Dr. Fred Logue:

The GDPR is a comprehensive law. I will go back to the threat of destruction. Destroying personal data comes under the definition of processing under the GDPR and this can only be done if there is a lawful basis to do it. We have already heard that the legal requirements is to dispose of records and not destroy them. Any interpretation of that must be compatible with the GDPR.

The data controller must retain the information for as long as necessary. There is a retention obligation and the Department of Education and Skills, or specifically whoever is the controller, cannot just destroy the information on a whim. There must be a retention policy. There is a debate about what happens to these records so any destruction, unless mandated explicitly by law, could be a breach of the GDPR and expose the controllers to compensation claims.

If a controller destroys information that it knows people want or there is a debate about it, in and of itself, that would be a breach of the GDPR. All the scenarios must be considered through the lens of the GDPR data protection rights. Any kind of threat or suggestion that unless a particular law is passed everything will be lost would be hollow. The Department of Education and Skills must be specifically asked what is the legal basis for any potential destruction. It must be examined explicitly and in detail by this committee or the Legislature.