Charles Flanagan (Laois, Fine Gael) | Oireachtas source

I move amendment No. 86:

In page 76, to delete lines 12 and 13 and substitute the following:“(c) ensure that the data protection officer—

(i) reports directly, in relation to his or her functions under subsection (5), to the highest level of management of the controller,

(ii) does not receive any instructions regarding the exercise of such functions, and

(iii) is involved in an appropriate and timely manner in all matters relating to the protection of personal data, and”.

During the discussion on Committee Stage I agreed to examine the content of what are now amendments Nos. 87, 88, 90 and 91, tabled by Deputies Clare Daly and Mick Wallace. Arising from that examination, I have tabled Government amendments Nos. 86 and 89 by way of response to concerns raised on Committee Stage. I thank the Deputies for raising these issues.

I regret that I am unable to accept amendment No. 92 tabled by Deputy Donnchadh Ó Laoghaire, even though I have to admit I have some sympathy for its objective. It deals with the risk a data protection officer may encounter non-co-operation, duress, harassment or victimisation in the workplace and may as a result be unable to perform his or her duties. I had the opportunity to consider this issue during earlier discussions in the Seanad and I am still of the view that a more effective remedy is available to data protection officers under the Protected Disclosures Act 2014. The House will be aware that a disclosure of relevant information is protected under that Act. If, in the reasonable belief of a worker, it tends to show a relevant wrongdoing and it came to his or her attention in connection with his or her employment, "relevant wrongdoing", as defined in section 5(3) of the Act, includes that a person has failed, is failing or is likely to fail to comply with a legal obligation. This includes the data controller's obligation towards the data protection officer.

Section 7 of the Protected Disclosures Act 2014 provides for protected disclosures to an external person prescribed in an order made by the Minister for Public Expenditure and Reform in Statutory Instrument 339/2014, in which the Data Protection Commissioner has been prescribed as a recipient of disclosures in respect of all matters concerning compliance with data protection law.

In SI 339 of 2014, the Data Protection Commissioner has been prescribed as a recipient of disclosures in respect of all matters concerning compliance with data protection law. This provides an effective remedy where a data protection officer, DPO, is experiencing difficulty in performing his or her functions. A further advantage, and an important aspect, is that any DPO making such a protected disclosure will enjoy the extensive protections against dismissal, victimisation and detriment provided under Part 3 of the 2014 Act.

Another shortcoming in Deputy Ó Laoghaire's amendment No. 92 is that it would, if accepted, apply only to DPOs appointed by law enforcement authorities operating under Part 5 and would not protect the larger number of DPOs operating under the GDPR. All DPOs, whether operating under the GDPR or Part 5 of this Bill, will have protection under section 7 of the Protected Disclosures Act 2014 as elaborated by SI 339 of 2014. I have considered this carefully since we last debated it and, while I appreciate the motivation for this proposal and have some sympathy with the import of the amendment, I cannot accept it because we have a more effective remedy under the Protected Disclosures Act 2014. I do not want a situation to arise where in terms of practice there is not only uncertainty but also confusion between two Acts, one of which is specifically designed to meet the protected disclosure, and not have new amendments here in this legislation that have particular relevance to the 2014 Act.

See this speech in context