Tuesday, 26 June 2018
Data Sharing and Governance Bill 2018: Committee Stage
I move amendment No. 1:
In page 9, between lines 24 and 25, to insert the following: “Interaction with Data Protection Acts and General Data Protection Regulation
5. Nothing in this Act shall affect the operation of data protection law.”.
This amendment proposes to delete the lines which would suggest that section 38 of the Data Protection Act, which recently went through these Houses, would not apply. I suggest that nothing in this Act should affect the operation of the general data protection regulation, GDPR, and indeed the Data Protection Act, which is required to implement the GDPR. We debated long and hard in respect of section 38 of the Data Protection Act. The Data Protection Act obliges the Minister to consult first with the Data Protection Commission before passing regulations. Perhaps more crucially, there is something about which I think there was strong feeling on all sides of the House and which was replicated in the Dáil. It is that when proceeding with regard to the advice given by the Data Protection Commission, the Minister must provide a written explanation as to the justification of why he or she is proceeding in that way and lay it before any relevant committee. That is one aspect. I know an alternative process is being proposed here. Perhaps the Minister will give his perspectives and reassurance to us on it. Does the alternative process meet the same standards as section 38 in ensuring there is compliance with the Data Protection Commission's advice and that there is scrutiny by committees?
There is another thing I will press on Report Stage unless there is movement on it. Section 38 of the Data Protection Act also makes explicit a requirement of necessity and proportionality with regard to actions taking place. If we are saying that this Bill will not abide by section 38 of the Data Protection Act, there is some concern that we may be diluting the commitments to necessity and proportionality which are a linchpin of the general data protection regulation.
The Senator's amendment proposes the deletion of section 5(2) and (3) of the Bill, which relate to section 38 of the Data Protection Act 2018. This section of the Data Protection Act provides that a Minister may make regulations for the processing of data for a task carried out in the public interest or in the exercise of official authority. Data sharing is included in the definition of data processing in the GDPR and the Data Protection Act. In regard to the Senator's comments, we are not doing anything to dilute or undermine anything. In effect, we are strengthening the existing provisions. Everything we are doing is with regard to the existing provisions. It means that it is currently lawful for a Minister to make an order under section 38(4) of the Data Protection Act authorising two or more public bodies to share data to carry out their functions. Section 5(2) and (3) of this Bill are intended to prevent public bodies from side-stepping this Bill by making regulations for data sharing under section 38 of the Data Protection Act. It is a reaffirmation of section 38. The Data Sharing and Governance Bill recognises that data sharing is of particular importance in the context of personal data processing and, as such, sets out additional processes that must be followed before data sharing is permitted. The Senator's proposed amendment would establish a more permissive data sharing regime than the one currently set out in the Bill. On that basis, I cannot support the amendment and encourage the Senator to withdraw it.
I would not concur that it is more permissive. We need to look to the elements in section 38. I certainly would not have an objection if additional standards were to be imposed on top of the standards implied in section 38 of the Data Protection Act at the moment. This is why it was such a key point of interest. Section 38 of the Data Protection Act relates to the public interest. We all recognise that public interest is an important ground for exemption where data might need to be shared. We felt that public interest requires scrutiny. I imagine that a large number of those cases where public interest will be invoked will be situations where public bodies are sharing data with other public bodies. We do not want to hollow out the operation of section 38. I am happy not to press it at the moment but the Minister of State has not addressed the key questions I had, which were the concerns relating to committee scrutiny in the full sense, necessity and proportionality, the taking of advice from the Data Protection Commission, and the publishing of rationale. Those are the elements of section 38. I know there is a new process and do not mind it being done too but any new process needs to have those core elements reflected. The process that is planned perhaps falls short on a couple of those elements. Perhaps some happy compromise can be found. Those are the specific elements in section 38 that I am looking to protect.
I think there might be some confusion because the Bill currently requires public bodies to enter into formal data-sharing agreements to share data that set out, among other things, that the data will be shared, the purposes for which it is shared, as outlined in the Bill, the processing that will be carried out in the data, and how the data will be kept. The Bill also requires that the data-sharing agreements be published in advance and open to consultation. Nothing in the Bill would preclude Members of this House, the other House, or the Data Protection Commissioner from making any kind of observations. The data protection officers in public bodies who are party to the data-sharing agreement must be satisfied in the first instance that there is agreement and compliance with the data protection law before the agreement is submitted to the data governance board for further scrutiny as to its compliance with data protection. We have to be confident that any public bodies entering into any agreement have to be satisfied that the existing legislative structure and the GDPR are complied with. That is being done because the data governance board, for which strict provision has been made in the Bill, will arbitrate on the agreements which will be subject to further scrutiny by the Data Protection Commissioner. They will also be laid before the Houses of the Oireachtas and, as the Bill lays out, the Minister of the day will also have a role in their compilation. None of what I have identified as part of the Bill is laid out in section 38 of the Data Protection Act. That goes to the core of what the Senator has said, namely, that the Bill reinforces the provisions and supports and scaffolds section 38 of the Data Protection Act in a way that is not done currently.
On that basis, anything that would dilute or erode the provisions of this section would have unintended consequences which I know is not what the Senator intends, and erode exactly what we are trying to have constituted in the Bill in the first instance. On that basis, I cannot support the amendment.
There are still a few small elements to be considered, namely, the role of the committee and the publication of the rationale where there is a conflict, as well as the crucial issues of necessity and proportionality. Perhaps, as we move through the Bill, there might be points at which I will propose that provisions with respect to necessity and proportionality be reinserted. If we were to reinsert them in those places, we might also address some of the concerns about the data governance board which comprises 12 persons appointed by the Minister, which is slightly different from the number in other areas where there is scrutiny. There will be opportunities to make the system more robust, but there are still gaps in it, as structured.
I am happy not to press the amendment because I recognise it is a new system, but I am keen to ensure it will incorporate all of the best elements of section 38 of the Data Protection Act. I might be able to liaise with the Minister of State and his officials on how specifically we can do this.
I do not want to labour the point, but, as we go through the Bill, particularly the reason the data governance board and the concept of proportionality are taken as a given, in the sense that we must have regard to existing legislation and the GDPR, that we have put in place a data governance board to protect the interests of citizens and public bodies, that we have the backstop of the Data Protection Commissioner and that we have the role of the Minister, it is proportionate in what we are seeking to do.
Before we proceed further, I remind Members that in this legislation we are providing a legal basis for the sharing of data between public body A and public body B for the benefit of citizen X. It is not currently on the Statute Book and is a lacuna in the law that needs to be addressed.
Amendments Nos. 2 to 5, inclusive, are related. Amendment No. 3 is a physical alternative to amendment No. 2, while amendment No. 5 is a physical alternative to amendment No. 4. Therefore, amendments Nos. 2 to 5, inclusive, may be discussed together, by agreement. Is that agreed? Agreed.
I move amendment No. 2:
In page 10, line 3, after “identity” to insert the following: “excepting such parts of that public service identity which constitute special categories of personal data under GDPR, including biometric data such as facial images which allow for the unique identification or authentication of a natural person”.
These amendments relate to the tension or conflict in the Bill between sections 6 and 12. Section 12 states: "This section applies to the disclosure of personal data (other than special categories of personal data) by a public body to another public body, where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing". It states it does not apply to special categories of personal data, yet section 6 has effectively been designed in a way which will permit an intersection between the public service identity dataset and section 12, with the exception of one small part of it. The problem that arises is that the public service identity dataset contains special categories of personal information. Under the GDPR, biometric data are defined as including facial images which allow for the unique identification or authentication of a natural person. There will be circumstances where biometric data such as facial images and photographs will need to be exchanged. Article 9 of the GDPR sets out the circumstances in which it may occur. Special measures need to be taken to safeguard special categories of personal data which include facial images. There is tension between section 12 in not wanting to deal with special categories of personal data and section 6 which covers how the dataset which contains special categories of personal data will be processable under section 12.
