Oireachtas Joint and Select Committees
Tuesday, 23 May 2017
Joint Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach
General Scheme of Data-Sharing and Governance Bill: Discussion (Resumed)
I welcome from Digital Rights Ireland Dr. Dennis Jennings, adviser; Mr. Daragh O'Brien, data protection expert; and Mr. Antóin Ó Lachtnáin, director. I also welcome Mr. Denis Kelleher, barrister-at-law. The committee is resuming its scrutiny of the draft general scheme of the Data-Sharing and Governance Bill.
By virtue of section 17(2)(l) of the Defamation Act 2009, witnesses are protected by absolute privilege in respect of their evidence to the joint committee. If, however, they are directed by it to cease giving evidence on a particular matter and continue to so do, they are entitled thereafter only to qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person or an entity by name or in such a way as to make him, her or it identifiable. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses, or an official, either by name or in such a way as to make him or her identifiable.
I invite Dr. Jennings to make his opening remarks.
Dr. Dennis Jennings:
I thank the joint committee for giving us the opportunity to meet it to discuss the provisions of the general scheme of the Data-Sharing and Governance Bill. I have a background in technology, computing and communications. I headed up the computing services department in University College Dublin for 22 years. I am an Internet pioneer, having made significant contributions to the development of the global Internet in the 1980s. More recently, I have been an early stage investor and non-executive director. I also serve on the Open Data Governance Board of the Department of Public Expenditure and Reform.
It is evident that the modern state requires personal information to run effectively and efficiently and support the individual citizen and resident. It is also evident that, as citizens, we expect more of State services than ever before. We expect them to be efficient, timely, cost-effective, fraud free and driven by automated processes. However, we also expect to be protected and safe when we use them. Part of this safety involves the protection of our privacy and personal data.
When I read the draft Bill last year, I was shocked and disappointed, but it stimulated me to consider the principles that should underpin a shared e-infrastructure to enable the public sector to properly serve the citizens of the State. A copy of the current version of my paper entitled, Implementing Public Service Shared e-Infrastructure: The Individual & the Irish State – The Grand Bargain, has been submitted to the committee. The paper outlines the ten principles that I believe should be adopted before the implementation of any shared State-citizen e-infrastructure is even contemplated. I would like to focus on some of the issues highlighted in my paper.
The first issue concerns identity and opting in. Little can be done to implement an appropriate shared services e-infrastructure without agreement - I stress the word "agreement" - on a unique, rigorously authenticated, biometrically and multi-factorial secured identity mechanism for each individual. Current identity mechanisms – passports, driving licences, public service cards and medical cards, for example – are all poor substitutes for what is actually required. General buy-in to the use of unique identifiers can and will be achieved by the State offering compelling value propositions – better, faster, slicker, more convenient, more accurate and more efficient services – in order that, in due course, when public confidence in the data protection provided by the systems has been established, the identification system may be made compulsory.
The State and civil society organisations representing the individual's rights to data privacy need to agree on the necessary identity approach and solutions. The current situation, in which the Department of Public Expenditure and Reform is trying to introduce 3 million public service cards using data from multiple sources under the provisions of social welfare legislation that I believe to be very old and out of date, is truly shocking and a gross breach of this principle and the trust required. In addition, we should be talking about queries and responses through data access, not data sharing. A fundamental principle to be adopted in any shared services e-infrastructure implementation is that individual personal data are never copied and shared, with consequential loss of control over access and authenticity, but are always accessed dynamically online. In addition, no general access to the underlying data may be given; rather, such access is provided so as to respond with answers to a predefined and pre-approved set of queries. The data-sharing concept underlying the Bill is fundamentally flawed.
With regard to authentication and access, to ensure confidence in the new shared services e-infrastructure, access to personal data held by the State must be restricted to the individual data subject and data owner and only to legally authorised and EU GDPR-compliant organisations and personnel. Strict multi-factorial authentication of all individuals with query access must be required. Not only must they be authorised but also authenticated to establish their true identity. The Bill, as drafted, is almost silent on the need for rigorous authorisation and authentication of every person in the public service with access to data. That is a major defect.
With regard to data logging by requestor and responder and data logging centrally, it is self-evident that access to personal data must be logged and recorded in order that audits can be undertaken and individual citizens can easily track by whom, why and when their personal data have been accessed.
It is also self-evident that all access to personal data must be logged and recorded so that audits can be undertaken and individual citizens can easily track by whom, why and when their personal data has been accessed. Both the requesting and the responding organisations' data privacy gateways, however that is implemented, must automatically log an encrypted hashed record of all queries and data requests, and the resulting responses, that access data relating to an individual. The Bill has no mention of the data access logging that is a central component of any trusted shared e-infrastructure.
There are other matters in my paper but the last one I want to highlight is a secure online portal for individuals. A vital part of any shared services e-infrastructure is the citizens’ portal, where citizens and residents can track the State services provided and the details of the use and access to their data. The Bill makes the briefest mention of a single customer view and future online authentication. That is ridiculous. Citizens' access to their own data must be an integral part of any implementation from the beginning.
This Bill needs a great deal of work. None of the issues I have outlined can be taken separately. They have to be combined to make a safe and trusted e-infrastructure. I will pass over to my colleague, Daragh O'Brien, who will talk about the governance aspects of what should be in place.
Mr. Daragh O'Brien:
I will summarise the submission as I am conscious of time. As Mr. Jennings said, the potential value of the sharing of data between organisations cannot be lightly dismissed. Data is neutral. It does not care what it is being used for. That is why governance structures around data are essential.
