Oireachtas Joint and Select Committees

Thursday, 18 May 2017

Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach

General Scheme of Data-Sharing and Governance Bill: Discussion

10:00 am

Gerry Horkan (Fianna Fail):

We are meeting to engage in pre-legislative scrutiny of the draft general scheme of data-sharing and governance Bill with officials from the Department of Public Expenditure and Reform and the Department of Justice and Equality, and Mr. Dale Sunderland, deputy commissioner, and Mr. Cathal Ryan, assistant commissioner, from the Office of the Data Protection Commissioner.

I welcome Mr. Barry Lowry, Government Chief Information Officer at the Department of Public Expenditure and Reform, Mr. Dale Sunderland, deputy commissioner at the Office of the Data Protection Commissioner, and Mr. Seamus Carroll of the Department of Justice and Equality, and their colleagues.

I wish to advise the witnesses that by virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to this committee. If they are directed by the committee to cease giving evidence on a particular matter and they continue to so do, they are entitled thereafter only to a qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses, or an official, either by name or in such a way as to make him or her identifiable.

I invite Mr. Lowry to make his opening remarks.

Mr. Barry Lowry:

I thank the committee for inviting us today to discuss the data-sharing and governance Bill. Let me start by introducing myself and my colleagues. I am the Government Chief Information Officer and I am accompanied by Ms Evelyn O'Connor and Mr. Pat Keane, both from the Government reform unit, and Mr. Owen Harrison, from the Office of the Government Chief Information Officer. The committee will have received a short briefing note in advance of today's session. Given that it is our second visit, I propose to keep the opening statement brief to maximise the time available for discussion and questions.

As previously advised, the principal aim and core focus of the Bill is to provide a generalised legal basis for the sharing of data between public bodies while also setting out appropriate principles and safeguards under which such sharing should take place. I will begin by outlining the three major drivers behind this Bill. These are the general data protection regulations, GDPRs, the digital Single Market and eGovernment action plan, and the national eGovernment strategy.

Beginning with the GDPRs, we believe this legislation is necessary to help the Government achieve its ambition that Ireland should be seen as an exemplar in data stewardship and data protection. GDPRs set out to protect the individual with regard to the processing of personal data. However, they also recognise and provide for the importance of the free movement of personal data within the European Union for the purposes of better government, better health care, economic growth, etc. We believe that the Bill being discussed today provides the regulation, especially governance, required to ensure full compliance with GDPRs.

As members know, the digital Single Market is being promulgated as an essential initiative to promote the economic growth of the Union and the prosperity of its citizens. The eGovernment action plan is a key aspect of digital Single Market and obliges governments to put plans in place to ensure government services can not only be accessed digitally but also ultimately accessed by any part of any member state. Governments are also expected to simplify government services by not expecting citizens to provide information to one agency that has already been provided to another and by implementing means of secure identification and safe cross-border access to goods and services.

I would like to touch on the national eGovernment plans. In the 2017 Civil Service customer satisfaction survey, conducted by Ipsos MRBI, 61% of those consulted agreed or strongly agreed that they would be more inclined to use online Government services as their preferred way of initial engagement with the Civil Service provided they were easier to find and easier to use. In the 18-34 age category, the total figure was 76%. Sixty-five percent felt a single digital identity would be very convenient or fairly convenient. In the 18-34 age category, the total figure was 82%.

All these initiatives require us to improve our data sharing between Departments, with other public service providers and ultimately with other states. We need to drive inaccurate or erroneous data out of our systems. We need to make it easier for the citizen to access our services and the data we hold on them and we need to ensure we do not duplicate or request data unnecessarily. We believe that the data-sharing and governance Bill helps create the platform for these things to happen.

I would like now to move on to the Bill itself. The initial draft proposals for this legislation were put out to public consultation in 2014. There was a significant response from a wide range of stakeholders to the consultation and the views aired during this process have made a substantial contribution to the development of the Bill, especially in regard to the governance of data sharing.

The key issues to be addressed by the Bill can be summarised in the following way. First, it ensures public bodies share data where it is appropriate to do so. At the moment, some public bodies can be reluctant to share data with other public bodies in cases where it would otherwise be beneficial because it is not clear to them that they have the authority to disclose such data. This Bill addresses this problem by establishing an unambiguous legal basis for data sharing between public bodies as well as specifying the conditions under which it can take place. The Bill also provides that the Minister for Public Expenditure and Reform, with the consent of any other relevant Minister, may direct public bodies to engage in data sharing when necessary.

Second, the Bill puts mechanisms in place to ensure data are collected and shared only where there is clear purpose and justification. A key part of the legislation is to provide governance over the data sharing agreements that must be put in place and published before the data sharing can take place. The Bill provides a mechanism for requests for data sharing to be rejected or ceased if there is no longer requirement for the data sharing to take place or where it might be inappropriate.

Third, it makes the whole process considerably more transparent. Specifically, it will be easier for citizens to find out what data about them is being shared, easier for them to correct data, and easier for them to challenge or complain about data sharing that is planned or has taken place.

To conclude, data is fundamental to the effective performance of public bodies and is one of the most important resources available to them. We believe that this legislation will deliver a number of concrete benefits to citizens, businesses and public bodies. Widespread data sharing between public bodies avoids the need to provide the same information multiple times to different bodies. The implementation of an "ask-once, use-many" approach can help to significantly reduce the administrative burden on citizens and businesses and allow them to avail of higher quality, more efficient and seamless public services on a cross-sectoral basis. For public bodies, data sharing provides efficiency gains and cost savings by reducing manual document checking, removing unnecessary registration processes and providing more and better data for control activities. Sharing of data also supports better evidence-based policy analysis and policy making and improved service planning and design. This challenge is not unique to Ireland, as I have demonstrated earlier, and is recognised and being addressed across Europe.

In a digitally dominated age, it is important for Ireland to retain its place as an EC exemplar and leader. The governance provisions in the Bill and enhanced data management arrangements will give data subjects greater confidence that data concerning them is being managed and shared in a responsible manner and in compliance with national and EU data protection law. Publication of data sharing agreements will also ensure transparency of data held and shared by public bodies. The Bill will help public bodies comply with data protection requirements under national and EU law. I hope my opening statement has been helpful. We are happy to listen to the committee's views and answer any questions.

Gerry Horkan (Fianna Fail):

Mr. Sunderland might like to make his opening remarks now.

Mr. Dale Sunderland:

I thank the Vice Chairman and members of the committee for the opportunity to meet to discuss the provisions of the general scheme of the data sharing and governance Bill. I am Dale Sunderland, deputy commissioner with responsibility for the consultation function of the data protection authority. My colleague, assistant commissioner Cathal Ryan, is the office's head of consultation for the public sector and health. The Data Protection Commissioner, DPC, recognises the intended benefits of the proposed Bill and is supportive of the aim of developing more efficient and customer-centric public services. We accept, therefore, the rationale for the proposed Bill in so far as it will provide a legal framework for public sector authorities to carry out the requisite analysis and balancing tests that respect the fundamental EU right of individuals to have their personal data protected. The proposed legal framework should have the benefit of providing confidence to all public sector bodies to explore and carry out legitimate data sharing opportunities.

