Tuesday, 19 June 2018
Data Sharing and Governance Bill 2018: Second Stage
I thank the House for the opportunity to move this Bill. I am pleased to be here to introduce the Data Sharing and Governance Bill 2018 in Seanad Éireann. This Bill proposes a series of reforms to the way government shares data in order to improve public services as well as measures to improve the safe handling of that data by bringing consistency and improved safeguards to the way it is managed. I look forward to hearing the contributions from Members of this House and I hope they will support this Bill. Officials from the Department of Public Expenditure and Reform are encouraging engagement with all Senators who have any concerns or questions on the Bill or who require clarification on any points of the Bill in coming days or weeks.
This legislation is just one part of our ambitious programme of reform for the digitalisation of public services and the use of data. The eGovernment strategy 2017 to 2020 sets out a vision of a Government using data and digital technology to increase efficiency and effectiveness and constantly improving public services. The actions in Our Public Service 2020, the new framework for development and innovation in the public service, provide for a more integrated, shared and digital environment to enhance the delivery and evaluation of public services.
It is imperative that the Government delivers on its commitments in this area. We now live in a digital economy and a digital society, and data is its lifeblood. Since the turn of the millennium, the way we go about our daily business has been changed fundamentally by digital technology. We get our news from online newspapers and journals. We also get news from the press, I would not want them to feel upset they were not mentioned. We bank and shop over the Internet. We share our lives on social media. Government must keep pace with public expectations regarding how people should be able to access services and with the availability of new technology. Achieving this objective requires modern laws on the use of data in public services to protect and use the information that enables us to deliver these services to the public.
Data sharing is currently carried out extensively across the public service under the existing legal framework. Indeed, it would not be possible to deliver many services effectively without this sharing taking place in the background. For example: details of birth registrations are forwarded by the General Register Office to the Department of Employment Affairs and Social Protection to automatically generate child benefit claims on behalf of parents; Student Universal Support Ireland, SUSI, shares data with the Department of Education and Skills, the Department of Employment Affairs and Social Protection, and the Revenue Commissioners to streamline the processing of student grant applications, reducing the need for applicants to provide documents; and the Department of Employment Affairs and Social Protection forwards the details of people who are about to turn 100 years of age to the Office of President so that the President may send them a congratulatory letter and the centenarian bounty of €2,450.
These are three simple examples of how data sharing benefits the public. However, those who deliver public services often face problems gaining access to information already held by other public bodies. Data protection law requires that data sharing needs an explicit legal basis. The examples of data sharing I have just given are made lawful by the specific sectoral Acts of the bodies concerned. Access to the legislative schedule is limited and, as a result, the process of obtaining the required powers to share data can be painstakingly slow for public bodies.
Furthermore, the reliance on sectoral legislation as a basis for sharing data has resulted in a set of data sharing laws that have grown piecemeal over time to respond to specific policy needs. This patchwork of laws is complex and not very transparent to the public.
There is, therefore, a clear need to update our legislative regime to provide for a flexible legislative gateway that will simplify the complex legal landscape that currently slows the pace of our efforts to modernise and improve the services we provide to people and businesses. We also need to allow for data sharing to be carried out in a systematic, consistent and transparent way so that the public can be confident that their data is being used for the right purposes and remains securely held.
When data is used effectively everyone benefits from better services that can be delivered more responsively and efficiently at a lower cost to taxpayers. The public also has a strong expectation that their data will be used responsibly, proportionately and securely in a manner that respects their privacy and upholds their data protection rights. As the volume of data and our capacity to deliver digital services grows, the opportunities to improve services increases, but so too must the governance and safeguards we have in place to keep people’s data safe.
This House will be aware of the EU’s general data protection regulation, GDPR, which came into effect on 25 May. The work of this House this year included the passage of the Data Protection Act 2018, which gave effect to the GDPR and the EU directive on the processing of personal data for law enforcement purposes. The GDPR and the Data Protection Act represent a very significant reform of the data protection regime to keep pace with the many technological advances and new business models that have emerged in recent years. The GDPR strengthens the public’s control over their personal data and the purposes for which it may be used.