I recognise that only specified bodies, not every public body, will exchange the data, but there is tension and I have put forward a few ways by which it might be tackled. I have suggested the inclusion of the words "excepting such parts of that public service identity which constitute special categories of personal data". I have put forward another version in which I spell out the special categories of personal data to which I am referring and recognise that there may be interpretational differences. That is the reason I have put forward two versions. Amendment No. 2 which spells out biometric data include data "such as facial images which allow for the unique identification or authentication of a natural person" is better, stronger and clearer, but I recognise that the Minister, the Minister for Employment Affairs and Social Protection and others are considering and questioning whether photographs constitute biometric data. There should be no objection to amendment No. 3 which I hope the Minister of State will accept. It provides for the insertion of the following words "excepting such parts of that public service identity which constitute special categories of personal data". That would make section 6 directly compliant with section 12 which states it does not apply to special categories of personal data. Amendment No. 3 would simply reinforce that special categories of personal data would not be processed under section 12. It is an issue of direct compatibility. I will find it difficult to understand if the Minister of State does not accept amendment No. 3, although my preference would be for him to accept amendment No. 2.
Amendment No. 4 provides for the insertion of the following words "where the information is disclosed [it must be] in accordance with the Act and compliant with Article 9 of GDPR". Where there are special categories of personal information, Article 9 of the GDPR becomes relevant and must be abided by. Another amendment proposes the insertion of the words "where the information is disclosed in accordance with Article 9 of the GDPR". These are literally suggestions.
I have also indicated that section 6 is opposed, an issue that will be discussed separately. I question if this is the appropriate place in which to deal with it. Section 6 refers to the public service dataset and specified bodies under the social welfare legislation of 2005. Many argue a social welfare Bill is the appropriate place in which to tamper with the terms of social welfare legislation and that we should wait for the next social welfare Bill to do so, especially given that the generality of this Bill deals with public bodies, whereas the social welfare Bill only deals with a closed set of specified bodies. I know that the Minister of State wants to put some of the other good practices in place and perhaps that might be the appropriate Bill in which to do so in the context of how specified bodies engage with each other. Giving him the benefit of the doubt, it is the only rationale I see for the inclusion of section 6 in this Bill, but if it is to remain in the Bill, it must be compatible with section 12 and, crucially, the GDPR. Currently, there is an incompatibility.
A particular concern arises in that regard, given that this is one of the issues being considered by the Data Protection Commission and which has been part of the debate on the public services card, on which we are still awaiting the decision of the commission. Amendment No. 3 has been phrased mildly in that it does not seek to anticipate what the decision of the commission might be. Amendment No. 2 is probably somewhat more specific and reflects what I believe is the correct interpretation. I ask the Minister of State for his observations on the amendments.
We need to go back to when the Bill went through pre-legislative scrutiny and the Data Protection Commissioner was given sight of it. It is important to point out that the observations of the Data Protection Commissioner and those involved in pre-legislative scrutiny have been incorporated in the Bill.
On whether we have the luxury of waiting, I draw attention to a point I made on Second Stage regarding Part 5 of the Bill which is not referred to in these amendments but is of concern to me and other Oireachtas Members and regards the sharing of information to accrue pension entitlements. All elements of the Bill have been formulated with the objective of protecting people’s information and enabling a seamless public service. I am a little hesitant to begin picking out parts of the Bill, particularly as it has undergone pre-legislative scrutiny but I am satisfied that data sharing is provided for under section 6 of the Bill and is restricted to the sharing of personal data only and that, as set out in section 12 of the Bill, the sharing of special categories is not permitted. In addition, although it is not referenced in these amendments, section 36 of the Bill makes clear that special category data may not form part of a base registry. Furthermore, the Bill sets out in section 5 that nothing in the Bill shall affect the operation of data protection law, including the GDPR. As such, any actions carried out under this Bill must be fully compliant with the GDPR. There is no need to restate that elsewhere in the Bill and to do so may give rise to confusion as to whether GDPR applies to some provisions of the Bill but not others.
Having reviewed the issues raised by amendments Nos. 2 to 5, inclusive, with the Office of the Attorney General, I draw attention to the fact that the Bill does not try to unwind the public services card, to which reference was made, and which has widespread support across this House. As PPS numbers are currently widely used by public bodies in the State, it is important that the legislation clarifies the position on the sharing of data. Accordingly, section 6(1) of the Bill provides that it does not affect the operation of the 2005 Act except as set out elsewhere in section 6. I know we are going around the houses somewhat but, having reflected on the four amendments, I think they could have unintended consequences and, on that basis, I do not support them.
We are going around the houses and we are going around the amendments because the section on pensions has absolutely nothing to do with this section, section 6, and base registries have nothing to do with these amendments. The key questions and concerns I raised have not been addressed. I have not raised concerns about pensions or base registries. Nobody is in a position to invoke the Data Protection Commissioner as endorsing the Bill as the data protection commission is the adjudicator on rather than the promoter or presenter of a Bill. We await a decision and report from the data protection commission on the public services card and, more importantly, the public services data set, which is addressed here.
PPS numbers are very widely used and they are a key point but over the past year and a half photographs and biometric data have been added to that data set. There is nothing wrong with the PPS numbers being shared as a normal category of personal data but there is a concern in regard to the processing of photographic and facial images, especially given the new contracts in social welfare and other areas. Ultimately, there may need to be a mechanism whereby the PPSN element is shared but the photographic element thereof is shared under a different set of provisions compatible with Article 9 of the GDPR. Article 9 is clear that the data may be shared but provides the circumstances in which that may be done. Section 12 provides a completely different set of rules for the sharing of those data. That is not to say that facial images cannot be shared but, rather, that that must be done in a manner compatible with Article 9. It may be that the rest of the data set is shared under one set of rules and the photographs under another or that section 12 is adapted such that it is compatible with Article 9 of the GDPR. It may be that section 12 will provide the grounds for most processing public bodies but specified bodies will operate on different grounds. There is an incompatibility. Saying it is confusing or talking about inadvertent consequences does not deal with the incompatibility which we must address.
I ask the Minister of State to outline his objection to amendment No. 3. If he is of the belief that the Bill already provides for the provisions in the amendment, why not clarify that such parts of the public service identity which constitute special categories of personal data would not be processed under section 12? That would reiterate what the Minister of State has said he is confident will happen anyway. I hope he will accept that amendment.
The Bill in its current format does not permit the sharing of personal data under section 12. Section 12 spells out what can and cannot be shared. Many of the concerns raised by the Senator are addressed in section 12.
I would prefer not to have to address it but section 12 of the Bill, which sets out circumstances under which one can share data, and Article 9 of the GDPR which sets out the circumstances under which one may share photographs, are different. Different circumstances are provided for in each. I am suggesting ways to make them compatible and am trying to be constructive. Repeatedly stating that everything is fine does not make it so.
I did not say it said that. Section 12(1) states:
This section applies to the disclosure of personal data (other than special categories of personal data) by a public body to another public body, where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing.
We have had regard to the GDPR and other legislation on the matter and it is on that basis that I cannot accept it.
In that case, why is the public service data set only excluded in one small sub-section of circumstances in section 12? Why does the Bill specifically allow for the public service data set to be processed under section 12? The public service data set has within it special categories of personal information. Is it the view of the Minister of State that facial images could not be shared under section 12? I ask him to give assurance on the record in that regard. Will the facial images within the public service data set be shared with other specified bodies under section 12?
I move amendment No. 5:
In page 10, to delete line 5 and substitute "where the information is disclosed in accordance with Article 9 of GDPR.".
I urge the Minister of State to re-examine these amendments because I intend to reintroduce them on Report Stage. It is a question of which amendments we will press. I will be happy to engage with the Department and with the Minister of State on these matters. I realise that there are a number of approaches to these issues.
I move amendment No. 6:
In page 10, line 8, to delete "section 12(2)(a)(ii)(VIII)" and substitute "section 12(2)(a)(ii)(III) or (VIII)".
Amendment No. 6 refers to the interaction with the Social Welfare Consolidation Act 2005. All of these amendments are being proposed to resolve a problem of legal incompatibility arising from a 2015 European Court of Justice case between Google Spain and a Spanish citizen. I am addressing the same issue in sections 6 and 12 and in a later section as well.
