Seanad debates

Thursday, 15 February 2018

Data Protection Bill 2018: Committee Stage

 

10:30 am

Alice-Mary Higgins (Independent)

There is serious concern about amendment No. 1. I appreciate that the Minister is suggesting that it is important that a data processor would be appointed in companies that are contracted by the HSE and I understand that is what he is trying to get at. However, the amendment does not do that in the most appropriate way and it opens up other potentially unforeseen dangerous provisions. For example, there is nothing to prevent the Government inserting a separate section on Report Stage which specifically addresses companies, voluntary and private, that are contracted by the State and requires them to have in place a data processor and to meet the highest standards in processing the data of individuals. There is a concern that provisions have not been put in place throughout the legislation in respect of the procedures private companies must follow to implement the GDPR. The regulation will stand regardless and any individual can take a case, but in respect of legislative guidance or procedures or processes for companies based in Ireland to demonstrate to us as legislators, who are the first point of call, that they are compliant with the GDPR, there are few provisions in the Bill unfortunately. It seems the Bill is more focused on actively finding points at which data protection may not apply to public authorities rather than enforcing data protection requirements on private companies. There is a double concern in this regard - the removal of responsibility on public companies and the failure to give clear guidance. For example, there should be a provision that requires every corporate entity, whether voluntary or non-voluntary, to have a data processor, to have clear criteria in place for data processing and to show how they will implement GDPR provisions such as the right to be forgotten.

However, the way the Minister proposes to deal with the concern of companies contracted by the HSE is to amend the definition of "public authority", which is significant, so that a public authority can be any private company contracted by the HSE. He indicated the responsibilities he wants public authorities to take on and there is nothing to preclude him from placing those responsibilities on them in their own right without them having to be a public authority, but section 54(3)(iii) outlines restrictions to data protection rights for individuals, which can be applied "for the administration of any tax, duty or other money due or owing to the State, a local authority or other public authority or body,". This would seem to give any body classed as a public authority under section 2 the right to bypass data protection rights if money is involved. That raises a serious concern. We cannot in this early section of the legislation leave hostages to fortune in later sections. I regret that the Bill is being rushed through. We requested an additional week to tease these issues out. Now that it is being rushed through, we have been told that the debate will be curtailed, which is unfortunate.

I oppose amendment No. 1. Powers are given to public authorities in later sections in circumstances in which the right of individual data subjects can be bypassed. Public authorities are given the potential authority to collect biometric data, for example. There are also implications for the protection of children. Article 6.1(f) of the GDPR states: "Processing shall be lawful... processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child." Will children who access services that are contracted out by the HSE be subject to lesser protections? Private companies may have a contract with the executive in one area of the health service but may have a number of contracts in other areas. I respectfully suggest that the Minister may wish to address this important issue of the regulation of contracted parties with a separate explicit section, which sets out proper provisions and protections, rather than by amending the definition of "public authority" in this regard or if he must bring in a category of public authority, let it be a separate category explicitly excluded from the exceptions given to public authorities later in the legislation. There are a number of ways the issue may be tackled but it is crucial that it should be.

I did not realise my amendments would be grouped like this and it is unfortunate to have to jump to amendment No. 37. There are nine mentions of the phrase, "necessary and proportionate", throughout the legislation. It is invoked where general data protection rights of an individual may be overridden. I understand that is a European framework and there is no clear European definition. There is a concern. Perhaps the Minister could clarify what processes will be in place to determine what is "necessary and proportionate". Will it be entirely in reference to European case law or will the Minister be drawing on other processes? That is a clear issue because the definition is missing from section 2.

The justice committee requested that the full text of the GDPR with all of its provisions might be included in section 2, yet this is also missing. I may table amendments in this respect on Report Stage. The argument has been that we need to have a separation of European and domestic law and that they cannot simply be transferred. The concern is that many of the provisions in the GDPR have not been reflected in comparable or complementary sections in the Bill. One very blunt solution would be to include the text or a reference to the text of the GDPR.

My other amendments in this group are to a much later section. I do not see how they are connected with amendment No. 1 but I will not challenge a judgment of the Chair in that regard. Amendment No. 37 is to section 63 of the Bill, which is a very important section that sets out a definition of biometric data. The definition included in the Bill at present is contrary to understood definitions of biometric data in Europe and elsewhere. This is a crucial point because the definition of biometric data included in section 63 at present is complementary to the interpretation the Government has chosen to employ in the context of the public services card debate.

Biometric data as largely understood in most contexts means personal data relating to physical, physiological or behavioural characteristics of an individual that allow or confirm the unique identification of the individual, including facial images or dactyloscopic data. That is the common definition. However, a reference has been inserted here by the Government, which I seek to remove, to "personal data resulting from specific technical processing". A person's biometric data is their data. One's fingerprints are one's fingerprints, one's blood is one's blood, one's facial profile is one's facial profile, and one's irises are one's irises. However, the insertion of "from specific technical processing" would mean an individual's biometric data is not really his or her biometric data unless it is processed in a specific way.

This argument has been used in respect of the public services card, for which biometric data such as photographs and potentially, in the future, fingerprints, etc., are gathered. Unless there is a particular kind of technical processing involved in what they do with that data, they are claiming that it is not biometric data. That claim has been widely challenged by most parties and has been named as a specific issue of concern for the Data Protection Commissioner in the section 10 investigation she is currently conducting into the public services card. The commissioner expressed her lack of satisfaction with the Government's answers in respect of biometric data and how the Government was choosing to define it. The Government is now seeking to embed that chosen interpretation into a new piece of legislation which would no doubt be retrospectively applied. I am sure it will not be retrospectively applied and it certainly would not be retrospectively applicable. When we come to vote on this amendment at a later stage, I urge the House to strongly consider that the very simple deletion of the phrase "from specific technical processing" will give us a definition that is comparable to the most internationally accepted understanding of biometric data.

Amendment No. 38 is related to amendment No. 37. Later in section 63, the Government includes a definition of genetic data. I note that it is choosing to change its definition of genetic data by way of amendment No. 38. It is probably doing so because some of its legal advisers have informed it that it will run into the same problem. Perhaps the Minister can confirm that point.

The current definition in section 63 of the Bill is as follows:

“genetic data” means personal data—

(a) relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or health of the individual, and

(b) that result from an analysis of a biological sample from the individual in question;

Paragraph (a) reflects the normal understanding of genetic data, but paragraph (b) limits the definition to genetic data resulting from an analysis of a biological sample. Obviously, that narrows what will be considered genetic data and also opens up the scope for all kinds of things to be considered genetic data which do not result from a biological sample. The Government has recognised that this is a problem and the new definition it is proposing in amendment No. 38 is as follows:

“genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual that give unique information about the physiology or the health of the individual and that result, in particular, from an analysis of a biological sample from the individual in question;

This is a tacit acknowledgement that although it may result specifically from a biological sample, that is not the only way genetic data can be transferred. It is still a woolly attempt to bring the biological sample into the wording in a woollier way. Given that the Government has acknowledged that it cannot make technical processing a criterion for how data is determined in terms of genetics, I suggest that it may wish to provide a similar frame of reference in respect of biometric data and may similarly wish to reconsider the current definition and its reliance on a specific form of technical processing.

I will leave it at that. I had not expected to be speaking to these amendments to a later section of the Bill at this point but I am sure we will have a chance to return to the wider questions of biometric data, if not the particular amendments, in the future.
