Dáil debates

Wednesday, 7 November 2018

Data Sharing and Governance Bill 2018 [Seanad]: Second Stage (Resumed)

 

Question again proposed: "That the Bill be now read a Second Time."

6:00 pm

Photo of Róisín ShortallRóisín Shortall (Dublin North West, Social Democrats)
Link to this: Individually | In context | Oireachtas source

I am glad to have the opportunity to contribute to the debate. Every state relies on the trust of its citizens to be able to deliver vital services. The Revenue Commissioners have access to the details of our personal finances because they need them to collect tax equitably. The Department of Employment Affairs and Social Protection has access to details of our work and family circumstances because it needs them to deliver the correct payments. People accept the legitimacy of these uses of their data because they clearly understand who will process them and for what reason. The general data protection regulation, GDPR, codifies this right in law and is directly binding on State bodies as much as everyone else. The Court of Justice of the EU, in the Bara case, confirmed that EU law "must be interpreted as precluding national measures that allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing". Yet this is exactly the model of data collection and the subsequent sharing of that data between public bodies with which this Bill persists, despite the clarity of EU law. The Government must realise that to force this Bill forward without addressing this contradiction is to invite inevitable litigation, wasted costs and likely claims of compensation and fines from the European Commission. More important, to press on with this quixotic Bill is to strike at the root of that vital relationship of trust with citizens. Plainly put, then, the modern State needs good data to produce good governance, and it will not get this if citizens do not trust the Government to be an honest and plain dealer.

We have experienced the limits of the Government's coercive approach to data collection in the public services card project. The Road Safety Authority, RSA, was instructed that it was Government policy to force people to get public services cards before it would allow them to get driving licences. The RSA spent €2 million building an online applications system on the basis of this requirement. Then, a year after it was declared the rule was compulsory, the authority was told that the Attorney General's office had found no legal basis for the requirement. Civil society groups such as Digital Rights Ireland had been warning for years that there was no legal basis for making the card compulsory. The same groups have been warning that the model of this Bill is misconceived. Why can the State never acknowledge it should change direction until it has cost us all dearly? There are umpteen examples of this.

We can look abroad to see how this kind of behaviour plays out. The British Government pressed on with its plan to share medical records without taking account of citizens' concerns. There was a collapse of confidence among the public as it realised the government could not answer basic questions of legality and governance. After more than 1 million people refused to participate, the NHS Care.data project ended up being scrapped at a cost of £8 million - £8 million which was wasted. A similar scheme was introduced in Australia, where a voluntary, centralised medical records system was converted to one automatically enrolling every citizen unless he or she opted out. The consequential collapse in public trust in this scheme contributed to the sudden end to Malcolm Turnbull's tenure as Prime Minister and required the government to promise emergency amending legislation.

Ireland is not by any means a nation of Luddites. It is not backward to be careful about the privacy consequences of technology and sloppy data projects. Data experts, the people who know the most about the consequences of these issues, are the most cautious about the potential for misuse and mistake. Research has shown that, whether in private or public systems, approximately 68% of IT projects fail. Success is not achieved by rushing forward and ignoring constructive criticism or by denying the plain reality of what is and is not legal.

This Bill was introduced with the claimed purpose of implementing the EU's public sector information directive, but that directive is intended to create a culture of open data, encouraging the release of state information for the benefit of the economy and society. The plan to take citizens' personal data and reuse them between public bodies without further notice to citizens does not address that directive's purpose at all. Either the Government has misunderstood the public sector information directive or it is citing it simply as an attempt to bluff its way past the lack of a legal basis for the plan it wants.

I have spoken about some of the examples from abroad of government data schemes failing at great cost, but we have had one relevant example closer to home. The abject and expensive failure of the Reach public service broker project was described in the Comptroller and Auditor General's special report No. 58 on eGovernment as follows:

The Broker was innovative [and ambitious]. However, [its] feasibility ... was not examined early on and planning was weak.

The Comptroller and Auditor General estimated the eventual spend on the project to have reached in excess of €37 million.

The Reach programme was effectively the State's last major attempt to share citizen data between Departments. As such, it is important that the lessons are learned from its failure. The Comptroller and Auditor General concluded that it was likely that Reach could have delivered the broker system in a more timely and cost effective manner had the governance, staffing and risks been managed more rigorously.

