Oireachtas Joint and Select Committees

Tuesday, 23 May 2017

Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach

General Scheme of Data-Sharing and Governance Bill: Discussion (Resumed)

2:00 pm

Mr. Daragh O'Brien:

I will summarise the submission as I am conscious of time. As Mr. Jennings said, the potential value of the sharing of data between organisations cannot be lightly dismissed. Data is neutral. It does not care what it is being used for. That is why governance structures around data are essential.

We have seen recent cases where the careless handling of information in State agencies resulted in a fact being created and a process put in train that impacted on the private life of at least one whistleblower. In the scenario where data has been shared with agencies, the veracity and lineage of data becomes even more important in that context, and the Bill is silent on that question.

We have also seen a constant procession of cases before the Data Protection Commissioner and the courts where data has been accessed inappropriately and without authorisation. That goes back to Mr. Jennings's point about access logging. In these cases, personal data has been disclosed to third parties by people in the employment of the State who already have access to significant amounts of personal information.

I know from my work with civil servants in a professional capacity as a consultant and trainer that individual civil servants are dismayed when they see those headlines about information being shared in that way. In a data sharing context, when more information is potentially made available in a general scheme of legislation, civil servants are equally aware of how easy it is for the trust between the citizen and the State to be breached, whether by the conscious action of an individual or the ill-considered acts of an official body.

The presentation of data sharing as a panacea for efficiency and effectiveness needs to be considered in the context of the quality of data sets that are being linked together, the impact of the processing of data on the fundamental rights and freedoms of individuals and, as Mr. Jennings alluded to, the transparency of the processing to the individuals. In 2014, we were engaged by Digital Rights Ireland to do a review of the proposed scheme of the Bill. I understand a copy of our analysis at that time has been included in our submissions. In terms of summarising that submission, we concluded that the cart had been put before the horse. The focus was on sharing and not on governance. It needs to be the other way around. The focus on improving efficiency through sharing in the Bill as proposed does not do anything to ensure the robustness of governance necessary to ensure that the right data is being shared in the right way at the right time, with the right clear basis.

Essentially, the Bill proposes to tell the citizen to "trust us, we’re the Government", but does very little to put in place anything by way of standards, structures or accountability upon which that trust may be grounded. I listened with interest to the video of last week’s presentation to the committee and I found it very difficult to square the views of the Data Protection Commissioner's office that the Bill was simply a framework that would allow additional legislation to be enacted with the view from others who presented that the Bill was an umbrella piece of legislation that would allow sharing to take place without additional legislative measures. It is either one thing or the other. It is either a skeleton or an umbrella; it cannot be both. The fact that almost three years after the scheme of this Bill was first published there is still a lack of clarity on the purpose, intent and scope between the Office of the Data Protection Commissioner, which is tasked with enforcing the fundamental right to data privacy, and the Civil Service on what this Bill is intended to do is a matter of concern.

I also noted Mr. Sutherland’s written remarks in which he pointed out that, "In itself, this legislation will not be sufficient to validate the processing of personal data to the standard required under EU law and it cannot provide a basis for automatically sanctioning public sector authorities to share personal data". There is a missed opportunity to learn from prior experience of other projects where the State has attempted to share personal data across the organisation. Based on experience from private sector data governance projects and successful models of implementation that I have studied and applied with clients over the years, effective cross-functional approaches to the governance of data in organisations are essential to make sure that the promise of efficiency is delivered on. I have lost track of the number of organisations I have worked with where one department's definition of a "customer" was different to that of the team sitting next to them, but I remember vividly the late nights at the end of a reporting period where everyone sat sweating the figures trying to make them match. This simple example of cross-departmental communication in an organisation is because of poor data definition. In the absence of standards for codifying the meaning of a simple term or concept, confusion reigns.

In the public sector we see examples of this type of metadata challenge in a variety of contexts. For example, on the definition of "means" and sharing of means data, different organisations have a different understanding of what "means" is because the terms of a means tested benefit can differ based on the schemes that are being applied. Likewise, the definition of "income" can also differ depending on the perspective of the organisation, the nature of the schemes that are applied etc. In terms of what is an "address", in a given context, an address can have different meanings for different purposes in different organisations. When we ask for an address from one organisation to be given to another, there must be some definition as to how that is governed and controlled to ensure there is clarity of meaning, given the potential for sub-optimal outcomes if the wrong data is applied for the wrong purpose.

A far better and valuable focus of the Bill would have been to mandate the improvement, standardisation and professionalisation of data governance functions and data protection officer functions in Departments. This is particularly significant given the critical role effective governance of information plays in compliance with the general data protection regulation, which comes into force in a little over 260 working days from today.

I will not dwell on the Bara ruling. Mr. Kelleher will discuss that briefly, but suffice it to say that the interpretation of EU law has moved on and evolved. Some of the assumptions that may have been made when this Bill was being formulated no longer apply.

The Bill represents a missed opportunity in its current form. There is a host of aspects that Dr. Jennings has already alluded to, which I will not repeat. Data sharing on foot of umbrella legislation is not compatible with the necessity and proportionality principles of EU law. Clear statutory grounds should be created, and should be open to scrutiny. If sharing is important, it should be open to discussion. That is particularly true of large-scale bulk sharing of data. The Bill requires much more detail to be introduced in terms of effective frameworks for data governance and appropriate standards. The data sharing arrangements in the public sector need to provide protections equal to or greater than those already enjoyed by citizens since the Bara ruling.
