Mr. Barry Lowry:

I might perhaps assure the Deputy by outlining some of the layers of governance in this process. As Mr. Sunderland said in his submission, it would be wrong to treat government as a single entity with regard to the GDPR. For its purposes, therefore, each Department should be considered as a single entity. Under the GDPR, each Department is required to establish the role of the data protection officer. Article 39 of the GDPR clearly sets out the responsibilities of the data protection officer. We expect any requirement for data sharing to be closely monitored in terms of its purpose and the amount of data to be shared, as well as the reason for sharing and the period of time for which the data will be held. All of these things will be carefully scrutinised by the data protection officer in any Department. In fact, they will use the instruments set out in the GDPR, such as privacy rights impact assessment and screenings, to inform their judgment. At this point the data sharing may be underpinned by a data sharing agreement. That is the view of the Attorney General's office. For standard, benign purpose data sharing, things that are in line with good e-government such as not asking a citizen to retype information already held will be underpinned by the use of these instruments. The role of the legislation and governance is to ensure compliance. In sensitive areas of data sharing - the Deputy mentioned health care as a primary example where benefits and risks are significant on both sides - specific legislation is planned because the Government recognises its importance in terms of public profiles. We believe there is a governance framework in place and planned that will handle most data sharing requirements without the need for undue bureaucracy and pressure on the system. Equally, it is to be carried out in a transparent, simple and understandable way.

On the second point concerning complaints, the objective is that transparency requirements will mean that data sharing agreements will be published and will be open to challenge.

Obviously individuals have the right to ask not only for the data that any specific public body holds about them, but also with whom the body has been sharing that data. Again, there is a very clear framework, through the Data Protection Commissioner, where complaints can be made, escalated and investigated at an appropriate level.