Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

I thank the Chairman and members of the committee for inviting me to speak today. I will begin by introducing in general terms the draft statutory instrument and the background to it. The Office of the Ombudsman performs a vital role in ensuring good administration across the civil and public service. Part of this role includes investigating complaints in regard to particular incidents and issuing findings. Decision letters issued by the office to complainants will include all the basic facts and evidence gathered during the investigation process. They also outline the position of the service provider as reported to the Ombudsman as well as the Ombudsman's evaluation of the merits of the case and the basis for any of his findings and recommendations. To make the investigation process effective, there must be a certain space where the Ombudsman can engage with complainants, public bodies and staff members. This is reflected in section 9 of the Ombudsman Act which restricts the dissemination of information relating to an investigation. This facilitates the full co-operation of bodies under remit in the provision of all the necessary records required for the examination of complaints, the nature of which is often highly sensitive. This approach is in line with what is seen globally in similar institutions.

On the other hand data protection rules provide for a number of rights to seek access to personal data as well as asking for personal data to be amended or deleted in some circumstances. When the general data protection regulation, GDPR, was passed, it was anticipated there would be a need in certain instances to balance individual data protection rights with the ability of public bodies to carry out their statutory functions. Accordingly Article 23 of the data protection regulation allows for data protection rights to be restricted in appropriate circumstances. Under the previous data protection legislation, investigations by the Office of the Ombudsman were completely excluded by way of a statutory instrument. That exclusion lapsed when GDPR and the 2018 Data Protection Act were passed. This statutory instrument is part of the implementation process for the GDPR and will regularise the position of the Ombudsman’s office in line with what was anticipated in the data protection regulation.

Under Article 23 of the data protection regulation as well as section 60 of the Data Protection Act, rights may be restricted to protect what are referred to as important objectives of general public interest. One of these is identified as avoiding obstructions to any official or legal inquiry, investigation or process. In practical terms, what is at issue here is the potential for data protection rights that are fundamentally directed at privacy and the fair use of personal data to be used in a way that was not intended as a means of undermining, delaying or derailing the Ombudsman's office in the performance of its functions. For example, an official named in a complaint to the Ombudsman may attempt to use data protection rights to access personal data relating to them and from there to seek amendment or erasure of those data to undermine or delay the investigation being carried out by the office. Similarly, a complainant may attempt to use repeated data protection requests as a means of micromanaging the conduct of an investigation. Such scenarios as these are far removed from the core purpose of data protection and would have a seriously detrimental impact on the ability of the Ombudsman’s office to do its important work. In this context it is necessary to give the office of the Ombudsman the option to refuse to act on data protection requests only in some circumstances.

However, it is not a blanket exemption, as was the case under the previous legislation. The proposed regulations take a measured and proportionate approach, providing for a number of safeguards to ensure they are not applied in a disproportionate way. The draft statutory instrument is the product of a long and detailed engagement between my Department, the Office of the Ombudsman and the Office of Parliamentary Counsel. It has been approved by both the Data Protection Commission and the Department of Justice as being in compliance with the letter and spirit of the GDPR in accordance with sections 60(9) and 60(10) of the 2018 Act. Under these regulations, data subject rights can only be restricted to the extent that it is necessary and proportionate to prevent an interference with the performance of the Ombudsman's functions in the particular circumstances. Whether and to what extent a restriction applies to a particular request will to be determined case by case. Where an individual is unhappy with the approach taken by the Ombudsman, it will be open to him or her to make a complaint to the Data Protection Commission. The regulations are supported by a set of organisational policies maintained by the Ombudsman’s office. Under section 6(5) of the 2018 Act these regulations may be made once it has been laid before both Houses and approved by way of positive resolution in each.

In the circumstances, I recommend to the committee both that these regulations are necessary and that the approach taken is a meticulous and balanced one. I thank the Chairman and members of the committee for their time today and am happy to take any questions.