We have seen recent cases where the careless handling of information in State agencies resulted in a fact being created and a process put in train that impacted on the private life of at least one whistleblower. In the scenario where data has been shared with agencies, the veracity and lineage of data becomes even more important in that context, and the Bill is silent on that question.
We have also seen a constant procession of cases before the Data Protection Commissioner and the courts where data has been accessed inappropriately and without authorisation. That goes back to Mr. Jennings's point about access logging. In these cases, personal data has been disclosed to third parties by people in the employment of the State who already have access to significant amounts of personal information.
I know from my work with civil servants in a professional capacity as a consultant and trainer that individual civil servants are dismayed when they see those headlines about information being shared in that way. In a data sharing context, when more information is potentially made available in a general scheme of legislation, civil servants are equally aware of how easy it is for the trust between the citizen and the State to be breached, whether by the conscious action of an individual or the ill-considered acts of an official body.
The presentation of data sharing as a panacea for efficiency and effectiveness needs to be considered in the context of the quality of data sets that are being linked together, the impact of the processing of data on the fundamental rights and freedoms of individuals and, as Mr. Jennings alluded to, the transparency of the processing to the individuals. In 2014, we were engaged by Digital Rights Ireland to do a review of the proposed scheme of the Bill. I understand a copy of our analysis at that time has been included in our submissions. In terms of summarising that submission, we concluded that the cart had been put before the horse. The focus was on sharing and not on governance. It needs to be the other way around. The focus on improving efficiency through sharing in the Bill as proposed does not do anything to ensure the robustness of governance necessary to ensure that the right data is being shared in the right way at the right time, with the right clear basis.
Essentially, the Bill proposes to tell the citizen to "trust us, we’re the Government", but does very little to put in place anything by way of standards, structures or accountability upon which that trust may be grounded. I listened with interest to the video of last week’s presentation to the committee and I found it very difficult to square the views of the Data Protection Commissioner's office that the Bill was simply a framework that would allow additional legislation to be enacted with the view from others who presented that the Bill was an umbrella piece of legislation that would allow sharing to take place without additional legislative measures. It is either one thing or the other. It is either a skeleton or an umbrella; it cannot be both. The fact that almost three years after the scheme of this Bill was first published there is still a lack of clarity on the purpose, intent and scope between the Office of the Data Protection Commissioner, which is tasked with enforcing the fundamental right to data privacy, and the Civil Service on what this Bill is intended to do is a matter of concern.
I also noted Mr. Sutherland's written remarks in which he pointed out that, "In itself, this legislation will not be sufficient to validate the processing of personal data to the standard required under EU law and it cannot provide a basis for automatically sanctioning public sector authorities to share personal data". There is a missed opportunity to learn from prior experience of other projects where the State has attempted to share personal data across the organisation. Based on experience from private sector data governance projects and successful models of implementation that I have studied and applied with clients over the years, effective cross-functional approaches to the governance of data in organisations are essential to make sure that the promise of efficiency is delivered on. I have lost track of the number of organisations I have worked with where one department's definition of a "customer" was different to that of the team sitting next to them, but I remember vividly the late nights at the end of a reporting period where everyone sat sweating the figures trying to make them match. This simple example of a cross-departmental communication problem in an organisation is the result of poor data definition. In the absence of standards for codifying the meaning of a simple term or concept, confusion reigns.
In the public sector we see examples of this type of metadata challenge in a variety of contexts. For example, on the definition of "means" and sharing of means data, different organisations have a different understanding of what "means" is because the terms of a means tested benefit can differ based on the schemes that are being applied. Likewise, the definition of "income" can also differ depending on the perspective of the organisation, the nature of the schemes that are applied etc. In terms of what is an "address", in a given context, an address can have different meanings for different purposes in different organisations. When we ask for an address from one organisation to be given to another, there must be some definition as to how that is governed and controlled to ensure there is clarity of meaning, given the potential for sub-optimal outcomes if the wrong data is applied for the wrong purpose.
A far better and valuable focus of the Bill would have been to mandate the improvement, standardisation and professionalisation of data governance functions and data protection officer functions in Departments. This is particularly significant given the critical role effective governance of information plays in compliance with the general data protection regulation, which comes into force in a little over 260 working days from today.
I will not dwell on the Bara ruling. Mr. Kelleher will discuss that briefly, but suffice it to say that the interpretation of EU law has moved on and evolved. Some of the assumptions that may have been made when this Bill was being formulated no longer apply.
The Bill represents a missed opportunity in its current form. There is a host of aspects that Dr. Jennings has already alluded to, which I will not repeat. Data sharing on foot of umbrella legislation is not compatible with the necessity and proportionality principles of EU law. Clear statutory grounds should be created, and should be open to scrutiny. If sharing is important, it should be open to discussion. That is particularly true of large-scale bulk sharing of data. The Bill requires much more detail to be introduced in terms of effective frameworks for data governance and appropriate standards. The data sharing arrangements in the public sector need to provide protections equal to or greater than those already enjoyed by citizens since the Bara ruling.
Mr. Denis Kelleher:
I will look at the compliance of the proposed heads of the Bill with the general data protection regulation, GDPR. I will not go into the Bara ruling, given that the draft heads of the Bill are only being discussed now. The GDPR will apply from 25 May next year so the reality is that this legislation will not be enacted before then. I will look at this in the context of the forthcoming legislation and what it will have to comply with in the future.
I would suggest a number of changes, and I do not believe there will be any surprises in that regard. Data sharing by the State requires a law. The model used in the proposed heads is one of memorandums agreed between Departments. Under the new GDPR, a law will be needed. Some flexibility is allowed for different situations. Members may hear reference to issues like recital 41 and so forth, but there is a clear requirement under the GDPR that a law must be in place in that regard. The best way to go about that is to have secondary legislation.
