Skip to main content
Normal View

Dáil Éireann debate -
Tuesday, 17 Nov 1987

Vol. 375 No. 4

Data Protection Bill, 1987: Second Stage.

I move: "That the Bill be now read a Second Time."

The object of the Bill is to give effect to the 1981 Council of Europe Data Protection Convention or — to give it its full title — the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. For that reason, it will be useful, by way of introduction, to describe briefly the developments which gave rise to the need for such a convention and also to refer to the legislative provision made in some other European countries to protect the privacy of individuals in respect of automated personal data kept about them.

In the early seventies large information systems had become computerised to such an extent that fears began to be expressed on an increasing scale about the threat to privacy that they could pose. The fears were not based primarily on the amount of the information stored in the systems. The real basis for the concern was the ease and speed with which computerised information could be collected, re-arranged, transferred and retrieved, and the fact that this information could include sensitive personal information and could be used for all kinds of purposes without the knowledge of the individuals to whom it related. Moreover, the ability to link computerised information systems gave rise to apprehension that the State would be in a position to have virtually instant access to all the information it held separately on each individual and, through file matching, to build up a comprehensive profile on every member of society. There were fears, too, that computerised personal information could more easily be stolen or copied or otherwise obtained improperly by those to whom it should not be disclosed.

The recognition that automated personal data was a potential threat led to the introduction of data protection legislation in a number of European countries. Sweden was the pioneer in 1973, followed since then by Austria, Denmark, France, the Federal Republic of Germany, Iceland, Luxembourg, Norway and the UK.

On the international plane, the OECD in 1980 published guidelines on the protection of privacy and transborder flows of personal data. The Council of Europe Data Protection Convention was opened for signature in 1981. Unlike the OECD guidelines, the Convention is a legally binding instrument. So far most member states of the Council of Europe have signed the Convention. Six have ratified it: Norway, Sweden, France, Spain, the Federal Republic of Germany and the UK. The guidelines were accepted, and the Convention signed, on behalf of this country in December 1986. We shall be in a position to ratify the Convention as soon as the Bill has been enacted and is in full operation. A number of other countries are also proceeding with legislation to enable them to do so.

As might be expected, all the legislative measures enacted by the countries which have ratified the Convention have certain features in common. They all give effect to the basic data protection principles set out in Chapter II of the Convention. These principles require that personal data shall be collected fairly and lawfully, be accurate, up to date and so on; that appropriate safeguards be provided for particularly sensitive personal data concerning racial origin, political opinions, religious or other beliefs, health or sexual life and criminal convictions; that appropriate security measures be taken for protecting the data; that the individual concerned should be able to establish the existence of personal data systems, to find out what data are kept about him or her, and to have the data rectified or erased if they have been processed in contravention of the principles.

However, the Convention allows exceptions to be included in the domestic law if they constitute a necessary measure in a democratic society in the interests of protecting State security, public safety, the monetary interests of the State or the supression of criminal offences; or of protecting the data subject or the rights and freedoms of others. It allows restrictions on the rights of access, rectification and erasure with respect to personal data used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the data subjects concerned. It also provides that national laws must provide a remedy and appropriate sanctions if there is any contravention of the data protection provisions.

The provisions to give effect to the Convention can take different forms, depending on the legal and constitutional system of the country concerned; and the laws or regulations adopted may be supplemented by voluntary codes of practice or codes of conduct. By and large there is a substantial correspondence between the main provisions of the legislation in force in each of the countries which have so far ratified the Convention.

In the present Bill, the "common core" or basic principles of data protection of the Convention are given effect to in sections 2 to 8 under the general heading of "Protection of Privacy of Individuals with regard to Personal Data." They include provisions relating to collection, processing, storage, access and dissemination of personal data.

Side-by-side with the basic principles, which guarantee to data subjects in all countries where the Convention is in force a certain minimum protection, the Convention contains special rules on transborder data flows. Particular importance is attached by the Convention to the free flow of information because the right to impart information and ideas without interference by public authority and regardless of frontiers is already guaranteed by article 10 of the Convention on Human Rights. Indeed, in those cases where the Data Protection Convention provides for the possibility of imposing restrictions on transborder data flows, it does so only to the minimum extent required for the protection of the rights of others, in particular, the right to respect for individual privacy.

The maintenance of unrestricted data flows is particularly important for our economy, especially in view of the establishment of the international financial services centre on the Custom House Docks site. This is because several European countries have legislation restricting the export of data for processing to countries which have less strict data protection laws or perhaps none at all. The absence of data protection legislation here could thus be a factor that international companies would take into account when deciding whether or not to establish a business here, particularly in the area of data processing. For this reason it is desirable that the Bill should be enacted and the Convention ratified as soon as possible.

All data protection legislation to date provides for a person or body to supervise the operation of the legislation and to enforce its provisions. The Convention does not specifically require the establishment of such an authority but, as a practical matter, it is difficult to see how any legislation can be fully effective unless there is some form of supervisory authority with power to see that its provisions are complied with and, where they are not, to take remedial action. In most of the countries concerned the supervising authority is independent of both the public and the private sector.

Section 9 of the Bill provides for appointment of a Data Protection Commissioner. He will be appointed by the Government and will be independent in the exercise of his functions. He will have power to enforce compliance with the provisions of the Act, either on his own initiative or on receipt of complaints from data subjects. To achieve this, he can issue "information notices", requiring persons to furnish him with information to enable him to perform his functions; "enforcement notices", requiring data controllers or processors to comply with specified provisions of the Act, and "prohibition notices", prohibiting the transfer of personal data abroad in certain circumstances. These notices, of course, are measures of last resort to be employed only if the persons concerned either refuse to behave properly or genuinely believe that the commissioner is wrong and that the matter should be determined by the Circuit Court on appeal. I see the commissioner more as a mediator and as someone who can play a useful role in helping those who keep personal data to bring their operating procedures into line with the Act. Because it is not possible to legislate for the specific data protection requirements of all the different areas concerned, he will also have the duty of encouraging the preparation and dissemination of codes of practice in those areas.

I have referred to the international dimension of the Bill and its importance in relation to transborder flows of personal data. The commissioner will have an important role in this area. Section 11 contains special provisions regarding transborder flows and for mutual assistance between contracting States. The commissioner, when considering whether to prohibit a proposed transfer to a place bound by the Convention, must have regard to article 12, which severely limits the powers of a contracting State to prohibit or restrict data flows to the territory of another contracting State. So far as a transfer to a non-contracting State is concerned, he must allow it unless he is of opinion that the transfer would be likely to lead to a contravention of the data protection principles set out in the Convention. In either case he must also consider whether the transfer would cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.

The commissioner will be the designated authority for the purposes of Chapter IV of the Convention which provides that contracting States will render each other mutual assistance in implementing the Convention. That chapter also sets out the obligations undertaken by parties towards one another, such as the rendering of assistance to data subjects abroad and the safeguards necessary as regards confidentiality in such circumstances.

Data protection laws differ in the type of the control exercised over those who keep automated personal data. In the earliest of these, for example, in Sweden and Norway, a licence from the controlling authority was necessary before anyone could establish a personal data register or file. That imposed a heavy burden on the data protection authority. In other countries universal registration was the norm and the problem of undue "bureaucracy" was met by having simplified forms of registration for small businesses or other activities which did not constitute any serious danger to individual privacy.

