Dáil debates

Wednesday, 24 June 2015

Communications Regulation (Postal Services) (Amendment) Bill 2015: Report Stage

 

11:00 am

Alex White (Dublin South, Labour)

I agree with Deputy Moynihan that we must exercise considerable care with regard to the data protection implications of any legislation such as this. I do so, and have done so, and I regard it as being of considerable importance.

Section 66C(2) of the Bill clarifies that section 6A of the Data Protection Act 1988, which relates to the processing of personal data which is likely to cause damage or distress, does not apply where processing is necessary to undertake a legitimate activity in relation to the postcode. This would cover a situation in which an owner or occupier of a property disagrees with the matching of his or her address to an Eircode and in particular to the routing key element of that code - the number - despite the accuracy of such matching. That is why section 66C(2) is an essential provision in the Bill.

Section 7 of the Data Protection Act 2003 provides that data controllers and processors owe a duty of care to data subjects which relates to the collection and use of personal data. That is the law and that is not being disturbed. The provisions of the Data Protection Acts apply in respect of breaches of the rights contained in those Acts. Section 30 of the Data Protection Act 2003 provides that the Data Protection Commissioner may bring summary proceedings for an offence under that Act. Section 31 of the Act provides for penalties for offences under the Act.

It is neither appropriate nor necessary to provide for offences of breaches of data protection rights when such provisions already exist in the Data Protection Acts. In addition, the Bill provides that the Minister can make regulations providing for a power to suspend or terminate a value-added reseller licence, as well as the power to carry out audits. The activities covered by this Bill are only those which are essential to the delivery and maintenance of the postcode system. End users will still be subject to the full rigours of the data protection legislation. If any Deputy can persuade me otherwise I will listen for as long as it takes to understand the point. I say that with every respect to all the Deputies in the House.

Deputies Colreavy and Catherine Murphy already raised the extra-territorial effect on the last day we debated this. The Data Protection Acts apply to all data controllers established in the State.

Section 11 of the Data Protection Act provides for restrictions on transfers of personal data outside the State. The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory provides an adequate level of data protection. This provision is already in the Data Protection Act. While the issue may arise in this discussion, it does not turn on any of the provisions in the Bill, given that it is addressed in existing legislation.

Furthermore, under section 11 of the Data Protection Act, the Data Protection Commissioner may prohibit the transfer of personal data from the State to a place outside the State. The commissioner can serve a prohibition notice on the data controller or data processor. These provisions will continue to apply. Moreover, the Bill provides that the Minister may make regulations requiring a value-added reseller to provide evidence of having registered with the relevant data protection authority, where applicable, before a value-added reseller licence will be granted. This requirement is not limited to registration with the Irish Data Protection Commissioner.

I propose to respond to some of the issues raised by Deputies. In the first instance, I respectfully do not accept the suggestion that there is a mindset at work here which seeks to exclude or have no regard to data protection issues. Deputy Moynihan made a fair point in stating that Deputies raised issues at a certain time. The former Minister, Deputy Pat Rabbitte, examined this issue, as did I, and we both decided to introduce what may be colloquially described as belt-and-braces legislation in so far as there could be any concern about the application of data protection principles. This Bill deals with postcodes simpliciter - in other words, the Eircode number on its own. When a person is allocated a postcode, the number will be meaningless on its own. However, if it is linked to a person's name or by means of another identifier, it becomes something that can be treated in a certain way - Deputy Catherine Murphy used the word "commodity" to describe it - and people will have legitimate concerns about how it may be treated. This is only the case where the postcode is linked to some other identifier because, on its own, it is nothing more than a number.

All the existing protections for personal data in the Data Protection Act apply in this scenario. The only reference to a separate treatment, as it were, is to the postcode where it is used on its own. However, once it is linked to anything else, all existing data protection legislation applies. This Bill introduces rigorous protections in respect of what can be done with postcodes simpliciter.

A privacy audit was conducted on my instruction, and while the executive summary has been published, I will furnish Deputy Catherine Murphy or any Deputy with the full report if he or she wishes to have a copy. It can also be published.

It is not true that the Data Protection Commissioner was in some way peripheral to this Bill. The current Data Protection Commissioner has acknowledged its publication and views the legislation as positive, describing it as "underpinning the implementation and operation of the Eircode system and ensuring that essential data protection safeguards are in place".

On offences and ensuring compliance, the existing Data Protection Acts 1988 to 2003 provide stringent penalties for summary offences in sections 30 and 31. All the penalties are set out and substantial fines may be imposed where a person is found guilty of an offence under the Act.

On the commodification of data, it is worth remembering that the information we are discussing is already sold by GeoDirectory and addresses are sold commercially. The postcode is effectively an address that is referable to a premises rather than an individual. Once it becomes referable to an individual, all of the data protection provisions with which we are familiar and which we regard as being of such great importance apply. The addresses simpliciter are already sold commercially by GeoDirectory. We hear a great deal about consultants and so forth. A financial benefit will flow to the State from the contract that has been agreed, which includes a gain-share mechanism.

Having listened carefully to the arguments made by the Deputies opposite, I am not persuaded, nor could the House be persuaded, that this Bill in any way sets aside the important and precious principles outlined in the Data Protection Act 1988, extremely important legislation that was subsequently amended in 2003. These principles continue to apply, as do the mechanisms for making complaints under the Data Protection Acts. In addition, a separate complaints procedure has been established solely in respect of postcodes. I draw the attention of Deputies to section 66C on personal data protection, as it emphasises the point I have been making. It reads:

(1) Nothing in this Part shall be construed as authorising the processing of personal data contrary to the provisions of the Data Protection Acts 1988 to 2003.

(2) Section 6A of the Act of 1988 shall not apply in respect of such processing of personal data as is required for purposes related to the carrying out of a legitimate postcode activity.

My point is that once the postcode or Eircode has been linked to another identifier, all the protections of the principal Act apply. If a concern arises about legitimate postcode activity, namely, this narrow area of dealing only with Eircodes, section 66D sets out the complaints procedure that would apply.

Deputy Catherine Murphy argued that there is no facility available to individual citizens who feel aggrieved. Citizens may avail of the existing protections under the Data Protection Act in respect of personal data, and where a complaint is related solely to the simple Eircode, they have available to them a new complaints procedure, which is set out in section 66D.

For all of these reasons, I regret that I do not propose to accept the amendments.