A key principle underpinning the development of this legislation has been that the Bill should not weaken the protections afforded by data protection law, including the GDPR. Therefore, as well as providing a clear legislative gateway for public bodies to share data, this legislation must also provide a framework for public bodies to share data in a manner that is compatible with the requirements of the GDPR, in particular that bodies must be transparent with the public about exactly what data is to be shared and for what purpose.
In this regard, I would like to take the opportunity to thank the Members of this House who undertook the pre-legislative scrutiny work in their capacity as members of the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. The committee’s report made many useful recommendations which we have tried to address as much as possible during the drafting process. A clear theme that emerged from these recommendations is that the committee was concerned not only about the risks to people’s data protection rights arising from the sharing of data but also from the misuse and mismanagement of data by public bodies generally.
I share these concerns and this is why this legislation is on the one hand a data sharing Bill but on the other hand is also a data governance Bill. The scope of the governance provisions in this Bill go beyond just regulating how we share data and into strengthening how the public service manages its data in respect of how data is collected and processed, how data is kept secure and how access to data is controlled, monitored and logged. The guidance, concerns and contributions of the committee underpinned the governance structures which are proposed in the Bill and I thank the Members for that.
Introducing greater consistency across the public service in how data is collected, managed and stored will also support our ambitions to build a national data infrastructure underpinned by a set of common identifiers for people, places and businesses.
Many of these governance provisions have been added to the Bill since the pre-legislative scrutiny and I believe they go a long way to addressing the concerns raised by the committee. I believe that these provisions will give people greater confidence that data concerning them is being held, processed and shared in a responsible manner and in compliance with data protection law.
I will now outline to the House the main provisions of the Bill. The purpose of this Bill is to provide for the following: regulation of the sharing of information, including personal data, between public bodies; the regulation of the management of information by public bodies; the establishment of base registries; the collection of public service information; to establish a data governance board; and to provide for related matters.
The Bill comprises the following Parts. Part 1, comprising sections 1 to 4, inclusive, contains a number of standard legislative provisions concerning the Short Title, commencement, orders and regulations and expenses. Part 2, comprising sections 5 to 11, inclusive, provides that the Bill shall not affect the operation of the GDPR and also sets out how it will interact with certain existing sectoral legislative provisions concerning data sharing. This Part also defines the term "public body" for the purposes of the Bill. It is my intention that the Bill should apply to the widest possible number of public bodies and so the definition encompasses, among others, the Civil Service, local authorities, the HSE, An Garda Síochána, the Defence Forces and the non-commercial State agencies. A list of bodies excluded from the Bill - mainly the commercial semi-State bodies - is set out in the Schedule.
Part 3, comprising sections 12 and 13, sets out the conditions under which public bodies may share personal data using this Bill.It provides that public bodies may share data only for the purpose of the performance of one or more of their lawful functions and only for one or more of the following purposes: to verify the identity of person where a public body is providing a service to that person; to identify and correct erroneous information held by a public body; to support the once-only principle, namely, that persons should not have to provide the same information multiple times to different public bodies; to establish the entitlement of a person to the provision of a public service; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate an organisational study of a public body. This part also provides that public bodies must comply with regulations and orders made by the Minister under Part 9 of the Bill concerning proper data management and that data sharing be carried out in accordance with a data-sharing agreement. It also gives the Minister the power to direct two or more public bodies to share data, subject to the provisions of the Bill.
The provisions contained In Part 4, comprising sections 14 to 21, inclusive, oblige public bodies to enter into a formal data-sharing agreement before sharing data. This part also specifies what information should, at a minimum, be included in a data-sharing agreement. Among other things, public bodies must be explicit in these agreements about the purpose of the data sharing, what data will be shared and how the data will be further processed and kept secure in accordance with the principles of data protection.