I will quote from section 12 because it is the easiest one to use to make my point. It provides that one of the grounds on which data sharing will be permitted will be, "to avoid the financial and administrative burden that would otherwise be imposed on the second mentioned public body or on another person were the second mentioned public body to collect the personal data directly". The key point is that European Court of Justice rulings make it very clear that "the financial and administrative burden", as it is phrased here with a pejorative slant, is not in itself an acceptable basis on which to share data.
I recognise that we are talking about a combination of a public body's performance of its functions and its desire to avoid financial and administrative costs. It is clear that the sharing of the personal data of individuals between public bodies will be allowed any time it happens to be a bit cheaper or handier for that public body. Therefore, this extraordinarily wide provision will apply under almost all circumstances.
The European Court of Justice has previously recognised that this system does not work if a public body can simply say it is financially and administratively easier for it to get the data without having to go through any other normal process. Such an approach does not stand up in the rulings of the European Court of Justice. In the case involving Google Spain and other search engines, they argued that it was administratively and financially burdensome on them to exercise and vindicate the right to be forgotten of the individual or data subject. It was ruled that it would never be necessary or proportionate for them to act on that basis.
We will come back to the question of what is necessary or proportionate later in this debate. It is certainly the case that financial and administrative ease is not a necessary or proportionate ground. The section of the Bill I am seeking to amend does not stand up legally. We have case law in respect of it. When I met the departmental officials, it was acknowledged that there may need to be movement in this regard. I am interested to hear what the Minister of State is proposing in that context. I will listen to those proposals before I expand on our concerns.
There has been a great deal of engagement. I acknowledge that the Senator has engaged and I thank her for doing so. She referred to Google Spain, which is a private body. This Bill refers to two public bodies. It is not necessarily comparable.
The Bill refers to a number of prescribed public bodies. The prescription of the public bodies will make it possible for the Minister to add other public bodies, or other bodies which might yet necessarily be constituted, in the future. We do not know what size such future bodies might be and we do not know how burdensome that would be.
Outside of all of that, I repeat the point I made earlier, which was that any data sharing which will be carried out in the future on this basis will need to have regard to all the backstops, namely, the Minister, the governance board and the data commissioner. While there are two parties to the agreement, we cannot really determine the size and the financial ability of one of those parties at the moment.
The three amendments before the House propose the removal of the avoidance of a financial and administrative burden as one of the purposes for which data sharing can take place and a registry be designated under this Bill. The primary legal basis for data sharing under the Bill is Article 6(1)(e) of the GDPR, which refers to, "processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller". This Bill, in seeking to further limit the circumstances under which data sharing may occur, lists the avoidance of a financial and administrative burden as one of a list of additional purposes, at least one of which must be engaged in, in order for data sharing to be permitted. I emphasise that it is just one of the purposes listed. The aim of this provision is to support the principle that people should have to give their information to a public body once only. During the pre-legislative scrutiny phase and in earlier discussions in this House, Members said they were very keen to avoid all of us being confronted on a continuous basis with having to provide the same information to public bodies that are trying to deliver services to us.
If this amendment is agreed, and if this is the only additional purpose a public body is relying on to share data, people will be left having to resubmit documents to public bodies on a continuous basis, rather than enjoying the benefits of the once-only principle. This would undermine one of the main tenets of the Bill and would militate against the purpose of the Bill and the obligation on public bodies to provide an efficient and effective service. It would also militate against the efficient and effective use of taxpayers' money by public bodies, which I am sure no one would intend. We are committed to the implementation of the once-only principle under the Tallinn Declaration on eGovernment, to which Ireland is a signatory. The Senator’s amendment would effectively hold Ireland behind its European counterparts and militate against the achievement of the Tallinn objectives, one of which is the once-only principle. On that basis, I cannot support these amendments.
The Tallinn Declaration is a declaration, whereas the GDPR is law. They are quite different. The GDPR takes significant precedence on the hierarchy of priority. I suggest that in invoking the once-only principle, the Minister of State has given the Tallinn Declaration an equivalent status. However, it is not in any way equivalent to the necessity and proportionality test we now have under the GDPR.
Convenience, as represented by the once-only principle, is not a ground that stands on its own in fulfilment of the requirements of necessity and proportionality. That has been determined by the highest courts. That the case involved a private body rather than a public body is not pertinent in this context because it is a matter of necessity and proportionality. I am not challenging the grounds we already have regarding a public body's performance of its functions, a large number of which are set out in section 12. I refer to more effective delivery, etc. All of those grounds relate to a benefit to the individual data subject whose data this is, who owns this data and whose benefit has to be paramount. Those are the other circumstances.
Perhaps it is misleading to refer to this as just one of many purposes. Only one of these categories is needed to justify the protection of data sharing. All that is needed is to have the function and the fact of it being administratively and financially convenient or less burdensome to the public body, rather than to the individual. The Bill that is being proposed is not a matter of convenience to the individual - it is a matter of convenience for the public body. Again, that is going away from the principles of the Data Protection Acts and the principles of benefit for the individual and, where possible, choice for the individual. This incompatibility has not been addressed.
There is a reason that these provisions are included in the GDPR. It has not been done to make life difficult for anybody but to achieve a balance. We see in Hungary and other parts of Europe examples of states where there has been overreach by public bodies. It is appropriate that checks and balances apply regarding how public bodies share data of citizens among themselves. There are times when data sharing is merited and times when it is questionable. The grounds provided are so wide that almost any data sharing of individuals' data among public bodies will be possible. The backstops are not really relevant. They relate to the process of checking, but the initial data sharing agreement needs to be on a legal basis. What is proposed in this section - a financial and administrative burden on the public body - is not a legal basis that satisfies the criterion that the data sharing be necessary and proportionate. It is simply not legal and does not meet that standard. I ask the Minister of State to re-evaluate the section. Regardless of what the Data Protection Commissioner or any other body may say down the line, the starting point must be to operate from a basis of legal compatibility with the relevant laws, not simply declarations.
I agree with Senator Higgins on one point, namely, that nobody present claims to have the knowledge of the Data Protection Commissioner. While the Data Protection Commission has been silent on certain matters, that is not to suggest the commission either supports or opposes anything. However, after the heads and general scheme of the Bill were published and circulated, they were scrutinised and the various arguments were well aired. We have had a good debate on the legislation.
Senator Higgins raised the issue of checks and balances and asked whether there is a legal basis for data sharing. That is the reason we are discussing this Bill. As I stated, there is a gap in the system and information is being shared on a regular basis. I do not agree with the Senator's view that convenience is not an issue for citizens. Convenience is an issue and people legitimately ask why they have to repeatedly submit the same information to Ireland Inc., as it were, to access public services. People have a right to ask that question. As the person who signed it, I accept that the Tallinn Declaration is a declaration. The Senator is also correct that the GDPR is the law and the Bill has been developed to fully reflect that law and all the other data protection legislation on the Statute Book.
There is nothing in the Bill that is incompatible with the existing provisions of the law. I reiterate that section 12(a) provides that personal data is disclosed for the purpose of the performance of a function of a public body and to avoid the financial and administrative burden that would otherwise be imposed on a public body or another person. It is important to note that this benefits the individual concerned. We should not lose sight of what we are trying to do, namely, to establish a framework to govern what is already occurring in public bodies. We want to make sure the provisions of the GDPR are adhered to by the Government in terms of engagement between Departments and other public bodies. It is on that basis that I cannot support the amendments.
The Minister of State is correct that there is a lacuna and that a large amount of data sharing is taking place without a clear legal basis. It is good that he acknowledged that.
On another issue to which I will return on Report Stage, the definitions of "public body" in the Data Protection Act and this Bill are inconsistent. The definition of "public body" in this Bill is very wide. A significant number of potential actors will fall within the scope of this definition. A large number of bodies will share data, which is the reason we need to get this right. With respect, the Minister of State spoke of the Bill having undergone scrutiny but this discussion - the legislative process - is scrutiny. Many Ministers come to this Chamber and many Senators engage with them and give a higher degree of engagement in terms of recognising that this is the legislative process. Our role is not to congratulate Ministers on bringing legislation to the House and agree to rubber-stamp it. It is to ensure we are confident that legislation is as it should be and the proposals being put forward are constructive. I ask the Minister of State to revisit the provisions of this Bill because I do not want a case to be taken against the State in the European Court of Justice on the basis of the grounds on which data may be shared.
