It is seldom that a piece of new law brings a level of anticipation, consternation, broad interest and (due to the ironically high amount of unrequested email correspondence it initially precipitated) public ire, but the GDPR is no ordinary new law. By comparison, the Data Protection Act 2018 (the “2018 Act”) (the Irish implementing legislation) received little fanfare despite the ‘twelfth hour’ nature of its passing by the Oireachtas.
Flying even further under the radar is the Data Sharing and Governance Bill 2018 (the “Bill”), which was published on 12 June by the Department of Public Expenditure and Reform and which forms part of the Government’s eGovernment Strategy 2017-2020.
The idea behind the Bill is to facilitate the more efficient use of data in the provision of public services, thereby reducing duplication of effort and cutting down on wasted time and money. This, in turn, will support better services for individuals and businesses and enhance policy implementation across the public service. The Bill has two main goals: to provide a legal basis for public bodies sharing data between each other (the “sharing”); but also to set down safeguards for the individuals whose data is being shared (the “governance”).
The Bill’s provisions include:
- Allowing for the sharing of personal data by public bodies for the performance of their lawful functions for specified purposes, including: identity verification; avoiding financial and administrative cost; establishing entitlement of a person to a service; facilitating administration of services; and allowing evaluation and analysis of service delivery.
- Requiring that the sharing be carried out in accordance with a “data sharing agreement” that must be in place before the sharing starts and that must address certain matters, including what data is to be shared and how it will be processed.
- Allowing the Minister for Public Expenditure and Reform to designate a “base registry” that must be used by public bodies as the authoritative source for the information contained in it.
- Issuing “Unique Business Identifier Numbers” to allow for datasets on individual businesses to be created and used in identifying a business across its interactions with public bodies.
- Provision for the creation of a “Personal Data Access Portal” to facilitate the exercise of rights of individuals under GDPR.
- Allowing for the creation of a “Data Governance Board” which will offer advice, monitor compliance and review existing arrangements, and granting the Minister power to issue legally binding standards, codes and guidelines on data management across the public service.
This Bill stands alone from the GDPR and the 2018 Act – it specifically states that “processing carried out in the public interest or in the exercise of official authority”, which is set down in the GDPR and the 2018 Act as a legal basis for processing, does not apply to data sharing in accordance with the Bill. This means a public body cannot merely rely on this general legal ground to share data with another public body. Instead, data sharing must only take place in accordance with the Bill – that is, unless allowed for by another law, it must be necessary for the performance of a function of one of the public bodies involved and be required for one of the purposes specified in the Bill.
There are also some differences between the Bill and the GDPR/the 2018 Act in terms of its application. Semi-state bodies and most schools are excluded from its application, and whilst the Bill extends to the data of deceased persons it does not extend to “special category” personal data (other than in respect of the provisions relating to administration of public service pension schemes). It also does not apply to data sharing for the purposes of criminal investigation or state security, being matters addressed by the 2018 Act.
Irrespective of the above, the Bill is likely to receive criticism for being weighted in favour of the interests of public bodies over the rights of the individual. The current balance is unsurprising given the approach which was taken to the application of administrative fines to public bodies under the 2018 Act; initially excluded from the provisions on fines, following criticism from the Data Protection Commission and others, in the end, the 2018 Act allowed for the imposition of fines on public bodies up to a limit of €1 million. In his submission to the Oireachtas committee considering the General Scheme of the Bill in May 2017, Dale Sunderland (Deputy Commissioner) said that, as it stood, the Scheme needed additional provisions underpinning the responsibilities of public sector bodies in carrying out adequate and robust data protection assessments and more clarity on governance and security arrangements. Other bodies, such as Castlebridge Associates and Digital Rights Ireland, also emphasised the need to focus more on data governance in preparing the legislation. It will be interesting to hear their feedback on the published Bill.
We all know the frustration of repeatedly providing the same information to public authorities and have all questioned why a more effective system cannot be implemented to ensure a more efficient use of the State’s resources (and our time). This Bill could be a significant step towards achieving that efficiency. This efficiency must, however, be balanced against our heightened awareness of our newly-strengthened rights over our personal data. Given the tension seen between the interests of the State and the individual during the passage of the Data Protection Act 2018 (not to mention the much criticised public services cards), the balance of “sharing” versus “governance” in this Bill, as it progresses towards becoming an act, will be one to watch.