.
Amendment No. 24 inserts section 116 which sets down in subsections (1) to (5) obligations on a national contact point or a data controller in the case of an Article 7 request, to take certain actions where it comes to his or her attention that the data supplied for processing or received as a result of processing, are incorrect or are data that should not have been supplied to the national contact point or data controller concerned. The section provides for communication of the existence of the error between the national contact points or data controllers in the states concerned, so that the data involved can be corrected, in the case of incorrect data, or destroyed in the case of data that should not have been provided in the first place.
Subsections (6) and (7) provide that data must be destroyed in any event once the time mandated by the state in which the data originated expires. Subsection (8) provides for an exception to the requirement to destroy the data in cases where to destroy the data would be detrimental to the interests of the data subject. Subsection (9) provides for action to be taken where a data subject contests the accuracy of data and it is not possible to establish its accuracy.
Amendment No. 25 inserts section 117 which provides for the appointment of authorised officers by the national contact points. Authorised officers are those members of staff of the forensic science laboratory or the Garda technical bureau who will operate the systems for searching and comparing DNA and dactyloscopic data. Authorised officers are appointed in writing and their authorisation ceases by default once they are no longer working for the national contact point to which they were appointed. The authorisation can also be revoked by the national contact point. The section also provides for details of the authorised officers to be provided to the Data Protection Commissioner or the data protection authority in a designated state on request.
Amendment No. 26 inserts section 118 which prescribes the requirements for the creation of records that are necessary in relation to the automated processing under Chapters 2 and 3. The Prum decision sets down the information that needs to be recorded and the format of the records. The purpose of these records is to facilitate the Data Protection Commissioner in monitoring and checking the security or legality of the processing of personal data. The recorded information should include a description of the data concerned, the date and time it was supplied and a means of identifying the national contact points or authorised officers involved in the supply or receipt.
The use of these records is restricted to monitoring data protection and ensuring the data is secure. A two year mandatory time limit applies for the retention of the records created. The Data Protection Commissioner, for the purpose of his or her functions under the Act, shall be provided with the records on request. There is an obligation on the national contact points to conduct random checks of the records for the purpose of ensuring the lawfulness of the supply and receipt by them of data. I will shortly propose a similar amendment in Chapter 5 in relation to recording of Article 7 requests.
Amendments Nos. 13 and 14 are minor, technical amendments arising from the re-numbering of section 118 as section 117 and are consequential to amendment No. 25.