Mr. Denis Kelleher:

I will look at the compliance of the proposed heads of the Bill with the general data protection regulation, GDPR. I will not go into the Bara ruling, given that the draft heads of the Bill are only being discussed now. The GDPR will apply from 25 May next year so the reality is that this legislation will not be enacted before then. I will look at this in the context of the forthcoming legislation and what it will have to comply with in the future.

I would suggest a number of changes, and I do not believe there will be any surprises in that regard. Data sharing by the State requires a law. The model used in the proposed heads is one of memorandums agreed between Departments. Under the new GDPR, a law will be needed. Some flexibility is allowed for different situations. Members may hear reference to issues like recycling 41 and so forth, but there is a clear requirement under the GDPR that a law must be in place in that regard. The best way to go about that is to have secondary legislation.

Members will see on slide 3 of my presentation a suggestion that the Government should move away from memorandums. A statutory instrument would have to be made. A Minister would have to make a decision that there was an objective public interest and legitimate aims that required the making of a statutory instrument. Under the GDPR, that statutory instrument might have to set out general conditions, types of data, data subjects, disclosees, purpose and storage periods. If the Government were to do that, it would have a very secure base for data processing. It would be avoiding two risks in that regard, namely, the risk to data subjects and the risk that this expensive system would be set up but then finds it is not in compliance with data protection law.

It is very important to set up a secure process for data processing from the start. In terms of the data to be processed in the system, it would be wise for the legislation to distinguish between data that is processed for the purpose of prevention, detection, investigation and prosecution of crime and more general purposes. Quite different legal regimes apply to both sets of data. It would be wise to split them out in the legislation. If one shares data for a general purpose, one would not necessarily be able to use that personal data for the prevention, detection and investigation of crime. It does not mean that one cannot share data for that purpose, rather that one would need a different framework for sharing it. That will be quite important down the road in terms of what use is made of that data.

The sharing of comprehensive data sets is highly problematic. One would have a concern about the excessive sharing of data, which is a major issue with regard to data processing. The goal has to be data minimisation under the GDPR. At the same time, the accuracy of personal data is an issue. Citizens, data subjects, have the right to insist that their data is as accurate as possible. If one does not want excessive data sharing, but wishes to ensure the accuracy of data across the public sector, I suggest the best way to go about achieving that is to set up a system whereby people in different departments can query the accuracy of data in a data set. One does not move the entire data set from one Department to another, rather one just lets another Department query whether the data is accurate and correct in individual cases. Under the case law review of the European Union, they have a very major concern about mass sharing of data sets. On the other hand, if one looks at the recent case in Sweden, the EU is less concerned about very focused queries, where one is not sharing mass surveillance. The Bill in some ways allows for that with the setting out of base data sets. That is a model that perhaps could be built upon in terms of the legislation.

In terms of information, Mr. Daragh O’Brien, mentioned the Bara case. In the Bara case, there was a query about the legal basis for the data which was transferred. The model in Bara is quite similar to the model in this legislation. The primary legislation was very high level, and the Romanian Government department of health agreed to share data underneath that very high level description using memorandums, which is quite similar to this model. The European Court of Justice shut that down, saying it was illegal because the subject was not informed of what was going on.

What I suggest should change in the heads of the Bill to give a more secure legal basis is to have a statutory instrument allowing for that data sharing. In addition, subjects are still entitled to information. Under the new GDPR, some leeway is allowed, so one does not necessarily have to inform data subjects that his or her data is being transferred from the Department of Social Protection to the Department of Health if one can show that they are plainly disclosures that are expressly covered by law, as I am suggesting they should be, regarding the control of the subject's data and one provides appropriate measures to protect the subject's legitimate interests. In addition to a legal basis, one needs what are termed appropriate measures. If one looks at the other exceptions, it must allow for personal data to remain confidential subject to the obligation of professional secrecy. We need to bring in those sorts of controls as well, if one wants to adopt this model of sharing on the basis of statutory instruments and when that sharing takes place there must be appropriate measures in place and there has to be professional secrecy protections.

Another area that needs to be looked at, and I think Dr. Jennings mentioned this at the start, is the idea of portals to enable subjects to access their data. One of the major changes coming through the system with the new GDPR is that, at present, people effectively have a right to get a copy of their personal data. For example, if a Member of the Oireachtas decided that he or she wanted to see the personal data that is processed by the Houses of the Oireachtas Commission, one writes and makes an access request, and the commission sends back a copy of the Member's data. The GDPR actually goes beyond that where one has the right to get a copy of the data, the right to information about how the data is being processed as well as the right to access the data. If one looks at the recitals, that means one has to provide remote access to a secure system which provides the data subject with direct access to his or her personal data.

It looks like that the GDPR will require that we build this sort of portal. There is a whole range of security concerns about who gets access to that portal. If one is building a portal that will allow me to access my personal data that is being processed by the State, my number one concern is to ensure that the only person accessing that information is me. That was one of the major challenges coming down in terms of how the State governs data. It will be very interesting and will be challenging to see how we will build that sort of system.

In terms of governance, one of the clear messages we are getting from the European Commission is that it wants to see a minimum of variation in how member states implement the GDPR. There are many provisions in the GDPR that allow member states to adapt to their own purposes. In terms of governance, it does not want to see variations and would query why there is a specific provision requiring data protection impact assessments. Its preference would be to allow the governance provisions, which are very onerous and very complex to apply to processing personal data in the State directly without any variations of this implementing measure except for one of those instances that are specifically allowed in the GDPR. There would need to be some variation there.

The last suggestion is the need to consider creating a specific offence of illegally accessing personal data that has been processed by the State. As members will see, the Data Protection Commissioner has been very active in prosecuting people who have accessed it from outside. There is provision under the new scheme of the data protection Bill for two offences and I think members should look into creating an offence specifically of wrongfully accessing personal data that is processed by the State. That would create an incentive for members of the Civil Service and public service to say that if they do not have direct authority to process this data in this way, they would be committing a criminal offence. That will push the decision down to individuals, so that when somebody is asked to process personal data in this particular way, he or she would ask if he or she has been given the authority to do that. Obviously, an individual does not want to be put in a position of creating a criminal offence. I do not know if members wish to go down that route. There are a great many offences of illegally processing of personal data and illegal processing of data and I think members should look into the regime that applies and the controls that are applied to wrongful processing of personal data in the State.