Mr. Dale Sunderland:

I thank the Chair for the invitation to contribute to members' deliberations on the general scheme of the electoral reform Bill. I am one of the deputy commissioners at the Data Protection Commission, DPC, with responsibility, among other things, for the DPC’s supervision, consultation and guidance functions. Also in attendance with me is Mr. David Murphy, assistant commissioner, from the DPC’s supervision and consultation section.

The DPC welcomes the opportunity to engage with the committee on the proposed Bill and to provide our views on the draft provisions that impact, in our view, on the processing of personal data. By way of background, I can inform the committee that the Data Protection Commission submitted contributions to the public consultation on proposals to modernise the electoral process held in 2019. In contributing to the public consultations, we welcomed the Department’s goal of building an electoral register that is secure, comprehensive and accurate, while also being fully compliant with data protection legislation. In view of the very substantial volume of data involved, the establishment and maintenance of an accurate and secure central electoral register, in particular, is of critical importance to the public’s trust in the proposed reforms. Our observations in the public consultations related to the use of the PPSN, in particular, and to the sharing of personal data for the purposes of updating and maintaining the register.

Regarding the proposed use of the PPSN, the DPC advised that any use of the it must be shown to be a justifiable solution to identified issues with the electoral register, while not having a disproportionate impact on an individual’s right to data protection. We stated that the assessment should address known vulnerabilities with the PPSN such as the potential for fraudulent use. In looking at the use of the PPSN, it may also be necessary to examine whether the legal basis for the PPSN, as found in the social welfare Acts, can support the issuance of a PPSN to an individual for the sole purpose of registering as an elector. This is a scenario that could conceivably arise in the case of European and local elections while recalling that the purpose of a PPSN is to allow an individual to engage with the State in the course of a transaction with a State body. There may be scenarios where not everyone has a PPSN. We do not have a definitive answer on that but we have certainly think it is something worth considering.

As part of a general recommendation to adopt a data protection-by-design approach, we recommended the use of a data protection impact assessment, DPIA, to explore fully the data protection risks involved and to consider the implementation of suitable and specific safeguards. We also pointed out that any use of MyGovID or the public services card for optional online registration should be examined to ensure that there is a valid legal basis for such processing.

The Committee should also be aware we engaged with the Department of Housing, Local Government and Heritage on the Bill. We understand the Department is currently conducting a data protection impact assessment and the DPC will be formally consulted under Article 36 of the General Data Protection Regulation, GDPR, during this process. In particular, the Department’s assessment should set out the rationale and justification for the mandatory collection of the PPSN and use of the public service identity set. The Department must remain open to alternative solutions should the justification of the use of those data elements not be satisfactorily grounded, or where there is potentially an inability to mitigate any identified high risk to the personal data of individuals, whether or not those persons are included on the electoral register. That is not to prejudge the issue. It is simply to say that the purpose of a DPIA is to go through all of those issues, to ensure there is a justifiable basis and the processing is proportionate and necessary. We also recommend the publication of any DPIAs and ancillary supporting documentation developed during the process in the interests of transparency for the public and trust of the public in the process, and to provide the reasons why certain data sets may be required.

In our submission to the committee we made a number of remarks on our view on specific provisions of the general scheme. In the interest of time, I will not mention them all but I will go through some of them. In relation to the national electoral register shared central database, we understand under head 90 that the database is for the purpose of management of registration data by a registration authority on behalf of others, including the provision of a public interface. We recommend the carrying out of a data protection impact assessment prior to the implementation of this proposal, given the national scale of the database, and in particular to identify risks and appropriate safeguards.

The registration authorities must also determine their roles and responsibilities with regard to the controllership of personal data, and to ensure that these are underpinned by appropriate data processing agreements where necessary. Further clarity may be required as to the operation of these provisions such as how discrepancies will be avoided between records held by registration authorities and the central database. It may be the case that all records will be specifically held on the central database but it is not absolutely clear to us at this point how this would work in practice. Any data processing must also be subject to appropriate safeguards including, where necessary, the implementation of data protection policies. We also recommend consideration be given to whether further provisions are required in the Bill to set out how it is intended the existing electoral registers will be updated with additional personal data, such as the PPSN, on the enactment and commencement of this legislation.

In terms of the use of the electoral register, as provided for under head 92, we note it is limited to electoral or other statutory purposes, with reference to the provisions of Sections 39 and 40 of the Data Protection Act 2018. To underscore the point, any processing of personal data for a statutory purpose must comply with the data protection and e-privacy legislative frameworks in general, and in particular with the requirements of Article 6(3) of the GDPR, which requires that the basis of any processing necessary for compliance with a legal obligation or in the performance of a task carried out in the public interest be laid down by EU or member state law.

Head 93 sets out the legal basis for the sharing of personal data for the purposes of verification of the accuracy of the register of electors and its updating and maintenance. As I stated, the carrying out of a data protection impact assessment, DPIA, should be undertaken to establish the justification for the use of each element of the verification data set on the basis of necessity and to identify a clear legal basis for processing.

As with previous legislated uses of this data set, such as for the individual health identifier, it is expected that any use of the PSI data set will be limited to verification purposes and that the PPSN will not become a de facto unique identifier in the electoral register. That is our understanding from our engagements with the Department. The governance of, and access to, personal data used for verification purposes will be a key consideration for the DPIA process as well as the retention of any such data.

We note that consideration will be given to the timing of the commencement of the relevant provisions of the Data Sharing and Governance Act 2019 and its bearing upon this section. Notwithstanding that Act, the DPC recommends, for the purpose of providing an explicit legal basis in primary legislation for data sharing, that this head be retained and consideration be given to further specifying the modalities of data sharing in this Bill. That is simply for the purpose of having specific clarity on the legal basis for data sharing.

We note head 121 on online political advertisements. In part, this head sets out increased transparency around the public information requirements for online political advertisements. Anyone engaging in online political advertising involving the processing of personal data must adhere to the relevant provisions of the data protection legislative frameworks. We welcome this provision as it will bring an extra level of transparency to online political advertising, in particular as it relates to data protection, micro-targeting or the use of other advertising targeting lists.

I thank the committee for the opportunity to present to it this evening. I hope these comments will be of assistance in its deliberations and I am very happy to answer the questions members may have.