Members will see on slide 3 of my presentation a suggestion that the Government should move away from memorandums. A statutory instrument would have to be made. A Minister would have to make a decision that there was an objective public interest and legitimate aims that required the making of a statutory instrument. Under the GDPR, that statutory instrument might have to set out general conditions, types of data, data subjects, disclosees, purpose and storage periods. If the Government were to do that, it would have a very secure base for data processing. It would be avoiding two risks in that regard, namely, the risk to data subjects and the risk that this expensive system would be set up but then be found not to be in compliance with data protection law.
It is very important to set up a secure process for data processing from the start. In terms of the data to be processed in the system, it would be wise for the legislation to distinguish between data that is processed for the purpose of prevention, detection, investigation and prosecution of crime and more general purposes. Quite different legal regimes apply to both sets of data. It would be wise to split them out in the legislation. If one shares data for a general purpose, one would not necessarily be able to use that personal data for the prevention, detection and investigation of crime. It does not mean that one cannot share data for that purpose, rather that one would need a different framework for sharing it. That will be quite important down the road in terms of what use is made of that data.
The sharing of comprehensive data sets is highly problematic. One would have a concern about the excessive sharing of data, which is a major issue with regard to data processing. The goal has to be data minimisation under the GDPR. At the same time, the accuracy of personal data is an issue. Citizens, data subjects, have the right to insist that their data is as accurate as possible. If one does not want excessive data sharing, but wishes to ensure the accuracy of data across the public sector, I suggest the best way to go about achieving that is to set up a system whereby people in different departments can query the accuracy of data in a data set. One does not move the entire data set from one Department to another, rather one just lets another Department query whether the data is accurate and correct in individual cases. Under the case law of the European Union, there is a very major concern about mass sharing of data sets. On the other hand, if one looks at the recent case in Sweden, the EU is less concerned about very focused queries, where one is not engaging in mass surveillance. The Bill in some ways allows for that with the setting out of base data sets. That is a model that perhaps could be built upon in terms of the legislation.
In terms of information, Mr. Daragh O'Brien mentioned the Bara case. In the Bara case, there was a query about the legal basis for the data which was transferred. The model in Bara is quite similar to the model in this legislation. The primary legislation was very high level, and the Romanian Government department of health agreed to share data underneath that very high level description using memorandums, which is quite similar to this model. The European Court of Justice shut that down, saying it was illegal because the subject was not informed of what was going on.
What I suggest should change in the heads of the Bill to give a more secure legal basis is to have a statutory instrument allowing for that data sharing. In addition, subjects are still entitled to information. Under the new GDPR, some leeway is allowed, so one does not necessarily have to inform data subjects that their data is being transferred from the Department of Social Protection to the Department of Health if one can show that they are plainly disclosures that are expressly covered by law, as I am suggesting they should be, regarding the control of the subject's data and one provides appropriate measures to protect the subject's legitimate interests. In addition to a legal basis, one needs what are termed appropriate measures. If one looks at the other exceptions, it must allow for personal data to remain confidential subject to the obligation of professional secrecy. We need to bring in those sorts of controls as well, if one wants to adopt this model of sharing on the basis of statutory instruments; when that sharing takes place there must be appropriate measures in place and there have to be professional secrecy protections.
Another area that needs to be looked at, and I think Dr. Jennings mentioned this at the start, is the idea of portals to enable subjects to access their data. One of the major changes coming through the system with the new GDPR is that, at present, people effectively have a right to get a copy of their personal data. For example, if a Member of the Oireachtas decided that he or she wanted to see the personal data that is processed by the Houses of the Oireachtas Commission, one writes and makes an access request, and the commission sends back a copy of the Member's data. The GDPR actually goes beyond that where one has the right to get a copy of the data, the right to information about how the data is being processed as well as the right to access the data. If one looks at the recitals, that means one has to provide remote access to a secure system which provides the data subject with direct access to his or her personal data.
It looks like the GDPR will require that we build this sort of portal. There is a whole range of security concerns about who gets access to that portal. If one is building a portal that will allow me to access my personal data that is being processed by the State, my number one concern is to ensure that the only person accessing that information is me. That is one of the major challenges coming down the line in terms of how the State governs data. It will be very interesting and challenging to see how we will build that sort of system.
In terms of governance, one of the clear messages we are getting from the European Commission is that it wants to see a minimum of variation in how member states implement the GDPR. There are many provisions in the GDPR that allow member states to adapt to their own purposes. In terms of governance, it does not want to see variations and would query why there is a specific provision requiring data protection impact assessments. Its preference would be to allow the governance provisions, which are very onerous and very complex to apply to processing personal data in the State directly without any variations of this implementing measure except for one of those instances that are specifically allowed in the GDPR. There would need to be some variation there.
The last suggestion is the need to consider creating a specific offence of illegally accessing personal data that has been processed by the State. As members will see, the Data Protection Commissioner has been very active in prosecuting people who have accessed it from outside. There is provision under the new scheme of the data protection Bill for two offences and I think members should look into creating an offence specifically of wrongfully accessing personal data that is processed by the State. That would create an incentive for members of the Civil Service and public service to say that if they do not have direct authority to process this data in this way, they would be committing a criminal offence. That will push the decision down to individuals, so that when somebody is asked to process personal data in this particular way, he or she would ask if he or she has been given the authority to do that. Obviously, an individual does not want to be put in a position of committing a criminal offence. I do not know if members wish to go down that route. There are a great many offences of illegal processing of personal data and illegal processing of data and I think members should look into the regime that applies and the controls that are applied to wrongful processing of personal data in the State.
