Patrick O'Donovan (Limerick County, Fine Gael) | Oireachtas source

I move: "That the Bill be now read a Second Time."

I am very pleased to have the opportunity to introduce this Bill to the House. It was published in June and commenced in Seanad Éireann, where it received strong cross-party support. The Bill was actively engaged with by the Members of the Seanad and I look forward to further constructive debate in this House. Members may be aware of the number of amendments that were tabled and accepted in the Seanad.

The Data Sharing and Governance Bill proposes a series of reforms to the way the Government shares data to improve public services for the benefit of citizens and businesses, as well as measures to improve the safe handling of that data by bringing consistency and improved safeguards to the way it is managed. This legislation is just one part of our ambitious programme of reform in the digitalisation of public services and the use of data. The eGovernment strategy 2017-2020 sets out a vision of a Government using data and digital technology to increase efficiency and effectiveness, thereby constantly improving public services. The actions in Our Public Service 2020, the new framework for development and innovation in the public service, provide for a more integrated, shared and digital environment to enhance the delivery and evaluation of public services.

The Government must deliver on its commitments in this area. The advent and adoption of digitalisation and data analytics have revolutionised the global economy and changed business models and the nature of jobs. We can use our computers and phones, and now even our watches, to do many everyday things, including keeping up with our families and friends, reading the news, watching television, banking and shopping. Digitalisation also opens up new opportunities for innovation in how we design and deliver our public services. We must keep pace with public expectations of how people should be able to access services and with the availability of new technology. Achieving this objective requires modern laws on the use of data in public services to protect and use the information that enables us to deliver these services to the public.

Data sharing is carried out extensively across the public service under the existing legal framework. Indeed, it would not be possible to deliver many services effectively without this sharing taking place in the background. I will provide some examples. Details of birth registrations are forwarded by the General Register Office to the Department of Employment Affairs and Social Protection to generate child benefit claims automatically on behalf of parents. Student Universal Support Ireland, SUSI, shares data with the Department of Education and Skills, the Department of Employment Affairs and Social Protection and the Revenue Commissioners to streamline the processing of student grant applications, reducing the need for applicants to provide documents. The Revenue Commissioners share data with a number of sources, including the Property Registration Authority, for the purposes of maintaining the local property tax register. These are three simple examples of how sharing and reusing data benefits the public.

However, those who deliver public services often face problems in gaining access to information held by other public bodies. Data protection law requires that data sharing needs an explicit legal basis. The examples of data sharing I have just given are made lawful by the specific sectoral Acts of the bodies concerned. Access to the legislative schedule is limited and as a result the process of obtaining the required powers to share data can be painfully slow for public bodies.

Furthermore, the reliance on sectoral legislation as a basis for sharing data has resulted in a set of data sharing laws that have grown piecemeal over time to respond to specific policy needs. This patchwork of laws is complex and not very transparent to the public. There is a clear need, therefore, to update our legislative regime to provide for a flexible legislative gateway that will simplify the complex legal landscape slowing the pace of our efforts to modernise and improve the services we provide to people and businesses. We also need to allow for data sharing to be carried out in a systematic, consistent and transparent way so that members of the public can be confident that their information is being used for the right purposes and remains securely held.

When data are used effectively, everyone benefits from better services that can be delivered more responsively and efficiently at a lower cost to the taxpayer. Members of the public also have a strong expectation that their data will be used responsibly, proportionately and securely in a manner that respects their privacy and upholds their data protection rights. As the volume of data grows and our capacity to deliver digital services expands, the opportunities to improve services increase. So too must the governance and safeguards we have in place to keep people’s data safe.

The House will be aware of the EU’s general data protection regulation, GDPR, which came into effect on 25 May. The GDPR and the Data Protection Act 2018 represent a very significant reform of the data protection regime to keep pace with the many technological advances and new business models that have emerged in recent years. The GDPR strengthens the control of members of the public over their personal data and the purposes for which this information may be used. A key principle underpinning the development of this legislation has been that the Bill should not weaken the protections afforded by data protection law, including the GDPR. Therefore, as well as providing a clear legislative gateway for public bodies to share data, this Bill must also provide a framework for public bodies to share data in a manner that is compatible with the requirements of the GDPR. I refer in particular to the requirement that bodies must be transparent with people about exactly who is sharing their data, what data are being shared and why this is necessary.

In this regard, I would like to take the opportunity to thank the Members of this House and Seanad Éireann who undertook the pre-legislative scrutiny work on this legislation in their capacity as members of the Oireachtas Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. The committee’s report made many useful recommendations which we have tried to address as much as possible during the drafting process. A clear theme that emerged from these recommendations was the committee's concern not only about the risks to people’s data protection rights arising from the sharing of data but also from the misuse and mismanagement of data by public bodies generally.