The Comptroller and Auditor General's report did not consider the benefits of data transfer to be sufficient to justify the project's costs. The willingness to put a halt to a bad plan is as much the hallmark of a strong Minister as is his or her ability to implement a good one. I call on the Minister of State to acknowledge that this Bill, as it is currently conceived, will harm public trust and create significant potential risks for the public purse beyond any value which it offers. I urge the Minister of State to go back to the drawing board and rethink the entire approach of this Bill.

6:10 pm

Photo of Fergus O'DowdFergus O'Dowd (Louth, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Fáiltím roimh an díospóireacht seo. Dearbhím go bhfuil sé an-tábhachtach. Caithfimid díriú ar chúrsaí sláinte ach go háirithe agus ní bheidh mé ag cuidiú leis an méid a dúirt an Teachta Shortall mar tá ceist eile an-phráinneach le phlé agam. This is a welcome debate and important issues have been raised. I want to come at it from different perspectives. One is supporting the legislation, two is supporting further changes and three is pointing out significant anomalies and problems with the lack of data sharing where people's health, lives and limb are at stake. These are of grave concern to me and, indeed, I have no doubt to the people who make these complaints to the authorities. It is important to share data. It is important when somebody comes into my office, or that of any other Deputy, that he or she fill in the data protection form.

I find an increasing awareness, alertness and willingness to sign that form. I thought there would be some difficulty with it but now automatically when somebody comes into my office, on the reverse of the form that he or she fills in, we put in the data protection notifications and ask him or her to sign and date it. That is useful because it protects the individual, the data received and it is also useful for records management that everything is clear and transparent. The record includes who came in, what was said, what was done, where it went and that consent was received. I welcome that. I also welcome sharing of data between Departments. It is hugely important if anybody is trying to find out what happened to a social welfare application that data can be shared, an answer found and the query followed through effectively and efficiently.

I welcome the speed with which public authorities generally, and in particular the Department of Employment Affairs and Social Protection which deals with most of my queries, respond to them. All of that is good, healthy and the right way to go, notwithstanding concerns people might have. I have serious concerns about data given to the Health Information and Quality Authority, HIQA, and which is not transferred. I will explain my case to the House. The difficulty is that currently about 4,800 individual items of information are mandatorily reported by private or HSE nursing homes to HIQA every year. There are also unsolicited complaints from people like us who might be visiting a relative or from somebody who works in a nursing home about concerns about the care and people being at risk.

The data is treated differently in different cases. I refer to the mandatory requirements for data transfer. If a nursing home is legally obliged to state that Mary Jones fell and broke her femur or she has very bad bed sores, the data is only given in numeric form. The individual is never identified. Of the thousands of reports which HIQA gets, it only knows where they come from. It does not know who the individual is and it is not able to go in and look at the file. It cannot look to see what happened to Mary Jones, why she fell, how she fell and why she had ten or 15 falls in the last year. HIQA is not able to inquire into that level of data. I believe there is a need to look at that anew and to make sure that HIQA, if it wishes, should be able to go into private or HSE nursing homes to follow the facts and get the full facts. That is protecting people who are extremely vulnerable and people who, unfortunately, in many of these incidents have significant adverse impacts on their health.

If the nursing home mandatorily reports data, it is in alphanumeric format and nobody knows who the individuals are or what they are. All that is known is the name of the home and HIQA cannot inquire and get to the bottom of what in many cases is abuse. Second, I refer to the case where, if I am a member of a family or a visitor, I ring up and say I am concerned about Mary Jones, that I found her lying on the floor where she was covered in sores or faeces or whatever the issues are. There have been hundreds of issues, in fact thousands of them, over the last few years. HIQA can state that is terrible and record everything. Guess what happens? Nothing.