Of itself, the sharing of data is neither good nor bad. Quite clearly, it can have benefits in some cases for the public in not having to supply the same information multiple times. In other cases, however, data sharing can lead to public bodies holding excessive and unnecessary data on individuals. In contemplating data sharing initiatives, it is important to start out with the understanding that Government does not represent one data controller under data protection law. Each Government Department has its own individual responsibilities under the law. Sharing of data between public bodies may only occur where it is provided for by law and the core data protection principles of purpose limitation and transparency, in particular, to the public are met. This fundamental principle of data protection compliance has been underscored by the ruling of the ECJ in the Bara case. Therefore, it must be clearly understood that the general scheme of the Bill before the committee cannot create a new legal basis for sharing data in any given case that does not otherwise exist. Instead, the Bill seeks to provide a process for public sector managers to assess whether sharing can lawfully occur in respect of purpose limitation and transparency and with appropriate safeguards. It is the assessment process in the proposed Bill that is key and the outcome of that assessment will dictate if sharing of data can occur and on what basis it can occur.

I emphasise that legislation on its own is not sufficient to prevail over data protection law in light of its status in the European Charter of Fundamental Rights. In accordance with the jurisprudence of the European Court of Justice, each data sharing arrangement envisaged under this Bill will require a careful balancing test to justify why the right to data protection must cede, in a proportionate manner, to the legitimate interests of the public body concerned. While the DPC welcomes the safeguards set out in the proposed Bill, we believe it would benefit from the addition of further provisions underpinning the responsibilities of public sector bodies in carrying out adequate and robust data protection assessments. The Bill would benefit from the inclusion of a requirement for a statutory instrument to legally underpin each data sharing arrangement in addition to the memorandum of understanding. This would provide public bodies with the additional legal and administrative certainty to pursue legitimate sharing of personal data within a framework that provides for the proper data protection assessments to be undertaken and the necessary safeguards applied. While we welcome the provisions of the Bill to provide for screening tests and privacy impact assessments, we recommend in the interests of transparency to the public a provision in the Bill for the publication of the results of any screening assessment or privacy impact assessment.

While it is our understanding that the Bill is not intended to provide a legal basis for large structural data sharing Government projects, which would still need specific primary legislation, the general scheme is not sufficiently clear in this regard. We recommend that provisions be included to clarify the scope of the legislation and the data sharing arrangements to which it will apply. For the avoidance of any doubt, we also recommend that further clarity be provided on the agencies and bodies that will fall under the scope of the Bill. The Bill must also comply with the new general data protection regulation which comes into effect on 25 May 2018 as well as being consistent with the general scheme of the data protection Bill as published last week by the Tánaiste and Minister for Justice and Equality. There may be further amendments our office suggests as the drafting continues. We are quite happy to share further detailed proposed amendments with the committee if that would be helpful.

In summary, the DPC accepts the rationale of the general scheme to support lawful sharing of personal data where justified. I acknowledge the Department of Public Expenditure and Reform's open and engaged approach with our office in seeking our observations on the proposed Bill. We commend the Department on undertaking a public consultation to inform the drafting of the Bill. As I have outlined, we believe further enhancements are necessary so that the Bill will achieve its intended objective by providing a robust legal framework whereby public sector bodies have the authority and clarity to confidently engage in legitimate data sharing initiatives. I thank the Chairman and committee members. I am happy to answer any questions.

Mr. Seamus Carroll:

I thank the Chairman and the committee for the opportunity to attend and participate in discussions on the data sharing and governance Bill. I am Seamus Carroll from the Department of Justice and Equality and I am accompanied by Ms Noreen Walsh and Mr. Conor O'Riordan from the civil law reform division of the Department. Reference has already been made by Mr. Lowry and Mr. Sunderland to the general data protection regulation and I will start by saying a few words on it.

Following several years of intense negotiation, agreement was reached in early 2016 on the content of the general data protection regulation, or GDPR. It was published this time last year and will take effect from 25 May 2018. Its purpose is to update and streamline data protection law across the EU. Broadly speaking, the GDPR strengthens the rights of individuals to the protection of their personal data, clarifies the obligations on bodies that process personal data in both the public and private sectors and greatly expands the functions and powers of data protection authorities, including in our case those of the Data Protection Commissioner. These extended powers include a power to impose substantial administrative fines for infringements of data protection law, albeit not generally in the case of public authorities and bodies. Adoption of the GDPR has been accompanied by adoption of a law enforcement directive which contains rules that will govern the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties. This directive must be transposed into national law by May 2018.

While an EU regulation is a directly-applicable legal instrument and does not normally require any national law to give it legal effect within a member state, the GDPR contains a number of provisions which allow member states a limited margin of flexibility.

For example, it recognises that reconciling the right to protection of personal data with the right to freedom of expression and information is a matter for national law. The same applies to reconciliation of the right of access to public documents, in other words freedom of information, with the right to protection of personal data. As Mr. Sunderland has said, the Government approved the drafting of a data protection Bill last week and the draft has now been forwarded to the Joint Committee on Justice and Equality for pre-legislative examination. It is a lengthy text, running to more than 95 sections, and contains provisions which are intended to give further effect to the GDPR in areas in which member states retain some flexibility; transpose the law enforcement directive into national law; and to equip the Data Protection Authority with effective mechanisms and procedural safeguards in order to perform the expanded range of tasks and exercise the enhanced powers set out in the GDPR and the law enforcement directive.

The General Data Protection Regulation, GDPR, emphasises the need for greater transparency in relation to the processing of personal data; Article 5.1(a) provides that personal data must be processed lawfully, fairly and in a transparent manner. Article 26 goes on to provide that where two or more bodies are involved in determining the purposes of processing, they become joint controllers and they are required to determine their responsibilities for compliance with general data protection regulation, GDPR, obligations in a transparent manner.

Provisions in the proposed data sharing and governance Bill will help to promote greater transparency and ensure that individuals are aware of sharing arrangements between public authorities and bodies. This will help to facilitate effective exercise of their data protection rights.

Data processing by public authorities and bodies is normally undertaken on the basis of one of the following: first, processing is necessary for compliance with a legal obligation to which the controller is subject or second, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Article 6.3 of the GDPR requires that this basis must be laid down in EU law or national law. It can be expected that the provisions of the Bill will promote consistency of approach and coherence in respect of data sharing across the entire public sector.

The Bill has been in the drafting process for some time and it contains references to our law, the Data Protection Acts 1988 and 2003. This legislation will be largely overtaken by the GDPR. The text of the Bill will need to be updated to have regard to the text of the GDPR in order to ensure the necessary level of coherence and consistency.

I thank the Chairman and members. The Department of Justice and Equality is available to answer any further questions on the data protection dimension.

Gerry Horkan (Fianna Fail):

I thank Mr. Carroll. I call Deputy Sherlock.

Seán Sherlock (Cork East, Labour):

I thank the individual speakers for their contributions. I wish to question Mr. Sunderland on his submission. If I am reading between the lines correctly, there is a sense that there is a great deal more work to be done on the Bill before the Office of the Data Commissioner is satisfied that it passes muster. Is Mr. Sunderland confident that the issues he flagged are being dealt with at present? If so, how and what is the level of engagement around the issues he is talking about?

