Mr. Cathal Ryan:

The Chairman makes an interesting point. When we say 25 pieces, our function is set out in article 36 of the GDPR with regard to consultation that happened prior to a legislative or regulatory measure on foot of a legislative measure. It has to happen in advance of the processing of data. The appropriate timing for that consultation with us is really a matter for the Department or, if it was a Private Members' Bill, for the individual who sponsors the Bill to determine when is the appropriate time to consult with the data protection authority under article 36. To be fair, anecdotally it is the case that individuals or Departments are coming to us early - almost as a policy and as a sketch of where they feel the legislation is going. They know there is movement in terms of legislation, and while it may not have gone to the heads of a Bill, they may be worried that at a heads of Bill stage the policy approach is simply a red-line issue for the Data Protection Commission, DPC.

Sometimes, appropriately, they come to the DPC early to see that general approach taken by them will not contravene data protection law. The figures we have presented incorporate some of those engagements, which are at a very early stage in their processes, almost at the policy development stage.

We are very happy to engage at that level because there is no point in them going down a rabbit hole of data protection and for us to then turn around at publication of a Bill and say their situation is untenable.

We have previously looked at publishing all of our replies, but the problem is that our replies may have to be collated together over a period of time to get an overall sense. We may, for example, only get a question on a specific policy approach that is intended to be given legislative underpinning. Instead of looking at a heads of Bill, a piece of legislation or a whole Bill we may sometimes only get a policy approach on where a body is going and we would be involved at that level. We have looked at consultation and publication of our responses because not only would it help the Department it would also give transparency, and other Departments would learn of the particular approach taken or the way a data protection authority has viewed a certain matter.

With the creation of online registers for a public sector body, for example, in the recent past we have given observations many times on our views around the creation of online registers and the publication of same on websites. Instead of only the recipient of those observations learning from that, I am very happy to share them out. We would need to set up a process or format for how and when we do that. It comes back to when it is appropriate or when is the perfect time for a Department or a Member to come to us to get a full overview of our position, rather than a piecemeal effort that is almost out of context.

I note that we have been invited before by this committee during a pre-legislative scrutiny. If we make observations they are collated and shared currently through the Department of Justice and Equality, but we would also make our own observations as an independent authority in the future. We would look at how we might publish our observations for everybody's benefit. This is something we had considered prior to GDPR. We have also looked at other authorities in Europe and elsewhere, including around consultation about a project or initiative. The New Zealand data protection authority firmly states that it may publish its views on a project.

We must also practise what we preach with regard to transparency. If we are to demand transparency from everybody then we too must be transparent. From my perspective, consultation would be great because we would get our message across to the person who has asked the question and also to the wider audience. This is very important because it would help with understanding, awareness and a standard approach to data protection that would meet the requirements of GDPR or the law enforcement directive. I am very much open to suggestions on how that can be done effectively. I would not walk away from that. It is important. This could offer another access to information along with freedom of information requests - which we receive only under administrative functions and not necessarily for investigations and so on. These are important issues with regard to the data protection viewpoint. It is to our own benefit that by publishing our views of these matters they do not get hidden within everybody else's observations: we can highlight what the particular issues are for us. As legislators the Members would also be aware of the views of the DPC while they go through the various stages of the process in the Houses.