Part 5, comprising sections 22 to 31, inclusive, gives the Minister for Public Expenditure and Reform, or another Minister of the Government, where he or she has responsibilities in this area, the power to collect and process specified information regarding public servants arising from their membership of a public service pension scheme. This is a very important part of the Bill as it allows us to properly administer the schemes. The information includes provisions for the administration of pension scheme benefits for beneficiaries earned over a public servant’s entire career in the public service. It provides the basis for the establishment of a centralised pension system to support the long-term administration of the single public service pension scheme. It also provides for the Minister for Public Expenditure and Reform to collect and analyse information on the number of public servants employed and on expenditure on pay and pensions, including the carrying out of actuarial evaluations, to inform public service expenditure estimates and support public service resource planning and policy development.
Part 6, comprising sections 32 to 35, inclusive, gives the Minister for Public Expenditure and Reform the power to issue a unique business identifier number, UBIN, for the purpose of uniquely identifying any undertaking that has a transaction with a public body. It also specifies a set of business information that can be shared between public bodies in the performance of their functions. This UBIN and business information dataset will assist in building the business data element of the national data infrastructure.
Part 7, comprising sections 36 to 42, inclusive, gives the Minister for Public Expenditure and Reform the power to designate a database owned by a public body as a base registry to act as an authoritative source in respect of basic information that is frequently used by public bodies in the performance of their functions. It obliges base registry holders to keep this information up to date, accurate and complete and to make this information available to other public bodies for lawful purposes. It also obliges public bodies to use the information on a base register rather than collecting it directly from the data subject.
The intention of Part 8, which comprises sections 43 and 44, is to facilitate the creation of a portal to make it easier for members of the public to exercise their access rights under the GDPR to see what information public bodies hold about them and the purposes for which the information is collected and processed. A provision to enable the development of such a portal was one of the key recommendations of the pre-legislative scrutiny report.
Part 9 of the Bill, which is split into three chapters and comprises sections 45 to 68, inclusive, provides for better governance in the management of all data held and processed under this Bill or under another enactment by public bodies and will help public bodies to comply with their obligations under the GDPR.
Many of the provisions here have been influenced by the recommendations in the pre-legislative scrutiny report on the Bill. I acknowledge the contributions of the participants in that regard.
Chapter 1, comprising sections 45 to 52, provides for the Minister for Public Expenditure and Reform to appoint a data governance board to advise on the operation of this Bill.
Chapter 2, comprising sections 53 to 62, sets out the process for enhancing transparency regarding data sharing and for advance scrutiny of any proposals for data sharing between public bodies, as follows. Public bodies will be required to publish an advance draft of any proposed data-sharing agreement and invite the public to comment on the proposal. The draft data-sharing agreement, along with a summary data protection impact assessment, if one has been carried out, as well as any comments received during the consultation will then be submitted to the board for consideration. The board may issue a set of recommendations in respect of the draft data-sharing agreement, which the public bodies shall incorporate into the final agreement before signing. The signed data-sharing agreement shall be submitted to the Minister for Public Expenditure and Reform and laid before both Houses of the Oireachtas. The Minister for Public Expenditure and Reform shall publish the signed data-sharing agreement along with the summary data impact assessment and any recommendations made by the board.
Chapter 3, comprising sections 63 to 68, gives the Minister for Public Expenditure and Reform the power to prescribe binding rules, procedures and standards for the management of data across the public service; issue guidelines for management of data across the public service; and prepare model data-sharing agreements that public bodies shall use as the basis for any data-sharing agreements into which they may enter.
Part 10, comprising sections 69 to 72, inclusive, includes a number of miscellaneous provisions, including giving the Minister for Public Expenditure and Reform the power to prescribe certain documents that public bodies should not collect directly from a person but should instead avail of data sharing in order to avoid unnecessary requests for documents; direct public bodies to collect information in a format specified in the direction; and direct public bodies to provide information in regard to all data-sharing arrangements being carried out under this Bill or any other enactment.
Data are the key to sound decision-making and efficient operations for all organisations. Proportionate, secure and well-governed sharing of data between public bodies will deliver very substantial benefits. Citizens and business can receive better services. Public bodies can operate more effectively and efficiently together. Better access to, and usage of, data can help us make better-informed decisions as to how and where we can spend the public’s money to make the most impact and achieve the best possible outcomes for our people.