In the course of his address Mr. Sunderland stated, "It is our understanding that the Bill is not intended to provide a legal basis for large structural government projects which would still need specific primary legislation provision for any data-sharing that would be required". Will he elaborate on this? He also states, "We would also expect to see significantly more detail to provide clarity in terms of how the governance ... and security arrangements ... are to be dealt with". Will he also elaborate on this and give us a sense of where or how his concerns or flagged issues are being dealt with?

Mr. Dale Sunderland:

I thank the Deputy. We have had very good engagement with the Department of Justice and Equality, as I mentioned already on the drafting of the heads of this Bill. We are quite certain that engagement will continue and the Department has very positively received all of our views to date.

As I said at the outset, this Bill is about giving certainty, clarity and confidence to public sector managers and public sector policy makers to actually engage in data sharing, but it does not address some of the issues that are required under the data protection law, such as the lawful basis for sharing information in the first place, the transparency requirements and the data minimisation requirement that one only shares as much data as is required. They will always need a legal basis but also a proper assessment, and that will be in part carried out by a privacy impact assessment. The issues we have raised and suggested we believe will enhance and underpin the clarity and certainty that is required; for example, a statutory instrument proposal will give that further legal certainty to Departments and agencies that what they are doing is based on a proper legitimate legal basis.

Seán Sherlock (Cork East, Labour):

Is Mr. Sunderland getting traction for that argument?

Mr. Dale Sunderland:

It is not something on which we have had in-depth discussions with the Department yet but we will be talking to officials as the drafting of the Bill continues.

In regard to large structural data sharing projects, an example could be the individual health identifier, where there is sharing of data with the Department of Social Protection and that is set up under primary legislation. That is what we are thinking of, something large-scale in terms of the information to be shared or the national data infrastructure plans. In our view it would need a proper assessment and primary legislation to give it the legal certainty that is required under EU and national law.

Seán Sherlock (Cork East, Labour):

It is interesting that Mr. Sunderland has articulated this point. I speak from the research perspective and specifically in the health space to which Mr. Sunderland referred. I am going a little bit off kilter and am not speaking directly to the legislation here, but I am a great believer in the idea that if we are talking about longitudinal studies and anonymising data and so on, there is a mine of information that could be used effectively for positive societal outcomes, particularly in the area of health. I am trying to understand at present if there is a move or an initiative that would allow for that. We have the unique patient identifiers but is there a mechanism that we can drive in a country that is open and has a very strong research infrastructure, where we can begin to look at data and analyse it and drive positive outcomes?

Mr. Dale Sunderland:

I might refer to Mr. Carroll, who can talk about General Data Protection Regulation, GDPR in provisions that allow for restated views for research purposes. What our office wants to ensure is not to inhibit in any way the sharing of information or we recognise fully, as is set out in European law, that data sharing and processing of personal information is to serve mankind. It is there for good societal reasons. What we are concerned about is that it is done in the right way. That is why we emphasise the importance of doing the proper analysis, the proper privacy impact assessments and the proper balancing tests. If they are properly worked into any project and the proper assessments are worked through, one will make the right decision on whether it is possible to share the data on the existing legal basis or whether a new legislative basis is required and whether that respects EU law.

There is certainly scope to allow issues such as Deputy Sherlock raised to be progressed but from our view what is important is the way in which they are progressed and that the proper assessments are done.

Seán Sherlock (Cork East, Labour):

I appreciate that. The Bill provides for what Mr. Sunderland describes as an unambiguous legal basis for data sharing between public bodies. Can any of the three witnesses articulate exactly what is meant by that? What are the underpinning conditions for an unambiguous legal basis? I have not yet read the legislation as we have not had sight of it. I am taking that on trust. I presume that in order to derive an unambiguous legal basis, one will have to be very prescriptive as to how that is done.

In other words, he will be kicking the tyres to ensure the consumer, whose data are being used, will have the requisite protections built in.

Mr. Dale Sunderland:

Others may have views on it, but from our perspective and as Mr. Carroll mentioned, under the general data protection regulation, GDPR, on a legislative basis in national member states, a Union law is required. It depends on the level of interference with an individual's privacy rights. It may be that if there is a low level of interference, the legislation under which a body is established will be sufficient in processing the data. However, if the level of intrusion is much greater in terms of the protection of an individual's privacy rights, it may be the case that more specific legislation will be required. That is part of the analysis.

It is important to note that the core themes of the new general data protection regulation are accountability and transparency. It is essential that there be transparency for the public and the individual on how their data are being used, the purposes for which they are being used and how they will be kept. That is an essential core aspect of meeting compliance requirements under data protection law. Accountability in an organisation relates to how it meets the requirements under the law. We recommend - it will be an absolutely essential requirement under the GDPR - that every organisation approach its data protection obligations from these two perspectives and ensure it meets the necessary standards.

Seán Sherlock (Cork East, Labour):

Therefore, the underpinning will be in the statutory instrument, if I understood Mr. Sunderland correctly.

Mr. Dale Sunderland:

No.

Seán Sherlock (Cork East, Labour):

Not necessarily.

Mr. Dale Sunderland:

No.

Seán Sherlock (Cork East, Labour):

Mr. Sunderland should correct me if I am wrong.

Mr. Dale Sunderland:

The Bill provides a framework within which sharing can take place. If it is of any use to the committee, my colleague, Mr. Ryan, can outline what else is required to build the case.

Seán Sherlock (Cork East, Labour):

When Mr. Sunderland speaks about the statutory instrument, will he articulate in simple language what it means for each public body? To be honest, I am unclear in my mind.

Mr. Cathal Ryan:

I will take up from what my colleague, Mr. Sunderland, finished. Effectively, the Bill involves the creation of a framework in which to carry out the appropriate assessments under data protection legislation leading to a legal, lawful data sharing arrangement. While the Bill will set out various steps to be taken in a privacy rights impact assessment or a screening assessment to meet transparency requirements by publishing a memorandum of understanding or agreements, we also believe that while it allows for that framework, a statutory instrument should be created to underpin the process. For example, if a privacy rights impact assessment is carried out and shows that the risk cannot be mitigated or that the data protection rights of an individual cannot be ceded in the light of the objectives of a Government body, it cannot go any further, irrespective of the legal basis. That is because one has not shown that the justification has been necessarily proportionate. The Bill creates a framework in which to explore these issues as regards design, analysis and implementation of a data sharing arrangement. The statutory instrument will provide the legal certainty for data managers in being able to act on it in the future.

Seán Sherlock (Cork East, Labour):

Where do the Department of Justice and Equality and Mr. Lowry stand on that issue?

Mr. Seamus Carroll:

As I mentioned in my opening remarks, the GDPR is clear that a legal basis is required. The question, therefore, is what constitutes an adequate legal basis. In section 66 of the Civil Registration Act 2004, for example, entitled, Power of the Ard-Chláraitheoir to give information to others, it is made clear that the Ard-Chláraitheoir, after consultation with the Minister for Social and Family Affairs, can give such information as may be prescribed on births, marriages, civil partnerships, decrees of divorce, decrees of nullity of marriage, decrees of dissolution or decrees of nullity of a civil partnership to the Minister for Defence for the purposes of the administration of schemes under the Defence Forces Pensions Acts or the Army Pensions Acts; to the Minister for the Environment, Heritage and Local Government for the purposes of registration under the Electoral Acts; and to the Minister for Foreign Affairs for the purposes of determining entitlement to a passport, etc. Here, therefore, is an example of a specific legal basis which allows for data sharing. There is something similar in the Social Welfare Consolidation Act 2005 which contains provisions on the sharing of information with other bodies. The data exchange provision, for example, allows the sharing of information with the Minister for Education and Skills.

