Mr. Dale Sunderland:

I thank the Deputy. My colleague, Mr. Murphy may come in on one of the questions on medical information.

In respect of Article 23, it is a matter where we raised a note of concern with the Department. The Bill provides for very blanket provisions restricting all rights under GDPR to the extent necessary to enable persons to access birth and related information in accordance with the provisions of the Act and to enable the agency and authority to provide a tracing service in accordance with the provisions of the Act.

On the Deputy's latter questions, those restrictions or rights can only act insofar as the Act is concerned. If there was an intention to restrict in all forms, it would need to be much more explicit. Insofar as the restrictions apply, it will be in the context specified by the Act. That would be our reading of the matter.

The problem with a blanket exemption or restriction of rights is that it is not, we believe, in accordance with what the GDPR requires in Article 23. We raised this with the Department. We have questioned whether it meets the criteria set down in Article 23 and have recommended that it review the position.

For example, it is proposed to restrict the right of erasure, which may be a logical position to take. However, Article 17 of the GDPR already provides exemptions which may apply in certain circumstances. The right of transparency is a very important right. Why would there be a blanket restriction? These are the questions we are asking. It is something about which we want to hear further from the Department. If it is not that the restriction of rights is not legitimate in certain circumstances, that needs to be much more defined and specified in terms of the rights that are being restricted, the reasons and the specific sets of circumstances.

In respect of the Deputy's question on deceased person's access to data, I am only aware of this matter through some public commentary. I do not know all of the details. The GDPR sets out a process. An access request can be submitted by an individual for access to his or her data. There may be an element of mixed data such as, for example, a birth certificate which has someone else's name on it where that person is deceased. That is the very issue at the centre of discussions on this Bill. If another person is on the birth certificate, the Department has to carry out a balancing test in terms of the release of the data. It is possible that other third party data may be released in that context.

If the person is deceased it is another set of circumstances in the sense that GDPR is explicit in saying that the regulation does not apply to the personal data of deceased persons. The Department has to work through the analysis on that. First and foremost, any request from a person about access to his or her data is a valid request. I am not sure this is the case but it would not be possible to submit an access request for someone else's data, whether they are alive or deceased. That would not be a valid access request under GDPR. However, there may be alternative circumstances where the information of a deceased person is sought, but it is not sought under the GDPR, if I am being clear, because the right of access, first and foremost, relates to one's personal data. It then extends out and there is a concept of mixed personal data. A birth certificate is a very good example of that.

I am happy to come back on that further, if I have not been clear enough. I will hand over to Mr. Murphy to address the question on medical information.