Fergus O'Dowd (Louth, Fine Gael) | Oireachtas source

If Deputy Fitzpatrick wishes to share time, I will do so. This is very important legislation. It is being driven by a consensus in Europe. It is time for significant change for all of us in the area of data protection. Everybody who deals with people's data needs training in the subject, whether they are in the public or private sectors.

As politicians, we deal every day with data from people who come into our offices. We write letters and send correspondence and emails on their behalf. What is important for me is not that there is no data protection but that the same protocols are in place across State agencies with which Deputies and other public representatives deal. When a constituent comes into a Deputy's office they are, by their very presence, giving consent by imparting data in the form of their address, their date of birth which I do not often like to ask for but sometimes have to depending on the organisation being dealt with and a PPS number. I rang a public body recently with all this information to hand about a gentleman who was in front of me. I told them he was in the office and that he wanted to discuss an issue with them but the person on the other end of the phone would not talk to him or me, because they needed his consent in writing to me speaking on his behalf. That was impossible because the poor man could not read or write, which is one of the reasons he was with me to assist him. I asked the wonderful person on the other end of the phone if we needed to get a solicitor to swear an affidavit or what we would have to do. The bureaucracy was being unreasonable and unfair and it distressed this poor unfortunate person.

We need the sort of protocols we have on Louth County Council. A person is taken on good faith if he or she is a public representative. One gives a name and address and some personal data, such as a PPS number. Because we are dealing with people we know, that system works well. At other times a public body may look for a date of birth. There were difficulties relating to SUSI because an adult student seeking a grant may have parents who have split up and one may not know what the other person is earning. I accept that, in such cases, it is appropriate and proper that both parents or guardians have to give their consent for assessment of income. We need to sit down with the HSE, with county councils and with the bodies with which we deal most frequently to put in place efficient, effective, common protocols so we avoid the embarrassment for constituents which I had recently.

I acknowledge that the Department of Employment Affairs and Social Protection is the best Department. It has an excellent relationship with the public and with public representatives and the data it looks for is the PPS and address. When I ring about cases the person is always in my office so common sense is required. We also need to have vigilance about how data are kept, whether they are stored in paper form or stored digitally. If there is a data leak such as that we are reading about currently - I will not comment on the court case - and it enters the public domain and is part of a person's personal data, it is a hugely important issue and can create huge difficulties. There are legal cases on these things.

The penalties for a private company which does not protect its data which is then abused in some way or other are quite severe. There is due process and a fine at the end of the process and a significant chastisement. It is hugely important that the HSE and other such bodies face financial and administrative penalties when personal data has repeatedly been leaked. In two or three cases, personal data have come out of the Lourdes Hospital and been found floating around on the streets of Drogheda. The data is about people's medical conditions and their health, which should never be allowed out of a hospital or even kept in paper form. It is beyond me how this happens. Notwithstanding the entreaties of public representatives and pressure from the community to protect data, they have not adequately done so. I do not know if the Minister proposes to apply a penalty for such breaches but if it is not in the legislation, it ought to be. I know the Minister is consulting widely with public representatives on this issue. There must be no division in accountability or responsibility between public bodies and private entities in the case of data that is not properly respected and which is released into the public domain. There are many things one would not mind being leaked such as one's water bill etc., but private health, the operations one has had or the medication one is on are more serious matters. Therefore, in terms of the HSE, health records are particularly sensitive and there should be a special penalty for their misuse or abuse, even inadvertently, or the release of records onto the streets of Drogheda and other places. I urge that there be a significant penalty.

The argument is made that if one hits the HSE for €5,000, it comes off its budget. It should not come from the operational budget but by God it should come from the administrative budget or the budget for non-front-line services. We should be able to put in a significant deterrent which does not affect front-line services but would soften the cough of those who treat the private data of people so carelessly and improperly.

The situation which arose in Drogheda was silly. Data left Lourdes Hospital and lay on a public street. A person picked the material up because they did not know what to do with it. They brought it to a radio station and the radio station reported it. In theory, the radio station could be fined for having the document in its possession while the Lourdes Hospital got off scot free. The Lourdes Hospital is an excellent hospital and it does fantastic work. It is one of the best hospitals in the country in terms of the improvements it has made but we have to come down extremely hard on the failure to protect data.

It is important that we are increasingly aware of data protection, of the security it must entail and of data being released over the Internet without a person's knowledge.

If Deputy Peter Fitzpatrick is ringing me, his app might be telling Senator Ged Nash he is doing so. I am only joking when I say that but what I am saying is that we do not know what the apps on our phones are doing when we are ringing people. How many of these damned apps, for playing games or looking at football matches, are listening to one? A considerable issue arises concerning the use of apps on a mobile phone. We do not know whether they are recording or using one's data without one's consent, or perhaps doing so with one's implied consent. I do not believe anybody reads all the conditions to which one must consent when signing up to an app. They go on forever. We need to adjust and make sure there is a very simple, clear message in large font stating what is actually happening to one's data in the context of access and the transfer of data to others because of silent listeners to every telephone conversation or any communication we may have.

Now that my colleague, Deputy Peter Fitzpatrick, is here, I am happy to hand over to him.

See this speech in context