Seán Sherlock (Cork East, Labour):

If I am reading Mr. Carroll's intervention in a particular way, there is perhaps a suggestion that there are already robust legal mechanisms in place.

Mr. Seamus Carroll:

In certain cases there is a robustness. There are different ways of doing it. This is primary legislation. The possibility of introducing regulations has been mentioned as an alternative and there is now the possibility of there being memoranda of understanding which have been agreed. I assume that the Department of Public Expenditure and Reform has received the necessary legal advice to the effect that this would meet requirements under the GDPR.

Seán Sherlock (Cork East, Labour):

From our perspective as the tribune of the people, we want to ensure - as does Mr. Carroll, I am sure - that the individual consumer, citizen or client will have the protections that are vital and that there will be a strong legal basis underpinning them. It seems, therefore, that there is still a little bit of work to be done in underpinning the robustness of the legislation to protect the consumer, which is fair enough. This meeting has been useful for me personally in understanding the dynamics.

I want to ask one last question about complaints that might be made by a consumer, client or citizen. What protections are built in? Mr. Lowry might wish to answer that question.

Mr. Barry Lowry:

I might perhaps assure the Deputy by outlining some of the layers of governance in this process. As Mr. Sunderland said in his submission, it would be wrong to treat government as a single entity with regard to the GDPR. For its purposes, therefore, each Department should be considered as a single entity. Under the GDPR, each Department is required to establish the role of the data protection officer. Article 39 of the GDPR clearly sets out the responsibilities of the data protection officer. We expect any requirement for data sharing to be closely monitored in terms of its purpose and the amount of data to be shared, as well as the reason for sharing and the period of time for which the data will be held. All of these things will be carefully scrutinised by the data protection officer in any Department. In fact, they will use the instruments set out in the GDPR, such as privacy rights impact assessment and screenings, to inform their judgment. At this point the data sharing may be underpinned by a data sharing agreement. That is the view of the Attorney General's office. For standard, benign purpose data sharing, things that are in line with good e-government such as not asking a citizen to retype information already held will be underpinned by the use of these instruments. The role of the legislation and governance is to ensure compliance. In sensitive areas of data sharing - the Deputy mentioned health care as a primary example where benefits and risks are significant on both sides - specific legislation is planned because the Government recognises its importance in terms of public profiles. We believe there is a governance framework in place and planned that will handle most data sharing requirements without the need for undue bureaucracy and pressure on the system. Equally, it is to be carried out in a transparent, simple and understandable way.

On the second point concerning complaints, the objective is that transparency requirements will mean that data sharing agreements will be published and will be open to challenge.

Obviously individuals have the right to ask not only for the data that any specific public body holds about them, but also with whom the body has been sharing that data. Again, there is a very clear framework, through the Data Protection Commissioner, where complaints can be made, escalated and investigated at an appropriate level.

Rose Conway Walsh (Sinn Fein):

I thank the witnesses for their presentations. It is correct to say that this is neither good nor bad and much will depend on how it is used. I find the way in which data is used in this country quite fascinating. I welcome anything that will protect the citizen. The citizen is looking for transparency, simplicity and confidence in the system. I welcome the fact that data sharing agreements will be published.

In terms of the original base register, people's main concern is about what information is held on them and whether that information is accurate and up to date. In that context, is this framework going to reassure people that the information held on them is accurate and updated? Is there going to be different data held by different Departments? Let us take the Department of Health as an example. One of the greatest bugbears for anyone who has ever attended a hospital is the fact that one is asked 20 times for the same information, over and over again. Is there anything in this framework that will stop that from happening?

Mr. Barry Lowry:

The framework is very much designed to prevent that type of thing from happening. In assessing how Government, Departments and public bodies currently deal with citizen data, I would not use the term "bad" but I would use the phrase "could do better". The role of this legislation and specifically the governance around it, is to help in the journey of getting to a much better place. Through the national e-government strategy, which will be published next month, the vision is a single place that anyone can go to and find out the data held by a body, what that data has been used for and with whom it has been shared. The individual will also be able to either correct the data, ask for it to be removed or no longer used, or challenge its use. Obviously, with the investment the State has made in the systems that it has, this will not be available overnight but we will start to develop processes and mechanisms through the governance associated with this Bill, to start to deliver that over a period of time. The vision is very much that government will use data appropriately for the citizen's benefit and absolutely have checks and balances in place to make sure that the data is not used inappropriately and not retained any longer than necessary.

Rose Conway Walsh (Sinn Fein):

The success of this framework will depend on its implementation and the resources that are attached to it. The compatibility of the information management and IT systems will be crucial and if there is not a coinciding investment in upgrading and protecting all of that from cyber attacks and so forth, then this in itself will not mean anything to the citizen. Are there many complaints about breaches of data protection in the system at the moment?

Mr. Barry Lowry:

They would be addressed by Departments and obviously such complaints are referred to the Data Protection Commissioner. I guess the answer is "too many" because any complaints at all are too many. That said, as a percentage of the number of transactions, the number of complaints would be relatively low. In terms of the Senator's previous point, one must consider the investment that the State has made in setting up the Office of the Data Protection Commissioner. Government has also set up a cross-departmental body chaired by the Minister of State, Deputy Dara Murphy, which has been tasked with trying to accelerate good data protection at departmental level and across all organisations in the State.

One must also consider the investment the State has made in the public service card and the MyGovID initiative, which was launched by the Minister for Public Expenditure and Reform, Deputy Donohoe, and the Minister for Social Protection, Deputy Varadkar, a month ago. The key principle behind this is that the worst possible scenario would be if I asked for data about me but was given data about somebody else. The whole robustness behind MyGovID, the public service card and the SAFE process is to absolutely provide assurance to citizens that their data will not be erroneously provided to someone else who has similar data but not a full data match. Huge investment is being made by all Departments and across Government to try to not only provide these assurances, but to also provide robust audit processes so that we know that we are doing the best that we can and are checking constantly that we are getting the positive outcomes from that work.

Rose Conway Walsh (Sinn Fein):

As late as last week I had a case involving the Revenue Commissioners where information relating to one individual was attached to another individual's file and the latter was sent a bill in error. Such things are happening all of the time and that is why this legislation is so urgent.

Let us take the example of a local authority where hundreds of emails from public representatives are being read by the chief executive or some other senior manager. What sanctions are in place to deal with that type of behaviour? If an audit is done and that information is uncovered, what happens?

