Alice-Mary Higgins (Independent) | Oireachtas source

I thank the Minister of State for his attendance. I welcome the opportunity to contribute to the debate on the Bill. Although it is important to recognise that very important work needs to be done in terms of clarity and governance, my colleague, Senator Conway-Walsh, touched on the question of rationale, which is crucially important because the test of necessity and proportionality is the overarching fundamental concern in all data sharing. The Minister of State correctly recognised that one can establish a legal basis for the sharing of data. No matter what legislative and legal arrangements are put in place, the over-riding test of necessity and proportionality still applies and the rationale is that that must be present. Although we may wish to make our systems more effective and efficient, and it is appropriate to recognise that, it is important that we do not compromise on security or appropriate safeguards. In that regard, there are some concerns with the Bill. Legislation such as the Data Protection Act 2018 and the implementation of the general data protection regulation, GDPR, demonstrate an increasing focus on the area of data governance. What some may regard as painstaking measures are increasingly seen as appropriate and important safeguards.

The Bill sets forward some constructive proposals in terms of a framework on data governance but it also seems to carve out quite a wide set of circumstances and exemptions under which data sharing may be allowed. I recognise and welcome the work done by the finance committee in terms of pre-legislative scrutiny of the Bill and I am sure the Minister of State will take that on board as he brings the Bill forward, perhaps through amendments and working with all parties. However, there was a significant amount of debate on many of these issues previously, such as on a similar Bill in 2014 in which serious concerns were addressed by actors including the Data Protection Commissioner. I am concerned that issues raised in 2014 may not have been adequately addressed. That must be done for such issues and for concerns raised during pre-legislative scrutiny.

There are concerns in regard to the compatibility of the Bill with EU law and the Data Protection Act 2018. An example thereof is that section 5 of the Bill provides that section 38 of the Data Protection Act would not apply to data sharing between public bodies. Section 38 of the Data Protection Act, which was passed by these Houses, requires consultation with the Data Protection Commission and that the test of necessity and proportionality apply. It would be of concern were those very appropriate and reasonable safeguards to be removed for a very wide range of public bodies.

It is also of concern that, as the Minister of State stated, the definition of "public bodies" is extremely wide. Senator Conway-Walsh also touched on that issue. In many cases, it may involve companies which are subject to public procurement or other contracts. There are also concerns that the definition of "public body" in the Bill is different to that in the Data Protection Act and on the importance of ensuring a level of compatibility in that regard. The other concern is in respect of private companies, their role and accountability and whether private companies or voluntary bodies which receive funds from the State come under the public body definition. There is some concern and possibly a need for clarity in that area.

Another concern is in regard to the definition of data sharing put forward in section 8, which may not give enough clarity in terms of different types and volumes of data. Under the GDPR, it is usually quite clear that different types of data and sharing require different types of regulation. I am concerned that the Bill does not clearly allow for those differences.

I note a tension between two sections of the Bill. Section 12 provides clarity that special categories of personal data would not be affected by the Bill, and that was also the position put forward in the address of the Minister of State. However, section 6 of the Bill addresses the personal public service number, PPSN, and the public service data set, although I acknowledge it limits it to specified bodies. Of course, that data set includes biometric photographs, which are special categories of personal data under the GDPR.

Section 11 provides for several exclusions to the data sharing regulation in regard to the security of the State. That seems quite different from Part 5 of the Data Protection Act, which deals with personal data for law enforcement purposes. There is an inconsistency in that respect, in particular in regard to a clause in section 12(a)(ii)(III) which permits bodies to share data in certain circumstances. That is crucial and it is my key point.

Do I have much time remaining? I have other issues to raise.