The very nature of the subject matter of this Bill means that it does contain a number of quite technical provisions. In this regard, my officials and those in the Department of Public Expenditure of Reform are available to assist any Member who requires clarification regarding any of the technical aspects of this legislation, if required. I reiterate my thanks to the Members of both Houses who worked on the pre-legislative scrutiny report on this Bill, which has greatly influenced its development in the Department. I thank the various stakeholders who have contributed to the development of this Bill, including those who took the time to make submissions to the public consultation when the general scheme of the Bill was being developed and those who attended the pre-legislative scrutiny hearings at the committee. Their input has also provided great help in the preparation of this Bill. I thank the Senators for their attention and I look forward to their contributions this evening. I commend this Bill to the House.
I thank the Minister of State, Deputy O’Donovan, for his very comprehensive opening statement, amounting to all of 18 minutes. I appreciate the detail in his opening speech.
I welcome the opportunity to speak on the Bill this afternoon. Fianna Fáil supports it. With the exception of Senator Higgins and the Acting Chairman, all four Members in the Chamber are members of the finance committee. We considered the Bill for a long time and met various stakeholders, civil servants and others involved in the process. Senator Conway-Walsh, Senator Paddy Burke and I, and our parties, are supportive of the concept of data sharing in government once there are suitable and appropriate controls in place to ensure people do not abuse the idea. It makes an awful lot of sense. As ordinary members of the public, we have all availed of taxation services online and paid for motor tax online.It is a fantastic resource. All the data are there already and are available. Different Departments can share information, as can the local authorities, the Revenue Commissioners, the Department of Health, the HSE and other people. It is important that all the data stack up, make sense and communicate with each other. Equally, it is important not to have situations such as when a certain individual won €170 million in the EuroMillions lottery and suddenly 67 or 68 people in the Revenue Commissioners took a look at her accounts to see what she was up to. I am not suggesting this Bill has anything to do with that. I believe that person was from the Minister of State's constituency.
Well, it was the county and I am sure the Minister of State is not so parochial that he would not involve the city in his deliberations. It is important to have appropriate safeguards. Equally, as the Minister of State mentioned, there are audit trails in place to ensure that people are safe and that if people move into an area, their neighbours, people who work in the Civil Service or the Revenue Commissioners or whoever else are not looking at their information purely for frivolous matters or because they wish to.
It is important that data sharing exists and that the laws are there to ensure that we comply with both national and EU law. I will not go over the Minister of State's comprehensive speech on every section of the Bill but we must ensure that people are only getting involved with the lawful functions or sections and they are doing so to verify identity and identify erroneous information. There is a portal so people can see what is available and correct their own information. The Minister has significant powers under the Bill and we do not oppose that, but it is important that the sections of the Bill provide for appropriate data sharing and governance. We want a legal framework for the holding and sharing of data by public bodies and we want data more widely and fairly shared, but we must ensure there is enough cybersecurity. I have spoken on this previously on behalf of my colleague, Senator Clifford-Lee, in terms of cybersecurity in the Garda Síochána. We must ensure there are no issues with cybersecurity. That security must be ramped up to ensure the citizens' data are intact in the various Departments and are protected in a shared portal.
I commend the Bill. We had at least two sessions on it in the finance committee, which involved Senator Paddy Burke and Senator Conway-Walsh. I am the only one here who is not from Mayo and I apologise for that. Senator O'Mahony, the Acting Chairman, is also from Mayo. It is like Mayo on tour.
-----and I have a third grandparent from Roscommon to keep Senator Higgins happy as well. I cannot do Galway, but I have done my best.
In conclusion, this is welcome legislation and I commend the Minister of State for bringing it to the House. We have had a detailed debate on it both in the Seanad and in the finance committee, in which three of the four Members present were involved, so I will not delay the House further.
I welcome the Minister of State, Deputy O'Donovan, and I welcome the legislation, which is long overdue. It is a very sensible legislative measure. It is a complicated, technical and long Bill. As Senator Horkan said, we discussed it during the pre-legislative meetings of the finance committee. On Committee Stage we will be able to tease out the main sections of the Bill and discuss any amendments that could improve it. The Minister of State might also bring forward amendments to the Bill on that Stage.