Mr. Barry Lowry:

Each organisation will have procedures in place with regard to ensuring that only the appropriate people within that organisation are entitled to see certain pieces of information. I am not well placed to talk about a local authority specifically, but I will use the example of the Department of Social Protection. That Department has had procedures in place for many years to ensure that people cannot browse welfare records just to see what their neighbours, friends or relatives are getting and there are very clear disciplinary rules and regulations that underpin that. The State has had those in place for some time and they will continue to be there and will be enhanced. That provides a level of assurance but the Senator is quite right, in that errors do happen and they are invariably human errors. There has been a lot of investment made in training and so on to ensure that people are aware, as State employees, of their individual obligations under the Act, of what they are supposed to do and what they are absolutely not supposed to do.

Rose Conway Walsh (Sinn Fein):

When Mr. Lowry refers to the disciplinary process, is he speaking of the disciplinary process within the organisation or Department?

Mr. Barry Lowry:

Yes, within the Department-----

Rose Conway Walsh (Sinn Fein):

Are there criminal sanctions for such behaviour?

Mr. Barry Lowry:

I do not know whether criminal sanctions would be employed in that particular case but I know that the disciplinary measures can go as far as fining, demotion or even being sacked, if that is appropriate. They have their internal review processes, depending on the breach involved.

Rose Conway Walsh (Sinn Fein):

Does Mr. Lowry think that might be a gap, the fact that there are no criminal sanctions for such behaviour? There are no penalties included in this draft legislation either.

Mr. Barry Lowry:

This legislation would not address a specific departmental matter. Obviously, the general data protection regulation, GDPR, will address organisational deficiencies if they are found out. The GDPR is very strong on penalties. As Mr. Carroll said, it approaches the private and public sectors slightly differently in terms of penalties, but the GDPR looks at the organisational role in good data stewardship.

Individual organisations such as the Department of Social Protection and Revenue will and have always had procedures and disciplines in place and so on for individual responsibilities within that system.

Rose Conway Walsh (Sinn Fein):

I have two final short questions. With regard to the discretionary powers that this draft legislation affords to the Minister to introduce changes via secondary legislation, we do not know how any given Minister might use those discretionary powers for legislation. Is that something that would concern the Department?

Mr. Barry Lowry:

It is a very good question because our Minister gave a similar response in that it is important that checks and balances are in place to ensure that Ministers behave appropriately. Obviously, the whole governance model and the ability to challenge under GDPR makes sure that there are appropriate checks and balances in place at State level, individual Department level or indeed public and private sector level. The governance role is very much there to show full compliance with the GDPR. It is not there to supersede or to try to act in tension with GDPR. It would be inappropriate if it was.

Rose Conway Walsh (Sinn Fein):

In terms of private institutions, the sharing of data with financial institutions, Revenue, the Department of Social Welfare and all that, will this Bill impact on that or is there sufficient sharing there already?

Mr. Barry Lowry:

Individual Departments would look specifically at the purposes of those types of bodies in the role of data sharing. For example, if one looks at the Department of Agriculture, the role of agents in certain dealings with the Department has long since been established. Departments' specific legislation will take care of requirements for data sharing with agents and the permissions that need to be given by the individual and so on. This legislation would not get into that level of detail. As Mr. Sunderland said, there is an expectation that there would be specific legislation for that level of sharing.

Rose Conway Walsh (Sinn Fein):

Internationally, do we share data with Britain and America?

Mr. Barry Lowry:

As far as I am aware, we do not specifically share data repeatedly with America. The concerns about America were that some organisations have been using commercial data centres and those data centres have backed up to America and so on. Any of those companies are fully bound by European law. Therefore, the expectations of the stewardship of that data are exactly the same regardless of whether it is actually held in a state anywhere in the European Union or outside the boundaries of the European Union.

Gerry Horkan (Fianna Fail):

I have a few points myself. This is quite technical and not necessarily information that is going to hit the front page of any newspaper, initially at least. Could the witness outline a real-life situation that this particular legislation is going to change and compare what is happening now with what will happen if and when this legislation is passed, or is the legislation just a general kind of tidying up of what is already happening?

Mr. Barry Lowry:

There are elements of it that are tidying up what is already happening. To give a specific example, when we did the customer survey for the Department of Public Expenditure and Reform that I referred to in my opening submission, one of the frustrations that really came across was that the public does not like being asked for data that we have already collected from them. If someone is applying for his or her first driving licence after he or she has applied for a first passport, we already know all the data about the person. For us to populate fields, etc., on the person's behalf is simply good government. Many of the European initiatives are very much aimed at governments making that happen. That would be an example of where we would put in place the mechanisms in order that if an individual provides us with obvious data about name, address, marital status and so on, we will reuse that information. The other really important part of the legislation is to ensure that no one Department can hold data that is not required for the purposes of their business. For example, sexual orientation is a piece of data that only very specific bodies would be entitled to hold and use. The legislation provides a framework where data like that would simply not be used and not be shared.

Deputy John McGuinness resumed the Chair.

Gerry Horkan (Fianna Fail):

It only relates to the public sector. Is that correct? Is that the public sector in its broadest meaning or more narrow meaning? Does that include Irish Water, the ESB and other 100% State-owned entities? The ESB is obviously a commercial semi-State company. We are not sure exactly what Irish Water is at the moment, but it is probably neither one nor the other. Is it in or out of this? For example, one could understand the TV licence body wanting data. I think it is able to get it already from cable companies, Sky and so on to work out if a house has a television service subscription and whether there is a requirement to have a TV licence. Cross-matching there would make sense, but is it covered by this arrangement or is it purely public sector related?

Ms Evelyn O'Connor:

We have set out a general definition of what is covered in the draft Bill. The Senator is correct. It is quite a wide definition of public bodies. We have also set out in a schedule to the general scheme the list of commercial State bodies. They will be exempt from the Bill. That is what is proposed-----

Gerry Horkan (Fianna Fail):

They cannot use the provisions of the Bill.

Ms Evelyn O'Connor:

No. They have their own legislation in place as regards the information that they are allowed to share at present.

Gerry Horkan (Fianna Fail):

So making sure that everyone whose car is taxed also has car insurance and vice versa is not affected by this Bill, but there is other legislation covering those kinds of schemes in the first place.

In terms of access to data, there is FOI on one side and data protection on the other. In terms of data, we are all concerned about garbage in, garbage out. At the moment, almost a million random breath tests that never happened have appeared on a system. That is something that would frighten many ordinary members of the public as to whether they can rely on the systems. Unfortunately, the systems have been letting us down in terms of giving the ordinary public that we represent confidence in knowing what is there. The witness is saying that there will now be a system by which anybody can access their own information in the broader sense more than they ever could before. With a PPS number and a password I could see what the Department of Health, the Department of Transport, Tourism and Sport or the Revenue Commissioners have on me. Is that a part of the overall strategy?

Mr. Barry Lowry:

Yes, that is what is envisaged. That is obviously a requirement under GDPR as well. In delivering those services, we are basically aligning ourselves with the requirements of the legislation. There is also the issue that goes back to the first example I gave of actually being a good government and providing good government services. To provide good government services, if someone tells one State agency that he or she has changed address and forgets to tell another agency, we should know that information and should be able to automatically update that address in all of our records. That is where the legislation will help to start to encourage data-sharing where appropriate. There are obvious areas in which we can share to the benefit of the public data that is not contentious and would not cause concerns by being shared. The Senator gave a few examples earlier in which there would be a strong argument for the sharing of data. Those are specific areas that would need to be looked at and legislation enacted to allow that data-sharing to take place.

