The Data Protection Commission (“DPC”) issued guidance on data sharing in the public sector. The DPC noted its support for developing more efficient and customer-centric public services and sought to clarify the public sector obligations relating to processing personal data in the delivery of public services in a way which is lawful, fair and transparent.
The DPC states in its guidance that whilst data sharing can bring benefits in terms of efficient delivery of public services, it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.
The DPC recommends that all data sharing arrangements in the public sector should generally:
- Have a basis in primary legislation;
- Have a clear justification for each data sharing activity;
- Make clear to individuals that their data may be shared and for what purpose;
- Be proportionate in terms of their application and the objective(s) to be achieved;
- Share the minimum amount of data to achieve the stated public service objective;
- Have strict access and security controls; and
- Ensure secure disposal of shared data.
The DPC also welcomed the decision of the Court of Justice of the European Union (“CJEU”) in the case of Bara & Others (C-201/2014) noting the strong trend emanating from the CJEU in interpreting data protection law so as to enforce the protection of the rights of individuals in the context of public sector use of personal data. The Bara judgment highlighted a public sector data sharing arrangement and the importance of informing data subjects about the processing of their personal data, including sharing of that personal data. This is because it affects the exercising of data subject rights such as the right of access, rectification and/or objection to processing.
The DPC emphasised that from the outset, all processing of personal data must:
- comply with the principles of data protection (set out in Article 5 of the GDPR);
- have a legal basis to justify the processing (set out in Article 6 of the GDPR); and
- comply with the requirements to provide data subjects with information about that processing (under Articles 12-14 of the GDPR).
Additionally, where special categories of personal data are concerned, public sector bodies must also comply with the requirements set out in Article 9 of the GDPR.
Likewise, the processing of personal data by public sector bodies for law enforcement purposes and falling within the scope of the Law Enforcement Directive must comply with the similar obligations and requirements which are set out in Part 5 of the Data Protection Act 2018.
The DPC noted the recent passage of the Data Sharing and Governance Act 2019 (“the 2019 Act”) which aims to provide a generalised legal basis for sharing of data between public bodies as well as setting out further safeguards for this sharing to take place. The DPC notes that while public sector bodies should be aware of the requirements in the 2019 Act, they are in addition to the general principles of data protection law (as dealt with in the DPC guidance).
In undertaking a review of all current and future data sharing arrangements, the DPC states that public sector bodies should ensure that the best practice guidelines set out in their guidance note are considered and applied as appropriate.
The DPC’s guidance gives further information on lawfulness and legal basis, transparency, data minimisation, data access and security, data retention and governance. The full guidance note and recommendations can be accessed on the DPC website.