Barry Cowen (Offaly, Fianna Fail) | Oireachtas source

I welcome the opportunity to speak to the Bill. Fianna Fáil supports and welcomes the Bill which has been designed to better enable public bodies to share personal data with each other with the consent of the individual citizen. It will also regulate the process by which public bodies can share data.

In the modern technology driven world the issue of individual rights and privacy is crucial. For Government and public bodies, a balance must always be struck between efficiency in administering tasks for the benefit of the citizen and the protection of the citizen's personal information and data. The general data protection regulation, GDPR, sums up these often conflicting issues. Even today, the issue of GDPR was brought up on "Liveline", in particular the inconvenience of implementing it for companies and individuals throughout the country. On the other side of the coin, when one considers the special categories of personal data under the GDPR which include people's racial or ethnic origin, political opinions and sexual orientation, among other things, nobody can deny that these details must be protected. The balance is now more important than ever. We live in a world where, all too often, people's personal information is treated as a commodity or something to be shared without consent or control. The basic right to privacy has been gradually chipped away, both with the rise of unfettered social media and also the rise of data hacking by the more sinister elements in this world. The State gathers a vast amount of information on each citizen on an almost daily basis. The Revenue Commissioners and social welfare offices possess detailed financial data for the vast majority of citizens. The Department of Health and the Health Service Executive possess detailed information on our health and health history. The State knows exactly where we live and work. In view of this, it is crucial for any democratic state that appropriate protections be put in place to prevent data from being transferred without consent. It is crucial that the State take the lead when it comes to protecting the right to privacy for the individual citizen. It was for this reason that the European general data protection regulation was brought into force and it is vital that the Bill be cognisant of it, not only legally but also in spirit. In that regard, I must recognise, as the Minister of State has done, the work done during the passage of the Bill through the Seanad, which served to strengthen it and put extra protections in place.

When a citizen deals with the State, be it with regard to a tax submission, a social welfare claim or a medical card application, he or she has an expectation that this work will be undertaken in an efficient manner. For the State to serve the citizen better and process actions faster, it needs to be better able to transfer data from one public body to another. For many citizens, it is frustrating, for example, to provide data for one public body and then have to replicate the process with another public body and give the exact same information. Of course, this will not be eradicated entirely, but with the Bill, the process should be improved.

Another key consideration that is at least partially addressed in the Bill is fraud. The vast majority of Irish citizens do not commit fraud, but it must be said a small proportion do. By collaborating in such a manner, the instances of fraud should reduce and the State should be better enabled to detect and tackle fraud. When someone commits fraud, be it in claiming social welfare benefits not owed to them or when he or she fail to pay his or her tax, it costs everyone else.

I turn to the specific sections of the Bill. Part 2 deals with the application in practice of the Bill and how it will interact with the Data Protection Acts and the general data protection regulation. It outlines what aspects of the Bill need to comply with the general data protection regulation and provides a framework by which the Bill will interact with the Social Welfare Consolidation Act 2005.

Section 9 defines precisely what data sharing is for the purposes of the Bill. Data sharing means the disclosure of information, including personal data, by a public body to another public body. Section 10 defines precisely what is a public body.

Section 12 sets out the areas where the Bill will not apply. It does not apply to data sharing for the purpose of the prevention, detection or investigation of offences and everything that follows thereafter. It does not apply to data sharing in the defence of the State.

Part 3 of the Bill regulates the data sharing process and sets out the conditions under which public bodies may share personal data. Section 12(2) provides that public bodies may only share data for the purpose of the performance of one or more of their lawful functions and only for one or more of the following: to verify the identity of a person where a public body is providing a service for that person; to identify and correct erroneous information held by a public body; to avoid the financial or administrative burden that would otherwise be imposed on a person to whom the service is being delivered; to support the "once only” principle that persons should not have to provide the same information multiple times; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate the organisational study of a public body.

Part 4 of the Bill deals with data sharing agreements which must be completed in order for data to be shared between public bodies. Part 5 of the Bill deals with information on public service pension schemes. Part 6 of the Bill deals with the transfer of business information. Part 7 of the Bill deals with base registries.

Part 8 of the Bill seeks to establish a personal data access portal, whereby a citizen can exercise his or her right to see what data public bodies hold on him or her. This is a crucial check on the State and will add a level of transparency that is essential for the citizen to be able to hold the State to account.

Part 9 of the Bill provides for better governance in the management of all data held and processed under the Bill. This will enable the Minister to establish a data governance board. Section 46 sets out the functions of the board, while section 47 sets out its membership. Chapter 2 involves the review of data sharing agreements. This will be a crucial role for the board which will be charged with reviewing such agreements. It is crucial that the board be truly independent because, when things go wrong, we know what the standard response from any institution has been and, in many cases, continues to be - to circle the wagons. It is crucial that the board, in reviewing data governance, act independently and genuinely hold public bodies to account. Chapter 3 deals with the governance of personal data, including special categories of personal data.

To reiterate, Fianna Fáil will be supporting the Bill and engage constructively on Committee Stage. However, I take the opportunity to raise issues that, while not directly related to the Bill, are nonetheless relevant to the debate. We are living in a world in which there is unprecedented risk when it comes to data security. On an almost weekly basis we hear and read about another hacking incident in which people's personal data have been stolen, often for malicious purposes. These crimes are being perpetrated against public bodies, governments and companies. It seems nobody is beyond this scourge. We in Ireland are no exception and are as vulnerable to this threat as those in any other country.

In the coming years and decades, to protect citizens and the companies that operate here, Ireland will have to significantly beef up its defence and law enforcement capabilities. The threats are becoming ever more sophisticated by the day and we need to keep step with the perpetrators.

Another area of data security not directly related to the Bill but that is nonetheless crucial is the regulation of social media platforms. The increase in online bullying is becoming ever more difficult to detect and stop before it is too late. People are losing control of their online data as they are shared and passed on to individuals and parties unknown to them. In the coming years we also will need to address this threat. People's individual right to privacy is coming under threat in an unprecedented way. While technology can offer better ways of doing things, it brings with it threats that we must not underestimate.

See this speech in context