More recently, a less rigid approach has emerged. The trend is now towards a two-tier system, characterised by a requirement of registration for the large-scale controllers and processors — those whose activities are more likely to give rise to concern — and a simpler system of a self-regulatory kind for those whose keeping and use of personal data is limited in scope and poses no threat. We have sought to learn from the experience of other countries and to provide a system which would avoid unnecessary burdens on industry and small businesses and ensure that the commissioner would have adequate powers to see to it that the provisions of the law are complied with fully. Accordingly, the Bill proposes that, initially, only certain categories of data controllers will be required to register. These will be persons or organisations keeping the specially sensitive data I have referred to —data about racial origin, political opinion, health, sexual life, and so on — as well as organisations operating in the public sector and financial institutions and agencies concerned with credit references, debt collecting, direct mailing and direct marketing. All data processors, that is, those who provide computer bureau services, must also be registered. The requirement to register will therefore cover a wide area of activity, an area in relation to which the public can expect to have particular concerns in the matter of the protection of their privacy.

All other persons and bodies who keep automated personal data, while not required to register, will be equally bound by the general data protection provisions of the Bill. Complaints about contraventions by them of these provisions can be investigated by the commissioner in the same way as he can investigate smaller complaints about data controllers who have to register. His powers to enforce compliance with these provisions will also apply in the same way. The heavy administrative burdens involved in universal registration will thus be avoided and resources can be devoted to supervision and enforcement of data protection.

On the other hand, the Bill does not exclude the possibility of extending substantially the categories of data controllers who are required to register or, indeed, even the possibility of having universal registration if in some future situation it should appear to be desirable to do so. For the present and for the foreseeable future, however, it seems to me that the resources involved in universal registration would be more effectively employed in seeing that the data protection provisions are properly implemented. In particular, I see no reason for the registration of all those small businesses that to an ever increasing extent are making use of microcomputers for payroll and customer applications and that constitute no danger to individual privacy.

The commissioner will have power to refuse applications for registration, for example, where he is of opinion that the person applying for registration is likely to contravene any of the provisions of the Act. Where data controllers keep the specially sensitive kind of data I have mentioned, he must refuse registration unless he considers that they are providing, and will continue to provide, appropriate safeguards for protecting the privacy of the individuals concerned.

Section 19 spells out the effects of registration. First, it will be an offence for data processors and registrable data controllers to keep or process personal data without being registered. It will also be an offence for such data controllers to act contrary to the intentions expressed by them when applying for registration. For example, they may not keep personal data of a description other than that specified in the entry in the register, or keep or use such data for a purpose other than the purpose or purposes described in the entry. If the source from which the data is obtained is described in the entry, they may not obtain the data from any other source. Finally, they may not transfer data to a place outside the State, other than a place named or described in the entry.

I should like now to turn to some of the other provisions of the Bill, starting with the definitions in section 1. Some of the definitions, particularly of such key expressions as "personal data" and "processing" are of critical importance because it is essential to try to express them in terms which will still be valid even if technological change continues at its present rate. Otherwise the scope of the Bill would be broadened or restricted by the continuous developments in the field of data equipment. For this reason it has not been possible to avoid a fair degree of technicality in the definitions.

An example will indicate why. I think we all appreciate that the kind of automated personal data the Convention contemplates are data that are machine-readable and not readable in the ordinary sense. In other words, we are talking here of information that is recorded in a computer memory or floppy disc or magnetic tape and that can be made intelligible only by displaying it on the computer screen or on a printout. On this view, a definition of personal data as information in machine-readable form would seem to be adequate. But nowadays data equipment can record typed pages so that all typewritten information is now potentially machine-readable and under such a definition would come within the scope of the Bill. The Bill should apply only if and when typewritten information has been inputted into an automated system and that is the effect of the definitions of "data" and "processing" in section 1.

There is also an express exclusion in the definition of "processing" for an operation performed solely for the purpose of preparing the text of documents. The intention is to exclude the operation of word processors when being used simply for that purpose. A common example would be the despatch of a standard letter to many people where the names and addresses are kept on a word processor. Word processors are not excluded as such. Much word processing the is done on personal computers which are capable of automatically processing the personal data concerned. Once they are used for purposes other than the preparation of documents, their operation comes within the scope of the Bill.

It is clear from the definitions of "data" and "personal data" that the Bill's provisions do not extend to manual files or to companies or partnerships.

The main reason for excluding manual files is that automated personal information systems present problems of a particular kind for the protection of individual privacy. There is also the major administrative problem that including manual files in this legislation would involve, not least of which would be the substantial additional costs. As against this, it is sometimes argued that the easiest way to circumvent the Convention is to delete the automated data concerned and put it on a manual file. However, the Convention is concerned with the potential misuse of computerised data and the computer's inherent power to transmit and correlate huge quantities of informtion at very high speeds. Such considerations do not arise where data are collected or stored manually. Also, more and more data are being transferred to computers and it would not be an economic proposition for a business to reverse the trend towards automated information systems.

As regards the question of extending possible protection to legal persons or non-personal data, it seems to me that there is an essential difference between the privacy interests of natural persons and those of an artificial entity such as a corporations, though I appreciate that corporations too have trade secrecy and confidentiality interests that can be damaged. The exclusion of companies or other bodies is not to be taken as exempting them from the provisions relating to data controllers or processors if they qualify as such.

Section 1, apart from containing the definitions, also authorises Ministers to delegate responsibility for compliance with the provisions of the Bill to those civil servants in the various Departments who are primarily concerned with the personal data covered by the Bill. Additionally, the Minister for Defence can designate an officer of the Permanent Defence Force to be responsible for automated personal data relating to members of the Defence Force.

Finally, section 1 provides for the exclusion of certain personal data from the scope of the Bill. As allowed for by article 9 of the Convention, this exclusion covers personal data that in the opinion of the Minister for Justice or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State. The section also excludes personal data concerned only with the management of an individual's personal, family or household affairs or kept by him or her only for recreational purposes.

Sections 2 to 6 of the Bill are devoted specifically to the protection of the privacy of individuals with regard to personal data. Section 2 imposes on data controllers obligations relating to the collection, accuracy, adequacy, relevance, storage and security of personal data kept by them and prohibits the use or disclosure of the data in any manner incompatible with the purposes for which they are kept. The obligation relating to security is the only one applicable to data processors.

Sections 3 to 6 entitle individuals to establish the existence of automated personal data concerning them, to have access to such data and to have the data rectified or erased, where appropriate. These provisions correspond to the principles contained in article 8 of the convention and give individuals new rights in relation to personal data kept about them. The right of access is one of the most important safeguards of the rights of the individual data subject that is provided for in the Bill. It will prevail over any enactment or rule of law prohibiting or restricting disclosure of information or authorising the withholding of it, but power is given to the Minister for Justice to make regulations continuing any such prohibition, restriction or authorisation if he thinks that that should be done in the interests of the individuals concerned or any other individuals. An example that comes to mind is the provision in the Adoption Acts prohibiting the disclosure of information from the index kept for tracing the connection between the entries in the Adopted Children's Register and the corresponding entries in the register of births.