Crucially, the Minister of State referred again to convenience for individuals. This would have been a different discussion, although there may still have been problems, if the Minister of State had spoken about the financial and administrative burdens on individuals. However, the Bill makes no such references but refers instead to the financial and administrative burden on public bodies. Convenience for individuals is not the ground on which data will be shared, although it, too, is included. I am specifically querying the inclusion, as a reason for sharing data, of the financial and administrative burden imposed on public bodies. This will allow any one of the large and growing number of public bodies to refuse a request on the basis that it would be inconvenient. If the goal were convenience for the individual, a mechanism would be provided to allow individuals to abide by the "once only" principle or to allow all their data to be shared to the maximum and in the most convenient way. It would still be the individual's data, however, because none of them belong to the public bodies, they all belong to the individual. The public bodies are sharing data for the benefit of the individual and not for their own benefit and convenience.
In her last sentence, Senator Higgins articulates the reason we are here. We are doing this for the benefit of the citizen and to make it easier for the citizen to avail of public services and to do so in a legal framework that is compliant with the law. I draw attention to section 9(1)(q), which refers to "any other body specified in an order made under subsection 4". In other words, while the list of public bodies is long, it is by no means exhaustive. I am sure Ministers will make further amendments to the list in the future. There may be glaringly obvious omissions and this provision will allow the Minister of the day to make an order to add other public bodies to the list. The reason for including this provision is to ensure the section is not prescriptive.
I am aware of another amendment to be discussed later, as I referred to it in my Second Stage speech. The Bill specifically does not include the commercial semi-State companies for the obvious reason that these companies are in the business of trying to make an annual return and dividend for the taxpayer. It would not be practical to ask them to share information in the format that we are expecting other public bodies to share information. That is the reason for the difference in what is regarded as a public body under this Bill and what may be regarded as a public body under other legislation. It is simply to ensure we have regard to the commercial sensitivities of some of our public companies.
I note that commercial sensitivities are being given great regard. I regret, however, that the same regard is not being given to the data protection sensitivities and entitlements of the individual and the concerns regarding necessity and proportionality, which have not been addressed.
I put forward amendments to make constructive proposals. I do not like many elements of section 12 but only one stood out as being incompatible with the general data protection regulation's provisions on necessity and proportionality. I will return to these issues. I regret that the Minister of State does not seem to be able to take on board what is a small and constructive proposal. Again, I have only discussed the headline issues but we will return to these matters on Report Stage. Unless we get this right and have some level of engagement on it, this will be used as a ground for a court case. Nobody wants State funds to be spent on defending court cases in Luxembourg, simply because we chose not to improve a section when we were drawing up the legislation. We can have the discussion on Report Stage. We have an opportunity to get this right and we should endeavour to do so.
I will move my amendments but will not press them and reserve the right to return to them on Report Stage.
I move amendment No. 7:
In page 10, between lines 14 and 15, to insert the following:"(6) A specified body may not make presentation of a public service card or access to a person’s public service identity the sole or exclusive basis by which a person may confirm their identity in order to conduct a transaction or access a service.".
The amendment is on the public services identity card. Again, there is a fundamental tension in the Bill between sections 6 and 12 and I will address the same issue in each of these sections. The amendment proposes that a "specified body may not make presentation of a public service card or access to a person's public service identity the sole or exclusive basis by which a person may confirm their identity in order to conduct a transaction or access a service." It relates to a concern that has arisen regarding the public services card or, more specifically, the public service identity data set. I am a member of the Joint Committee on Employment Affairs and Social Protection which has considered this issue in detail. Experts in data protection and the Department have made presentations to the committee. We are awaiting a report from the Data Protection Commissioner who is considering the now notorious issue of whether the public services card is compulsory but not mandatory or mandatory but not compulsory. The issue is whether it is appropriate to make the presentation of a public services card and-or public service identity data set number, which are effectively the same thing, the only basis by which a person may confirm his or her identity. A number of challenges have been made to this requirement. One such challenge was made by a pensioner who was denied a pension on this basis. We now know that persons have been denied child benefit or, potentially, denied student grants on this basis. In all cases where challenges have been made, the body in question has backed down because the provision does not yet have legal standing.
Alternative ways to prove identity are required, specifically for persons who are not happy to share their data in the new public service data identity set, which is under investigation. I acknowledge that many people will choose to use their public services card, which is their prerogative, and many will choose to use the public service identity data set. However, the Data Protection Commissioner is undertaking a section 10 investigation into a number of issues concerning the public service identity data set, including storage, access and whether the data is adequately secure. I have listed only some of the issues that are being considered. In the absence of a clear, strong assurance that the conditions regarding storage are satisfactory and meet the required standards, we should not force anybody to engage with the public services card or make it the only means by which essential services can be accessed.
My amendments to sections 6 and 12 simply suggest that the public services card and public service identity data set should be a non-mandatory means by which a person may verify his or her identity. They provide that people can use this means and share data for certain purposes. If an individual finds it wonderfully convenient to use his or her public services card, so be it but he or she should not be forced to do so. The amendments provide a reasonable middle way whereby the data set can be used but other options are made available. I hope they will be accepted by the Minister of State.
These amendments relate to the Social Welfare Consolidation Act 2005 and its relationship to this Bill.
In the amendment tabled in respect of section 6, the Senator has proposed that the public services card, or the underlying public service identity data associated with the card, cannot be used as the sole basis by which a person may confirm his or her identity to access a service. Similarly, she proposes to amend section 12 to provide that data may be shared as a "non-mandatory means to verify the identity of a person".
To ensure services are provided to the right person and to protect personal data, service providers must put in place necessary and proportionate requirements for identity verification. The Senator will appreciate that, in light of general data protection regulation, GDPR, and the extreme importance the Government places on the protection of personal data, it is more important than ever that we ensure that providers of public services are certain they are dealing with the correct people.
The State continues - as is appropriate - to invest significant time, money and effort in the public services card, MyGovID, and the underlying standard authentication framework environment, SAFE, registration process. It is a result of the SAFE registration process that the card and MyGovID are the most robust and assured means of establishing a person's identity when he or she accesses a public service. In this context, it is a matter for each service provider to decide the most appropriate means by which to verify a person's identity. This should be necessary and proportionate to each service. It is not appropriate to place a blanket restriction on how the public services card or public service identity data can be used to facilitate data protection. On that basis, I do not propose to accept these amendments.
The Minister of State indicated it is not appropriate to impose blanket restrictions, yet that is effectively what is being applied in respect of access to social services. Persons seeking to access social welfare payments and other payments will encounter such a blanket restriction and I am concerned that it will be extended. I am concerned that the interaction between sections 6 and 12 will result in all of the specified bodies determining that the only basis on which they will deliver essential services will be on the presentation of the public service identity data set, over which there is a question mark, or a public services card.
I am open and flexible in terms of how my proposal would be phrased or framed. The language used by the Minister of State would be perfect and we could provide that there will not be a blanket restriction or requirement. The decision to roll out the public services card as the only way people can access services is excessive. For example, it has been presented as the only way a person can access the funds required to return to college and a condition for receiving child benefit or obtaining a passport to leave the country. Thankfully, the requirement regarding passports has been changed and I applaud the Minister for Transport, Tourism and Sport, Deputy Shane Ross, for recognising that the provision had no legal basis. I know that was a surprising move. I also note the acknowledgement that insisting that people have a public services card before acquiring driving licences and taking the driver theory test was excessive.
I will be pleased to withdraw my amendment and accept a Government amendment which exactly captures the need not to have a blanket restriction and to show flexibility regarding the means of identification. Such flexibility is needed. There are circumstances in which identity can be clearly proved. The Data Protection Commissioner is investigating the unresolved concerns expressed by many people, which may well be resolved as a result of this investigation. These people should not be forced to use a system that is still imperfect and requires improvement. It is the type of flexibility described by the Minister of State that we want to capture and I will be happy to accept other phrasing provided it captures this flexibility. It is important that the Bill does not become the instrument that introduces a blanket provision.