The data is not used. Why is it not used? It is because the person who makes the complaint is not the individual concerned. There is an issue about that. A third party who rings up HIQA, be it a family member, a personal visitor or a friend, will give data. That is recorded but not used and not acted on because it is not legally allowable for HIQA to act on it. The third case is also worrying. If I work in a nursing home and if I ring up and tell HIQA that I have seen abuse of an elderly person - it could be financial, sexual, emotional, or under many different headings - that data cannot be acted on either because it works under different legislation. The legislation that applies there relates to work and employment. That data is not followed up. Wherever the data comes from, if it concerns the health, welfare and well-being of an elderly vulnerable person, it should be capable of being acted upon quickly and efficiently by HIQA or the relevant authority.

The other problem with data protection is that in 2015 HIQA agreed a memorandum of understanding with the Office of the Ombudsman. There were about six meetings. They were great meetings and everything was going to happen. Guess what happened in 2016, 2017 and 2018? No data transferred, not one single bit. I think that is a disgrace. I do not doubt the intentions of the people who did up the memorandum in HIQA because I have met and spoken to them. I also do not doubt the intentions of the Office of the Ombudsman to do it. Nothing, however, has happened.

When I brought this matter to HIQA's attention it said it would deal with it. Earlier this year, HIQA assured me that data transfer would now take place between HIQA and the Office of the Ombudsman so these matters could be investigated properly. The problem is that HIQA also said in the same letter to me that it was now reviewing all of the memoranda of understanding under the Data Protection Act 2018. It was reviewing every single one of them because the issues I had raised with HIQA might, could and probably will apply to all other memoranda that it has.

The law, while it is there to protect the individual, and I do not doubt the intention when we did that as lawmakers, needs to be more flexible. That is particularly the case where there is a health risk and a report of a concern. The sharing of data between statutory agencies, and I hope that is what this Bill is about, should be automatic without any of this bureaucracy which is unhelpful. A question then arises. If I ring up HIQA with an unsolicited complaint, as it is called, that data should automatically transfer. I do not know if this is in the law or not, but perhaps it might be looked at on Committee Stage. If a complaint is made, implicit in making that complaint is the intention that the person making it is acting in good faith and that the person wants it acted upon. If that complaint is made, it ought to go automatically to the person who has the statutory powers to investigate it, namely the Office of the Ombudsman. That would make much sense if it were to happen seamlessly and automatically. It would protect many vulnerable people. I ask that the Minister of State and his Department deal with that.

I have a few other things that I want to mention.

Data is very valuable, particularly in politics. I specifically refer to information and facts as to who did what where and when and how something happened. The former Minister of State, Deputy Shortall, raised the question of spending millions of euro on a system that does not work. Unfortunately, there is nothing new in that regard in the context of the public service. We need to ensure that people are accountable. Part of the problem is that the Freedom of Information Act needs to be reformed. There must be a much quicker method and means of getting at facts. There are unnecessary delays and obfuscation. I will raise the matter of a particular body at a different event after I get information from a freedom of information request. It holds up information about serious and significant internal audits that account for tens of millions of euro. It means we cannot get at the facts because the body hides behind the freedom of information process. I will be going to the Office of the Information Commissioner shortly about this matter. I hope that when I eventually get to the truth, the legislation will be changed. We should abridge some of the times in the freedom of information process.

There is the question of how data is treated. On the one hand, data might not be transferred when it should be. On the other, we need to change the law so that people not deemed to be the individuals in a case but acting in good faith can get through to an investigating authority. There is also the matter of how the HSE, my favourite organisation, dealt with medical data that just happened to end up approximately 30 miles from the hospital where it originated. The medical records of 12 patients were found on a public road beside the River Boyne near Baltray. I read about this in the newspapers and submitted a parliamentary question to find out what happened to the data and whether the Minister would investigate the breach. The question specifically referred to the personal medical data found at Baltray relating to accident and emergency department patients at Beaumont Hospital and it went in on 18 October. On 1 November, I submitted another question as more medical data relating to personal health information of patients was found. We do not know what is the problem or the hospital in question. The question asked for an outline of the results of an inquiry into the reasons significant personal and medical data was found for the second time in a few weeks at the same place. It was an unacceptable breach of privacy and data protection laws and the hospital must be held accountable for this second very serious breach. I do not know if it is the same hospital. We want absolute assurance that this will not happen again.