Gerry Horkan (Fianna Fail):

This may be a question for the Data Protection Commissioner or perhaps for Mr. Lowry. I am not sure. It is regarding audit trails and the track being kept of what everyone is looking at and inputting.

Is that all included in the legislation? It emerged when somebody won €120 million or whatever it was in the EuroMillions lotto that approximately 70 people in the Revenue Commissioners decided to investigate the individual just because he or she had become interesting. It would frighten most people to hear their next-door neighbour who happens to work in a particular part of the public service or down the road is checking to see who they are, what age they are, what is in their bank account and the tax they paid. These data are relevant to certain people, but not to everybody. People expect to have a right to privacy. Are there controls in place? If there are audit trails being planned, will they be monitored? Much of the activity might be recorded but may never be flagged or examined. Are flags supposed to appear on the system if an employee who generally works in a certain area suddenly starts looking at information that has nothing to do with him? Will it be asked why this is happening? Is that all built into this or not?

Mr. Dale Sunderland:

Under data protection law, there are very onerous obligations on data controllers to protect and use information in accordance with the law. This is about protecting all of our personal information so it is not used in inappropriate ways. In any organisation, it must be ensured that anyone who accesses data has a legitimate reason for doing so. Looking up information about somebody because they have won the lotto or to see who they are would certainly be inappropriate.

Senator Conway-Walsh referred to outcomes, implications and the Department of Social Protection. We have initiated a number of investigations into private investigators inappropriately and unlawfully accessing data about individuals from the Garda Síochána and the Department of Social Protection, in particular. We have taken a number of successful prosecutions. We understand, however, a number of persons in the Department were dismissed. One, in particular, was dismissed from her post because of her gaining inappropriate access to personal data. This is about protecting individuals. We want to ensure legitimate data-sharing can take place, however.

To return to a point I made earlier, every public sector body is a data controller in its own right. If Department A collects information for a particular purpose, it cannot share that, without a lawful basis, with Department B unless there is approximate use. If it is shared for a reason that is in no way related to the reason for which it was originally collected, it may not be shared automatically. There would need to be a proper, lawful and legal basis for that to happen.

While we want to facilitate legitimate data-sharing, it is very important that the principles and requirements of data protection law be met. For example, the data must be accurate. A concept known as the "digital footprint" or "digital shadow" is now being built up. That will potentially be built up through data-sharing. What the Government knows about one is not absolutely accurate in respect of one's individual circumstances. If one Department shares information with another that is not correct or accurate, thus affecting an application for a grant, for example, it could have implications for the individual. That is why we are really emphasising that this Bill will provide the legal mechanism to allow for the sharing of information, but in accordance with all the proper data-protection impact assessments and the law, as in making sure one transfers only information that is relevant and accurate and not providing information to another Government body that one has no lawful reason to share. These principles are very important and must be adhered to under the data protection Acts.

Mr. Seamus Carroll:

I was going to respond to Senator Horkan's question on whether anything will change. It is true that individuals already have data-protection rights and that the Office of the Data Protection Commissioner has certain remedies. The GDPR, however, strengthens the rights of individuals. It also strengthens the range of remedies of the Office of the Data Protection Commissioner. If an individual wants to exercise his data subject right at the moment and wants to find out whether a particular body has his personal data and what it is doing with it, he may apply to the relevant agency or Department and it will tell one. It will not necessarily tell one, however, that it has shared that information with another Department. One is actually obtaining information on the processing that has taken place in the first Department but not necessarily on where the data has been shared. This legislation will make it transparent, through these memoranda, that the data have been shared. On the basis of that information, one may go to the other Department or agency and exercise one's rights. This will be very important in bringing about increased transparency so individuals can exercise their data-protection rights against all the agencies that are processing their personal data.

Gerry Horkan (Fianna Fail):

Do they still need to go to individual Departments? It is data-sharing but is there a suggestion that there will be a central database to which the Department of Transport, Tourism and Sport will have access to parts and the Department of Health to other parts, for example? Are we still talking about 20 different databases with my address in each? If one is updated, are those responsible for the other 19 supposed to check whether information has been changed so they may update theirs? What will be the actual impact?

Mr. Barry Lowry:

As I stated earlier, this is a road to improvement and the Bill is just one step on that road. The State has invested a lot of money in legacy systems so we cannot just replace those systems overnight. It would not represent the best use of public money if we did. The role of governance, particularly as outlined in this Bill, is to start the process. First, it is a question of our having procedures in place for doing the things that public bodies need to do. In other words, it is a matter of making sure the data are accurate and that data changed in one area are updated in others. Ultimately, we would like to have electronic connectivity of databases so master records would be held in one area from which agencies would pull data, as appropriate, in order to use them for the purpose for which they are set up. That would be a significant improvement. As I said earlier, one of our immediate objectives under the eGovernment strategy is to create a portal where citizens can, at least, start an easier process of engaging with the public bodies that will hold their data and more easily find out how these bodies connect up. As Mr. Carroll stated, data-sharing agreements will be published so it will be easy for an existing customer of the Department of Social Protection to check the State bodies with which that Department has shared data and then inquire of those bodies as to whether they actually have data on him or her.

Gerry Horkan (Fianna Fail):

Mr. Sunderland was talking about the obligations of data controllers and organisations that hold data. Most of us realise these regulations exist. Is it required that every single user of data on a system must have his or her own audit trail based on what he or she looks at? One hears of passwords being shared and of people being able to access data on general terminals. Is everybody protected in this regard? If my account is being examined, is there an audit trail indicating everybody who has examined it? Are there checks so people in Limerick cannot look at data related to people in Donegal unless they have a particular reason for it? Are there flags and checks in the system such that every employee using the public service databases, in their various locations, can log in individually and that there will be a record of their updates, activity and amendments they make? Is this all being recorded? If it had been recorded in the case of some of the circumstances we are now talking about, we would have a record of the 937,000 tests, who inputted them and where the base data came from. Do we have the safeguards in place? Will we have them if they are not in place already?

Mr. Dale Sunderland:

The Senator raised a very important point indicating what good practice means. It would be a demonstration of how a data controller would meet its obligations. We in the Office of the Data Protection Commissioner do not necessarily set precise obligations because the law is principle based and there are general high-level obligations on data controllers. The onus is on each individual organisation to work out what systems, governance measures, protections and audit trails it needs to make sure it meets all its data-protection obligations. What the Senator is talking about is certainly an example of good practice, and we would certainly advocate that every organisation be able to demonstrate to us how it protects data and prevents unauthorised accessing of information by its employees where they have no grounds for doing so.

Gerry Horkan (Fianna Fail):

Is the witness satisfied that this is the case in the bulk of the public sector or are there still significant flaws whereby people do not have to use an individual identifier to gain access to systems or no record is being kept of the updates made by individuals on people's files? Is there much work still to be done or are we there or thereabouts? Clearly, if nobody can tell us where these almost 1 million breath tests came from, there must have been no audit trail of who inputted them.

