Catherine Murphy (Kildare North, Independent) | Oireachtas source

I move amendment No. 2:

In page 7, to delete lines 19 to 21 and substitute the following:"(2) A person who breaches the Act of 1988 in relation to postcodes shall be liable in damages in tort.".

The nature of this legislation is that it deals with something that was not dealt with in the basic initial legislation that set up the postcodes. I suggest that the mindset associated with the way that legislation was designed made this information a commodity. I do not think data protection and privacy were at the core of what was being talked about. The subsequent review conducted by Gemserv - the privacy audit - showed that there were concerns about privacy. A summary, more or less, was produced, but not the actual audit itself. It seems to me that data protection was not at the heart of the mindset of the Government and the Civil Service when they were approaching this issue.

Essentially, my aim in this amendment is to create some sanctions for breaches. It seems to me that one will have to prove there is a breach. One will have to prove damage if it is an individual. I do not think individuals are going to breach this. I suggest that big organisations will be far more likely to use information as a commodity. I do not see where there will be a sanction for companies outside Ireland, and indeed companies outside the European Union. Once they have bought information, they will be able to sell it on. Given that the Office of the Data Protection Commissioner has the statutory authority to deal with breaches of data protection, I do not understand why it was not central to the thinking when this legislation was being put together.

I do not see where this Bill provides the means for an individual to prove damage. A system that means that one has to rely on going to the courts to spend a long time dealing with a matter of this nature is really not accessible to the average person on the street. All of what I am trying to do is aimed at the bigger entities. I think there is a real risk that a company outside the EU will buy the whole data set in order to replicate it and sell it on. If our data audit says something different, it is important for the Minister to tell us about it. I think there is a mindset that the Government will have to change. On one hand, the Minister for Public Expenditure and Reform, Deputy Howlin, is talking to us about a more open approach to government - I am quite energised by what he is saying - yet on the other, this initiative is putting the Office of the Data Protection Commissioner on the periphery and using data as a commodity.

If we examine what is happening across Europe, particularly in the UK, we will see that an intuitive approach is being taken. If we were taking a more open approach, we might use the prefix "KE" for Kildare, followed by a code like "300" for Leixlip and another code like "200", "155" or "A" for the relevant housing estate. We could choose any combination of letters and numbers. It is only at that point that we would need to include the individual householder's name. It is not as if addresses are particularly secret at the moment. I know people complain about the misuse of the electoral register for the purposes of marketing and things like that. Obviously, that is a data set that is sold. It is not entirely correct. The 31 individual registers comprise a fairly comprehensive data set. We seem to be going the opposite way here in terms of the approach to this. It is in place now. I presume there is a contract. The very least we need to do is put in place some real safeguards.

I do not think we are particularly great at designing institutions or things like this. I had a recent experience with regard to the Stock Exchange where there was at least a possibility of insider trading. I am using this as an example. When I wrote to the Stock Exchange, I was told to write to the Central Bank. When I wrote to the Central Bank, I was told to write to the Office of the Director of Corporate Enforcement, which essentially told me that it does not have a role in this regard, or at least that there was nothing to complain about. Given that there is no route for making a complaint, is it a big surprise to us that, years after the legislation making insider trading an offence was put in place, there has not been a single solitary prosecution? In the absence of a practical means for individuals to make a complaint when they believe damage has been done to them, there is no sanction. The lack of a reasonable sanction in support of those whose data is potentially compromised is a real flaw in this legislation. I really do not see where the sanctions are. This is all aimed at large corporations that engage in wholesale marketing. I do not see where there is an adequate sanction in this legislation. I am seeking to remedy that in some of the amendments I have proposed.

See this speech in context