I got a lovely reply from Mr. Ian Carter, the chief executive of Beaumont Hospital, in response to both my queries. He stated that a recent incident occurred whereby personal health information on patients was found outside Beaumont Hospital. It was found 30 miles away from the hospital, which is a bit different from it being blown out the window or falling out of a waste bin. On review of the incident - there was more than one - Mr. Carter indicates that the source of the information was identified as an accident and emergency department summary clinical handover report used by nursing and medical staff during shift changes. As a result of the incident, Mr. Carter indicates that all accident and emergency department staff have been directed to use the "confidential" bins provided for such reports prior to leaving the hospital. There we have it. Data protection amounts to putting the data into a confidential bin. How can a bin be confidential and the data relating to very serious medical histories of patients who may be extremely ill end up 30 miles away beside the River Boyne in County Louth? That is entirely and absolutely unacceptable.

The current position regarding protection of data, certainly within Beaumont Hospital, is unacceptable. I do not know what is this confidential bin or how it works but there is no reason in the world any doctor, nurse or anybody else working in a hospital would have to bring personal medical records to a place in County Louth and leave them in grass beside the River Boyne. It is unacceptable, appalling and disgraceful. I rang the gentleman who signed this letter and told the person on the phone I was not happy with the reply, which is insulting and disgraceful. I said that it did not answer the question. I asked if a person had been sent to the site or if the incident had been reported to the Garda or the Data Protection Commissioner. I am still awaiting a reply, despite the fact that I stated my intention to raise the matter during this debate. This is a direct message to Mr. Ian Carter and Beaumont Hospital. I want to know the facts and the public is entitled to that knowledge. I am challenging the hospital here. The people responsible for this matter are unaccountable and they are acting in a very high-handed manner. What they are doing is shameful and disgraceful.

That problem demonstrates another lacuna in the law. If data in the private sector were allowed to fall into the public domain, there would be a fine or sanctions. The HSE is not held accountable, however, and certainly not through parliamentary questions. It will face no fine. This is a major problem because authorities such as those at Beaumont Hospital have very sensitive personal records but they can allow them, through weak and appalling management of the data, be found 30 miles away. This happened once and probably twice, although I do not know that for sure. With the second incident I got a call because somebody found the data and asked me what to do with it. I asked if the name of the hospital was on the data but it was not. I told the person to take the data to the Garda station in Drogheda and put it in its safekeeping. That is where it went. I asked that gardaí should look to see if there is more data at the location, as it would not be acceptable to have it left there.

I welcome the legislation and the changes being proposed. I welcome the fast-tracking of exchange of information, on the one hand, but, on the other, I am pointing out weaknesses and where data is extremely vulnerable. I have particularly referred to personal medical data held by at least one hospital in this country that was found, in a disgraceful fashion, on the side of a road. The question arises of how many confidential bins are there in Beaumont. Why does the hospital need them in any event? I do not work in a hospital but we all work with computers. If a worker wants to find out how a patient is doing, I am sure he or she could access the data electronically. Why is there a need to print physical copies of data across the public sector when everybody has computers and millions of euro have been spent by the HSE on all sorts of computer systems? It is just wrong and it is not acceptable. I thank the Minister of State. I will speak to him later about some of the changes that I hope he will help to introduce. We could learn from other jurisdictions about some of these matters. I welcome the legislation and I will vote for it. Nevertheless, I would like to see those changes enacted.

6:20 pm

Photo of Patrick O'DonovanPatrick O'Donovan (Limerick County, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I thank the Deputies who made contributions. Many were in line with those made in the Seanad.

Is important to remember the Bill relates to data sharing and governance, not data collection. It will facilitate a legal basis for what is already happening in many instances. This is the transfer of data from one public body to another in a supervised and governed fashion. The person at the centre of the data transition would have access to a data portal so it can be seen where the data has been moved, for what purpose and who has viewed it. A board would be established to ensure this is done properly and in accordance with the law, as laid down in previous Acts of the Oireachtas and the GDPR. It would also provide for other issues that the Minister sees as being appropriate in terms of data sharing. It does not get into the collection of data for each of the individual public bodies, which are sectoral matters. I know a number of these were raised last night and tonight, including matters relating to adoption, HIQA or the public services card.