The right of access is restricted in the kind of circumstances that are envisaged by article 9 of the Convention. For example, the right of access may not be exercised in relation to personal data kept for the purpose of preventing, detecting or investigating crime if that purpose would thereby be prejudiced.

Section 7 is an important provision. It imposes on data controllers and data processors a duty of care to individuals in respect of whom they collect, process, keep, use or disclose personal data, that is, to the extent that the law of torts does not already impose such a duty. Under the present law, any damage resulting from a breach of the relevant provisions of the Bill could make the controller or processor liable in negligence, breach of confidence, defamation or breach of contract. This section provides a specific right to compensation to the extent that the law of torts does not already do so, for example, where it may not be possible to establish a sufficient relationship between a data processor and the individual concerned so as to give rise to a duty of care.

The final group of sections, entitled "Miscellaneous", includes a provision— section 21 — making it an offence for "hackers" and other persons to obtain personal data without authority and then to disclose the data. "Hacking"— the unauthorised accessing of a system — is not being made an offence per se. That would be outside the scope of this Bill and if the creation of such a specific offence were necessary it would be appropriate to a Bill dealing with computer crime.

The offence under section 21 will arise only where two conditions are satisfied — obtaining personal data without authority and its subsequent disclosure. The inclusion of such an offence in the present Bill is appropriate because of the other provisions it contains which are directed against unauthorised disclosure of personal information.

Section 22 deals with personal data kept or processed outside the State. Normally the Bill will have no application to such data but it will apply if the data, although processed abroad, are used or intended for use in the State.

Provision is made in section 23 for officers authorised by the commissioner to visit premises of data controllers and processors in certain circumstances and obtain any information necessary for the performance of the commissioner's functions.

Section 25 provides a right of appeal to the Circuit Court against decisions of the commissioner. An appeal may be brought to the High Court against a decision of the Circuit Court only on a point of law.

The commissioner is being given power by section 30 to prosecute offences under the Bill summarily. Here I should say that, in general, a failure or refusal by a data controller or data processor to comply with the data protection provisions will not be an offence. However, if the commissioner requests a data controller or a data processor to comply with an obligation under the Bill and he issues a notice requiring compliance, then any failure or refusal, without reasonable excuse, to comply with the requirement will be an offence. Of course, if an appeal is taken to the Circuit Court against such a requirement, the requirement need not be complied with while the appeal is being determined unless in circumstances of urgency for which special provision is made.

Section 34 provides that different provisions of the Bill may commence at different times. The idea is to bring into operation those provisions necessary to enable the Convention to be ratified as soon as possible after the Bill's enactment, while allowing sufficient time for persons and organisations to adapt to the data protection requirements and, if required to do so, to register. Some of the provisions need not be brought into operation until the people affected have had an opportunity to accommodate fully to the legislation. An example would be subsection (2) of section 6, which requires a person who rectifies or erases personal data pursuant to the Act to notify the rectification or erasure to anyone to whom the data were disclosed in the 12 months prior to the request for rectification. It would be unreasonable to expect this provision to apply until some time had elapsed after the commencement of the main provisions of the Act, so as to give controllers who do not keep records of disclosures an opportunity to arrange to do so.

As regards commencement, it is anticipated that a period of six months at least would be required between the passing of the legislation into law and the date when its main provisions would become operative. During that period, steps can be taken to ratify the Convention since it will not come into force for the State until three months after the instrument of ratification has been deposited on our behalf. The intention is that that date and the date of the commencement of the main provisions of the Bill should be the same.

To sum up then: the Bill is designed to provide adequate safeguards to individuals against any abuse of their privacy arising from the automatic processing of personal data concerning them. It does this without imposing any indue burdens on industry or the taxpayer and without unnecessarily restricting transborder flows of data, including flows of data to this country for processing from countries which have ratified the Convention.

There are other positive benefits. The Bill will encourage Government Departments and agencies and private sector companies to adopt better practices in the handling of personal data, such as keeping data up to date and not keeping data for longer than necessary. That should lead to greater efficiency in the use of information technology in both the public and private sectors.

The general principles of the Bill will commend themselves to all sides of the House but it is a technical Bill and there may be aspects which Deputies may wish to have clarified. If so, I shall endeavour to do so when replying or during Committee Stage. In any event, I shall give careful consideration before that Stage to any suggestions for amendment that may be made in the course of this debate.

I note that the provisions of this Bill are designed to protect the privacy of individuals with regard to automated personal data and to give effect in the State to the 1981 Council of Europe Data Protection Convention. Within the last decade or so technology has advanced in ways which are bewildering to the average layman. Yet, increasingly, it is having a direct effect on us all. Developments which until recently were in the realm of remote scientific theory are now of clear practical application. Every day that passes sees more and more business offices throughout the country replace people with new pieces of electronic equipment. It is common now for more and more office workers to operate what is known as the electronic office. Governments are performing an ever-increasing number of tasks with the use of information technology of some kind or another. Wherever we look its impact can be seen. Clearly it is here to stay.

It cannot be denied that the advances made in technology have brought our society many benefits and I am sure that further advances in the future will bring many more benefits. However, along with those benefits come also disadvantages and dangers. Above all, developments in information technology have revealed how easily and rapidly information can be manipulated, collated, transferred and retrieved. That information may include sensitive personal information. Therefore, it is understandable that all of this has led to a certain unease among the public. There is some anxiety that personal information is collected about all of us, unknown to us, stored in data banks by unknown sources and used for all sorts of purposes of which we are unaware. The level of concern as to the extent of abuse in this area may be unfounded. Therefore, the important thing is for those of us charged with responsibility of legislating to eliminate this concern which otherwise might grow into a real impediment to the future use of technology.

As the Minister has said, the Bill now before us deals with an intrinsically difficult subject, one with which not too many Members of this House will be familiar. I am sure the Minister will appreciate that fact. I sincerely hope that when replying to the Second Stage debate he will endeavour to answer the many questions which will arise from Members' contributions.

I should also like to ask the Minister if he will allow adequate time between completion of Second Stage and Committee Stage for those of us on this side of the House to consider amendments if we feel they are necessary to improve the provisions of the Bill from the point of view of protecting both the individual and the business community.

I will, certainly.

The Minister might also consider referring the Bill to a Select Committee for Committee Stage consideration. I have always felt that to be the correct procedure for dealing with this type of legislation.

The joint aim of protecting the citizen while actively encouraging use of the computer has been shared by many Governments throughout Europe. Ultimately this aim led to the Council of Europe Data Protection Convention which was open for signature in 1981 and which I understand cannot be ratified by us until we have passed the relevant legislation.

The Minister pointed out also that the OECD have been active in this area, producing a set of guidelines governing the protection of privacy and transborder flows of personal data. It should be remembered that business depends more and more on the free flow of data, often personal data, between countries. This free flow of information must continue if business is to flourish. At the same time, however, the threat to the individual becomes potentially greater when data are used not only at home but in other countries and in circumstances over which the subject, and often the person passing on the information, has little control.

