Dr. Fred Logue:

I thank the Chair. I will be quick as Mr. McGarr went over some of the matters I have addressed in my opening statement. I have a law practice and we act for quite a few adopted people trying to access their information, so we have some experience of the practicalities and what it is like for them at the moment. My first thought when I read the draft heads of the Bill was that it was starting from the wrong place. It is a classic case of "If I was going there, I would not start from here". The heads are drafted from the point of view of giving people a new right that they do not already have. As Mr. McGarr has said, that is misconceived because there is an existing right of access to one's personal data, including adoption information. Even leaving aside GDPR, birth certificates are open documents. Anyone can go in and get any birth certificate. These are public documents. The problem for adopted people is that the barriers to access are not legal but practical. They do not have enough information about themselves, such as their actual dates of birth and their mother's maiden name, to identify their birth certificate. That being said, many adopted people can and do get their birth certificates so they are already being accessed.

In addition, the GDPR gives adopted people a right of access to their personal information, including from private and public data controllers, the Adoption Authority of Ireland and Tusla. However, in these cases access is being blocked, unlawfully in my view, by what I consider to be an unwritten or de facto policy to deny access to most adoption information, and certainly information that would help adopted people find out the identity of their parents and other relatives. This is achieved through misinterpretation of European law and a policy of applying national law above European law. Combined with weak enforcement by the Data Protection Commission, the result is that individuals do not have an effective way of enforcing their rights of access to their information. The point I am trying to make is that these rights exist and will continue to exist irrespective of the legislation because they are EU rights. There is a risk, however, that if this legislation is passed in this format, it will create a limited parallel system that will create confusion and lead to it being preferred over the GDPR rights.

The drafters of the Bill need to go back to the drawing board and start from the point of view that they are giving greater effect to GDPR rights. Some of these conflicts I have pointed out have already been highlighted. First, the material scope is too narrow and granular. The proposed age limit conflicts with GDPR as there is no age limit on exercising those rights. The proposed fee in head 3 is in conflict with GDPR because there is a right of access free of charge. The mandatory information session is a restriction on the right of access under GDPR. The requirement to give medical information to a medical practitioner is also a restriction. In fact, there is no reference in GDPR to medical information. The correct terminology is "health information". While the non-disclosure aspect of head 13(4) is well intentioned, it will inevitably be interpreted as displacing the right of access. The restrictions are not being applied correctly, particularly the restriction in head 40, which is a kind of catch-all restriction and is completely outside the way such things are supposed to be done under GDPR.

The European Data Protection Board has produced very good guidance on restrictions of rights under Article 23 of the GDPR so I suggest the drafters read that. The attempt to restrict the right of compensation is completely incompatible with GDPR. I am stunned that anyone decided to put that in the heads of a Bill because it is so obviously unlawful. Where there are new registers or new information created as part of the tracing system, there will be a right of access to that as well. To avoid all the issues we are seeing, there should be express provisions for the right of access and if there are to be restrictions on it, they have to be set down in the legislation and they have to meet the requirements of Article 23.

Finally, I do not think the Adoption Authority of Ireland or Tusla should be allowed make guidelines that regulate their obligations as data controllers. There are obvious conflicts of interest there. All substantive provisions must be in the legislation. There should not be substantive provisions in guidelines and if there are to be guidelines they should be adopted by the Minister and not by any of the agencies or other bodies that have to give effect to the rights of access. I thank the committee for allowing me to make this opening statement.