Mr. Billy Hawkes:

On the question of whether we could be accused of soft touch regulation, in Ireland we have a culture of talking to people. That translates into explaining clearly to companies and organisations what is expected of them. Data protection is a set of principles that must be applied in particular circumstances. It is not always easy to interpret those so we see it very much as part of our duty to set out our expectations to companies and organisations. We expect them to comply with them. Organisations are left in no doubt that if they do not comply we will take enforcement action. Our law does not give us direct fining powers.

It gives us the power to order organisations to stop doing things with personal data. We use this power when we believe it is justified to do so. We also have the power in certain areas to bring companies to court, for example, for spamming, and we use it extensively. I recognise the issue raised and the importance of being seen to be a firm regulator. Culturally, as an Irish person, we have a tradition of speaking to people. The Garda Síochána is not armed, which is something I am sure all committee members support. It means a different approach vis-à-visthe State and the citizen which the committee probably wants to retain.

On the passing of data, we have been involved in the issue and it is a clear breach of data protection law. We are engaged in a detailed audit of the Garda Síochána in which this issue, among others, is being considered. We continue to have a very significant focus on high standards of data protection in the Garda Síochána because of the amount of sensitive information it holds. We show this by the detailed nature of the audit we are carrying out and regularly have contact with the Garda Síochána with a view to ensuring its obligation to protect data is fully understood and respected throughout the force. We continue to insist on this as we carry out our work.

We do not have the power to fine the Garda Síochána, but we do have the power to take enforcement action, if necessary. If we were to find a blatant example which it was not correcting - this has not happened to date - we could order it to take actions with which it would have to comply. To be fair to it, at a corporate level, it understands its responsibilities in this area. We understand the challenges in having to deal with an organisation with 13,000 members and trying to get them all into line. On what we are most focused is getting across to the culture of the organisation that it is not in order to pass on private information outside the force.