There is a contradiction in wider Government policy because we have repeatedly been told that the public services card is not an identity card. It is not meant to be an identity card. We do not have identity cards in Ireland and so forth. The Bill seems to cement the practice whereby the public services dataset and associated card will effectively become a national identity card. If that is the route we are taking, so be it, but let us have a debate on it that is honest. I note also that An Garda Síochána is one of the public bodies implicated; there is, therefore, a level of reference.
There is nothing in the Bill to suggest a reference to the security of the State or anything of that nature would be included in the provisions. It is a matter for each individual Department and agency to decide the most appropriate form of ID. The Senator is entitled to her view, but a lot of what she has said is already the law and included in the Social Welfare (Consolidation) Act 2005. I do not think we are proposing to unwind that legislation.
I move amendment No. 8:
8. In page 10, between lines 23 and 24, to insert the following:
“Data-sharing: meaning
8. (1) In this Act, “data-sharing” means the execution and operation of defined processes for the exchange of information between one or more entities for the purpose of supporting the delivery of statutory public sector services, or the execution of obligations under EU law.
(2) The basis on which data sharing processes may operate include—
(a) a case by case basis for the validation and verification of data,
(b) on a defined batch processing basis for the validation, verification, and updating of specific populations of data, or
(c) as once-off consolidation and integration of disparate data sets to form a new, shared, master data repository.”.
This relates to the question of data sharing. The definition of data sharing in the Bill is quite wide and does not recognise the very different bases on which it may occur. This issue was the subject of considerable debate in considering a very similar version of the Bill in 2014 when there was an extensive Committee Stage debate. One of the key points made in that debate concerned the lack of a clear definition of data sharing. The current definition simply describes some activities, but it does not describe clearly what the basis might be. Some of the bases, for which there is a strong precedent in law, as I am suggesting, include a case by case basis for the validation and verification of data; a defined batch processing basis for the validation, verification and updating of specific populations of data and a once-off consolidation and integration of disparate datasets to form a new, shared, master data repository or a new base registry, as recognised later in the Bill. I am concerned that data sharing is defined in a very loose way.
The GDPR is very clear that there are certain circumstances in which data may be shared and certain bases on which to do so. It is a complex process and I am worried that the nuances have been lost in a sweeping definition in the Bill, as it stands.
The Senator is right that the definition of data sharing in section 8 is quite wide. If I came here with a narrow definition, I am sure we would be having a different debate and Senators would be arguing that the Minister was trying to restrict what was covered by the Bill for the purpose of the establishment of data sharing agreements between agencies and was doing so to suit himself. The reason we have not done so is to make sure we capture everything that can be properly constituted as data sharing, which includes the disclosure of information and personal data by a public body to another public body. The definition is wide because it should be.
The Senator proposes changing the definition of data sharing which is set out in section 8 and used throughout the Bill. It would have a consequential impact on section 18 which specifies the information that shall, at a minimum, be set out in a data-sharing agreement. The purpose of section 8 is to provide a definition of data sharing. This provision does not set out the processes under which data may be shared. In addition, sections 12(1) and 14(1) set out the conditions under which data sharing may take place in the context of national and EU law.
We have, as I said, set out a wide definition of data sharing to ensure all forms of data sharing that may be carried out by public bodies will be captured and, therefore, regulated by the legislation. If the definition was limited, as the Senator is proposing, it would mean that other forms of data sharing not captured by the proposed definition would not be subject to the governance and other provisions of the Bill such as the limitations on processing set out in section 12 and the requirements for formal data-sharing agreements and associated consultation, scrutiny and transparency provisions, as I mentioned. I do not think that is what the Senator intended.
Section 18 specifies the information which shall, at a minimum, be included in a data-sharing agreement. Among other things, it provides that public bodies must set out the purpose, function and legal basis for sharing and processing the data concerned and specify what data are to be disclosed and how they will be processed. Notwithstanding that the requirements for the content of the agreements are comprehensive, section 18(2) gives the Minister the power to prescribe additional information that must be included in a data-sharing agreement, if required.
The Senator’s amendment to section 18 is very technical. People want to know what data are held and why, what they are being used for, for how long they will be held, who is going to use them and what internal processing works will be used. I appreciate the Senator's comments, but, on reflection, her amendment would overly complicate the agreements we have set out in the provisions of the Bill. On that basis, I encourage her to consider withdrawing it.
I recognise that this relates to sections 8 and 18. As it stands, section 18 provides that the legal basis must be set out. In terms of the subsection, there is a key concern about whether Ireland is really reflecting the spirit of where we are in data protection regulations. Our job is not to make it really simple. There is a need for a level of clarity on why it is happening and the basis on which it is happening. Is it on a case by case basis? Is a person's data part of a large cohort of data being processed at the same time? Are they part of a dataset or has the person been picked out individually? Is it happening once or multiple times?
My amendments are not exclusive. They include the words "or another basis detailed in the agreement". I make it very clear that while I list the recognised primary bases on which it will happen, I am not making them exclusive or exclusionary. Other bases would be allowed for.
The point is that we need to make it really clear for people. It is one of the rules of the GDPR that information should be made as clear as possible for the individual. That is not the same as making it as simple as possible by simply saying "we are processing your data." It is about making the rationale clear as to why it is happening. That is the concern that needs to be addressed. I am not sure whether, under the current provisions, an individual who looks at a data-sharing agreement covering his or her data will clearly understand how or why it is being done. I appreciate that data-sharing agreements will be published.
Returning to amendment No. 8, the definition states "data-sharing means the disclosure of personal information including personal data by a public body to another public body". Down the line, we will see a real concern expressed by individuals. It might not happen now or while the Bill is going through, but there will be a concern when people realise the wide parameters in the sharing of individual data by public bodies. We need to balance appropriate action with appropriate transparency and clarity for the individual who needs to know the rationale for sharing his or her data. Again, the current provisions do not achieve this. I will withdraw amendments Nos. 8 and 14.
I move amendment No. 9:
In page 10, to delete lines 34 to 38, and in page 11, to delete lines 1 to 30 and substitute the following:
"9. (1) In this Act, "public body" means—
(a) a company (within the meaning of the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act) a majority of the shares in which are held by or on behalf of a Minister of the Government,
(b) a subsidiary (within the meaning of section 7 of the Act of 2014) of a company referred to in paragraph (a).".
We discussed this amendment briefly. There are entirely different definitions of public body in the Data Protection Act and the Bill before us. The definition of public body in the Bill includes some elements of the definition in the Act and some elements of what are described in the Act as "public authorities". A potential tension arises because certain entities, including An Garda Síochána and a number of other bodies, are described as public authorities in the Act but as public bodies in the Bill. That conflict is a concern.
It is not simply the case that a public authority and public body have equivalent meanings because the Data Protection Act includes separate definitions of "public body" and "public authority". The definition of the former in the Bill takes a little from column A and a little from column B, which creates confusion. We will have circumstances in which a concern or ambiguity will arise about whether an entity, such as An Garda Síochána, is considered a public body or a public authority. As we can imagine, the Data Protection Act and this Bill will closely interact and are naturally linked because they substantially overlap. I expect many cases will arise in which both are invoked, yet they have different definitions.
I will not press the amendment, which is an attempt to alert the Minister of State to this issue. Amendment No. 9 would take the definition of a public body from the Data Protection Act and make it the definition in the Bill. I recognise that certain groups and entities the Minister of State wants to absorb into the Bill will not be captured by the amendment, but this is one way of making the Bill and the Act compatible. I am open to other proposals the Minister of State or Department may have on how to make them compatible.
It creates an inappropriate legal ambiguity when the House passes legislation featuring certain definitions and a few months later it is proposed that we pass legislation featuring a completely different definition which clashes with the original definition in the same area. I am open to proposals from the Minister of State on how to resolve this issue and I hope he will put forward Government amendments to address it. Amendment No. 9 is one way of addressing it, albeit one which I recognise is quite blunt as it proposes to take the public body definition from the Data Protection Act and put it into the Bill. If the Minister has other suggestions I am very open to them.
