Mr. Seamus Carroll:

I thank the Chairman and the committee for the opportunity to attend and participate in discussions on the data sharing and governance Bill. I am Seamus Carroll from the Department of Justice and Equality and I am accompanied by Ms Noreen Walsh and Mr. Conor O'Riordan from the civil law reform division of the Department. Reference has already been made by Mr. Lowry and Mr. Sunderland to the general data protection regulation and I will start by saying a few words on it.

Following several years of intense negotiation, agreement was reached in early 2016 on the content of the general data protection regulation, or GDPR. It was published this time last year and will take effect from 25 May 2018. Its purpose is to update and streamline data protection law across the EU. Broadly speaking, the GDPR strengthens the rights of individuals to the protection of their personal data, clarifies the obligations on bodies that process personal data in both the public and private sectors and greatly expands the functions and powers of data protection authorities, including in our case those of the Data Protection Commissioner. These extended powers include a power to impose substantial administrative fines for infringements of data protection law, albeit not generally in the case of public authorities and bodies. Adoption of the GDPR has been accompanied by adoption of a law enforcement directive which contains rules that will govern the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties. This directive must be transposed into national law by May 2018.

While an EU regulation is a directly-applicable legal instrument and does not normally require any national law to give it legal effect within a member state, the GDPR contains a number of provisions which allow member states a limited margin of flexibility.

For example, it recognises that reconciling the right to protection of personal data with the right to freedom of expression and information is a matter for national law. The same applies to reconciliation of the right of access to public documents, in other words freedom of information with the right to protection of personal data. As Mr. Sunderland has said the Government has approved the drafting of a data protection Bill last week and the draft has now been forwarded to the Joint Committee on Justice and Equality for pre-legislative examination. It is a lengthy text, running to more than 95 sections and contains provisions which are intended to give further effect to the GDPR in areas in which member states retain some flexibility; transpose the law enforcement directive into national law; and to equip the Data Protection Authority with effective mechanisms and procedural safeguards in order to perform the expanded range of tasks and exercise the enhanced powers set out in the GDPR and the law enforcement directive.

TheGeneral Data Protection Regulation, GDPR, emphasises the need for greater transparency in relation to the processing of personal data; Article 5.1(a) provides that personal data must be processed lawfully, fairly and in a transparent manner. Article 26 goes on to provide that where two or more bodies are involved in determining the purposes of processing, they become joint controllers and they are required to determine their responsibilities for compliance with general data protection regulation, GDPR obligations in a transparent manner.

Provisions in the proposed data sharing and governance Bill will help to promote greater transparency and ensure that individuals are aware of sharing arrangements between public authorities and bodies. This will help to facilitate effective exercise of their data protection rights.

Data processing by public authorities and bodies is normally undertaken on the basis of one of the following: first, processing is necessary for compliance with a legal obligation to which the controller is subject or second, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Article 6.3 of the GDPR requires that this basis must be laid down in EU law or national law. It can be expected that the provisions of the Bill will promote consistency of approach and coherence in respect of data sharing across the entire public sector.

The Bill has been in the drafting process for some time and it contains references to our law, the Data Protection Acts 1988 and 2003. This legislation will be largely overtaken by the GDPR. The text of the Bill will need to be updated to have regard to the text of the GDPR in order to ensure the necessary level of coherence and consistency.

I thank the Chairman and members. The Department of Justice and Equality is available to answer any further questions on the data protection dimension.