It is not before time that the Bill was introduced. For far too long we have seen people who go into hospital having to fill out a form every time they go there. Hopefully, the Bill will deal with that. It sets out a series of important governance measures to ensure that personal data are shared by public bodies in a lawful, proportionate and transparent manner in accordance with national and EU data protection law, including the new general data protection regulation. Aside from the sharing of data, the Bill sets out how the public service manages its data in respect of how data are collected and processed, how data are kept secure and how access to data is controlled, monitored and logged. Keeping all this data will be an important job. A base register owner will be put in place. This will be very important. What happens if the information is not accurate? Will there be sanctions if it is not accurate, given that there could well be a situation where a medical card might not be processed properly or a pension or college grant could be lost? The base register owner to be established under this legislation will be very important.
This legislation will be important to ensure there is no duplication and that data will be shared and controlled. We welcome that. We had quite a good debate on the measure at the pre-legislative committee meetings. I welcome the Bill and I look forward to going through it in more detail on Committee Stage. It will be important and positive legislation in the future. It brings all the information together under one roof, one could say. How the data are processed, dealt with and stored is important with regard to the sharing of the data.
I thank the Minister of State for coming to the House. As Members have said, we dealt with the pre-legislative scrutiny of this Bill in the Oireachtas Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. The committee asked for the Bill to be published as soon as possible, so I welcome its introduction in the Seanad.
While the Data Protection Bill 2018 has been passed, this Bill deals with the data implications for citizens' interactions with the State. The Minister of State stressed the increased amount of State services being carried out online, so it is welcome that there will be clear guidelines for how the State agencies share personal data. In Our Public Service 2020 there is major emphasis on eGovernment and more services going online. Is the Minister of State's Department in contact with the Minister for Communications, Climate Action and Environment to ensure that with more services going online people will have access to high speed, regular broadband to avoid a situation of being excluded? Online services are no use to people if vast areas of the State still have no reliable access to high speed broadband.
In section 17 there is a reference to data sharing arrangements. Will the details of these arrangements be available to the public and will they be subject to freedom of information requests? Earlier this year in the finance committee I raised Brexit and the fact that some State services such as JobPath were tendered to companies based in a jurisdiction that might be out of the EU in the future. Can the Minister of State give any guarantees that all companies, domestic, EU and foreign, will be subject to the provisions in the Bill? Is there any provision in the Bill for the logging of data sharing, which the Minister addressed in his speech? Should an audit have to take place it is important that there is a record of what data were shared and for what reason. I welcome the proposal in the Bill that there be a citizens' portal where people can check what data belonging to them have been shared between agencies.A rationale must also be provided for why the data were shared. If one State agency asks another to pass data on to it, there should be an express reason for that which is understandable to the citizen. This is a very complex subject but we need to address it in an accessible and understandable way such that people can feel confident about the quality of data that is being shared and who is sharing it.
I thank the Minister of State for his attendance. I welcome the opportunity to contribute to the debate on the Bill. Although it is important to recognise that very important work needs to be done in terms of clarity and governance, my colleague, Senator Conway-Walsh, touched on the question of rationale, which is crucially important because the test of necessity and proportionality is the overarching fundamental concern in all data sharing. The Minister of State correctly recognised that one can establish a legal basis for the sharing of data. No matter what legislative and legal arrangements are put in place, the over-riding test of necessity and proportionality still applies and the rationale is that that must be present. Although we may wish to make our systems more effective and efficient, and it is appropriate to recognise that, it is important that we do not compromise on security or appropriate safeguards. In that regard, there are some concerns with the Bill. Legislation such as the Data Protection Act 2018 and the implementation of the general data protection regulation, GDPR, demonstrate an increasing focus on the area of data governance. What some may regard as painstaking measures are increasingly seen as appropriate and important safeguards.