Mr. Dale Sunderland:

Obviously, our focus has been on personal data but it is our understanding, from what we see through our audit work, that there is an emphasis within public bodies on the need to have these systems in place. Many of them are not there yet but big Departments such as the Revenue Commissioners and the Department of Social Protection have been very active in this area in recent years. I outlined earlier the example of information being illegally shared with a private investigator. That is inappropriate and should never happen-----

Gerry Horkan (Fianna Fail):

Sorry to intervene, but the witness was able to find out who in the Department had been doing it-----

Mr. Dale Sunderland:

The Department was able-----

Gerry Horkan (Fianna Fail):

-----based on the private investigator's information. It had to come from somebody and the Office of the Data Commissioner could look at that person's file and see who had accessed it inappropriately.

Mr. Dale Sunderland:

The people were identified through the different investigative measures we undertake. However, there is a requirement in data protection law that if something is not compliant it must be put into compliance. Being able to see what went wrong after the fact is absolutely essential to ensuring the preventative measures are in place to ensure it does not happen again in the future.

Gerry Horkan (Fianna Fail):

Perhaps I can address the same topic to the representatives of the Department responsible for reform of the public service. Is this type of system in place in most parts of the public service or are there still significant parts of the public service where material is being input without a record being kept of who is inputting it or of who is accessing what?

Mr. Barry Lowry:

I cannot speak for every public service system, but I have been designing IT systems for more years than I care to remember. The obligation from day one was that key systems, especially systems that dealt with sensitive or public data, had audit trails within them whereby it was possible to produce reports on who had input which information. I expect that most of the high profile, sensitive systems that power the State have similar measures in place. Certainly in the examples we discussed earlier the computer systems and the audit trails of those systems played a big part in identifying individuals who made errors. That is what one would expect of a computer system. All high profile computer systems are subject to various programmes of audit, and one of the key objectives of an audit is to assess the risk of data breach or data misuse.

Gerry Horkan (Fianna Fail):

With regard to the role of the witness and his Department, has an analysis been carried out of public service data structures to ensure they are models of best practice for the future? I do not wish to labour the point about the 1 million breath tests but I still do not understand how somebody somewhere or many people all over the place were putting these non-existent records into these systems, effectively making them up as we are told. They did not just arrive by accident. They got into the system in some way and there must be a record of how they got there. If there is none, how could there not be?

Mr. Barry Lowry:

In that case I expect the investigation will discover exactly what happened. I am sure the role of the computer system will be investigated and if there are weaknesses in the system they will be fixed. In terms of what the Office of the Government Chief Information Officer, CIO, is doing, we are working with the Departments to compile a list of systems that will require verified public identifiers. We are developing timelines for how those systems will start to use the MyGovID, the SAFE process, the public service card process and so forth, because that is the most robust means available to the State to ensure that somebody online who claims to be a person is actually that person. It is important that we use those systems. However, that is a considerable improvement step from where we are today, and I am not saying that where we are today is not a reasonable position.

Gerry Horkan (Fianna Fail):

When is it anticipated that the public will be able to use these systems, subject to the legislation being passed? Is it far into the future? Being able to access this means I could look at the Department of Transport, Tourism and Sport or the Department of Health online and see what they are saying about me or my circumstances.

Mr. Barry Lowry:

In May 2018, the Departments will be obliged to provide the data. They will establish means to do that through their departmental procedures. We are proposing to make the process much simpler for the citizen to enable them to go to one place and find out the data that is being held about them. We will start to build that up incrementally and the work we are doing with MyGovID is part of that process.

Gerry Horkan (Fianna Fail):

I thank the witnesses for the efforts they are putting into this and I look forward to the legislation being implemented for the benefit of all of us.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

I have a different point of view. I believe you have too much information. It concerns me greatly that the State is collecting and sharing information, given what I know about what is generally described as a failure of the system or systemic failures whereby people are able to access information they should not be able to access. It also concerns me given the example of Tusla. I am not asking you to comment on an individual case but on the general case. It is shocking that what we discovered Tusla had on file about individuals - not just one but a number of individuals - was totally concocted. Were it not for a mistake being made which led to the individual seeing this information, those who knew about the information could have considered that he or she was a criminal. I worry, therefore, about the amount of information that the State has on individuals, to be honest. I particularly worry about agencies such as Tusla, because nowadays anybody can access all sorts of information about an individual. If the State collects it in an organised fashion, I do not believe it should have the information unless it has robust audit trails and IT systems. It concerns me greatly. I have seen some of the files that were created, obviously deliberately, where the individual did not even know they existed.

The other issue is the action that is taken as a result of the discovery of information. I will give a comparison and use my experiences with the Data Commissioner in two cases. One concerned the HSE and public access to files relating to people's medical records and so forth. I made a complaint to the Garda and I made a complaint to the Data Commissioner. I have not heard anything back since. When that loose, hard copy information about patients' records was available for the public to see I did not see the type of concern I would have expected. In comparison, the reaction of the Data Commissioner to using your database at election time, which is a concern for all of us, would be over the top in my opinion. I respect people's privacy. I am simply making the point that there is an imbalance in terms of how the State reacts to different things that happen. It is easy to act or react in a public way against a Member of the House, because we all scurry around the place trying to ensure that what we do is within the law, yet what happens in respect of bigger issues such as the Tusla files, the HSE files or other information relating to breath tests and so forth? We do not know. Gathering and sharing information is a very sensitive area.

I am not convinced we have the type of robust IT systems or understanding required to police it, if this legislation is passed.

Mr. Barry Lowry:

To reiterate, this legislation is essential to address the Chairman's concerns; it should not increase them. If we look at the GDPR itself, one of the reasons it became such a priority at European level was the concerns, not only about State bodies but about organisations such as Facebook, LinkedIn and Twitter, and statements regarding what they were doing with people's data. The State should not be given any more privilege than those companies to do things that are inappropriate. This legislation very much aligns with the GDPR. The Chairman is correct that bodies hold too much data and one of the key parts of this legislation is to ensure that bodies do not hold data that they do not need to hold. It is to ensure that the data they do hold is accurate, that there are means for the data owner, the citizen, to check that it is accurate and that there are means for it to be challenged if the subject feels it is being used for inappropriate purposes.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

The point I am making is that the data, the information, is already collected. As Mr. Lowry says, there is already extensive information within Departments or agencies about individuals. There is also misinformation, or incorrect information, created within organisations and agencies about individuals. I do not know who has information about me and I can name the individuals who are concerned about Tusla and say they did not know the information existed - the wrong information, the misinformation - they did not know it. That information was shared. If one is sharing information, who is the person inside the Civil Service who will decide that does not seem to be correct information? One could be sharing information that might look relevant, because it tells a particular story, but could be totally irrelevant because it is untrue and the person out there does not know. It is down to human beings in there, using these systems, some being nosy or inquisitive, and wanting to know about their neighbour and some deliberately creating files that can damage individuals, but what if they do not know that they are there? That is the case.

Mr. Dale Sunderland:

The Chairman has raised very serious and legitimate concerns which we in the Office of the Data Commissioner equally share. While I do not want to say too much about Tusla, we are conducting an examination of the systemic processing of personal data in Tusla within the organisation itself and with other data bodies or organisations. That is an important piece of work which we have initiated and is under way.