The Minister said that the definition of public body is very wide. We should bear in mind that these bodies may share data with each other. As the Minister said, subsection (q) refers to any other body which a Minister decides to make into a public body. Any body, public entity or company could become a public body. We need to have firewalls in that respect. In cases where the Minister designates as a public body under this section a body whose activities and functions do not relate to the delivery of services to the public under an agreement with the public body, the Minister should publish regulations on suitable and specific safeguards to protect against inappropriate access or data shared under the Act within the body. For example, if a company is under contract to the State to deliver one kind of service and, on that basis, is given access to a data set for that purpose, we need to ensure suitable safeguards are in place if a commercial section exists within the same organisation. If an entity has other clients besides the State, there must be clear safeguarding of data shared by any public body with this entity, that is, the public body for the purposes of the Bill, which may be involved in commercial, State and public activities that may serve public and private purposes.
I am not attempting to be prescriptive and I will leave space and discretion to the Minister of State to set out the regulations. I have used the same wording we used for the Minister for Justice and Equality in regard to the general data protection regulation, namely, "suitable and specific safeguards". I expect everybody will agree there should be some safeguards in place. If we are to allow data to be shared by a Department with other fully public entities or partly public and private entities, rules will be required on how we protect such data.
As I said, the reason there is a wide definition of public bodies in the Bill is the same reason to which Senator Higgins referred. If I excluded the Health Service Executive, an education and training board, An Garda Síochána, the Commissioners of Public Works or another body, I would be pilloried and people would say it was more of the same and the Government was covering something up.
If I did not include any other public body specified under section 9(4)(q), I would also prevent any future public body which has not been established from being included in the Bill. That is why the definition is as wide as it is. Section 9(4) states that:
The Minister may, at the request of a body that would not otherwise be included in the definition of “public body” in subsection (1) and with the consent of the Minister of the Government in whom functions in relation to that body are vested, by order designate that body as a public body where—
(a) that body is financed wholly or partly, whether directly or indirectly, by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, and
(b) the Minister is satisfied that the principal activity of the body is the delivery of services to the public under an agreement with a public body.
This covers circumstances in which there is part funding or whole funding.
I completely understand the issues relating to bodies and authorities. The term "authority" is used more in European Union law than in Irish law. Irish law has generally and historically referred to bodies and it is on that basis that references are to "public bodies". The wording in the amendment would mean the Bill would only apply to those public bodies established under the Companies Act 2014. An unintended consequence of that would be that the Bill would not apply to the Civil Service, local authorities, the HSE, the Garda, education and training boards and several other bodies.
As I said when I introduced the Bill in the House last week, it is the Department's intention that the Bill should apply to as wide a number of public bodies as possible. At a minimum, Government Departments and offices, local authorities and the HSE should be able to share data under the Bill. They already do so, albeit in a legal vacuum which needs to be addressed. It is on that basis that we are introducing the Bill. If further bodies need to be included in the legislation in the future, subsection (4)(q) will allow a future Minister to make the relevant additions, as necessary.
I should clarify that the primary reason the definition of a public body is different in the Bill compared with the definition in the Data Protection Act is that the Bill needed to specify a legal person who can sign the data sharing agreements. As no similar requirement applied in the case of the Data Protection Act, a different approach to the definition was necessary and was used. The two definitions do not have to be identical because the processes are completely different and the differences reflect the different requirements of both pieces of legislation. In any event, the Data Protection Act and GDPR continue to apply to all public bodies or authorities within the scope of the Bill.
When we speak of unintended consequences, this is exactly what I am seeking to avert. Entities are listed in two lists under two different definitions. I recognise that the Minister of State needs to have a different definition in the Bill but I suggest that, perhaps in the section on definitions, he seeks to clarify that, for example, the definition of public bodies in the Bill relates to the public bodies and the elements thereof specified in the Data Protection Act. There needs to be some clarity because entities are defined differently in the Bill and the Act. It would not be insurmountable for such direction to be given. In terms of unintended consequences, it would be better to address the issue than to ignore it and hope that no conflict arises between the Bill and the Act. The issue could be addressed and dealt with.
The Minister of State did not alleviate my concern in regard to bodies wholly or partly funded by the State. In fact, he confirmed it. As he stated, the Bill allows him to designate as a public body entities that are wholly or partly funded by the State. My concern regards entities that are partly funded by the State and also funded by private entities, commercial interests or other actors. I ask the Minister of State for his perspective on regulations, guidelines or safeguards in respect of entities which receive State funding along with other funding. Again, I have not sought to be prescriptive in terms of what the regulation or safeguard should be, but it is important that we allow space in the Bill to ensure that only the State-funded actions of an organisation or entity partly funded by the State can access public data which it receives.
The GDPR and the Data Protection Act and the Bill are different because the main thrust of the Bill is in regard to data sharing agreements. As I stated, a person with legal qualifications is involved in the signing of those agreements and that is one of several differentiating factors between the Bill and the Act to which the Senator referred.
In regard to the wide remit to which the Senator also referred, section 9(3) of the Bill provides that the Minister would have the power to exclude a public body if required to so do. If compliance with the Bill were too onerous or not required for a particular public body, there is provision in the Bill for it to be excluded.
On bodies which are wholly or partly funded by the State, I give the example of local authorities, which fund a significant element of their work from resources they generate and also receive resources from the State. Some of their activities are wholly State-funded while others are partly funded by the State. However, they are public bodies; the bulk of their work is directed at serving the public. The intention is to cover the public bodies referred to in the definition for the purposes which I have already set out. I hope I have clarified the difference between the Data Protection Act and the Bill.
I understand the reason for the differentiation but am suggesting that that must be made clear in the legislation. It does not really address the issue of entities being wholly or partly funded by the State because although the Minister of State gave the example of local authorities, another example is a company providing homecare services and which is partly funded by the State and needs to have data shared with it for the purpose of its activities on behalf of the State. However, it may also be a commercial company. The question is whether data, potentially in respect of vulnerable individuals, that might be provided by the State to such company would potentially be usable by it in its private or commercial activities. Such data may include health data, which is a special category of information, and that would raise further questions in terms of what is appropriate. That is the key question. Homecare may not be the right example but I am highlighting concerns in regard to commercial companies rather than local authorities. I am happy to park the amendment. It seems that the Minister of State does not yet have an opinion on the question of safeguards and regulations but I believe it needs to be addressed. Does the Minister of State plan to put in place safeguards in regard to entities which are partly publicly-funded and partly commercial entities in order to ensure that public data is used only for one purpose? It is a very clear question.
Section 18 deals with the issue of safeguards. It contains several requirements which restrict further disclosure of data, including that security measures, retention requirements and how the data will be deleted when they are no longer needed must be specified. In addition, as I stated, the data protection commission may use its enforcement powers if sharing occurs outside the terms of the agreement.
On public bodies and partially publicly-funded bodies, section 9(4) states: "The Minister may, at the request of a body that would not otherwise be included in the definition of “public body” in subsection (1) and with the consent of the Minister of the Government in whom functions in relation to that body are vested, by order designate that body as a public body."
In a case such as that to which the Senator referred, the Department of Health and the Minister for Health would have to consent to the company being designated a public body. That safeguard is built in because, as I stated, we do not know what may happen in the future. The Bill is not exhaustive in that regard because we do not know what public bodies may be constituted in the future. However, we have made provision that the line Minister who takes responsibility for the Vote from which the funding would come – the Minister for Health in the Senator's example – would have to sign off on the designation. That power will not vest in me or my successor but, rather, would be the responsibility of the line Minister.
I will not press the amendment. Section 18, on which the Minister of State touched, could be strengthened to address this issue. I hope I will be able to engage with him on how section 18 and the content of the data sharing agreement could perhaps make the protections more robust and be a way of approaching that issue.
I move amendment No. 13:
In page 15, line 4, to delete “body.” and substitute the following:“body, and
(f) the sharing of personal data is necessary and proportionate.”.