In recognition of this, the European Convention on Data Protection confirms the right of countries which have produced data protection safeguards to restrict the flow of personal data to other countries which do not offer comparable protection. I sincerely hope that the ratification of the European Convention will reassure people in this country that, when computers are used for the storage and use of personal data, there are special safeguards for individual privacy which are well up to the international standard.

For all of the reasons I have outlined I accept in principle the need for this type of legislation and can state that the Fine Gael Party will not oppose this Bill on Second Stage. There are, however, a number of points that need to be clarified in relation to the Bill and I would like to deal with some of these now.

From my reading of it, the Bill does not apply to those people who keep personal information in manual form only. The Minister in his contribution stated that as a fact. This is so despite the fact that personal information stored in manual files may pose a threat to the privacy of the individual. The European Convention requires signatories to apply the provisions to personal data only which are processed automatically, although it leaves open the possibility of extending its provisions to manually processed data in any State which so wishes.

A great deal of personal information is not computerised and individuals will have no right of access to it even though Article 3 of the Convention enables any subscribing country to enforce access to such manually compiled information. Surely this provision was not put into the Convention idly but to enable any willing Government to do so if they so wished. As a result, many important files will be withheld from people who would like to learn what is in them. Organisations could even be impelled, in order to escape the legislation, to withhold or remove from their computers information they would rather not disclose.

I would be afraid — and similar fears were expressed in Great Britain when their legislation was being passed — that we might have some movement away from computerisation back to the manually held file. There is a possibility that in certain circumstances people who do not want to be put into the position that they have to register or disclose information will move away from computerisation and back to the manually controlled file. I do not think that would be a very good thing. For that reason I ask the Minister to reconsider whether he should include information on manually controlled files and perhaps he could tell us exactly why he and the Government decided not to include it in the first place.

The Bill is supposed to entitle individuals to establish the existence of automated personal data kept in relation to them, to have access to the data, with some exceptions, and to have inaccurate data rectified or erased. While these are very worthwhile objectives, I fail to see how they can be achieved when only certain categories of persons and bodies who keep personal data will be required to register with the Commissioner. For example, people who keep particularly sensitive data on political opinions, health, criminal convictions, etc., the public sector and financial institutions are all referred to in section 16 and the Third Schedule to the Bill.

How will a data subject, as he is referred to in section 16 of the Bill, become aware of people outside those specified in section 16 of the Bill who keep automated personal data? How am I to know who keeps information on me if there is no insistence that a person, individual or company must register? While section 2 of the Bill imposes various obligations on persons who keep automated personal data, for example, the data must be accurate, be kept for lawful purposes, not be disclosed in any manner incompatible with those purposes and be protected by adequate security measures, it will be practically impossible to enforce the legislation when registration is not required for everybody. Are we not putting unreasonable obligations, which are not readily enforceable, on small traders and businessmen who are data controllers if the policing of these obligations is not possible? I read the Bill a few times and I cannot see how a commissioner can enforce the provisions contained in section 2 of the Bill if a person is not registered and nobody knows about him. Are they going to do it on a voluntary basis?

Section 1 (4) states that the Bill does not apply to personal data kept for State security purposes, or kept by an individual for recreational purposes etc. Can the Minister say what exactly is meant by "recreational purposes"? Does it mean a sporting club which has a list of members on a small computer? I am concerned that "personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State" is not included in the Bill. I do not question the Minister's integrity but this gives the Ministers referred to very wide powers when they alone can decide the meaning of "the purpose of safeguarding the security of the State". Should there not be some court of appeal? One Minister may decide that the release of some information could come within the definition I have just stated and others may differ. I understand the reasons for it but it strikes me that it gives Ministers excessive power in this area.

I would like to turn to section 4 of the Bill which deals with the right of access of a data subject to personal data about him or her, save in certain circumstances. I could not find any reference in this section to the position of minors. What happens, for argument's sake, if a person wishes to ascertain information from, say, a doctor or a hospital concerning the health of his two year old child? It would appear that a doctor is not entitled to give this information as the Bill stands at present. If a minor or somebody who is mentally handicapped cannot seek the data, who can get that information on that person's behalf? Perhaps the Minister could touch on this point when he is replying.

I would like the Minister to expand on section 4 (8) (a). What happens when somebody applies to a doctor for information relating to his physical or mental health and the doctor feels that it is not to his benefit that he should receive the information? Must the doctor then apply to the Minister to make a regulation so as to protect him for non-disclosure of the personal data? This would appear to be a very cumbersome way of dealing with such a problem and I ask the Minister to clarify it.

The Explanatory Memorandum covering section 4 of the Bill state: "A data controller need not comply with a request for access if he is not satisfied about the identity of the individual making the request or has not been given enough information to enable the data to be traced." That gives a data controller discretion but who is to decide whether the data controller is not satisfied about the identity of the individual making the request? Can he just say: "No, I am not satisfied"? I would like the Minister to clarify this.

I would like to turn to the appointment of the data protection commissioner. I note from the Second Schedule the conditions relating to the appointment of the commissioner and that the Minister may appoint to be members of the staff of the commissioner such number of persons that may be determined from time to time by the Minister with the consent of the Minister for Finance. I am quite fearful that because of the scope of this Bill, a very large bureaucracy could be built up at enormous expense to the taxpayer. Every effort should be made to ensure that the exercise is self financing. The fees paid by those data subjects requiring information on themselves together with the fees to be paid by data controllers, who benefit from the use of this technology, should meet as far as possible the cost of the commissioner and his staff and indeed the running costs of his office. It is reasonable to expect that the industry itself together with those seeking information should carry the cost. The experience in the United Kingdom since the introduction of similar legislation in 1984 would suggest that the commissioner referred to in this Bill will be faced with considerable problems in trying to operate under the conditions laid down in the Bill. There is a real fear that this legislation could become a non event. All in all, we could be involved in considerable expenditure of time and effort which would briefly give rise to seminars, with consultants cashing in and then fading away.

Section 11 empowers the data protection commissioner, subject to the provisions of the section to prohibit the transfer of personal data from the State to a place outside the State. The Minister will forgive me if I am displaying a total lack of knowledge of technology when I say I cannot for the life of me understand how it is proposed to police the transfer of information from this State to a place outside the State. Surely the daily advances in technology suggest that the commissioner will have no possible way of ever discovering what information — personal data — is being passed from this State to some other part of the world. This adds to my fears that the legislation, despite all its good intentions, will be seen within a very short period to be incapable of implementation because of the looseness of many of its provisions.

The explanatory memorandum states:

Section 13 requires the Commissioner to encourage the preparation of codes of practice by bodies representing data controllers or data processors and the dissemination of any such codes that he may approve of.

This would appear to be a very worthwhile aspiration but I fail to see why something that is only an aspiration is included in the Bill. In the explanatory memorandum, too, we find the following:

Section 16 (1) lists those persons — every data processor and certain data controllers — who are required to register. The data controllers concerned are: (a) those keeping personal data relating to racial origin, political opinions, religious or other beliefs, health, sexual life or criminal convictions; (b) those in the public sector, as listed in the Third Schedule; (c) financial institutions and agencies dealing with credit references, debt collecting, direct marketing and direct mailing; and (d) such other categories as may be prescribed by the Commissioner with the consent of the Minister for Justice.

