Alice-Mary Higgins (Independent) | Oireachtas source

I move amendment No. 13:

In page 15, line 4, to delete “body.” and substitute the following:“body, and

(f) the sharing of personal data is necessary and proportionate.”.

Amendments Nos. 13 and 16 relate to necessity and proportionality, which are the guiding principles that underpin the GDPR. Again, this is about making clear that that test is being applied. In the Data Protection Act, it is clear that it should be applied in many cases and that was reinforced in several sections. There was strong agreement across the Oireachtas, from colleagues in Sinn Féin among others, to ensure that necessity and proportionality be made visible as a consideration. In regard to page 15 line 4, I suggest the insertion of reference to the necessity and proportionality test within the section on directions regarding personal data. I also suggest reference hereto on page 18 in regard to the content of the data sharing agreement, which is perhaps the most important place for it. Necessity and proportionality must be the underpinning consideration in a decision to share data between public bodies.There is a danger whereby the ease and smoothness of data sharing becomes the norm when we share data. Necessity and proportionality need to be applied consistently, and this is very clear in the general data protection regulations to every purpose to which data is put. It may be that every purpose meets that test, but necessity and proportionality must be applied. There is a concern in the establishment that these data-sharing agreements would bring in a level of complacency. Consider the Road Safety Authority, for example, and another entity - albeit semi-State agencies are excluded. I refer to cases where public bodies from this proposed wide list have established an agreed data-sharing agreement, even between the driver theory test section and the Department of Transport, Tourism and Sport, for example, it may cover everything. It is important there would be a reminder that every time data is shared and every decision that is made to share data must meet the tests of necessity and proportionality, and that the purpose to which data is being used is constantly put under that scrutiny.

This data belongs to the individuals in many cases. This is personal data that belongs to people and they need to be assured, as was said in the previous debate about rationale on Second Stage, that there is always a rationale for why their data are being shared, and that it is always necessary and proportionate. This does not mean a huge or exhausting process every time, it just means that the test applies. This is very clear under the GDPR.

I put it to the Minister of State that we are potentially talking about hundreds of data-sharing agreements because it covers a very large number of public bodies, and the Minister of State has quite rightly said it is a growing number, which are all sharing data with other public bodies. This is a large number of data-sharing agreements being established. If these data-sharing agreements are the key architecture of this Bill and how our State plans to share our information, then necessity and proportionality need to be built in at ground level. This is why I urge the consideration test. I have included it in two places, but the particularly important aspect is necessity and proportionality within the data-sharing agreement section.

The other two amendments that have been added to this section of the debate - I probably would not have added them but they are here - are around privacy sharing and data protection impact assessments. I recognise that a data protection impact assessment is not always needed, necessary or relevant. What is always needed and relevant, however, is a demonstration of consideration as to whether an assessment is needed or not. Although I had considered it in this section, I have not suggested that a data protection impact assessment would always be conducted, because I realise there are many cases where it is not necessarily pertinent. It is reasonable, however, to propose there would be consideration of whether it is needed or not. This is the level, namely, that it simply requires a demonstration that whether or not a data protection privacy impact assessment is needed, it has been thought about.

Has amendment No. 17 been included in this group of amendments under discussion?