The Bill does not in any way change the Social Welfare Consolidation Act 2005. It does not set out to do that and it is not about that but what it is about is to give a legal framework for what we are already doing. An example of what we are already doing is the collating of information for public servants who have worked in a number of different aspects of the public service to make sure that their pension can be properly accrued, for example.

Each data transition from body A to body B will require an agreement being laid out that goes through a consultation on which people have a right to have a view. Outside all that is the Data Protection Commission, which will stand in a watchdog position, that is, maintaining its current position in respect of the collection and use of individual personal data.

Nothing will change in the existing legal framework and this measure will enhance it because for the first time, it empowers and obliges the State to handle data in specific ways for public services. That is all this Bill does. It underpins what we are doing at present without a legal basis and as I noted in the Seanad, is a lacuna in the law. At present, we are transferring information from public bodies such as Student Universal Support Ireland, SUSI, the Revenue Commissioners, the Department of Agriculture, Food and the Marine and the Office of Public Works, OPW, on the basis that it is for the good of the person for whom the service is being provided but it is being done without a legal basis and this Bill provides that legal basis. An example of it is in Part 5 of the Bill pertaining to public servants who may have worked in different elements of the public service and who I am sure would welcome the provisions laid down in the Bill that allow for their individual and personal data to be shared in a manner that is governed by a board. While attempts were made here last night to disparage the board's construction, it will have, among others, ex officiomembers who are public servants who deal with this issue on a regular basis in different Departments and who have an expertise that may have to be called in from the outside and it also will have a gender balance. The parent Department in this regard will be the Department of Public Expenditure and Reform. This is part of the reform agenda and is an acknowledgement from the Government that it is finally addressing an issue that has long needed to be addressed. A legal basis is being provided in the law for the transition of public personal data and data in general from body A to body B.

As for some of the comments made last night, I welcome Deputy Cowen's support for the Bill and he referenced hacking. Section 64 of the Bill provides for the issuing of data management standards, which is important. I agree with the sentiments he expressed on social media, its abuse and how it is construed at the moment. Unfortunately it is outside of the scope of the Bill but I am sure the Departments of Children and Youth Affairs and Justice and Equality are looking at the matter. I was a member of a previous Oireachtas committee that looked at it as well and Deputy Burton also referred to it.

Deputy Jonathan O'Brien asked that the officials from my Department would be made available to help in teasing out any potential amendments and I assure him that will happen. He has availed of that facility previously and I make the same invitation to other Deputies with the Bill because there seems to be confusion as to what the Bill is about versus what it might be about because of the Title. If anybody wants to engage with my officials or with me at any stage between now and Committee Stage I will be delighted to do that.

Deputy Jonathan O'Brien also asked about mechanisms to have data corrected or removed. The GDPR underpins a lot of what we are doing here anyway but specifically, section 44(2)(c) provides that people will be able to use their personal data access portal. We are signatories to the Tallinn Declaration on eGovernment. I agree with the comments that have been made here regarding snooping within the public service and the question of whether people's information is being accessed and for what purpose. That would leave a fingerprint and a trail and it functions in the same way as online banking because customers would be able to log on and see that the Revenue Commissioners, for example, looked at their data on a particular date. That is important and this provides a legal structure in which that will be able to take place.

I recognise the difficult case Deputy Burton to which referred and she was speaking in a personal capacity on adoption last night. As I have said on other issues such as cyberbullying, it is outside of the scope of the Bill but I sympathise with many of the issues that she raised. I refer to what Deputy O'Dowd has just said on the HIQA data that have been used inappropriately in Beaumont Hospital and which ended up on the side of the road. That is totally unacceptable, as were the difficulties Deputy Burton experienced to which she referred to last night.

I have already referred to section 64 of the Bill, the standards that are being used and the concerns around logging and how these logs are being made available. The data access portal will allow people to use those logs and it will identify inappropriate accessing of data from different elements of the public service. It is fair to point out that this already is an offence under the Data Protection Act 2018 and there are criminal actions for the breach of same. People might not be aware of that but there are.