I wish to address some questions to the Minister on this section. What exactly is meant by, "data controllers who keep personal data relating to political opinions"? Does it mean, for argument sake, that political parties who keep a register of their members will be required to register? In relation to religious or other beliefs would it entail that churches who keep a register for the purpose, perhaps, of collecting funds would have to register? As it is stated in the Bill it is not exactly clear what is meant. I am taking the Minister up on his generous offer to answer the various questions when replying.

You are welcome.

With regard to personal data on mental or physical health and sexual life does this mean that doctors who have their records on computer must register?

Section 19 (1) states:

A data controller to whom section 16 of this Act applies shall not keep personal data unless there is for the time being an entry in the register in respect of him.

I am at a loss to understand why this group of data controllers cannot keep any other information and comply with section 2 of the Bill, unless they are registered. It would appear that a data controller who keeps information as set out in section 16, and for this very reason must register, cannot, under section 19, keep any other information. I may be wrong but that is my interpretation of the section. I am at a loss to understand why this group of data controllers have been singled out.

Section 19 (2) states:

A data controller in respect of whom there is an entry in the register shall not—

(a) keep personal data of any description other than that specified in the entry,

This would appear to be rather severe because as I understand it, even though the data controller complies with section 16, he cannot do as any other data controller can do who is not covered by section 16, provided he complies with the provisions of section 2. Perhaps I am misreading the situation, but I would welcome the Minister's observations on that point.

The Explanatory Memorandum states:

Section 21 makes it an offence for a person to obtain personal data without the prior authority of the data controller or processor concerned (by "hacking" or otherwise) and disclose it to another person. To constitute the offence there must not only be unauthorised access to the data but a subsequent disclosure.

Surely it should be an offence to have unauthorised access? Why should it be an offence only if you subsequently disclose the unauthorised data? The Explanatory Memorandum continues:

The section does not apply to an employee or agent of the data controller or data processor concerned: unauthorised disclosure by an employee or agent of a data processor or of a data controller who is registered is an offence under section 19. Disclosures by unregistered data controllers or their employees or agents in breach of section 2 (1) (c) (ii) do not constitute an offence but may be made the subject of an enforcement notice.

Again I would like to know why it is not an offence in those circumstances?

Those are the points I wish to raise on Second Stage. I believe that the Houses of the Oireachtas should not pass legislation which it feels cannot be enforced after the enactment of the legislation. I feel that the Bill as it stands at present has many provisions which cannot be policed adequately to ensure they are implemented. For that reason I request the Minister to seriously reconsider some aspects of this legislation before proceeding with the Bill on Committee Stage. Data protection legislation was put in place in the UK nearly four years ago. We should take time to see how this Bill has worked, if it has worked, and learn from mistakes if there are any. I look forward to the Minister's reply and I hope we will have adequate time to deal with this matter on Committee Stage.

This Bill is designed to give effect to the terms of the Council of Europe Data Protection Convention of 1981. The Progressive Democrats were among the first to call for such legislation. We were, I believe, the only party in the last general election to call for such proposals in the manifesto we put forward in that election.

It is important to note the background to this legislation. Under Article 12 of the Convention countries who are party to the Convention can prevent the free flow of data to countries which are not party to it. We, in particular, cannot afford the consequential trading disadvantages of being excluded from this free market of data. As the Minister said, the international services centre proposed for the Custom House Docks site would not be successful if it were in any way hindered by the lack of this kind of legislation. Many companies, particularly financial companies, would not be prepared to locate in a country that did not have access to the free flow of data that can be available as a result of ratifying this Convention.

The Convention was prompted by growing concerns about the threat to personal privacy posed by the increasing use of computers. The computer user may have stored incorrect data or may have amassed more data than is necessary or data of a kind that should not be stored and might indeed have exchanged such information with other computer users. These concerns were linked to the absence of any right on the part of individuals to know what was stored about them. This could intrude on personal privacy in all sorts of ways. Individuals might be refused credit or denied a job interview on the basis of information which was stored about them and which very often they might not have even known about. We have been very slow to protect the privacy of our citizens. The Constitution does not include, in the fundamental rights section, any right to privacy. Although the courts have been to the foreground in ensuring that our citizens have privacy and have their privacy protected, the Constitution should give citizens that protection. Many of our citizens have had to take cases to court in order to ensure that their right to privacy is protected.

On a more trivial level people have found themselves on mailing lists getting junk mail that they do not wish to receive. We are not as frequent users of this junk mail as are people in other parts of the world. For example, in the United States when somebody has a baby they immediately get a letter congratulating them. When the child is two years old they are told that the child should have a cardigan and when he is four and is about to go to school they are told it would be a good idea if he had X, Y or Z. While there are business and trade advantages to having that information so freely available it infringes on the rights of citizens. People should have the right to know who stores information about them and to have that information removed if they do not wish to be included in these kinds of marketing or mailing lists.

This Bill will give people some redress by ensuring that persons holding data are required to register with the data protection commissioner. I agree with Deputy Barrett that all computer users should be required to so register. How is any citizen expected to establish, firstly, who is storing information and, secondly, whether they are storing information about the person in question?

It is important in the context of this legislation — in this regard I would differ to some degree with Deputy Barrett — that the commissioner have sufficient funds available to him. I accept that if the system can be worked on a self-financing basis that is all the better but if not public servants from the existing Departments of State should be deployed to his office to make sure that this is not just another Office holder without the resources to carry out his job. In the next few months we will see that the Ombudsman will be such an officer — he will hold the Office but unfortunately will not have the resources to allow him to do his job properly. If we are to get the balance right in this legislation between helping trade and business, particularly in the financial services area, and protecting the rights of our citizens, in particular the right to privacy, that commissioner will have to have adequate resources available to him or her. Obviously the Government will appoint such a commissioner. How long will he be appointed for, what kind of resources will be available to him and what kind of cost will be involved for companies who will have to register?

In this Bill data is defined as information undergoing automatic processing. Thus, as others have said, information stored in manual files is excluded. If we were really concerned about protecting the privacy of individuals rather than the trade advantages in this legislation, obviously we would not exclude information that is stored in manual form. I realise that would pose difficulties, that would be bureaucratic, cumbersome and expensive but to ignore the principle of moving in that direction is dangerous and would be allowing the rights of citizens to take second place to the technological or financial rewards of having this kind of legislation. It may be the case that certain information on individuals which is currently in computer form may be transferred to manual records simply to avoid having to give out the information.

It is not clear why word processing is exempted in the definition of processing. While it is desirable that computer users should not be subject to unnecessary regulation any process which has as its end result the production of a document should not be exempt from the Act, otherwise the Act would not have much impact. The definition section needs to be changed.

We also need some explanation in relation to data controllers. It may be the case that although somebody is referred to as the data controller, he or she may not have any control over the data that is held in computer form. I would like the Minister to elaborate a little more on that matter. In relation to companies in particular will one person be the data controller even though that person might not have any control over what is held in computer form in relation to individuals?

