Dáil debates

Thursday, 20 December 2012

Civil Defence Bill 2012 [Seanad]: Report and Final Stages

 

2:35 pm

Paul Kehoe (Wexford, Fine Gael)

I thank the Deputy. As I stated previously on Committee Stage, the requirement to develop a centralised register of Civil Defence volunteer members was introduced in the Civil Defence Act 2002 and a web-based electronic register now is in use by all local authorities. Prior to that, there was no effective centralised register apart from an amalgamation of local authority manual records. The register contains personal and confidential details on Civil Defence volunteers and captured information, other than that specified in the Act, such as health, training and qualification records. As this information is of a confidential nature, it must be protected in accordance with the data protection guidelines. What is proposed in the Bill is largely a continuation of what is contained in the 2002 Act. The Civil Defence is registered with the Office of the Data Protection Commissioner as a data controller under the Data Protection Acts 1988 and 2003. The aforementioned Acts place the responsibility for the duty of care owed to personal data on the data controller. A data controller must have a sound, clear and legitimate purpose for collecting personal data and must ensure the data are securely retained. To maintain registration, the Civil Defence must complete an annual registration form outlining a description of the data, the purpose for which the data are held, as well as the permitted disclosees of the data. In the case of the Civil Defence, the stated purpose of retention of data is the provision of a voluntary support service to the primary emergency services and the local authority or local community.


The list of disclosees, that is, those who can access the data, is limited to Civil Defence headquarters personnel and designated local authority employees who have a legitimate need to access the register in the course of their work. The guidance note for data controllers on purpose limitation and retention issued by the Office of the Data Protection Commissioner is very clear and states:

"Data Controllers who obtain personal data from a data subject may do so for one or more specific, lawful and clearly stated purposes. It is unlawful to collect information about people routinely and indiscriminately – a data controller must have a sound, clear and legitimate purpose for collecting personal data. An individual has a right to question the purpose for which you hold his [or] her data and you must be able to identify that purpose."

Information in the register is inputted at local authority level by the Civil Defence officer. Individual members can be given access to their own records on the register on any occasion. The Civil Defence officer may also access the records for his or her own local authority area and selected Civil Defence headquarters staff, in the course of their work, can access all records on the register through a password-protected system.


Since its introduction, no issues have arisen with regard to the operation of the volunteer register and training database and it is working very well in its current format. I also emphasised on Committee Stage that this pertains to volunteers and not to local authority employees. The protection of the privacy of Civil Defence volunteers is paramount and potential volunteers could be reluctant to join the Civil Defence if they thought their personal information was being made more widely accessible. Volunteers have confidence in the confidentiality of the register, as structured, that persons accessing their information have a sound, legitimate purpose for so doing and this is a key to its successful operation. In conclusion, I note that a previous company with which I worked had access to a huge database and I recall that just before I left the company, the Data Protection Commissioner indicated that the database in question could not be shared with anyone. As for the database in the Deputy's own constituency, I presume it contains personal information. While he is not talking about going public with it, one keeps to a small number those with whom one would share that personal information. As this is how the data should be kept, I therefore will not accept the Deputy's amendment.