I thank the witnesses for their presentations, which were very technical and legally based. We are trying to deal with the heads of Bill and I welcome the presentations that were given.
Would it be fair to say Dr. Jennings seemed to be concerned about the lack of safeguards for citizens? If that is a fair assessment, what would be his main concerns in regard to the lack of safeguards in the Bill?
Mr. Daragh O'Brien talked about the cart being put before the horse and that the focus is on data sharing whereas the initial focus should be on governance and then looking at the scope and purpose of data sharing. Will he expand on that point?
He also referred to the Bill as a missed opportunity because we have not learned from past experience. Will he elaborate on what are those past experiences? He spoke about a cross-functional approach with a promise of efficiencies delivered upon. Can he give me some clarity on that? He spoke about the definition of means, and that different organisations have different interpretations of means. I assume he is speaking about people's income, their details and so on. How would that be problematic in his view? When he says that we need definitions to ensure clarity of meaning, will he give us other examples where there is a need for clarity of meanings? He stated that some of the assumptions in the Bill no longer apply. I know he had to go through his presentation quickly, but what assumptions were being talked about?
I have some understanding but I am curious about what Mr. Kelleher means when he states that data sharing requires a law, that it is not underpinned by law - he specifically referred to head 4 of the Bill. That seems to be underpinned by the very fact that this Bill will be enacted and it refers to other Bills. Will he clarify what he means by the phrase "underpinned by law"?
Mr. Denis Kelleher:
Yes, it is, but it is still not a law. It is an administrative scheme. I am not saying there would be no difficulty but essentially there would be less difficulty if one turned the memorandum into a statutory instrument. There is a clear distinction to be made between a law and an administrative scheme. I understand from where the difference originates. Essentially, the GDPR is European legislation. In many European civil law systems memoranda cannot be laws; therefore, they would have laws where, in many cases, we would simply have memoranda. In a sense, the Irish legal system is disadvantaged by this in terms of data protection. The European law requires that one process personal data on the basis of a legal obligation that must be set out in legislation. In this case, a memorandum will not be adequate to provide that legal basis. There must be a law, be it a statutory instrument or primary legislation, setting it out. If one wishes to share data between the Department of Social Protection and the Department of Health, there must be legislation that allows for this. In the example I give the legislation would be a statutory instrument. There are other examples such as the Health (Alteration of Criteria for Eligibility) Act 2013 where it is set out in primary legislation. It enables the transfer of data between Departments. A law is required as opposed to a memorandum. It is an obligation under the GDPR which specifies that under Article 6(3) the processing of personal data by a Government Department must only be done on the basis of legislation. I have provided a detailed memorandum for the committee. Where I discuss head 4 I point out that the legal basis must be set down in member state law to which the controller would be subject. A memorandum is not a law.
Section 6(c) states the agreement - it is referring to a memorandum of agreement - "must specify the legal basis for the data-sharing, with reference to primary legislation, to include provisions made under this Bill and other Acts". It goes on to refer to a number of other laws also.
Paragraph (b) states, "The agreement shall specify the purpose of the data-sharing, having regard to the provisions of this Bill...", while paragraph (c) states, "The agreement [the memorandum] must specify the legal basis...".
Dr. Dennis Jennings:
If one is to implement a system that will allow data to be accessed - I wish to insist on using data access, not data sharing - between Departments, one must create an infrastructure that will allow anybody in a Department to have access to data in any other Department and put controls in place. A number of matters fall from this automatically, one of which is identity in order that one can identify individuals across the system. The second matter is authorisation; one has to authorise people to access data. The third is authentication to make absolutely sure the authorised person is who they say they are and can access the data, that the individual whose data are being accessed also has that right and that any access is logged in order that the individual who owns the data can find out who has been using their data. These are the components of a system that provides security, privacy and, most importantly, trust. If the system is not based on trust, it will fall apart. If the citizen does not trust the State or public service Departments to handle things properly and procedurally with the appropriate governance procedures, which is demonstrable by the type of infrastructure I am describing, there will be no trust and that will be a disaster. One cannot have part of it. One needs the set to ensure trust. This is not new stuff. Other nations have had such infrastructure in place for many years and built that trust. There is no reason we cannot use those models to build our infrastructure with the same level of trust.
He spoke about a portal being made available to members of the public to access data. Obviously, that is logical. Does he also envisage difficulties and problems? Where does he envisage difficulties in making it happen and putting it in place?
Mr. Denis Kelleher:
Ultimately, someone is entitled to have a right of access. He or she is entitled to access his or her personal data, but that appears to be a separate right to the existing right to a copy of one's personal data. It will require some secure portal. How that will be managed and rolled out will obviously be very challenging. However, that is what the GDPR seems to expect, that a person will have a right to access his or her personal data, a right to see the purposes for which his or her data are being processed and so forth and a right to obtain a copy of his or her personal data, if required. It is a very onerous obligation.
Mr. Daragh O'Brien:
With reference to the cart being put before the horse, the essence of that comment is a key lesson from private sector organisations in sharing data between departments within an organisation with a linear chain of command, although public sector organisations and Departments are slightly more fluid in their structures. Before sharing happens, there must be a clear definition and standards to allow for commentator interchange. The analogy I draw is taking a three-pin plug on holidays to France. It does the same job, but it does not work in the other area. In that context, governance models and frameworks become extremely important for interoperability. Parts of the governance standards and frameworks are matters such as common definitions, common meanings and commonality in the understanding of different business rules.
