Mr. Dale Sunderland:

Under data protection law, there are very onerous obligations on data controllers to protect and use information in accordance with the law. This is about protecting all of our personal information so it is not used in inappropriate ways. In any organisation, it must be ensured that anyone who accesses data has a legitimate reason for doing so. Looking up information about somebody because they have won the lotto or to see who they are would certainly be inappropriate.

Senator Conway-Walsh referred to outcomes, implications and the Department of Social Protection. We have initiated a number of investigations into private investigators inappropriately and unlawfully accessing data about individuals from the Garda Síochána and the Department of Social Protection, in particular. We have taken a number of successful prosecutions. We understand, however, a number of persons in the Department were dismissed. One, in particular, was dismissed from her post because of her gaining inappropriate access to personal data. This is about protecting individuals. We want to ensure legitimate data-sharing can take place, however.

To return to a point I made earlier, every public sector body is a data controller in its own right. If Department A collects information for a particular purpose, it cannot share that, without a lawful basis, with Department B unless there is approximate use. If it is shared for a reason that is in no way related to the reason for which it was originally collected, it may not be shared automatically. There would need to be a proper, lawful and legal basis for that to happen.

While we want to facilitate legitimate data-sharing, it is very important that the principles and requirements of data protection law be met. For example, the data must be accurate. A concept known as the "digital footprint" or "digital shadow" is now being built up. That will potentially be built up through data-sharing. What the Government knows about one is not absolutely accurate in respect of one's individual circumstances. If one Department shares information with another that is not correct or accurate, thus affecting an application for a grant, for example, it could have implications for the individual. That is why we are really emphasising that this Bill will provide the legal mechanism to allow for the sharing of information, but in accordance with all the proper data-protection impact assessments and the law, as in making sure one transfers only information that is relevant and accurate and not providing information to another Government body that one has no lawful reason to share. These principles are very important and must be adhered to under the data protection Acts.