The Bill sets forward some constructive proposals in terms of a framework on data governance but it also seems to carve out quite a wide set of circumstances and exemptions under which data sharing may be allowed. I recognise and welcome the work done by the finance committee in terms of pre-legislative scrutiny of the Bill and I am sure the Minister of State will take that on board as he brings the Bill forward, perhaps through amendments and working with all parties. However, there was a significant amount of debate on many of these issues previously, such as on a similar Bill in 2014 in which serious concerns were addressed by actors including the Data Protection Commissioner. I am concerned that issues raised in 2014 may not have been adequately addressed. That must be done for such issues and for concerns raised during pre-legislative scrutiny.
There are concerns in regard to the compatibility of the Bill with EU law and the Data Protection Act 2018. An example thereof is that section 5 of the Bill provides that section 38 of the Data Protection Act would not apply to data sharing between public bodies. Section 38 of the Data Protection Act, which was passed by these Houses, requires consultation with the Data Protection Commission and that the test of necessity and proportionality apply. It would be of concern were those very appropriate and reasonable safeguards to be removed for a very wide range of public bodies.
It is also of concern that, as the Minister of State stated, the definition of "public bodies" is extremely wide. Senator Conway-Walsh also touched on that issue. In many cases, it may involve companies which are subject to public procurement or other contracts. There are also concerns that the definition of "public body" in the Bill is different to that in the Data Protection Act and on the importance of ensuring a level of compatibility in that regard. The other concern is in respect of private companies, their role and accountability and whether private companies or voluntary bodies which receive funds from the State come under the public body definition. There is some concern and possibly a need for clarity in that area.
Another concern is in regard to the definition of data sharing put forward in section 8, which may not give enough clarity in terms of different types and volumes of data. Under the GDPR, it is usually quite clear that different types of data and sharing require different types of regulation. I am concerned that the Bill does not clearly allow for those differences.
I note a tension between two sections of the Bill. Section 12 provides clarity that special categories of personal data would not be affected by the Bill, and that was also the position put forward in the address of the Minister of State. However, section 6 of the Bill addresses the personal public service number, PPSN, and the public service data set, although I acknowledge it limits it to specified bodies. Of course, that data set includes biometric photographs, which are special categories of personal data under the GDPR.
Section 11 provides for several exclusions to the data sharing regulation in regard to the security of the State. That seems quite different from Part 5 of the Data Protection Act, which deals with personal data for law enforcement purposes. There is an inconsistency in that respect, in particular in regard to a clause in section 12(a)(ii)(III) which permits bodies to share data in certain circumstances. That is crucial and it is my key point.
Do I have much time remaining? I have other issues to raise.
There is some concern in regard to the base register of the lead agency and the data controller and the intersection between the two. I mentioned section 12(a), whereby bodies can share data in order to avoid administrative or financial burden. That is at odds with the 2014 European Court of Justice ruling on a case taken by Google Spain. It stated that financial burden is not a sufficient rationale to avoid data protection adherence. I have a concern in regard to the quoting of the "once only" principle because that seems an extraordinarily wide get-out clause. Being able to share data based on the fact that one does not want to have to look for it again makes for a very wide category. That rationale would then always apply and we would lose the consideration of necessity and proportionality and consent being sought. I am concerned that public bodies may be discouraged from seeking consent in situations where it would be appropriate to so do.
A minimum time period should be specified in section 55 in regard to public consultations,.
I welcome the proposals in respect of the data portal and ask for clarification on whether all data requests processing and data breaches will be available for persons to view through that data portal.
I also have concerns on section 64 but I have no doubt that I will have an opportunity to discuss them with the officials and the Minister of State before Committee Stage.
I thank the Acting Chairman and Senators for their contributions. I welcome that there has been such engagement on the Bill from the Members of the House, who are obviously very up to speed with its contents.
I am very anxious to attend to the personal portal mentioned by Senator Higgins. The Tallinn Declaration, which I signed on behalf of the Government a number of months ago, is the EU response to how data sharing in public bodies should proceed. As part of that process, I engaged with our counterparts in Estonia on the concept of the portal. The portal is very important because it gives people an opportunity to see for what purpose the Government of Ireland, its agencies, Departments and public bodies are looking at their data and whether there is anything they can do about that. Legislation is needed to establish a portal of that nature and that is dealt with by a provision of the Bill.