I have experience in both private and public sector organisations. I am constrained in what I can say about projects on which I have worked in the public sector owing to non-disclosure agreements; therefore, anything I say should be taken as hypothetical and based on experience. Let us take as an example something as simple as income. At a point in time the Revenue Commissioners will have a different view of what somebody's income is if he or she is self-employed based on what another organisation might require at a particular time because it might view income differently. Likewise, the calculation of income from a particular scheme perspective might differ from one organisation to another because the nature of scheme A requires particular categories of social welfare payment to be included as income but scheme B might not require these categories to be so included. What is required to enable sharing to happen is a transparent layer from a business process and governance perspective where these differences can be understood before the sharing happens rather than after it has happened and a decision has been made to the detriment of a citizen or, alternatively, his or her unjustified benefit. There has been comment in the media on fraud versus error in the Department of Social Protection. The Comptroller and Auditor General is quite clear that error represents the larger proportion compared to fraud and that it is down to the definition of standards and clarity of meaning in terminology within one Department which causes problems in terms of quality.
The Deputy asked for examples of previous failures. We referred in our 2014 paper to REACH, which was three years late and two and a half times over budget. It did not deliver on any of the substantive benefits it promised. As the Comptroller and Auditor General identified, the cross-boundary governance of data flows became problematic when different budget holders were calling the shots and competing in that context. I do not have the precise quote in front of me, but it is in the submission.
The sharing or processing of data in any public sector organisation can become problematic in the absence of the governance structures and rules that need to be in place. There are rules in place to govern the use of phone interception in An Garda Síochána, to mention a topical example. It appears from media commentary that those rules were not necessarily enforced in all cases.
This brings me back to the point made by Mr. Kelleher and Mr. Jennings about the difference between bulk sharing and query-by-query sharing on a case-by-case basis. The governance model needs to have sanctions for abuses of the sharing regime when the scope of sharing has been broadened. It also needs to define clearly who can do what, with what data, and when. When we worked on the e-draft scheme of the Bill in 2014, we identified that there was no clear definition of what is meant by sharing. Such a definition needs to be clearly set out and supported by effective governance with clear sanctions.
The only State agency I am aware of that has a statutory basis for doing anything to staff members or contractors who unlawfully disclose data that come into their possession in the course of their dealings with that agency's data is the Revenue Commissioners. Under section 851A of the Taxes Consolidation Act, it is an offence to unlawfully disclose taxpayer information. If the Department of Social Protection had an equivalent provision in legislation, more rigorous attention would be paid to who has access to what and to the logging of data. We have already heard about the need for control in the context of a governance framework.
Ultimately, two levels of governance need to be considered. The first level involves the standards and the communication for sharing. There is a need to ensure everyone is sharing the right thing. When a request is made for fruit to be shared between one Department and another, the Department that is expecting to get an apple must know that it will get an apple. It must not wind up with a bag of oranges because that would be completely useless to it. The second level involves the sharing that can take place internally. When larger amounts of data are available to public servants, access to that data must be governed in an appropriate way with clear sanctions.
Mr. Antóin Ó Lachtnáin:
I would like to add to that on behalf of Digital Rights Ireland. We need to think about cases in which information on vulnerable people, such as children, is spread among a number of institutions. It is one type of data when it is spread among schools, but it is another type of data when it is taken into a central shared resource. It is like an Excel spreadsheet or a customer relationship management system. If someone with access to data of this nature does a search, he or she might be able to find a list of all the vulnerable children or pensioners in a particular area. Suddenly a humdrum database for the administration of education or social services becomes a source of information which might be useful to someone who wants to exploit the people on that database. It is important to understand that the sharing of data can change the characteristics of that data. It is not just a matter of moving it from place to place.
The Deputy has proposed that the committee should seek legal opinion on certain aspects of the GDPR, and specifically on whether the sharing of data requires a legislative legal basis, as opposed to the memorandums that are proposed under head 4 of the draft heads.
Mr. Denis Kelleher:
It is straightforward. Article 6(1) of the GDPR provides that "processing shall be lawful only if and to the extent that .... [it] is necessary for compliance with a legal obligation to which the controller is subject". The basis for such processing, and for processing that "is necessary for the performance of a task carried out in the public interest"-----
We are taking the point. We will take on board the request that has been made. I want to get the agreement of the committee to seek a legal opinion from the legal service of the Houses of the Oireachtas. Is that agreed? Okay. I wanted to get that formally agreed while everyone who has been involved in the discussion is here. Are Members happy with that?
I commend the witnesses on their comprehensive presentations. I ask them to expand on the lack of robust safeguards to ensure data privacy. For example, there are no penalties in the draft legislation for breaches of data privacy.
Mr. Denis Kelleher:
It is important to say that the GDPR will take over the governance role to a significant extent. This means much of the impetus in this regard will come from Europe. The role of the Oireachtas and the Government will be to implement controls like the assessment of the impact of data protection and the appointment of data privacy officers. Mr. O'Brien might have more to say about what those controls will look like. They will be driven by the European legislation in a very real sense. The Deputy also referred to the lack of penalties. One of the reasons I wanted to flag the possibility of creating an offence was that it might increase the understanding of public servants who are asked to share data. The advantage of creating an offence is not that it will necessarily lead to a whole load of prosecutions, but that it will give public servants who are asked to transfer or process data in a particular way the authority to say that the existence of a criminal offence in this sphere means they need clear instructions on how they should process that data. The big benefit of creating an offence in this area is that it would empower public servants to raise questions about these activities.
There has been a media debate about the definition of "disclosure" under the legislation. It has attracted some attention. Do the witnesses have any concerns about the lack of a definition of "disclosure" in the Act?
