Mr. Seamus Carroll:

To refer back to a point made earlier by Mr. Lowry, which may have been before the Chairman arrived, there is an obligation under the general data protection regulation for all public authorities and bodies to designate a data protection officer. There will be an officer at a fairly high level in the organisation whose task is to focus on the data protection obligations and accommodate the exercise of rights by individuals vis-à-visthat organisation. The regulation goes into a lot of detail on the qualities required. It says that "the data protection officer shall be designated on the basis of professional qualities, and in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the data protection officer". It goes into quite a lot of detail about what the tasks of the data protection officer would be and one is to inform and advise the controller or processor and the employees who carry out processing of their obligations under the regulation and under other EU and member state law in regard to data protection. It goes on to emphasise the independence of this particular individual within the organisation. It says that the controller or the processor - that is the public body - shall ensure that the data protection officer does not receive any instructions regarding the exercise of the tasks. He or she shall not be dismissed or penalised by the agency for performing his or her tasks, and then, crucially, "the data protection officer shall directly report to the highest management level within the organisation". The data protection officer will not be reporting up through his line manager in a hierarchical structure in future, but will report directly to the highest level within the organisation.

Why have all these provisions been put in place? It is because there is a perception, not only in Ireland, that when it comes to public authorities and bodies there is need for further reassurance that data being held is being processed properly and used only for the purposes for which it is intended. I return to the point I made earlier on this Bill, this will improve the transparency because if an organisation is sharing personal data with another organisation, now for the first time it will be clear from these memorandums agreed within the bodies, what information is being shared and that will facilitate the exercise by individuals of their rights vis-à-visthese public bodies.