Seanad debates

Tuesday, 6 March 2018

Data Protection Bill 2018: Committee Stage (Resumed)

 

2:30 pm

Alice-Mary Higgins (Independent)

I could not see the relationship, but I am happy to speak to them as determined.

Section 32 was one on which I thought that if we were able to engage constructively, we might be able to address a number of concerns. It relates to "suitable and specific measures" for processing. This term is invoked 16 subsequent times in the Bill. It was conceived originally to be used in respect of special categories of personal data. In the general data protection regulation it is indicated that the processing of special categories of personal data may be necessary for reasons to do with the public interest in the areas of public health without the consent of the data subject and that such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. The term "suitable and specific measures" appears throughout the Bill where the measure will replace consent, although it might not be mentioned in the sections, particularly a number of sections in the 40s. These are cases in which the obtaining of individuals' consent will no longer be a requirement for data to be processed. Where legislative permission has been given for the processing of personal data that bypasses the requirement for consent, suitable and specific measures are to be brought forward as a further safeguard, given that the key and primary safeguard of a requirement to obtain consent has been removed.

The Minister might note that I have tabled a number of amendments on this issue, but I will not push all of them. This section is not very clear and is quite wide. I was concerned that what was clear in it was that elements such as explicit consent; measures to prevent unauthorised use, the disclosure or erasure of data; time limits for the erasure of data; and training for those dealing with data were entirely optional and at the discretion of the Minister. The section states specific measures may be taken and regulations made under the Bill which "may" include these areas. I had hoped we could deal with concerns about the many sections later in the Bill, but I hoped that we could first replace the word "may" with "shall" so as to ensure the toolbox of protections for individuals and their data would always be used in its fullest sense. However, looking at places where the phrase "suitable and specific measures for processing" is used, it seems that it is utilised in a wide set of circumstances, which presents a problem. It is used in parts that are not clearly framed within the GDPR. The GDPR is clear, for example, that suitable and specific measures might be appropriate for archives, public health and certain other areas. However, the GDPR does not want suitable and specific measures to be used as a mechanism to bypass consent when it comes to how personal data is used in, for example, elections or political opinion, which is dealt with later and we will discuss that later. The problem is that the phrase "suitable and specific measures" is widely used. I may proceed with my amendment that seeks to change the word "may" to "shall" but I recognise that there are situations, such as instances where criminal proceedings are under way or archival work, where consent may not be appropriate or even possible.

I am still extremely concerned about this section and I wish to advise that I shall return to it on Report Stage. In the interim, I am intent on proposing a measure today as a basic safeguard, which I hope the Minister will accept because it will indicate the grounds for us to work on the improvement of this section. I wish to refer to section 32(b) that reads: "limitations on access to the personal data undergoing processing," which refers to instances where consent has been removed and bypassed. In cases where permission has been given for the processing of specific personal data, I want to ensure that there are limitations placed on the access to that data in order to "prevent unauthorised consultation, alteration, disclosure or erasure" of personal data.

Minister, I cannot foresee any situation in which any Minister, making regulations on the processing of personal data, would not wish to ensure and, indeed, needs to ensure that there are limitations on how that data is accessed in order to prevent unauthorised use, consultation or other actions.

My amendment No. 9b reads:

In page 23, to delete lines 28 to 33 and substitute the following: “must be necessary and proportionate, shall include limitations on the access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data, and may include—
a) explicit consent of the data subject for the processing of his or her personal data for one or more purposes,”.

I emphasise the words "shall include limitations on the access to the personal data". At the start of my amendment No. 9b I introduced the words "necessary and proportionate" because that element is used as a standard test throughout the GDPR and, therefore, should be reflected in this legislation. My amendment also stipulates "may include" when it comes to the other elements of the toolkit. I wish to advise that more work may need to be done on this aspect on Report Stage. As amendment No. 9b may need further work I shall refrain from pressing my amendments Nos. 10 and 11 now.

My amendment No. 11a is another key amendment. It provides that a Minister may make regulations on what safeguards may be put in place in terms of how personal data is processed. It reads "the Minister has consulted with such other Minister of the Government as he or she considers appropriate and has also consulted with and sought the advice of the Commission". I included that provision because we have seen, and we have very visible examples at the moment, whereby Ministers may well consult with the current Data Protection Commissioner or the new data protection commission. However, consulting the data protection commission does not give us any assurance that the Ministers will take on board the advice that they receive from the Data Protection Commissioner or the data protection commission. I shall outline a worrying example that is in play at present. The Data Protection Commissioner has indicated her extremely serious concern about the manner in which the public services card has been rolled out. These are serious concerns not only about the legislative basis but about the facilities to ensure appropriate access. A number of concerns have been expressed but I will not fully elucidate them here. Despite such concerns the roll-out of the public services card has been accelerated, not only by the Department of Employment Affairs and Social Protection but also the Department of Public Expenditure and Reform. Recently these issues were discussed by the Oireachtas Joint Committee on Employment Affairs and Social Protection, of which I am a member. 
On that occasion we specifically discussed the card with the Department official from the Department of Public Expenditure and Reform who directly advised us to talk to the Minister for Justice and Equality about the Data Protection Bill as the legislation is the best way to address the matter. I am now trying to follow up on that advice and address the concern that a Minister may disregard the advice given by the data commission and proceed with suitable and specific regulations which the data commissioner may consider inadequate. Given that the data commissioner constitutionally cannot trump the Minister, which I recognise, I have put forward an additional safeguard whereby the Minister, having sought the advice of the commission and consulted with any other Ministers he or she considers appropriate, should, if he or she intends to set out regulations which are not compliant with the advice of the commission, produce a written rationale for the decision not to take the advice of the commission, and seek and receive Cabinet approval for the proposed regulations. This is a very mild additional safeguard that will ensure that if the very serious decision to disregard the advice of the data commission is taken, we will have the rationale for it and it will at a minimum be discussed at Cabinet. Having spoken to other Oireachtas Members since submitting this amendment, I know that others may seek to strengthen it further. Other Members may wish to ensure that where the advice is not taken, that would be discussed by the Oireachtas committee or the Houses of the Oireachtas and a rationale laid before them. My amendment is comparatively mild and simply calls for collective Cabinet responsibility in terms of addressing this issue.

Amendments Nos. 12 to 14, inclusive, regard the deletion of "may" and substitution of "shall" in various parts of the section. The problems involved in the earlier discussed deletion of "may" and substitution of "shall" do not apply in these instances.

Amendment No. 14a amends section 32(5) by inserting that whatever regulations for suitable and specific measures are made under subsection (2) as discussed should have regard to "the necessity and proportionality of the processing" in addition to the current provision for "the nature, scope, context and purposes of the processing". This addresses the necessity and proportionality test that used to be applied throughout. It is important that it should be directly considered in this section. I particularly hope the Minister might be able to accept this amendment because it is quite mild and very much in tune with the aims of the general data protection regulation, GDPR.

As regards amendment No. 18, we will have a more lengthy debate on section 42 when we reach it so I will not speak at length on this amendment. It concerns the example I gave of an area where suitable and specific measures have been added in and it is very important under such circumstances in regard to electoral activities that there be no bypassing of the issue of consent. The GDPR addresses appropriate safeguards for the use of data by political parties but there are numerous problems with that section so perhaps it is not appropriate to dive into it in too much detail now. I note that under the wide frame that is currently put on it, the consent of a person whose political opinions are being discussed would and should be a requirement.