Mr. Denis Kelleher:
I have suggested a model for how data should be disclosed. It is not surprising that the heads of the Bill are vague. It is really a drafting issue. Obviously, the definition of "disclosure" would need to be drafted appropriately. If we are to move to the statutory instrument model, we must bear in mind that the GDPR sets out requirements for what that statutory instrument needs to contain. If the legislation is clear on the principles and policies that have to be followed by the Minister when making a statutory instrument in this area, and on what such an instrument needs to contain, many of the concerns in question will be addressed.
Mr. Daragh O'Brien:
It was not fit for purpose in 2014. Things have moved on since then. The Deputy asked about the definition of "disclosure". When we reviewed the original scheme of the Bill for Digital Rights Ireland in 2014, we highlighted the lack of such a definition. We identified three possible categories of sharing that might take place, with different levels of risk associated with each. We proposed three possible definitions that could be used. Since then, we have had the GDPR and the Bara ruling and there has been a shift in the public perception and awareness of the impact of data sharing. It would be unfair to suggest we thought the Bill was fit for purpose in 2014 or 2015. Today, we are concerned that it lacks governance controls and definitions.
Deputy Burke mentioned offences. As Mr. Kelleher has correctly said, the GDPR takes care of offences and administrative sanctions at the organisational level, but there is a gaping hole at the level of the individual person being asked or put under pressure to do a thing. If people in such circumstances had something to point to, they would be able to say that they will carry a personal liability at criminal or civil level if they do that thing without appropriate authorisation or control. The only comparable model is the offence of unauthorised disclosure of taxpayer information by a current or serving officer of the Revenue Commissioners or a contractor who processes data on behalf of the Revenue Commissioners. Something like that would be a valuable addition to the Bill. As it stands, it would be remiss of me to say it is anywhere near being fit for purpose.
Mr. Denis Kelleher:
The GDPR is the European legislation. That is a general data protection regulation so it will apply to virtually all forms of data processing in the State outside the criminal justice area. It is the overarching framework with which this legislation must comply. There is the historic question of whether it was adequate in 2014 and so forth. The main point about the legislation is that it must be updated to take account of the new legal environment it will encounter after next year. That is the key point.
I thank the witnesses for their presentations. The more we learn about this subject and the more revealed in discussion of this Bill, the more concerned we are and the more concerned individuals will be. I take the point in particular about governance rather than sharing being the problem. The success of this or how it is done will depend on the infrastructure that underpins and the investment made therein. Has anybody quantified how much would be necessary in order to make this work? Do we have any comparable figures from other states where this has been implemented? What are the thoughts of the witnesses with regard to resources on the public services card, for example? Why did the figures for that rise from €19.8 million to €60 million?
We do not have a great track record in this country if we remember the likes of PPARS and many other systems. I would say we have never got it right with any of the information management systems, whether it is PULSE, PPARS or others we could all mention. How are we going to get it right and how much will it cost us? Why, even with something as simple as an identity card, has the cost risen so much?
Dr. Dennis Jennings:
I cannot answer the last question except to say that perhaps the rush has caused additional costs. These are very complex matters, like any information technology, IT, project, internal or external. This is an IT project under the Government's framework that is required to build an infrastructure across all Departments, with their existing proprietary and other systems. It is truly enormously complex. That is the case unless it is done in a way that is standardised and scalable so once there is a beginning in place, other Departments can simply adopt a set of rules and connect. It is like the Internet or the web in that regard, with a set a rules that allow people to join and scale up, or else it will not work. It will cost a fortune and not work. The next time it is attempted, it will also cost a fortune and not work.
That is why this legislation or its replacement is really important, as it redefines the way we think about and access data, as well as privacy, with regard to the relationship between the State and the citizen. That must be thought through at the macro, legal, Government, technical and semi-technical level, so it will work and we can implement components between two Departments for example. If we demonstrate that it works, we can add a third Department. If it is not scalable and all of this is ad hoc, it will cost a fortune again and again.
The best example, albeit in a different environment and so on, is Estonia. Coming from the Soviet Union, it had all recognised functions of the State but not the budget for 1.2 million people. It built a very structured, open and scalable system that allowed it to build what is considered the best infrastructure for the management of the relationship between the state and the citizen on the globe. I had the opportunity to look at that, which is what helped me to write some of these principles, and I was very impressed. What really impressed me is that its neighbouring country, Finland, after years of ad hoc expenditure and costs, adopted and implemented the Estonian system, which was designed to be comprehensive from the ground up. Not only has it the right sort of legal, policy, governance and technology basis in a scalable system that Estonia had, tailored to the Finnish needs while using the same technical infrastructure, but Finland can also share data - legally and appropriately - between the two States.
This is a dramatic example that I would commend to the committee and ask them to have a good look at. I am not saying everything about the Estonian model is right or perfect. For example, do not get involved with their e-voting system, as it is completely irrelevant to our complex system.
Dr. Dennis Jennings:
It is irrelevant. However, it is extremely impressive how they have built a scalable system. We need to bring this from the flat manila file and the fingers with rubber caps to thumb through it to the online, accessible web and digital era. It is a huge transformation and therefore we must think not in terms of sharing files but querying distributed files to get the relevant answers. We can get down to categorising in law what queries are allowed so people can write a series of new queries; if they can pull data to answer a query - not keep the data - they can then do some further processing. That is what I would look for with the replacement of this Bill. It would be very empowering but very complex, as one cannot half do it. We cannot do a bit and say it is grand because we have a national individual identifier. We cannot have that unless there are other components, which are trust, security in access and so on.