The definition section will cause difficulties for partnerships. Under the Partnership Act, 1890, partnerships are not legal persons. Therefore, must each partner register if the firm uses data? This raises the prospect of large registration costs for solicitors and accountants' firms and so on. This Act should be amended to allow single registration for partnerships.

I am sure universities and institutions involved in examinations will intensely dislike these provisions but I welcome the fact that students will be able to have access to their exact marks as opposed to the grades they have been getting for the last few years. However, I recognise that it will cause difficulties and probably long delays. In relation to intermediate and leaving certificate results, for example, the exact results need not be given for up to two months after their publication. That is an undue delay and results from the fact that we are archaic in the way we organise matters within the Departments and in the methods of holding data. If we had a much more improved marking and filing system within Government Departments that would not arise.

The exemption provision in section 1 (4) does not appear to be sufficiently wide. For example, there should be an exemption in favour of members' clubs and other unincorporated bodies. As matters stand, golf clubs and political parties will have to register if they keep data of members on computer lists. That is probably an unnecessary inclusion in the Bill.

There have been examples of Ministers doing extraordinary things in the interest of State security and I do not refer to the present Minister in that regard. To leave such a decision in the hands of two members of Government is not desirable and I would like to see greater safeguards in that area, perhaps the involvement of a member of the Judiciary. In recent years certain matters that had nothing whatever to do with State security were justified in the interest of State security. The exemptions in this area are too wide and are too open to political interference.

Section 7 imposes a duty of care on data controllers and data processors but there is no mention of the extent of that duty of care. If the data controller, for example, negligently discloses information about an individual to an unauthorised user, can the information or the individual in question take an action to recover for physical loss, for economic loss or for any particular shock or upset that has been caused? That is not made clear by the provisions of the Bill.

In relation to other exemptions, State security and tax matters, there are many of us who would like to have access not only to our own tax affairs but also the tax affairs of others to see why it is that some people pay so little. I wonder is it really necessary to go to the lengths we have gone to in this Bill to exempt so many people from having access to affairs about themselves? Is that really necessary? I would suggest that in relation to some individuals it would not at all be necessary to go to such lengths to exclude them.

Deputy Barrett referred to the fact that all bodies are not obliged to register and I agree with what he said about that. It would be impossible to enforce the provisions of this Bill if all computer users are not at least obliged to register. It is not that I want to impose heavy costs particularly on small companies but I believe it will not be possible for the commissioner to enforce many of the provisions of this Bill if all computer users are not registered on an annual basis giving details of what precise details they have collected in this form and for what use they are held.

Also, in relation to the passing on of information, the Bill does not make it clear as to the use for which this may be done. While it may be collected and stored by one body for one reason, passed on to another body or group, it can be used for very different reasons indeed. We all know that sometimes when one signs on for a particular product one ends up signing on for all kinds of things and getting information and letters about things which one has not sought information about and would not wish to subscribe to. There is a lot of exchange of data base between companies in very different fields. What worries me is that the passing on of information which is held or registered for a particular use may have a different use when passed on and this is not covered under the provisions of this Bill.

I will end by saying that this Bill will be supported by the Progressive Democrats. We will be putting down some amendments on Committee Stage. I would have preferred the balance to be a little bit more in favour of the individual. We have gone a long way down the road to helping the development of trade and commerce by bringing forward this legislation but we have not gone as far as we might have to protect the legitimate rights of individuals. It should be easier for people to establish whether data are held by somebody about them without having to pay the fee. We all become data subjects and it is up to the subject to pay the fee. That is not reasonable. It would be preferable if people were entitled to get some basic information themselves without having to pay a fee to find out what information is being held by somebody else about them.

I am particularly glad to have an opportunity to speak on this Bill. I commend the Minister for bringing it forward. It is very technical but it is long overdue because we have had the use of computers for quite a number of years and this is the first legislation to regulate their use here.

The legislation has been prompted by the Data Protection Convention in 1981. Ireland has signed this convention but has not ratified it. I understand that a number of other countries, Spain, France and West Germany so far have ratified it. The UK, Denmark and Luxembourg have national legislation put forward but have not yet ratified the Convention as far as I am aware. This Bill purports to give effect to the Convention.

An attempt was made previously in the Seanad by Senator Brendan Ryan when he brought forward the Freedom of information Bill in 1985. Part of that Bill had relevance to this legislation and to the Convention. This Bill was referred to the Oireachtas Joint Committee on Legislation but no report was ever forthcoming which brings to mind what Deputy Barrett had to say about putting this before a joint committee. If we did that, would a report come forward or would that just delay the passing of a Bill which, as the Minister rightly pointed out, will be very relevant to the happenings down on the docks in Dublin?

I come back to the Freedom of Information Bill brought forward by Senator Ryan in 1985, it had two flaws. It had no provision for a system, of regulation or registration whereas this Bill does. Also, there were no security measures against third party access or alteration to files. The 1981 Convention is to prevent the misuse of information and the use of misinformation on computers. It goes right to the heart of an individual's right to privacy. The individual's right to privacy was discussed at great length in two famous cases in the Republic, McGee v. Attorney General and Norris v. Attorney General. The definition of privacy is sometimes defined as the intrusion upon a person's seclusion or solitude or into his private affairs. Indeed I think Mr. Justice Henchy in the Norris case referred to the right to privacy as the right to be left alone.

This Bill is yet another attempt to protect against the intrusion of the computers on the person's right to privacy. I was looking at a programme on television recently which illustrated that information is quite readily available to the general public. In fact, the interviewer on the programme took a number of people into the studio, put up a computer and showed them very personal details; they were astounded to find that the computer contained quite personal details about them. This Bill will, hopefully, help to change that. To come back to the individual's right to privacy, sometimes this is absolute but on other occasions it should be contravened in the interests of the public good and there are safeguards in this Bill to take care of that.

This Bill is also important for foreign trade. We have the Customs House Docks site and all that goes with it, and some foreign companies might be reluctant to come into that if we did not have this legislation in being. So the sooner it gets on the Statute Book the better.

The Convention laid down principles which are basically that personal data must be accurate, it must be kept up-to-date, it must be relevant, it must be obtained lawfully and it must be capable of rectification or change and secure against unauthorised access and distribution. However, Article 9 of the Convention allows States to enter derogations on the basis of protection of State security, public safety, etc.

Deputy Barrett mentioned that manual data are not included. I was reading the report of the debate in the House of Commons on the UK legislation and this matter was discussed at length and there was quite a strong lobby to have the manual aspect included in the legislation. I appreciate the Convention refers only to automatic processing but I would ask the Minister to have a look at some data protection legislation in relation to manual files at a future date.

Deputy Harney mentioned direct mailing and it is very important. It is contained in section 2 (6) which is in line with the recommendation of the committee of Ministers on this subject. We all get direct mail to our houses every day of the week. It is becoming all too frequent. In America it has gone beyond the beyonds. It is important to have safeguards to prevent us being bombarded in our homes by this type of hard sell. The Bill provides safeguards in this regard and goes even further than the recommendations of the committee of European Ministers who discussed this matter. In their recommendation, there was no right of erasure, whereas in our Bill there is. I compliment the Minister on putting that in. There are a number of matters in the UK legislation to which I would like to draw the Minister's attention.