Deputy Burton also had concerns about the governance board. We spent a lot of time teasing this out in the Seanad. I encourage people to look back on the debate that we had on the Seanad. To be honest it was highly constructive and I said at the time that the standard of the debate there was really high in terms of the level of detail to which we went down and we made changes to the board based on suggestions that were made. The majority of the members are ex officio appointments and they will be suitable officials from public bodies such as the Central Statistics Office, Revenue and the Department of Agriculture, Food and the Marine. They will come with the skill set that will be needed to give advice based on the agreements that will be laid out between the different public bodies. They also will give guidance on the implementation of the Bill when, as is hoped, it becomes an Act.

Deputy Wallace raised many issues last night on the public services card and the MyGovID and it was referenced again tonight. The Bill has no specific provisions on the public services card, it is covered under the Social Welfare Consolidation Act 2005, and the public service identity set remains restricted to those bodies specified in the Act.

Deputy Wallace also raised the issue of the once-only principle last night. The once-only principle is what service users of the State really want in many cases and it drives them off their heads when they have to give the same information to multiple bodies multiple times. This legislation on the once-only principle as put into the Tallinn Declaration on eGovernment allows Governments to use that information in a way that delivers for the public and for citizens. This Bill allows for that and, more importantly, it does so in a manner which protects the individual by way of the agreements that have to be put in place that are open to public consultation and on which people can provide submissions. The Data Protection Commission and GDPR are there in the background and there is also a situation where once those data sharing agreements are in place, the individual online application portal will allow people to go in and see why public bodies might have looked at their data.

The benefits are clear and they were laid out by a number of speakers in the Seanad, notwithstanding the fact that there are concerns and it is right that there are concerns because we have not historically had a great record in this regard. The example Deputy O'Dowd mentioned about Beaumont Hospital is illustrative of that because it was not acceptable.

Deputy Shortall made reference to the Bara case and mentioned transparency in how data is stored. The Attorney General advised on this Bill having reflected on the Bara case and one of the important points that came from it concerned the public data portal, which I ensured would be reflected in the Bill.

This is extremely important if we are to build trust and confidence between the State and the citizen with regard to how personal data is being used. More importantly, however, the whole system has to go through an element of public consultation, a data protection review and an impact assessment, with governance being assigned by way of a board. The Bill contains provisions dealing with how the governance board will be constructed in the first instance, how it will carry out its duties and how it will report. The report will ultimately come before the Houses of the Oireachtas and Members will be able to raise it with the Minister directly. The report will be a public document and will enable the general public to see exactly how data sharing is happening. Such sharing is going on currently but in a kind of legal fog, whereby we have not recognised as a State that the sharing of personal data in a public forum should have a legislative basis.

On the issue of breaches of data protection rules, there are already strict penalties and sanctions laid out in existing legislation in terms of the protection of data and respect for same. I must reiterate the point that this Bill is about sharing rather than collecting data. Reference is made in the Bill to the base registry and how that registry will be constructed. The base registry ultimately becomes the data collector. Data is collected by the base registry and it is the registry that is responsible for the sharing of that data. The collection and the sharing of data are two different issues. The data commissioner has a role to play with regard to the collection of data and making sure it is properly stored and respected. This Bill is specifically concerned with the public bodies listed in the Schedule and how they will share data. It does not get down into the minutiae of data collection, which is the subject of other legislation. That said, I understand the concerns that have been raised with regard to data collection generally. This Bill provides for certain rules, guidelines and obligations for public bodies to enable them to better manage their data. This legislation will also provide public bodies with the opportunity to reflect, not only on their data sharing practices, for which this Bill provides a legal footing, but also on the manner in which they collect and store data.

I look forward to the Committee Stage debate and a line-by-line appraisal of the Bill. I welcome the comments that have been made thus far. I stress again that I am available, as are departmental officials, to talk through the legislation with Members. The Bill has been through the pre-legislative scrutiny process and we have taken a lot of the suggestions made during that process on board. We have also taken on board a lot of the suggestions made in the Seanad. The Bill may have to return to the Seanad if Report Stage amendments are made but I am open and willing to listen to any constructive suggestions from Members on the construct of the Bill. There are other issues that are outside the scope of this Bill that we may be in a position to put to other Departments and Ministers and I would be happy to do so.

Question put.

6:40 pm

Photo of Frank O'RourkeFrank O'Rourke (Kildare North, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

In accordance with Standing Order 70(2), the division is postponed until the weekly division time on Thursday, 8 November 2018.