I do not know how much it would cost but it would probably cost €1 billion. It would cost several billion euro over the next three, four, five or ten years if we do not do it in an incremental, scalable fashion.
Mr. Daragh O'Brien:
As somebody who advises on these types of projects for a living, it would be inappropriate for me to give a quote today. I do not fully understand the requirements at this point. However, what I can speak of in general terms is the root cause of cost overruns in data management projects. The average cost to an organisation from poor quality information is between 10% and 30% of turnover. This figure has been tested and communicated for the 20 years I have been doing this for a living. My good friend, Dr. Tom Redmond, one of the world's leading experts in the field, puts the figure at 30% of turnover. The root cause of the poor quality of information can be hidden information factories, people reworking data and people using data for different purposes etc. A key root cause is a lack of clear and common definition and understanding of where data is different or means different things in different areas and contexts. When people run a report or do an analysis, for example, it does not work and they must redo it.
I worked on a project in an EU institution in 2013 where the entire motivating force for the data governance programme was that the president of this organisation had been given three different figures for the same fact. It concerned him that his smart people could not give him a consistent figure. The root cause of systems like PPARS going horrendously over-budget was the assumption being made about the data and its meaning and structure. When the HSE project teams went to implement PPARS, there was an assumption that there was a contract for nurses but when they drilled into it, there were 300 or 400 contracts for nurses, depending on the structures that were put in place. That is why projects overrun. It is ultimately about assumptions being made about data because of a lack of clarity of governance and communication about what the data means. Data has wonderfully fluid powers as an asset in an organisation but one of them is that it can mean different things to different people, depending on context. In order to tame these issues and avoid problems in any project, organisations must move away from thinking of these as a technology project where there is a business requirement stated before somebody does a bit of programming and it works. Professor Richard Mason of the University of Amsterdam developed a model in the 1990s looking at why between 70% and 80% of customer relationship management, CRM, programmes in private sector organisations failed.
CRM systems had a horrendous failure rate in the 1990s and early 2000s. The root cause was that it was being treated as a business strategy with a technology component. No one stopped to look at the definition, meaning and use of information. When organisations realised that and started doing that bit, failure rates dropped, success rates improved and end-user and customer satisfaction with the outputs improved. Going back to Mr. Kelleher's point about trust, the ability for people to trust what was happening with the data improved.
I thank Mr. O'Brien. That is all very useful. I am thinking of the Department of Agriculture, Food and the Marine and the confusion about digital mapping and the introduction of different bits and pieces into existing systems that are not compatible, and the impact that has on the citizen in terms of delayed payments and so on.
I take what Mr. O'Brien said earlier about income streams being discounted in one area of social protection and allowed in another, school grants and so on. The more he talks, the more of a quagmire I see. As a committee, we need to slow this down and get it right as much as our scrutiny can allow in terms of comparables.
Mr. O'Brien referred to the need for open and scalable models so that trust can be built up. It is crucial in the management of the relationship between the State and citizen. It can be wonderful, and save a lot of time and prevent mistakes, such as in our health system, but it can also lead to a lot of destruction and distress for citizens. I look forward to expanding on this even more. I thank the witnesses for their presentation.
Mr. Denis Kelleher:
The Revenue Commissioners are generally regarded as being very robust and having very good systems. That is a positive example in an Irish context. I am here as a lawyer. In legal terms, it will be very expensive to build systems like this and they will require a very robust legal basis. If we are going to invest substantial amounts of money in building systems like this, it is logical to begin with the most secure and robust legal basis, and there has to be some form of legislation setting out how the system is going to work.
The ROS system has been an administratively successful system. It can be done in an Irish context. At this stage, the ROS system must be 15 years old or more.
I have a broader question. Prior to computers everything was manual, and systems were based on the written word. Everything is now moving towards data access, the cloud and so on. Has the legal framework that was in place to protect people's fundamental rights prior to the computer age kept pace with change?
Mr. Denis Kelleher:
That is the idea behind the general data protection regulations, namely, that they update European rights. The Senator is correct. The legislation before the computer age did not anticipate the Internet. It does now, and that is the idea behind the GDPR.
The legislation can be criticised in various ways. It is a very clever piece of legislation and does a very good job of addressing many of the issues raised in the modern digital world. How it applies in practice will be known from May of next year. It will be very interesting over the coming years to see how all of this will actually work in practice. A very clever model for regulating the Internet, modern social media, profiling and so forth has been developed. It addresses a lot of issues and it will be very interesting to see how it works.
Mr. Daragh O'Brien:
In regard to the ROS system, it is a wonderful public sector IT success story. One of the key elements of Revenue is that they have a very strong culture of guarding their powers over data and guarding the data over which it has powers incredibly carefully because, ultimately, everything it does, in particular in the self-assessment context, is based on trust. If people stop trusting the taxman, there is a concern that will undermine the ability to use automated online systems and result in a return to the 1980s. My father is ex-Revenue, and I remember Revenue audit work in the 1980s and the pressure people working in the public sector were under at that time.
In terms of whether the legislation is keeping pace with change, it is worth bearing in mind that European law is principles-based, rather than technology-based. One word one will not find in the Data Protection Acts, the current directive or the GDPR is the word "computer". It applies to physical and electronic records. In that context, the legislation is keeping pace with change.
As Mr. Kelleher said, the GDPR is a very clever piece of legislation because it creates some interesting governance requirements and structures and makes it an offence not to have them in place. That is a very strong evolutionary step in the legislation.
In the context of public sector data sharing, it is important that any legislative framework that is put forward to underpin that sort of sharing reflects the theme and ethos of principles-driven legislation within a very strong governance component, rather than focusing on a linear enabling of technology. That is where we have found problems in the private sector with data sharing, the integration of datasets and introducing customer relationship management systems or integrating 11 different customer views.