In section 7 of the Bill before us there are very specific points in relation to the duty of care and to compensation provisions. Perhaps there should be a better look at this section and a broader section inserted to include all aspects of compensation in relation to inaccurate information. Section 8 (f) states: "....made to the data subject concerned or to a person acting on his behalf." Could that lead to a legal minefield? Perhaps that should be elaborated on a little more to show how there is a connection between the data subject and the person acting on his behalf.

In relation to section 10 I am not very clear about one matter. I find slight difficulty in the fact that the Commissioner may have grave difficulty in policing all that is going on, particularly in relation to the trans-border transfer of data. If a complaint is made by a person, has the Commissioner a statutory right to intervene? If he has, perhaps he will get bogged down in many complaints, some frivolous — although I know that there is a subsection in relation to frivolous complaints.

Section 16 (1) (c) includes data controllers and debt collecting agencies. I am wondering if that would include the legal profession who do quite a deal of debt collection. Would they have to register under this legislation? I am glad that registration would appear not to include small businesses. The very fact that somebody goes on to a computer shows that he is trying to be efficient in his business; yet if he gets a computer he may have to register and may be subject to regulations, as against somebody whose business remains manual and who does not have to register and go through all the red tape.

Deputy Harney, in response to the Minister, mentioned that there are quite a number of activities which should be exempt, such as the amendment of text and of documents and the drafting of letters to different recipients. I understood the Minister to say these are exempt and if that is the case, it is to be welcomed. In my own experience word processors, in particular, are used as glorified typewriters and not for the purpose for which they were intended. I am glad on that basis that word processors are exempt. I wonder, if this Bill conforms to the Convention, who is the overseer? Who will make the decision with regard to whether or not matters are in conformity with the Convention?

I do not see any provision for people to be told when information on them is being held back. Perhaps the Minister might deal with that point. Basically, I welcome the Bill and am glad there appears to be all-party support for it. I suggest that on Committee Stage an effort should be made to amend a number of aspects about which Deputies are not happy.

I am glad of the opportunity to comment at this stage on this very important legislation, important primarily because it hinges in a very real sense on an aspect of personal liberty, the right to be protected from the collection of information, its wrongful use and dissemination and the right to know what information is being retained. Nonetheless, it is regrettable that the agenda of this House, legislatively, seems to be dictated almost entirely by events which occur outside our jurisdiction. It is, within a week, the second piece of legislation the origins of which are to be found directly in outside events and motivations. Last week we discussed the Bill relating to the enforcement before our courts of judgments made in European countries. At other times we had legislation, particularly related to industrial labour laws. Such legislation always seems to have been promoted and, indeed, pushed upon us by events abroad.

The problem here is perhaps not as accentuated in respect of this Bill as in respect of the Bill which we discussed earlier on the enforcement of European court judgments because at least while we are heavily relying upon a Convention — in this instance a Convention of 1981 — we are still at a stage where as a Government we have not ratified that Convention and there are many opportunities in the context of the Convention itself available to us as a party to it to extend, to make reservations, to derogate, or to seek to negotiate exceptions for us. That is exceptionally important.

With regard to the last Bill discussed, we were in a position where the Convention was already ratified and on the stocks and not available for comment in this House because it was already passed and not open to our review. Therefore I am suggesting at this stage that the Minister should move with caution with this Bill as he seeks to advance it further through the Houses. In particular, it is important that its provisions and their implications are made known as widely as possible through the community, to consumers, members of the public generally, social reformers — because there are contained in the Bill, very important restrictions on the right of access in the whole area of prisons, for example — and to industry generally so that they are all made aware of what is contemplated in the legislation and that we shall have as wide as possible a contribution from the public at large in regard to the legislation.

Because of the short time the Bill has been on the stocks, being contemplated in December of last year, there has not been an opportunity for people to respond generally to it. I hope that, before we have finished with this Bill, there will have been a fairly reasoned and wide-ranging discussion within the community as to its importance, its implications and its impact.

It is a fact that, for example, the Irish Council for Civil Liberties have for a long number of years now contemplated legislation in this area and have campaigned for it. In 1978, they promoted a report entitled "An Act Requiring Open Meetings of Public Bodies and Freedom of Information Bill" but that is not directly on all fours with the Bill which is currently being promoted through the House by the Minister. A corollary to the question of storage of information and access to it is the right to freedom of information by private individuals and this was contemplated and promoted as far back as 1978 by the Irish Council for Civil Liberties. I would like to see that body and other bodies concentrating on this Bill for the moment.

It is a matter of concern that the primary motivation in introducing this Bill, which was highlighted in the Minister's opening statement, is to facilitate the development of industry. I hope that all of us are aware that there are many other interests and motivations behind the introduction of this legislation. It is regrettable that we are singularly responding to a Convention and are not meeting our obligations internationally by introducing comprehensive legislation, to deal with the freedom of information, access to it and the right of privacy. It is a shame for our Governments over the years that there is not on the Statute Book comprehensive legislation to deal with these intrinsically related areas.

The Minister indicated that as far back as 1973 Sweden dealt fully with this matter and that countries such as Luxembourg and Iceland have managed in the intervening period to bring their legislation up to date in order to deal comprehensively with these issues. Unfortunately, this country lags very far behind in the development of law and seems to be prompted, as I have said, by forces exterior to our own Parliament and by the narrow interests of bringing our legislation up to date so that we do not run foul of legislative requirements in the area of business development. That seems to be the primary motivator.

Having said all that, it is appropriate to say that The Workers' Party welcome in a guarded way the publication of this Bill and its promotion by the Minister in this House today. In a limited way it will advance the law in this area and, therefore, it must be supported in this House. We will be doing so even though we will be casting a very critical eye on it on Committee Stage. This Bill must be recognised as a singular achievement and advancement in this area. It is the first small step into the body of law dealing with the area of freedom of information, access to it and the protection of the individual in regard to the assembly of information. This area should have been looked at long before now and it was overlooked entirely in the drafting of our Constitution in 1937. It is an area which should have been dealt with under Articles 40 to 44 of the Constitution.

I have called for the widest possible discussion on the implications of this Bill and I would like the Minister to tell us in reply to this debate to what extent the Government intend to highlight the provisions and implications of this Bill. Last week I watched a programme on television which was sponsored by a consumer rights body which dealt with the comparative legislation in the United Kingdom. Members of the public were invited to write in for an information booklet. This I have already done but, as yet, I have not received a reply. I hope it will be as comprehensive as the Minister's introduction.

I have a copy here.

Obviously, Deputy Barrett was ahead of me. However, the most important thing is that the British Government have acted to make sure that the members of the public are aware of the implications of the legislation for them. Very important protections have been introduced for the first time in a society which is rapidly running ahead of itself in terms of computerisation and it is essential that the members of the public are made fully aware of the implications of that legislation. I would like the Minister to tell us whether he has any plans or proposals in regard to either copying or advancing on what has been done in the United Kingdom.

