Ms Helen Dixon:

Thank you, Vice Chairman. I thank the members of the committee for the invitation to discuss the provisions of the general scheme for the health information and patient safety Bill, in particular those provisions relating to a proposed role for the Data Protection Commissioner, which is Ireland's national data protection supervisory authority.

I am joined by my colleague, Dale Sunderland, deputy commissioner. He leads the function of consultation for the data protection authority. Public and private entities consult and seek guidance from the office in respect of the planned implementation of measures that may interfere with the data privacy rights of individuals.

The 1995 EU data protection directive requires each member state to have a national supervisory authority which must "exercise their functions with complete independence". This is recognised in the text of the directive as an essential component of the protection of individuals with regard to the processing of personal data. In the course of infringement proceedings issued against Germany, Austria and Hungary in 2010, 2012 and 2014 by the EU Commission, the Court of Justice of the European Union further underlined the requirement for complete independence from government of data protection authorities. Equally, Article 8 of the EU Charter of Fundamental Rights came into legal force in 2009 and provides for the right of every individual to have personal data protected. It also stipulates that compliance with these rules shall be subject to control of an independent authority.

The independence of data protection authorities is a necessity in terms of performance of their obligations to hear complaints from individuals who consider their data protection rights may have been contravened. Where a data protection authority is prescribed a role in making executive decisions of government in relation to specific projects that concern the processing of personal data, it becomes unable to fulfil its primary obligation of supervising the public authorities engaged in personal data processing and of independently examining the complaint of any individual who brings forward evidence that his or her rights have been contravened.

It is precisely this scenario that would arise under heads 33, 34, 35 and 54 of the health information and patient safety Bill as the Data Protection Commissioner would be required to take on the role of the organisations to which the obligations under data protection law apply. While recognising the important safeguards the Bill introduces in respect of health-related personal data and fully respecting the prerogative of the Oireachtas to enact legislation as it deems appropriate, we respectfully request that the committee give due consideration to the concerns we have raised in our written statement in light of our view that the roles prescribed for the Data Protection Commissioner conflict with EU legislation. We are pleased to note that the Department of Health, with which we have engaged in recent months on these issues, has acknowledged and is committed to examining the concerns we have highlighted. Further, the committee may wish to consider if it would be useful to hear from the Department of Justice and Equality on these matters as it has policy oversight for data protection legislation. The Data Protection Commissioner is aware of the determination of the Department of Justice and Equality to ensure that the commissioner is not only completely and concretely independent in the performance of tasks and exercise of powers as required by law, but is equally determined to ensure that the perception of independence is not compromised or undermined in any way.

Finally, I wish to highlight to the committee - we are aware the Department of Health has also made reference to this point - that a new legal framework in the form of a general data protection regulation will govern personal data processing in the EU from May 2018. Provisions of this new regulation, which deals with public health research as a subset of scientific research, now set out new potential legal bases for health research without obtaining the consent of a data subject, but subject to appropriate safeguards to be set out in national legislation.

We would be very happy to take questions from members of the committee.