One of the key learnings from the private sector is that there is no such thing as a single view of the customer. There are different perceptions of the customer as they interact at a point in time. How best to represent the relationship is the next challenge from an information management perspective in that context.
To speak to the Senator's question, the law will always lag behind to an extent, in terms of how it is enforced or supported. From a European and Irish context, it is principles-based. In the first instance, referring to the principles and doing what feels right in the context of the principles is usually a good rule of thumb.
Mr. Antóin Ó Lachtnáin:
Senator O'Donnell asked specifically about the legal issues and whether the law is keeping up with change. The next issue that arises is whether practice is keeping up with change. There was an old system of practice - one could call it data governance - namely, the system of manila folders, archives in each Department and a very strict set of rules about who could handle the files, how long they were to have them for and when they had to return them. There was a system to manage how that information was used. Branches, such as Department of Social Protection branches, were run under a particular framework.
We now find that there is no strong framework or digital equivalent of the manila folder. There is no standard unit by which things happen. There needs to be a framework to deal with that. It is not just a legal issue. Rather, it is very much a practical issue in terms of how the public service is administered, costs are managed and the trust of the public is maintained.
Mr. Daragh O'Brien:
To echo Mr. Ó Lachtnáin's point, the analogy I would draw is that, in theory, today it is very easy for someone to exit an organisation with a very large amount of data on citizens. A person can put such information on a phone, a USB stick or whatever. If one wanted to walk out with the records of 25,000 people 30 years ago, people would notice the filing cabinets were missing. We need to at least get to a point where we have the ability to count the existence of filing cabinets in an electronic context, from a security and control perspective.
The banking sector moved from a heavy prudential regulation system, which involved ticks, reconciliations and so on, to a principles-based system which then became light regulation. Is there a danger that regulation in the Internet age will lead to people abusing the principles-based system? The manila folder to which Mr. O'Brien referred, and a person wading through the night taking photographs of files with the small camera, involved physical evidence. Mr. Jennings spoke about trust. Is there a danger that, given the human condition, people will abuse principles?
Dr. Dennis Jennings:
I think it was Plato who first speculated that man or woman - let us not be sexist - unobserved would behave badly.
The past 40 years of the Internet have demonstrated conclusive proof that Plato's speculation was correct, that man unobserved will behave badly. That is just a fact of life and we need to put in place the controls, checks, authorisation, identification and authentication of that identity, the limits and the specific queries that are permitted and so on. If there is any looseness in this, then Plato is right. People will find a way of slipping through the cracks and abusing the system. It is much more complex in an online data environment than ever before, but it is not impossible if thought through.
Mr. Daragh O'Brien:
That is where principles-based regulation is not a bad thing, as long as it comes with strong enforcement and clear governance structures. One cascades from principle to policy to procedure to evidence to enforcement. Mr. Kelleher will forgive me for straying into his territory a little here. The lesson we can learn from the banking sector is that in the absence of an evidence-based accountability system - the GDPR is brilliant because it has this John F. Kennedy sentence in it - it is the obligation of the data controller to be responsible for compliance with principles, and to be able to demonstrate compliance. That little John F. Kennedy sentence, like saying that if we land a man on the Moon, we have to bring them back safely to the Earth, sets out a challenge in the second part. That is where clear governance structures are essential in organisations, both public and private sector, for handling personal data.
Mr. Denis Kelleher:
What is clever about the legislation is the manner in which it effectively enables subjects to bring their own enforcement actions and engage in their own supervision. It is a clever and quite unique piece of legislation in that there these rights of access, right to objection, the so-called right to be forgotten, and in addition there is the right to complain and initiate one's own legal action and potentially seek damages. As a piece of legislation, it is very clever in how it addresses this issue.
In conclusion, I thank all of our members and witnesses. Some were looking in on Thursday when we were asking various questions of our witnesses. Data sharing in itself is possibly a very good thing if the rules and the governance are there. We have all benefited from technology and the internet. I would have been a beneficiary of Dr. Jennings as a student of University College Dublin, UCD, when the internet was only starting and one was still looking at exam results on walls and ringing people to find out what was happening.
Technology is a good thing but the message coming loud and clear from today, to summarise it, is that this particular Data-Sharing and Governance Bill is not fit for purpose as far as all the witnesses are concerned and that we should really just be sending it back to the Department and saying to improve its efforts and to address the concerns that we and the witnesses have. I made points on Thursday and I am not going to repeat them all. One wonders how things can happen. If somebody wins EuroMillions, suddenly 60 or 70 people have just had a look at that person's file, because they were interested. At least there was a record that people had done it. How can 950,000 breath tests just appear on a system without a record? Maybe somebody somewhere knows. Maybe a record exists and that will all come out.
Dr. Jennings referred to biometric security. Are we talking about people in social welfare offices and so on having to provide their thumbprints before they can input or access systems all the time? The greatest security is trust. Unfortunately, Irish society has seen systems break down and not work the way we would have expected them to work, whether banking, or personnel, payroll and related systems, PPARS, or various other systems. That undermines our capacity. There are simple things like passenger information. One could be looking at the bus and it could suddenly vanish. It is as simple as that in one way. That is data one relies on and then it is not reliable.
There was a time when one had to join a society to access the internet. One could not just get on the web. We have come a long way and much of it is very positive, but we as a committee need to write back. We have to form our views on this particular legislation. That is the job of pre-legislative scrutiny. I think the message from all here is that it is not fit for purpose and not where it should be, and that the Department needs to address our concerns and the witnesses' concerns.