Seanad debates

Tuesday, 6 March 2018

Data Protection Bill 2018: Committee Stage (Resumed)


2:30 pm

Alice-Mary Higgins (Independent) | Oireachtas source

I move amendment No. 43:

In page 63, between lines 34 and 35, to insert the following:

“(9) Should a data subject request information in relation to a personal data breach which affects them they have the right to be provided with all the pertinent information in respect of that breach and nothing in subsection (2), (4) or (6) shall place a restriction on their access to that information.”.

Section 81 is an area of very serious concern which I will fully pursue. The report of the data commissioner highlighted the very large number of breaches of personal data that have taken place in the State. For example, in regard to the HSE, personal files have been left in public places or found in the street. Those are examples of accidental and inadvertent but nonetheless very serious data breaches. Crucially, there have also been cases of criminal and inappropriate data breaches such as the case in Donegal involving an official in the Department of Employment Affairs and Social Protection who sold the personal data of individuals to insurance companies for less than €30 each. Prosecutions in such cases will, of course, follow in the normal course but this section relates to a person's right to know when their personal data has been compromised and breached. It deals with a person's right to know if his or her data has been hacked, his or her files have been left in a bag in a public place or his or her data has been sold. These are very serious concerns in terms of the right of the subject to know of such breaches. The subsection does not deal with the point of redress but, rather, the right of a person to know if there has been a breach of his or her data that should not have happened and is not allowed for under the Act or the many wide exemptions that are given.

However, section 81 introduces a number of circumstances under which a person might not be informed about a breach of his or her personal data. Subsection (2) provides that a person does not have to be told about a breach of his or her personal data where the controller has implemented appropriate technological and organisational protection measures and the measures, such as encryption, render the personal data difficult to understand or unintelligible to any person, or "the controller has taken measures in response to the personal data breach that ensure that the high risk to the rights and freedoms of a data subject from the breach is no longer likely to materialise". I am very worried by section (2)(b) because it removes the right to notification if the controller does not think anything bad will happen or a risk is unlikely to materialise because of the breach. Is it a three second rule or what are the rules in that regard? The phrasing of the subsection is very wide.

Subsection (4) is of particular concern. It provides that a controller does not have to tell an individual about a breach of his or her data where to do so would involve a disproportionate effort. The question of what constitutes a disproportionate effort arises in that context.

Subsection (6) introduces a measure governing a situation where a controller notifies the commission of a data breach but has not notified the data subject to whom the personal data relate under subsection (1) or (4), as the case may be, of the personal data breach. It is a safeguard whereby the controller can tell the commission of the breach and the commission may choose to notify the data subject.

Subsection (7) is entirely reasonable and provides that a controller may restrict the exercise of the right of a data subject to be notified of a personal data breach where to do so constitutes a necessary and proportionate measure in a democratic society. It sets a high bar.

Although I have concerns about all of these subsections, my amendment is extremely mild. It is milder than my concerns. I do not currently seek to remove those provisions, although I may do so on Report Stage. The amendment still allows for a controller to be permitted not to inform somebody of a data breach under these dangerously wide circumstances but I am trying to put in a very basic safeguard such that if a person inquires as to whether his or her data has been breached, the issues of whether the commission has been notified under subsection (6), whether the information was presented in an easily intelligible manner or whether a high level of effort was made to communicate it should not restrict the person's right to know whether his or her data has been breached.

I will come back to our example in Donegal, or the example of the case files left in the street. I am not proposing that there should be a proactive requirement to inform an individual. I am saying that if an individual asks a data controller whether his or her information was hacked, sold or contained in a file that was left in a public place, the minimum that the data controller should have to do is answer the individual's query. This is a mild amendment to a section about which I have much wider concerns, to be honest. I hope the Minister will accept this mild amendment to provide for a stop-gap which will ensure an individual can get an honest answer from a data controller in respect of his or her own data.