I share these concerns. This is why this legislation is a data sharing Bill and a data governance Bill. The scope of the governance provisions in this Bill goes beyond just regulating how we share data. The Bill also strengthens the way the public service manages its data in respect of how data are collected and processed, how data are kept secure, and how access to data is controlled, monitored and logged. Many of these governance provisions were added to the Bill following the pre-legislative scrutiny and I believe they go a long way to addressing the concerns raised by the committee. I believe that these provisions will reassure people that their information is being held, processed and shared in a responsible manner and in compliance with data protection law.

I wish to outline to the House the main provisions of the Bill. The purpose of this Bill is to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish a data governance board; and to provide for related matters.

The Bill comprises the following parts. Part 1, comprising sections 1 to 4, inclusive, contains a number of standard legislative provisions concerning the Short Title, commencement, orders and regulations and expenses.

Part 2 comprises sections 5 to 12, inclusive. Section 5 provides that the Bill shall not apply to the sharing of the special categories of personal data specified in article 9 of the GDPR. These include data revealing racial or ethnic origin, political opinions, religious beliefs and trade union membership as well as genetic and biometric data and data concerning a person’s health, sex life and sexual orientation. There are three specific instances where the Bill does apply to special category data and I will address these when I reach the specific parts of the Bill that relate to this.

Section 6 contains an explicit statement that the Bill shall not affect the operation of the GDPR or the Data Protection Acts. Sections 7 and 8 set out how the Bill interacts with certain existing sectoral legislative provisions concerning data sharing, including the Social Welfare Consolidation Act 2005. Section 9 defines data sharing for the purpose of this Bill as being “the disclosure of information, including personal data, by a public body to another public body”.

Section 10 defines the term “public body” for the purposes of the Bill. I want this Bill to apply to the widest possible number of public bodies and so, among others, the definition encompasses the Civil Service, local authorities, the HSE, An Garda Síochána, the Defence Forces and the non-commercial State agencies.

7 o’clock

A list of bodies excluded from the Bill, mainly the commercial semi-State bodies, is set out in the Schedule.

Section 11 provides that the Bill applies to data concerning deceased persons. This is to allow for records to be updated upon a person's death.

Section 12 provides that the Bill does not apply to data sharing for the purposes of law enforcement, national security and defence.

Part 3, comprising sections 13 and 14, sets out the conditions under which public bodies may share personal data using this Bill. Section 13 provides that public bodies may only share data for the purpose of the performance of one or more of their lawful functions and only for one or more of the following purposes, namely, to verify the identity of a person where a public body is providing a service to that person; to identify and correct erroneous information held by a public body; to support the "once only" principle that persons should not have to provide the same information multiple times to different public bodies; to establish the entitlement of a person to the provision of a public service; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate an organisational study of a public body. This section also provides that public bodies must comply with regulations and orders made by the Minister under Part 9 of the Bill concerning proper data management and that data sharing be carried out in accordance with a data-sharing agreement. Section 14 gives the Minister the power to direct two or more public bodies to share data, subject to the provisions of the Bill.

The provisions contained in Part 4, comprising sections 15 to 22, inclusive, concern the data-sharing agreements referred to in section 13. Section 15 clarifies that the provisions of this Part only apply to data sharing carried out under this Bill, while section 16 obliges public bodies to enter into a data-sharing agreement before sharing data under this legislation.

Section 17 sets out the formal requirements for a data-sharing agreement and section 18 allows for additional parties to be added to a data-sharing agreement, if required.

Section 19 specifies what information should, at a minimum, be included in a data-sharing agreement. Among other things, public bodies must be explicit in these agreements about the purpose of the data sharing, what data will be shared and how the data will be further processed and kept secure, in accordance with the principles of data protection.

Section 20 provides for the periodic review of data-sharing agreements. Section 21 provides that one of the parties to the agreement shall be designated as the lead agency responsible for the management of the data-sharing agreement. Section 22 sets out the conditions for the expiry or termination of a data-sharing agreement.

Part 5, comprising sections 23 to 32, inclusive, gives the Minister for Public Expenditure and Reform, or another Minister of the Government where he or she has responsibilities in this area, the power to collect and process specified information regarding public servants arising from their membership of a public service pension scheme. This information includes provisions for the administration of pension scheme benefits for beneficiaries earned over a public servant's entire career in the public service. It will be necessary to collect and process some special categories of personal data for these purposes, for example, to record if a public servant has retired due to ill health. Section 24 explicitly provides for this.

Part 5 also provides the basis for the establishment of a centralised pension system to support the long-term administration of the single public service pension scheme. It provides for the Minister for Public Expenditure and Reform to collect and analyse information, in pseudonymised or anonymised format, as appropriate, on the number of public servants employed and expenditure on pay and pensions, including the carrying out of actuarial evaluations. This data will be used to inform public service expenditure estimates and support public service resource planning and policy development.

Part 6, comprising sections 33 to 36, inclusive, gives the Minister for Public Expenditure and Reform the power to issue a unique business identifier number, UBIN, for the purpose of uniquely identifying any undertaking that has a transaction with a public body. It also specifies a set of business information that can be shared between public bodies in the performance of their functions. This UBIN and business information data set will assist in building the business data element of the national data infrastructure.