Amendments Nos. 13 and 16 relate to necessity and proportionality, which are the guiding principles that underpin the GDPR. Again, this is about making clear that that test is being applied. In the Data Protection Act, it is clear that it should be applied in many cases and that was reinforced in several sections. There was strong agreement across the Oireachtas, from colleagues in Sinn Féin among others, to ensure that necessity and proportionality be made visible as a consideration. In regard to page 15 line 4, I suggest the insertion of reference to the necessity and proportionality test within the section on directions regarding personal data. I also suggest reference hereto on page 18 in regard to the content of the data sharing agreement, which is perhaps the most important place for it. Necessity and proportionality must be the underpinning consideration in a decision to share data between public bodies. There is a danger whereby the ease and smoothness of data sharing becomes the norm when we share data. Necessity and proportionality need to be applied consistently, and this is very clear in the general data protection regulations to every purpose to which data is put. It may be that every purpose meets that test, but necessity and proportionality must be applied. There is a concern in the establishment that these data-sharing agreements would bring in a level of complacency. Consider the Road Safety Authority, for example, and another entity - albeit semi-State agencies are excluded. I refer to cases where public bodies from this proposed wide list have established an agreed data-sharing agreement, even between the driver theory test section and the Department of Transport, Tourism and Sport, for example, it may cover everything.
It is important there would be a reminder that every time data is shared and every decision that is made to share data must meet the tests of necessity and proportionality, and that the purpose to which data is being used is constantly put under that scrutiny.
This data belongs to the individuals in many cases. This is personal data that belongs to people and they need to be assured, as was said in the previous debate about rationale on Second Stage, that there is always a rationale for why their data are being shared, and that it is always necessary and proportionate. This does not mean a huge or exhausting process every time, it just means that the test applies. This is very clear under the GDPR.
I put it to the Minister of State that we are potentially talking about hundreds of data-sharing agreements because it covers a very large number of public bodies, and the Minister of State has quite rightly said it is a growing number, which are all sharing data with other public bodies. This is a large number of data-sharing agreements being established. If these data-sharing agreements are the key architecture of this Bill and how our State plans to share our information, then necessity and proportionality need to be built in at ground level. This is why I urge the consideration test. I have included it in two places, but the particularly important aspect is necessity and proportionality within the data-sharing agreement section.
The other two amendments that have been added to this section of the debate - I probably would not have added them but they are here - are around privacy sharing and data protection impact assessments. I recognise that a data protection impact assessment is not always needed, necessary or relevant. What is always needed and relevant, however, is a demonstration of consideration as to whether an assessment is needed or not. Although I had considered it in this section, I have not suggested that a data protection impact assessment would always be conducted, because I realise there are many cases where it is not necessarily pertinent. It is reasonable, however, to propose there would be consideration of whether it is needed or not. This is the level, namely, that it simply requires a demonstration that whether or not a data protection privacy impact assessment is needed, it has been thought about.
Has amendment No. 17 been included in this group of amendments under discussion?
Amendment No. 17 is a technical amendment. It is clear. There is a little bit of ambiguity here. I regard it as a different issue and therefore a different discussion, but it relates to the ambiguity around the lead agencies and data sharing, and where that stands. Consider the situation where there are data controllers within two public bodies, for example, in the context of discussion about lead agencies. If an individual person has a concern there is a question over who he or she should go to. We do not want a situation where individuals are being sent from pillar to post.
The European Court of Justice ruling in 2015 made it very clear that both of the data controllers are liable. We cannot have a situation where one data controller says, "Well they were the lead agency so do not look to us". Both of the data controllers are liable. While a lead agency may be a preferred point of contact, and while the lead agency may take the responsibility for outreach and so on, the amendment is important because it makes clear that this section of the Bill outlines how individuals may engage with the lead agency, "without prejudice to and does not limit the rights of a person as a data subject in respect of any or all data controllers in a data sharing agreement". This makes it clear and ensures that Ireland is compatible with the European Court of Justice.
With regard to whether or not we are being complacent, it is important to make a few points. The Senator spoke of the tests for necessity and proportionality. These are absolutely necessary and they are happening currently. Data is being shared at the moment, which is necessary and the agreements are necessary. They need, however, to have a legal basis, and hence this Bill.
Consider what is included in the Bill to cover proportionality, complacency and all the checkpoints and all the safeguards. There is public consultation and publication online. I am aware there is a later amendment on the timeframes that are allowed and whether or not there can be greater scope for that. This is certainly an aspect I am very amenable to.
On the agreements themselves there is scope around how the agreements are drawn up, who the lead agencies are and who the base registry holder is. Given that this is a data-sharing Bill that will cover public bodies we have also taken a lot of time to make sure the governance board would have the proper people to see that everything is done in accordance with the Bill. The data commissioner will be in the background and will have oversight on the laying of the agreements. The agreements will have to be laid before the Houses of the Oireachtas. The Minister will also be involved.
Senator Higgins alluded to hundreds of agreements. I believe there will be thousands of data-sharing agreements that will need to be registered. That will tell us the level of sincerity and commitment the Government has on the issue. This will take quite a considerable amount of resources. We shall do this to make sure the public has confidence in us to mind, supervise and use the data for the purpose for which it is collected. I agree that this has not always been the case. The Bill is being brought before the House because this lacuna in the law needs to be cleared up.
With regard to the lead agency and from the perspective of individuals who could be bounced around as the Senator has said "from pillar to post", the Bill makes it very clear that the lead agency must deal with the individual's request. The agency cannot try to send the fool further or send people around the houses from Billy, to Jack, to Jim. It does not prevent the citizen from going to the data commissioner. It also does not prevent the individual from using the provisions available to him or her for consultations to have his or her views heard. Given that the agreements will be laid before the Houses of the Oireachtas there will be opportunities for Deputies and Senators to make observations also. In fairness, there are an amount of safeguards included.
Discussion on amendments Nos. 13 and 16 went together. I want to refer to amendments Nos. 15 and 17, which are related. Amendment No. 15 proposes that a public body should, "demonstrate a consideration of whether there is a need for a data protection impact assessment". As I have said, the Bill must comply with the GDPR. Article 35 of the GDPR sets out when a data protection impact assessment must be carried out. It is in the law already. The Bill provides, at section 18(1)(h), that where a data protection impact assessment has been carried out, a summary of the assessment must be provided in a schedule to the agreement. This is in accordance with the guidance on data protection impact assessments issued by the European Commission’s Article 29 data protection working party. The Senator’s amendment proposes an additional requirement on public bodies that they would provide an explanation in the data-sharing agreement of what they considered in deciding whether or not to carry out an assessment. This is not required under the GDPR and I do not consider it appropriate to oblige public bodies to go further than the GDPR in this regard.
Amendment No. 17 concerns the role of the data controller as specified in section 20 of the Bill. This refers to lead agencies. This section requires one of the parties to the data-sharing agreement to be designated as the lead agency responsible for carrying out the functions specified in the section and elsewhere in the Bill. It sets out a number of functions that the lead agency will have, including dealing with requests made by data subjects to exercise their rights under the GDPR.
As I have mentioned a number of times, data sharing that takes place under the Bill must comply with the GDPR which is being transposed. The GDPR sets out the rights of data subjects and this section of the Bill does not override those rights; it serves to extend them by providing that the lead agency is obliged to deal with requests made by data subjects to exercise their rights under the GDPR. In other words, the Senator will not be sent around the houses.
While someone might not be sent around the houses, which I understand from the reference to the lead agency - in fairness to the Minister of State, he has affirmed it - it would be useful to affirm it in the Bill to be clear that it does not in any way prejudice someone's right to call to each of the relevant houses.