On the HSE and access to files in public areas, in hospitals by both doctors, patients or individuals, we have initiated an investigation across the hospital sector into how personal information is handled within the hospital setting.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

Across the board.

Mr. Dale Sunderland:

Absolutely, and our special investigations unit is leading on that process at the moment. It started earlier this year. We do take these things very seriously.

Also, while we understand, as does EU law, that there is a need for legitimate data sharing and data processing, we believe there is much greater need for transparency about what is happening at the moment. A fundamental part of data protection law is that the individual is fully aware of what data bodies hold about them, how they are using it, how they are protecting it and we are not convinced there is enough transparency into how Government itself is sharing data and for what purpose it is being used. This is a matter which we have raised with the Department and with the Department of Social Protection in particular, in relation to PPSN and the public services card. We believe much greater clarity needs to be provided to the public about how their data is being used across the Government sector. We are engaging with them on that matter at the moment.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

I would ask that before that legislation is introduced that the Office of the Data Commission should look at, for example, the Members of this House and how they control the data they have. I will use my own situation as an example. I was elected in 1997 and now have 15,000 files, not created randomly, but created by people who gave us their birth certificates, wills, medical circumstances, the whole lot, and they are there in hard or soft copy on files. The Data Commissioner is asking individuals like me to come to that high standard that it is talking about. We operate a standard, it is moving to a different standard and there is no recognition of the cost necessary to get to that standard and comply with what is going on. There is a need for anyone creating this kind of legislation to understand the agencies or the individuals it is dealing with to assist them to have the appropriate storage and appropriate command of the data it holds. That is essential. As much as I think it is important for people within agencies to have access to information, to access it on a professional basis only and not merely to nose around, because one gets that.

Mr. Seamus Carroll:

To refer back to a point made earlier by Mr. Lowry, which may have been before the Chairman arrived, there is an obligation under the general data protection regulation for all public authorities and bodies to designate a data protection officer. There will be an officer at a fairly high level in the organisation whose task is to focus on the data protection obligations and accommodate the exercise of rights by individuals vis-à-vis that organisation. The regulation goes into a lot of detail on the qualities required. It says that "the data protection officer shall be designated on the basis of professional qualities, and in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the data protection officer". It goes into quite a lot of detail about what the tasks of the data protection officer would be and one is to inform and advise the controller or processor and the employees who carry out processing of their obligations under the regulation and under other EU and member state law in regard to data protection. It goes on to emphasise the independence of this particular individual within the organisation. It says that the controller or the processor - that is the public body - shall ensure that the data protection officer does not receive any instructions regarding the exercise of the tasks. He or she shall not be dismissed or penalised by the agency for performing his or her tasks, and then, crucially, "the data protection officer shall directly report to the highest management level within the organisation". The data protection officer will not be reporting up through his line manager in a hierarchical structure in future, but will report directly to the highest level within the organisation.

Why have all these provisions been put in place? It is because there is a perception, not only in Ireland, that when it comes to public authorities and bodies there is need for further reassurance that data being held is being processed properly and used only for the purposes for which it is intended. I return to the point I made earlier on this Bill: it will improve transparency because if an organisation is sharing personal data with another organisation, now for the first time it will be clear from these memorandums agreed between the bodies what information is being shared, and that will facilitate the exercise by individuals of their rights vis-à-vis these public bodies.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

I do not question that Mr. Carroll wants to get this right but take the example he has given where the data protection officer reports to the highest level. The risk managers in banks have legal obligations. They report to the highest level in the banks and thereafter to the Central Bank.

If they had all been doing their jobs, we would not have had the crash. It is fine to define it in legislation, but when it comes down to organisations and people, the system has to be strict in how a person interprets what it is attempting to achieve. One also has to take into account the size of agencies and operations. I am a public representative and the data specialist in my organisation. I report to myself and I am subject to the Data Protection Commissioner. That is what is happening in the country. We are creating wonderful agencies and introducing legislation without giving consideration to what actually happens in some of the entities that are lower in the pecking order than a well placed company or agency. I invite the delegates to come and spend a week in my office to see at first hand the information we have available and then tell me what they would do with it. I ask them to consider accepting that invitation.

Mr. Dale Sunderland:

We would be more than happy to meet the Chairman. I will try to provide some reassurance, if I can. While we are obliged to implement the law as it is - it will now be a directly effective regulation - it is a risk-based law. Therefore, we approach our work in terms of determining where the biggest issues are in terms of systemic risk and the largest volumes of data processing and data sharing. We will continue to allocate our resources accordingly. We are interested in dealing with the areas which involve the greatest risk. There are, nevertheless, obligations on everyone who collects data to be compliant with the law. However, the obligations should be much more straightforward and less onerous in low-risk data processing. Our office is trying to get the balance right in that respect. We emphasise and focus our resources and efforts on the areas which involve the greatest risk. I am not sure if that provides the Chairman with any reassurance, but it is something of which we are conscious. We are trying to improve how we do our work and carry out our regulatory functions.

Mr. Cathal Ryan:

I will add to that, as it might be of assistance to the Chairman. Under the current law on data protection such as, for example, security purposes, it is up to the data controller to choose the level of security that is appropriate to the data he or she is processing. Among the factors to be included are the resources that can be used to protect data. A lot of it is subjective. Organisations need to consider the resources they have to protect data. They must also consider the nature of the data they collect. Certain data will involve no detriment for an individual if left on top of a car and found, whereas other pieces would. Organisations may need proper security measures to protect certain sensitive data rather than for general data that involve no detriment for an individual. What we are trying to achieve in the office is to have a pragmatic common-sense approach. A recent Latvian case contained a preliminary reference to the European Court of Justice and the Advocate General, in its opinion which is not legally binding, started to discuss the common-sense approach to data protection. There is a recognition at European level and in our office of the application of a common-sense approach and understanding the resources the data controller has available in order to meet his or her obligations under the Data Protection Acts and the GDPR when the system goes live in May 2018.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

It is nice to hear of a common-sense approach. We are short of it in this House.

Ms Evelyn O'Connor:

Mr. Carroll has outlined the data sharing agreements and how they are quite specific in respect of the information held, the purposes for which it may be used and that they will, of course, be published. Organisations must be able to collect data as part of their functions. The Bill will allow the sharing of such data only where an organisation complies with data protection law and the GDPR. That means that the data an organisation holds and shares must be relevant, proportionate and so on. All of the security provisions about which the Data Protection Commissioner has talked will be relevant. We need to improve public services. Before the Chairman came to the meeting, Mr. Lowry outlined the findings of a customer survey which found that a very high proportion of the public wanted to see improvements in public services and were happy to have data shared online. They will be allowed certain rights and to make complaints. The GDPR and the need for public bodies to comply with its requirements will ensure those rights will be met.

John McGuinness (Carlow-Kilkenny, Fianna Fail):

I will not delay the delegates any longer. I would like to see the application of common sense and experience in this country in how legislation is constructed. I would not necessarily be led by the European Union, which is too nosy. I thank the delegates for their attendance. I am sorry that I missed the presentations, but I was attending a conference on how to make presentations to various Oireachtas committees.

The joint committee adjourned at 4.50 p.m. until 2 p.m. on Tuesday, 23 May 2017.