Seán Fleming (Laois-Offaly, Fianna Fail) | Oireachtas source

I welcome this opportunity and appreciate all the comments that have been made. As people noted, many of the comments were not specific to this statutory instrument. Data breaches in financial institutions are one big issue that has been mentioned here on a few occasions. Some asked about the resourcing of the Data Protection Commission and whether it has sufficient resources to do the job from both an Irish and an EU perspective. Senator Higgins asked when some of the data protection regulations that have not been implemented to date, as there are issues with definitions, will be commenced. There was also the question of the banks being quite slow and tardy in their method of disclosing information. I have noted everything Senators have said and I will give this information to the Minister for Justice. Everyone here knows this legislation comes under the Department of Justice and I will be happy to pass on all the points that have been made. It is clear that this is very much a live issue.

We are here because of a minor technical issue of data protection which relates only to the Central Bank. It has nothing to do with the commercial banks. I can already tell that there is quite a debate to be had on many of these issues so I am sure the Seanad will take them up again. Resourcing will have to be dealt with in the forthcoming Estimates for the Department of Justice. That is where there should be a detailed thrashing out, and perhaps the Joint Committee on Justice will have a role in it as well. Those are my suggestions on that issue.

A couple of other points specific to these regulations were made. This motion was not discussed at the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. It was decided that both sets of measures would be brought separately to the Dáil and the Seanad. The motion went through the Dáil a few days ago and it is now going through the Seanad. It was felt that it was necessary for both Houses to pass the motion in any event because of the data protection implications.

I want to make a point which I think everyone will accept. The right to data protection is not an absolute right. It must be balanced against other values, fundamental rights, human rights or public and private interests. There may be circumstances under which an organisation has grounds to refuse to grant an individual's request to exercise his or her data protection rights. That is enshrined and accepted and there must be procedures in place for it. These regulations are to facilitate that and they are vital to allow the Central Bank to investigate whether individuals in regulated financial services providers have committed wrongdoing to customers. It must be able to record where it has found breaches by individuals in order that it can prevent them from doing the same again in the future. In cases where the bank is processing personal information for a law enforcement purpose, it may withhold information from a requester if it believes doing so is necessary to avoid prejudicing the detection and investigation of criminal offences.I think everyone would accept that where the Central Bank is involved in a matter in connection with a criminal offence carried out by someone in a regulated institution, it goes without saying that the subject of the investigation cannot rock up to the Central Bank and demand to know what information it holds about him or her. The same applies if the Garda is investigating whether someone committed a criminal offence. The individual in question cannot simply walk into a Garda station and ask for the full file of the investigation. I think we understand that the right to data is not absolute. This provision applies only to those specific types of issues.

Since the 2019 regulations were made, the Central Bank has received 28 subject rights requests. The regulations were applied in five cases and in 23 cases the information was provided. Only in one case were the rules to withhold the entirety of the data requested invoked. That case focused on a request for three or four particular documents. After a robust evaluation of these documents, the Central Bank was satisfied that the decision to withhold the data would not result in any disproportionate detriment to the individual concerned. As such, no harm was done to the individual but it was necessary to withhold the documents because of the ongoing investigation. The Central Bank has a defined evaluation process for dealing with all cases where the regulations are invoked. These processes ensure the necessity and proportionality requirements are being robustly applied. This process also includes engagement with the Central Bank's data protection officer. To date, no complaints have been submitted to the Central Bank, nor is the Central Bank aware of any complaints submitted to the Data Protection Commission relating to the use of these regulations. The Central Bank's data protection officer has reviewed each of the various access requests where the exemption was applied under the 2019 regulation, of which there were five, and is satisfied that there would not have been any different outcome to these requests or to the level of exemptions availed of by the Central Bank if the exemption criteria had been applied according to the correct text of the original legislation compared with the printed text.

I confirm also that there have been no complaints to the Central Bank of the operation of this section. There is no harm done and the Central Bank examined each of the 28 cases. On that basis, I ask the House to approve the motion.