Oireachtas Joint and Select Committees

Wednesday, 2 May 2018

Select Committee on Justice and Equality

Data Protection Bill 2018: Committee Stage

9:00 am

Clare Daly (Dublin Fingal, Independent)

This is a very important grouping but, unfortunately, it is cumbersome and deals with many issues, some of which are similar but not identical. It is an important group of amendments for us and I will break them down because some are more interconnected than others.

Amendments Nos. 36 to 41, inclusive, involve tweaking what we call suitable and specific measures and how we get around that. We have to see it in the context of section 35 which deals with these suitable and specific measures for processing data. In general throughout the Bill, these measures apply to the processing of special categories of data and are used as a substitute for getting a person's consent to process his or her most sensitive data. What is contained in these sections is significant. Under Article 9 of the GDPR, processing of these categories is strictly prohibited unless one of ten conditions applies. The first of those conditions is that the person has to give explicit consent. That is fairly clear. The other nine categories involve matters such as processing being legal if it is necessary to protect the vital interests of the data subject, for the purpose of public health, cross-border threats to health and other such matters. Most of the conditions allowing special categories of data to be processed, apart from the one on explicit consent, have some aim to protect either the data subject's interests or the public interest.

Suitable and specific measures, which is the term we are examining, are used as an alternative to the obligation to get explicit consent. That is contained in sections 39, 43, 45 to 47, inclusive, 49, 50, 54 and 65. They will apply in many circumstances. This is a significant part of the Bill for processing sensitive data in the context of employment and social welfare law, scientific or other research purposes, pensions, if the Government gets its way, getting a mortgage, and in the context of a substantial public interest, which we discussed previously. The idea of suitable and specific measures is that they are technical and organisational safeguards such as limiting access by staff to sensitive data and so on. We all remember the fellow who was selling the data in the then Department of Social Protection for €23 a throw and all the rest.

In the Bill as it stands, there is a list of measures that might be in section 35(1) but none of them is mandatory. In the case of the first one, consent, there is a reason they cannot be mandatory in every case. For example, for statistical purposes it might not be viable for somebody from the Central Statistics Office, CSO, to get consent to process statistics on the number of people of a particular religion in Ireland or whatever. There are others, the ones that are subject to our amendment No. 38, that face no obstacle in terms of being mandatory. Those are limitations on access to prevent unauthorised consultation, alteration or disclosure of this most sensitive data by staff, time limits on the length of time an organisation can hold on to data and targeted training for people who will be handling the data.

We believe it is reasonable that when suitable and specific measures are being used to give carte blanche to organisations or public bodies to access and process sensitive data, access limits, time limits for storage and training should be mandatory. That is our key concern. Also, the Government clearly envisages situations where measures to safeguard data should be mandatory in some instances. We are saying we should not leave it to the individual Ministers but make it somewhat clearer now. I will not go into a huge amount of detail but we want to have safeguards implemented to stop invasion. We want that to be obligated rather than a minimum standard to apply. That is the purpose of amendment No. 38.

Amendment No. 36 simply seeks to add the words "in particular" before a list of possible suitable and specific measures. The phrase "in particular" is used elsewhere in the Bill. It is also used in the GDPR and the shorthand for it is that we should look at the measures first before we go looking for any others because the list of possible suitable and specific measures spelled out in section 35(1) is in part taken from the GDPR itself. As they are important and potentially strong technical measures to safeguard people's privacy, we believe they should be considered first, in particular the measures that are being either implemented or laid out in the regulation.

In terms of amendment No. 37, the idea is to add to the list of measures that might be included among the suite of suitable and specific measures. The ones we are proposing are modelled on the German law which incorporated the GDPR but seek to add other options such as testing the effectiveness of technical, organisational and security measures regularly to ensure the confidentiality, integrity, availability and resilience of processing services and systems related to the processing of personal data, including the ability to restore availability and access rapidly in the event of a physical or technical incident. It could be the case that a given Minister might specify additional measures such as these in regulations. I accept that could happen but it appears to us that it would be far better and more useful to have a reminder in the legislation about, first, the importance of mandating organisations to test their safeguarding measures regularly rather than just putting them in place and realising ten years later that they are not fit for purpose and have leaked a great deal of data and, second, to keep their security systems up to date and ensure they cannot lose a pile of sensitive data just because there is a power cut or whatever. That is perfectly reasonable. That is the first grouplet. I know this is difficult, technical and monumentally boring stuff, but as the amendments have been grouped in this way, we have to persevere.

Regarding amendment No. 42, if our amendments Nos. 37 to 41, inclusive, succeed, this one can probably be withdrawn because we have provided something similar in the previous amendments. We are proposing in this amendment that, first, any regulations made under the section either to identify suitable and specific measures or specify that some of those measures are mandatory shall first identify different measures for different categories of personal data, different categories of controllers and so on and, second, specify that at least one of the measures set out in the list in section 35 is mandatory. Regulations in regard to suitable and specific measures are a requirement in many different processing situations throughout the Bill. They are crucial to safeguarding people's rights on their data, and because of that they should be granular and detailed. They take into account the kinds of data being processed, by whom and the types of processing actions that are being taken. It is important that at least one, but ideally more, of the measures listed in section 35 is made mandatory if the Minister is going to the bother of drawing up the regulations.

Our last amendment, No. 43, is another backstop. We are placing an obligation on the Minister to seek the advice of the Commission before drawing up regulations under section 35 on suitable and specific measures. If he decides to go ahead and ignore the advice of the commission, that will be his prerogative but he will have to give a statement to the Committee on Justice and Equality outlining the reason. It is just another backstop.

It is a little like amendment No. 5 to section 6, which the select committee passed, in that it provides for greater oversight by the Oireachtas. It would not impose a significant burden on the Minister to seek the advice of the data protection commission and he may choose not to adopt this advice, provided he informs the joint committee of his reason for not doing so.
