Oireachtas Joint and Select Committees
Thursday, 18 May 2017
Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach
General Scheme of Data-Sharing and Governance Bill: Discussion
10:00 am
Mr. Dale Sunderland:
I thank the Vice Chairman and members of the committee for the opportunity to meet to discuss the provisions of the general scheme of the data sharing and governance Bill. I am Dale Sunderland, deputy commissioner with responsibility for the consultation function of the data protection authority. My colleague, assistant commissioner Cathal Ryan, is the office's head of consultation for the public sector and health. The Data Protection Commissioner, DPC, recognises the intended benefits of the proposed Bill and is supportive of the aim of developing more efficient and customer-centric public services. We accept, therefore, the rationale for the proposed Bill in so far as it will provide a legal framework for public sector authorities to carry out the requisite analysis and balancing tests that respect the fundamental EU right of individuals to have their personal data protected. The proposed legal framework should have the benefit of providing confidence to all public sector bodies to explore and carry out legitimate data sharing opportunities.
Of itself, the sharing of data is neither good nor bad. Quite clearly, it can have benefits in some cases for the public in not having to supply the same information multiple times. In other cases, however, data sharing can lead to public bodies holding excessive and unnecessary data on individuals. In contemplating data sharing initiatives, it is important to start out with the understanding that Government does not represent one data controller under data protection law. Each Government Department has its own individual responsibilities under the law. Sharing of data between public bodies may only occur where it is provided for by law and the core data protection principles of purpose limitation and transparency, in particular, to the public are met. This fundamental principle of data protection compliance has been underscored by the ruling of the ECJ in the Bara case. Therefore, it must be clearly understood that the general scheme of the Bill before the committee cannot create a new legal basis for sharing data in any given case that does not otherwise exist. Instead, the Bill seeks to provide a process for public sector managers to assess whether sharing can lawfully occur in respect of purpose limitation and transparency and with appropriate safeguards. It is the assessment process in the proposed Bill that is key and the outcome of that assessment will dictate if sharing of data can occur and on what basis it can occur.
I emphasise that legislation on its own is not sufficient to prevail over data protection law in light of its status in the European Charter of Fundamental Rights. In accordance with the jurisprudence of the European Court of Justice, each data sharing arrangement envisaged under this Bill will require a careful balancing test to justify why the right to data protection must cede, in a proportionate manner, to the legitimate interests of the public body concerned. While the DPC welcomes the safeguards set out in the proposed Bill, we believe it would benefit from the addition of further provisions underpinning the responsibilities of public sector bodies in carrying out adequate and robust data protection assessments. The Bill would benefit from the inclusion of a requirement for a statutory instrument to legally underpin each data sharing arrangement in addition to the memorandum of understanding. This would provide public bodies with the additional legal and administrative certainty to pursue legitimate sharing of personal data within a framework that provides for the proper data protection assessments to be undertaken and the necessary safeguards applied. While we welcome the provisions of the Bill to provide for screening tests and privacy impact assessments, we recommend in the interests of transparency to the public a provision in the Bill for the publication of the results of any screening assessment or privacy impact assessment.
While it is our understanding that the Bill is not intended to provide a legal basis for large structural data sharing Government projects, which would still need specific primary legislation, the general scheme is not sufficiently clear in this regard. We recommend that provisions be included to clarify the scope of the legislation and the data sharing arrangements to which it will apply. For the avoidance of any doubt, we also recommend that further clarity be provided on the agencies and bodies that will fall under the scope of the Bill. The Bill must also comply with the new general data protection regulation which comes into effect on 25 May 2018 as well as being consistent with the general scheme of the data protection Bill as published last week by the Tánaiste and Minister for Justice and Equality. There may be further amendments our office suggests as the drafting continues. We are quite happy to share further detailed proposed amendments with the committee if that would be helpful.
In summary, the DPC accepts the rationale of the general scheme to support lawful sharing of personal data where justified. I acknowledge the Department of Public Expenditure and Reform's open and engaged approach with our office in seeking our observations on the proposed Bill. We commend the Department on undertaking a public consultation to inform the drafting of the Bill. As I have outlined, we believe further enhancements are necessary so that the Bill will achieve its intended objective by providing a robust legal framework whereby public sector bodies have the authority and clarity to confidently engage in legitimate data sharing initiatives. I thank the Chairman and committee members. I am happy to answer any questions.