Alex White (Dublin South, Labour) | Oireachtas source

I am anticipating the case the Deputy makes in what I say. I do not propose to accept amendment No. 6. There are clear definitions of personal data and sensitive data under the existing Data Protection Acts 1988 to 2003. Personal data means data relating to a living individual who is, or can be, identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. The meaning of sensitive personal data includes personal data as to the physical or mental health of an individual and under the Data Protection Acts, sensitive personal data also means the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject, whether the data subject is a member of a trade union, the sexual life of the data subject, the commission or alleged commission of any offence by the data subject, or any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.

The HSE may hold personal information relating to the health of an individual. Therefore, in order to avoid a lacuna in the future wrong operation of this provision, it is necessary to clarify to which personal data these exchange provisions relate. Given that the HSE may hold health-related data about a person, it is necessary to be clear that these provisions, as well as the Data Protection Act, apply to such sensitive data. I do not propose to open up the definitions of sensitive personal data in the existing Data Protection Act, which reflect the provisions of the Council of Europe data protection convention. If the amendment was accepted, it would introduce a degree of uncertainty as to whether or how the exchange of personal data could take place, solely on the grounds that the data held by the HSE is health-related. For example, if the Revenue Commissioners ask the HSE to confirm that an individual is in receipt of drugs under the general medical scheme or the drugs payment scheme with respect to a medical expenses tax relief claim, the amendment would leave it unclear as to whether the HSE could respond to such a request.

Furthermore, under the section, as well as the existing data protection legislation, there are limits on what the Revenue Commissioners and the Department of Social Protection can request from the HSE. Under subsection 2, the Department may only request personal data required for the purpose of calculating the means of persons to assess or review the entitlement of such persons to receipt of benefits and services under the Social Welfare Act. Under subsection 3, the Revenue Commissioners may only request personal data required for the purpose of assessing or collecting a tax, duty or other charge payable to the Revenue Commissioners. For the HSE, the purpose of data exchange is set out in subsection 1. It relates to checking the means of applicants for medical cards or GP visit cards and the review of the cardholder's means in order to ensure a person's eligibility is accurate and valid. In its entirety, section 8 provides an explicit legal basis enabling the HSE to exchange personal data with the Revenue Commissioners and the Department of Social Protection for the purposes of the performing its functions. These provisions are entirely in line with the existing data protection legislation. In addition, these provisions have been developed in consultation with the Office of the Data Protection Commissioner. I do not propose to accept the amendment.

Nor do I propose to accept amendment No. 7. For similar reasons to those outlined in connection with amendment No. 6, it is inappropriate to exclude sensitive personal data from subsection 10. There are clear definitions of sensitive data and sensitive personal data under the existing Data Protection Acts. Excluding the reference to sensitive personal data would leave its meaning in the Bill ambiguous. It should be clear the term sensitive personal data has the same meaning as defined by the existing Data Protection Acts 1988 and 2003. It would be inappropriate to leave a question mark over its meaning when it has been already defined in the existing Data Protection Acts, which reflect the provisions of the Council of Europe data protection convention. I do not propose to accept these amendments.

See this speech in context