The Office of the Data Protection Commissioner (DPC) has issued guidance on data sharing in the public sector, and has re-iterated the importance of informing the data subject about the processing of their personal data.
Following on from the recent case of Bara at the Court of Justice of the EU, the DPC recommends that all data sharing arrangements in the public sector should:
- have a basis in primary legislation;
- be made clear to individuals that their data may be shared and for what purpose;
- be proportionate in terms of their application and the objective to be achieved;
- have a clear justification for individual data sharing arrangements;
- share the minimum amount of data to achieve the stated public service objective;
- have strict access and security controls; and
- ensure secure disposal of shared data.
It is also advised that in circumstances where the public policy objective being pursued involves a data sharing arrangement without the data subject’s consent, an assessment should be made as to whether the likely benefits of the sharing justify the overriding of the individual’s data protection rights. Any exemptions contained in the Data Protection Acts which reduce fair processing provisions should be applied on a very narrow basis in order to protect and uphold the fundamental data rights of the individual.
The drafting of a data sharing and governance bill has been approved by the Irish Government and it is to be led by the Department of Public Expenditure and Reform. Case law is emanating from Europe on this topic, raising the profile of data protection among public sector bodies even further. Now is the time that public sector bodies should review their data sharing activities with other public bodies and be clear on data protection compliance and the potential effect the sharing would have on the individual involved.