Another very important provision of the Bill relates to situations such as that of a person who worked for Fáilte Ireland, the Shannon Foynes Port Company, Limerick County Council and the Department of Culture, Heritage and the Gaeltacht and then became a teacher and accrued pension entitlements in each public body. Although such information can currently be shared, that is done without legal basis. There is a tangible financial element in regard to public servants whose information may need to be transferred. That is currently being done in a fog because of the absence of legislation.
The Acting Chairman welcomed the Bill and I thank him for that. Senator Paddy Burke referred to the amount of work that had been done in terms of pre-legislative scrutiny.Senator Conway-Walsh was absolutely correct. I was very anxious that I would introduce the Bill in the Seanad as opposed to the other House for a number of reasons and I discussed it with the Leader, Senator Buttimer. I felt we would probably get a bit more time here on Committee Stage and that we might be able to tease out some of the elements to which Senator Higgins and Senator Conway-Walsh referred. I reiterate that this Bill is specific to public bodies, which are defined under section 9 of the Bill. Section 9(4) states that in the future, if a public body is not established today but is established in the future, the Minister for Public Expenditure and Reform at the time and the line Minister with responsibility for that public body can prescribe that the conditions of this Bill would apply to that public body. That is important because the definition of a public body is not restrictive. The Schedule relates to the commercial elements of some of our semi-State companies - the Central Bank, for obvious reasons, and the Defence Forces, for very obvious reasons as we do not want the security of the State being compromised and so on.
As to whether it will be subject to freedom of information, I have an open mind on that and we can discuss that again on Committee Stage. I am big fan of the Freedom of Information Act and if this is something that can improve the Bill, it is something at which we can look together.
We spent an awful lot of time in the Department discussing governance and part of the delay is probably down to me because, as a former member of the Committee of Public Accounts, governance is something I really value. On the type of board we are going to introduce in the Bill, I want it to be robust to ensure that when the data-sharing agreements are brought before the board, it can really challenge them and see the robustness of the agreements. Ultimately, these are agreements between public body A and public body B, with public body A being the database registry owner and B being the user. They have to be strong and robust and there is a requirement for a good governance board to assess that capability. As well as that, the board will have to have competence in regard to assessing what the public submits by way of consultation, which is very important. On exemptions, as I said, they are purely to ensure the commercial nature of it. On audit trails, the Bill provides for the Minister for Public Expenditure and Reform to introduce standards under a statutory instrument, which will undoubtedly lead to a greater level of commitment to transparency and robustness.
Is the Bill secure? We must ask ourselves whether the current situation is secure. The reason we are bringing forward the Bill is that we have identified, on foot of the GDPR and all the discussions we have had in these Houses on data sharing, that this is a fundamental weakness. The Government, public bodies and entities trying to deliver services are sharing information on behalf of, and on the instruction of, people and we need to put a legal framework in place. If we continue to do what we are doing, which is trundling along with a kind of it will be all right on the night attitude, we are not doing the right thing. This is a scaffold that will protect the people.
The Data Protection Commissioner was consulted but the commissioner and the commission made it clear they did not want to be part of the operation, governance and management of this Bill because they are the arbitrator ensuring things are done right. One cannot be the judge, jury and executioner and at the same time be the victim. It is important the data governance board is as strong as we have set out.
I believe I have answered the question necessity and proportionality. I refer to section 12 and it will be constituted and mirrored against the GDPR. We believe it is proportionate, timely and is in keeping with the advent of the GDPR. We have identified a gap in the market which we need to regularise.
I will welcome any engagement that will take place over the next couple of days. It is envisaged Committee Stage will be taken fairly soon. There is a tangible and real benefit to this in the short term in the context of pensioners. I will be open to suggestions on any improvements that can be made in terms of tidying up the Bill but ask for the continued support of the Seanad. I thank the Seanad and, in particular, the Senators who contributed by way of the finance committee and the Senators who are here this evening. I look forward to Committee Stage.