Having heard what the Minister of State had to say, I almost reinforce the point about necessity and proportionality. Necessity is not about the need at the very beginning to have a legal basis because we know that we are operating illegally. I am surprised that there are not more public alarm bells about the fact that the State is not operating with a legal basis for what it is doing, but that is not the necessity. The necessity and proportionality test applies each time one uses the data. It is not about whether in general we need data protection agreements; rather, it is about each data-sharing agreement and how it applies. There is a real concern in that regard. In fairness, we are describing that the public will have a chance, but at the same time we are being told that there will be thousands of such agreements. It is not the job of the public to test data-sharing agreements for necessity and proportionality. It is not the job of the Data Protection Commissioner to do so, except in the general sense of oversight. It is not the job of the data governance board, to which we will come. It is the job at foundation level when two public bodies are agreeing to share personal information. They must be satisfied at the starting point that it is necessary and proportionate. It is not for people to catch it down the line. It is not an issue of backstops. It is not for the public who already put huge work into guarding data protection. I applaud many individual citizens who have made great efforts in that regard. It is for the public bodies who are making the decision to share data between them. What I am saying is that it needs to be in that bit of the Bill. I do not think it would take anything from the Bill and its operation, but it would add a certain assurance for the public. I, therefore, urge the Minister of State to strongly consider taking it up on Report Stage. 
I refer simply to mentioning necessity and proportionality and making it clear that they will be key considerations for the two public bodies involved in respect of the thousands of agreements that will be happening.
I will not press the other amendments at this point. On the question of data controllers, the Minister of State made it clear in his narrative and it would be nice if it was clearer in the Bill. To be clear, my amendment does not state they have to state what they considered, it simply states they have to have considered.
The kick-off for the agreements is identified in section 55(1)(c), which states: "a statement from the data protection officer of each of the proposed parties to the effect that the data protection officer concerned has reviewed the proposed agreement, and is satisfied that compliance by the proposed parties with the terms of the proposed agreement would not result in a contravention of data protection law". In other words, on the point made by Senator Alice-Mary Higgins about who would start the process, the data protection officer in each of the public bodies must state they are satisfied that the agreements are in order. After that, all of the other trickle-down measures such as the data governance board and the Data Protection Commissioner, the Oireachtas and consultation will kick in.
In terms of necessity and proportionality, it is not just the fact that it is necessary because it is ongoing. It will be necessary and proportionate because the law will be enacted; therefore, the necessity will come from the very fact that when public agency A is sharing information with public agency B, they will have to satisfy themselves that a data-sharing agreement is necessary and they will be bound by the Bill which I hope will become an Act. It is inherent in the Bill, the very tenet of which is to do exactly what is necessary and proportionate. We do not have either.
I appreciate the frank acknowledgement by the Minister of State. I am happy to consider section 55(c) which is about public consultation. The Minister of State referenced the statement the data protection officer might make. It would be useful for the public if the data protection officer did not simply say he or she was satisfied but if he or she were to indicate under the section in a published statement that he or she was satisfied in terms of necessity and proportionality specifically. If a Government amendment were to be introduced to that effect, I would be happy to withdraw mine. I imagine it would be really useful for the public if a specific reference to necessity and proportionality were part of the statement they were given from the data protection officer.
When one Department has information to share with another, can all Departments hold the information or does it go back to a register and will they have to apply again to obtain the information from the Department that supplied it originally?
No, there will be one base register. Every time information is shared between Department A and Department B, there will be an agreement. If it is being shared between Department A and Department C, there will be another agreement.
I move amendment No. 19:
In page 33, line 35, after “registry” to insert the following:“other than where that information may be sought or collected on the basis of direct consent of the person or data subject”.
This potentially is one of the more sinister aspects of the Bill and it would be a source of real concern if it was not amended. Under section 42, there is an obligation to use the base registry so that when personal data which has been gathered on individuals is in a base registry public bodies must go to the base registry. This effectively precludes public bodies from asking individuals for their data. I recognise that there are situations in which public bodies might be more appropriate where consent is not the appropriate legal basis, particularly in situations with vulnerable users. However, this does not simply state that there are certain circumstances under which a public body would go to the base registry and use that as the legal basis. This literally forbids public bodies from engaging in other ways with citizens and individuals in the public and there are many public bodies where that data is on a base registry. For example, someone cannot necessarily be asked what their address is. Many public bodies provide services that need to be done on a legislative basis and there are other cases in which consent is the appropriate mechanism. It may be the difference between being included in a Christmas raffle list as well as another list. At the moment somebody cannot be asked if they want to be in the Christmas raffle list as well as whatever else, their data has to just be taken from the base registry. The provision precludes public bodies from having the discretion to recognise that there are certain aspects of their business whereby asking people might be the appropriate route.
My amendment simply states "other than where that information may be sought or collected on the basis of direct consent of the person or data subject". I am simply introducing the option for a public body, in some of its dealings with people, to occasionally use consent. That is the key concern there. I recognise that there are certain situations or circumstances where it is not appropriate but this basically forbids the use of any other method or means of engagement. It must be borne in mind that there is not a right to be informed on this. If a person's name or address is in the base registry, he or she cannot be asked. If that person's name, age and address and any other information are in the base registry he or she cannot be asked for that information, it has to be taken. That seems to me to be excessively onerous on public bodies and to be an overreach.
I regard my amendment as excessively mild and I may revisit some issues on Report Stage. I have genuinely come into this on Committee Stage with what I thought were achievable and reasonable amendments. If progress does not come in any of these areas then I will come back with amendments for my ideal Bill and what it would look like. Right now, at a minimum, we should allow public bodies, in the circumstances where it is appropriate and consent is an option, to have the option of using consent. Part of that is the relationship that public bodies have with those clients and users of their services. Part of it is the iterative process such as in the case of people who are accessing the data of vulnerable people. Sometimes the dynamic of repeatedly asking questions is part of the relationship building that leads to the effective functioning of a public body and an effective delivery of a service. The Minister of State might indicate if he is willing to give that flexibility because I am worried that we are cutting the data subjects out completely from the operation of public services.
We are not cutting anyone out of it. There is nothing in the Bill that precludes the public body from engaging with the citizen. Public bodies are obliged to use the base registry as a source and as a result of that move on to the agreement. All of the safeguards I have referred to a while ago regarding lead agencies, base registries, all of the setting out of agreements, submissions, consultations are there for that purpose. There is not in any way an intention to abuse the data set.
The Senator referred to effectiveness and efficiencies. The flip side of that can be taken also in the delivery of the public service. It is more efficient to ask the question once. That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State. If it is an efficient use of the State's resources to have all of this data accessible once in a legally binding agreement which is supervised by the Data Commissioner, subject to audit, scrutinised by a data governance board, laid before the Oireachtas, open to public consultation and amenable to what we are already bound to by the general data protection regulations, GDPR, then it certainly is proportionate and is an efficient and effective use of the data set.
It must be borne in mind that this is already happening. We are trying to put a legal basis on it at the moment and what we are doing here is proportionate, reasonable and having clear regard to making sure that there are safeguards in place that are tested and can be tested.
Each individual thing that happens has a test of what is the appropriate way. Things will happen between citizens and public bodies, where consent is an appropriate mechanism. Right now the Bill states clearly that the public body shall not collect or use such information for that purpose from a source other than the designated base registry. That source includes the individual, the data subject. Public bodies are being precluded from seeking information from a data subject on the basis of consent. The Minister of State said consent can be inferred. It cannot. In many of the functions consent is not inferred and is not even relevant in the case of some functions of public bodies but there are other functions of public bodies where consent is relevant and is required under the GDPR.
The Minister of State is creating a tension because of the once-only principle he has described. It is in the Tallinn Declaration but the once-only principle has no legal status compared to the general data protection regulation. It is nice as an aspiration and it is there as a goal but do not let us pretend that this is the overarching principle which trumps every single other part of our law and of European law. We are getting excessive emphasis on it. On that basis there could be a base registry where people give their personal data once, they have one point of contact ever and then thousands of data sharing agreements are put in place and that individual does not have engagement with any part of the State again because all of the public bodies share data. There is a danger there. That is excessive. I understand that the Minister of State wants efficiencies and there is great scope for that but it needs to be balanced with transparency, appropriate checks and balances and the individual data subject's rights in engagement with the State. That balancing is skewed in this Bill at the moment. I have not said not to use this in any case. I am saying to allow public bodies to recognise that there are points whereby checking in again would be good because right now they are not even allowed to check in again if that information is on a base registry. That is a concern because they cannot provide transparency to citizens in that way at the moment. We could end up with a very distant State and set of operation of public bodies which is contrary to effective functioning and a sense of engagement.