Dáil debates

Wednesday, 16 May 2018

Data Protection Bill 2018 [Seanad]: Report Stage (Resumed)

 

4:10 pm

Clare Daly (Dublin Fingal, Independent)

I move amendment No. 16:

In page 31, line 38, to delete “may” and substitute “shall”.

Section 35 deals with suitable and specific measures for processing data. In general, throughout the Bill these measures are used as a substitute for gaining somebody's consent to process the most sensitive data. It is obviously significant because the idea of these suitable and specific measures is that they are technical and organisational safeguards, things such as limitations on access by staff in an organisation to highly sensitive data or a logging-in system so it is clear who has access to data and when, that sort of thing. With this amendment, we are proposing that any regulations made under the section in order to either identify suitable and specific measures that have to be used in certain situations or to specify that some of those measures are mandatory shall first identify different measures for different categories of personal data, different categories of controllers and so on and, second, specify that at least one of the measures set out in the list in subsection 35(1) is mandatory. We think it is important that regulations in this regard are obligated to be fairly clear and detailed. That is because those measures are a requirement in so many different processing situations throughout the Bill and because they are so crucial to safeguarding people's rights and their data, the rules around them should therefore be pretty precise. In other words, those rules should take into account what kinds of data are being processed, by whom and what kinds of processing actions are being taken on them. We also think it is important that at least one, but ideally more, of the measures listed in section 35 have to be made mandatory if a Minister is going to the trouble of drawing up regulations and the measures listed in subsection 35(1) are fairly basic. It should not be a major cross to bear to make at least one of them mandatory.

I will give a very brief example. The Minister said on Committee Stage that schools hold data on children's allergies and other health issues so obliging them to implement limitations on access would be too onerous. Flipping that around, it implies the Minister is okay with any visitor to the school getting access to highly sensitive information about a young child's health. We do not really think in that context access limitations are too onerous at all. It would be great to think that regulations were mandatory in this particular context. To give another example, I recently heard of one school where staff were told the GDPR means the school has to hang on to permissions slips for school tours until the children are 21. It is utter madness. There is a huge misunderstanding out there. Targeted training is another measure listed in subsection 35(1). It should be made mandatory in certain contexts because we are opening the road to utter chaos otherwise.