Part 7, comprising sections 37 to 43, inclusive, gives the Minister for Public Expenditure and Reform the power to designate a database owned by a public body as a base registry. Base registries will allow us to designate a single data set as the official source of that data that can be reused by other public bodies. This will improve the data quality across the public service by reducing the number of independent copies of data and allows us to focus our resources on the security and protection of a single data source, as opposed to many copies.

Section 38 obliges base registry holders to keep this information up to date, accurate and complete and to make this information available to other public bodies for lawful purposes. Section 42 obliges public bodies to use the information on a base register rather than collecting it directly from the data subject.

The intention of Part 8, which comprises sections 43 and 44, is to facilitate the creation of a portal to make it easier for members of the public to exercise their access rights under the GDPR to see what information public bodies hold about them and the purposes for which the information is collected and processed. A provision to enable the development of such a portal was one of the key recommendations of the pre-legislative scrutiny report. This will extend to special categories of personal data and this is provided for explicitly in section 43.

Part 9, which is split into three chapters and comprises sections 45 to 68, inclusive, provides for better governance in the management of all data held and processed under this Bill or under another enactment by public bodies and will help public bodies to comply with their obligations under GDPR. Many of the provisions have been influenced by the recommendations in the pre-legislative scrutiny report on the Bill.

Chapter 1, comprising sections 45 to 52, inclusive, provides for the Minister for Public Expenditure and Reform to appoint a data governance board to advise on the operation of the Bill. Section 47 sets out the provisions concerning the membership of the board and includes provisions providing for gender balance and for external appointments to be made via the Public Appointments Service process.

Chapter 2, comprising sections 53 to 62, inclusive, sets out the process for enhancing transparency regarding data sharing and for advance scrutiny of any proposals for data sharing between public bodies as follows. Public bodies will be required, under section 55, to publish an advance draft of any proposed data-sharing agreement and invite the public to comment on the proposal. Section 56 requires that the draft data-sharing agreement, along with a summary data protection impact assessment - if one has been carried out - and any comments received during the consultation, will then be submitted to the board for consideration. Section 57 provides that the board may issue a set of recommendations in respect of the draft data-sharing agreement, which the public bodies shall incorporate into the final agreement before signing. Section 60 provides that the signed data-sharing agreement shall be submitted to the Minister for Public Expenditure and Reform and laid before the Oireachtas. The Minister for Public Expenditure and Reform shall publish the signed data-sharing agreement along with the summary data impact assessment and any recommendations made by the board.

Chapter 3, comprising sections 63 to 68, inclusive, gives the Minister for Public Expenditure and Reform the power to prescribe binding rules, procedures and standards for the management of data across the public service; issue guidelines for management of data across the public service; and prepare model data-sharing agreements that public bodies shall use as the basis for any data-sharing agreements they enter into.

Section 63 provides that this chapter shall apply to special categories of personal data as the intention here is to drive a set of robust common standards across the public service for the management of personal data. Clearly, such best practice standards must apply to the management of special category data in particular.

Finally, Part 10, comprising sections 69 to 73, inclusive, includes a number of miscellaneous provisions. Section 69 gives the Minister for Public Expenditure and Reform powers to prescribe certain documents that public bodies should not collect directly from a person but should instead avail of data sharing in order to avoid unnecessary requests for documents. Section 70 gives the Minister power to direct public bodies to collect information in a format specified in the direction. Section 71 gives the Minister powers to direct public bodies to provide information in relation to all data-sharing arrangements being carried out under this Bill or any other enactment. Section 72 is a technical amendment to section 17A of the Ministers and Secretaries (Amendment) Act 2011 to ensure compatibility with Part 5 of the Bill. Section 73 adds the National Shared Service Office to the list of bodies specified under the Social Welfare Consolidation Act to collect and process the PPSN.

A number of amendments have been identified which I will introduce on Committee Stage, most being of a technical nature. In addition, I agreed on Report Stage in the Seanad that I would consider adding some form of wording to exclude application of the Bill to any sharing of data that would support commercial activities of public bodies. I hope to bring forward a proposal to this effect on Committee Stage. I am also considering an amendment to provide for wider use of the Revenue online service digital signature, in keeping with the Government’s wider digital strategy. I will be proposing a minor technical amendment to the National Shared Services Office Act 2017 in regard to the Irish name of that office.

The nature of the subject matter of the Bill means that it contains a number of quite technical provisions. In that regard, my officials are available to assist any Member who requires clarification on any of the technical aspects of the legislation. I reiterate my thanks to the Members of both Houses who worked on the Bill during its pre-legislative scrutiny stage which greatly influenced its development. I thank the Members of Seanad Éireann for their support and contributions. I also thank the various stakeholders who contributed to the development of the Bill, including those who took the time to make submissions during the public consultation process when the general scheme was being developed and those who attended the pre-legislative scrutiny hearings at the committee. Their input was also a great help in the preparation of the Bill. I thank Members of this House for their attention. I hope they will support this important legislation and look forward to hearing their contributions throughout the debate.

See this speech in context