Mr. Daragh O'Brien:

With reference to the cart being put before the horse, the essence of that comment is a key lesson from private sector organisations in sharing data between departments within an organisation with a linear chain of command, although public sector organisations and Departments are slightly more fluid in their structures. Before sharing happens, there must be a clear definition and standards to allow for commentator interchange. The analogy I draw is taking a three-pin plug on holidays to France. It does the same job, but it does not work in the other area. In that context, governance models and frameworks become extremely important for interoperability. Parts of the governance standards and frameworks are matters such as common definitions, common meanings and commonality in the understanding of different business rules.

I have experience in both private and public sector organisations. I am constrained in what I can say about projects on which I have worked in the public sector owing to non-disclosure agreements; therefore, anything I say should be taken as hypothetical and based on experience. Let us take as an example something as simple as income. At a point in time the Revenue Commissioners will have a different view of what somebody's income is if he or she is self-employed based on what another organisation might require at a particular time because it might view income differently. Likewise, the calculation of income from a particular scheme perspective might differ from one organisation to another because the nature of scheme A requires particular categories of social welfare payment to be included as income but scheme B might not require these categories to be so included. What is required to enable sharing to happen is a transparent layer from a business process and governance perspective where these differences can be understood before the sharing happens rather than after it has happened and a decision has been made to the detriment of a citizen or, alternatively, his or her unjustified benefit. There has been comment in the media on fraud versus error in the Department of Social Protection. The Comptroller and Auditor General is quite clear that error represents the larger proportion compared to fraud and that it is down to the definition of standards and clarity of meaning in terminology within one Department which causes problems in terms of quality.

The Deputy asked for examples of previous failures. We referred in our 2014 paper to REACH, which was three years late and two and a half times over budget. It did not deliver on any of the substantive benefits it promised. As the Comptroller and Auditor General identified, the cross-boundary governance of data flows became problematic when different budget holders were calling the shots and competing in that context. I do not have the precise quote in front of me, but it is in the submission.

The sharing or processing of data in any public sector organisation can become problematic in the absence of the governance structures and rules that need to be in place. There are rules in place to govern the use of phone interception in An Garda Síochána, to mention a topical example. It appears from media commentary that those rules were not necessarily enforced in all cases.

This brings me back to the point made by Mr. Kelleher and Mr. Jennings about the difference between bulk sharing and query-by-query sharing on a base-by-case basis. The governance model needs to have sanctions for abuses of the sharing regime when the scope of sharing has been broadened. It also needs to define clearly who can do what, with what data, and when. When we worked on the e-draft scheme of the Bill in 2014, we identified that there was no clear definition of what is meant by sharing. Such a definition needs to be clearly set out and supported by effective governance with clear sanctions.

The only State agency I am aware of that has a statutory basis for doing anything to staff members or contractors who unlawfully disclose data that come into their possession in the course of their dealings with that agency's data is the Revenue Commissioners. Under section 851A of the Taxes Consolidation Act, it is an offence to unlawfully disclose taxpayer information. If the Department of Social Protection had an equivalent provision in legislation, more rigorous attention would be paid to who has access to what and to the logging of data. We have already heard about the need for control in the context of a governance framework.

Ultimately, two levels of governance need to be considered. The first level involves the standards and the communication for sharing. There is a need to ensure everyone is sharing the right thing. When a request is made for fruit to be shared between one Department and another, the Department that is expecting to get an apple must know that it will get an apple. It must not wind up with a bag of oranges because that would be completely useless to it. The second level involves the sharing that can take place internally. When larger amounts of data are available to public servants, access to that data must be governed in an appropriate way with clear sanctions.