It would seem that the Data Protection Commissioner to be appointed under this Bill will, unfortunately, and some would say sadly, play a role similar or parallel to that of the Ombudsman. He will act as an overseer of operations which are very closely aligned to bureaucracy. Limited penal powers will be available to him to police his area of activity. He or she will sit in an office somewhere in this city and will try to grapple with this very cumbersome legislation. We on this side of the House are disappointed with the way in which the Office of the Ombudsman has been treated in the recent past and we seek assurances from the Minister that when the office of the Data Protection Commissioner is established he or she will not be subjected to the same treatment which the Office of the Ombudsman has been subjected to over the past few months, as a result of which Mr. Mills after a short period in office is so inundated with work and so bereft of resources that he cannot carry out his duties effectively and I can see the same situation arising very quickly in the parallel Office of the Data Protection Commissioner.

I seek assurances from the Minister that the Government will ensure that once the Office of the Data Protection Commissioner has been established adequate resources will be made available to it which will be reviewed upwards irrespective of what other decisions may be taken by the Department of Finance in regard to manning. As in the case of the Ombudsman, the role of the Data Protection Commissioner will be critical to the working of this legislation. If he or she is not given the resources to carry out their role this Bill will be unworkable.

It is important to recognise that the Government and the drafters of the Convention are seeking to draw a balance between the development of computer assembled information on the one hand and the protection of the individual against abuse of that information on the other. The main function of the Bill is to establish the Office of Data Protection Commissioner and that person will be charged with maintaining a register, to ensure that that register is adhered to and that those who seek registration on it will comply with the law. What is disappointing is that this legislation does not seek to introduce into our corpus of law declarations of positive right. The main intention of this Bill is to set up bureaucratic structures which seek to impose upon the data controller or processor duties and obligations which will be mostly policed by the civil law of tort, and under section 16 of the Bill penalties are outlined for the non-compliance with directives issued by the commissioner.

That is far short of what would have been more desirable in an what area of law that is for the first time being broached by this House. I would like to have seen a declaration of a positive right available to every citizen of this country to protection and privacy from abuse of the use of information. A right to access and not simply a bureaucratic structure secondary in benefit to a declaration of right similar to what we have in the Constitution in respect of personal rights should have been contemplated in the drafting of this Bill.

In the way the drafters of the legislation have gone about their job the register to be maintained by the commissioner is of crucial importance. It is essential that when the regulations are drafted, either by the commissioner or by the commissioner on direction of the Minister, very careful consideration be given to the content of the registration of the information. Again, that is not provided for in the Bill. It is left to the commissioner in his office to draft in time the regulations to be complied with by those persons seeking registration. I hope the Minister will counsel the commissioner in his or her functions in this regard to ensure that the widest possible amount of information is contained in the register so that when a member of the public seeks access to it he or she will have all the types of information which are essential to the proper appreciation of the scope and extent of the information retained by the data processor or controller. I would like to itemise some of the pieces of information that must be contained in the register.

Any proper registration should contain all of the data personal to the individual or subject who seeks information on it, such as name, address, date of birth, PRSI number or any other such information personally directly concerned with the subject and retained by the data processor or controller. That must be immediately available and evident to the subject on making an inquiry.

Secondly, the register should deal with the data base upon which the data is assembled and it should refer to the other data stores to which that data base has a correlation or interrelationship. Computers attain their brilliance when one gets into the whole area of cross-relations, cross-references and cross-referrals. It must be made clear that one data store or piece of information could be a member of or involved in any number of data stores at any one time. It is important for a person looking to a register to be able to ask while this data processor or data controller holds that piece of information about him or her on that data base, into how many more data bases that piece of information is linked and in what way they are interchanged and correlated to give a different sum relating to the person or subject.

Thirdly, the register should indicate the data source. In other words, if, for example, I go to a business who hold a credit reading in relation to me and I find it is wrong, then I am concerned to know about it. I have used the word "credit" which is probably not appropriate to the area of the retention of the register, but if I look to any piece of information I should be able to be told at that point the source from which that information was drawn and how many of the processes along the way retain that piece of information so that if there is an error to be addressed, corrected or clarified the person seeking the information will have no difficulty in pursuing it. One of the worst fears any member of the public would have in this regard is that he or she would be subjected to the cat and mouse game of having to pursue endlessly the enlightened or slick computer operator.

In this context it is fair to say that the computer is a machine that frightens most members of the public. It seems to control so much of our life at this time that many people are not too sure how to approach it. They are intimidated by it for a great part. It must be ensured that a register is comprehensive and intelligible to the person coming off the street so that he or she will have all the information necessary in turn to challenge the data sources or to bring that information to an expert who can advise him on how to address it.

In this context there is a small provision in the Bill in regard to the levying of charges. I would like the Minister to consider in time that the charge must be paid, in the wording of the Bill, "in advance". It is to be a charge fixed by the person to whom the request for the information is addressed. It is essential that if people who are not very well off are not to be inhibited from availing of their rights under this Bill they have some appreciation of the extent of the information retained before they are asked to hand over money. In reading the Bill it seems to me that it is money up front and that is not a very good approach to take where the person is not too sure what is going to be delivered at the end of the day.

The fourth area that the register must deal with comprehensively and make available to the subject on inquiry to the commissioner's office is the data use to which the information is put. There can be no doubt the Minister envisages under the wording of the Bill that that will be included. Nonetheless it is important that the register indicates clearly why a piece of information is being retained, to what purpose it will be put and its uses as licensed by the commissioner under the workings of the register. In this regard there are two areas I ask the Minister to respond to in due course. It is important that we clarify the uses of all data collection of a general nature, particularly those pieces of information or collection of data that are essential to the proper ordering of our society and which require the co-operation of the public at large.

I am thinking of two in particular, the census of population carried out by the Government and the assembly of the register of electors which is done by local authorities. They are essential for the proper working of our society and require the co-operation of the public in their assembly. It is vital that the public be assured that this type of information will be for a limited and State use only. It is clear that some local authorities, particularly in the Dublin urban area, use the register of electors as a source of information for the collection of overdue water charges. For example, in Britain the poll tax will be levied on all persons whose names appear on the register of electors. It is vital that confidence is restored to the census of population and the assembly of the register of electors and the Minister should use the Bill to do that. He should ensure that the information is collected for a specific purpose and is not abused.

In drafting regulations under the Bill the Minister should insist that documents emanating from a source covered by the register or covered by the other data protection provisions in the Bill carry a warning notice indicating that the information is subject to restriction under the Bill. He should highlight in detail the restrictions on use imposed by the commissioner. That important point is not covered in the Bill and it could conveniently be included by the Minister in a regulation.

I note that the text of the Convention is conveniently contained in the Bill and I should like to raise a number of questions in regard to it. We are at the happy stage that we have not ratified that Convention and so to some degree it is open to us to discuss it now. I should like to put a number of questions about that Convention to the Minister and I appeal to him to respond to them at some stage during the progress of the Bill through the House. Will the Minister tell the House the derogations the Government have in mind under Article 3.2a? Deputy Barrett pointed out that there is a facility under Article 3.2 (b) and (c) to extend the operation of the Convention to areas not mentioned in the Convention and he was concerned about the important matter of manual files. That is a dangerous area particularly in a State with a bureaucracy that seems to rely so heavily on manual files — I do not mean any disrespect to the fine gentlemen on the Minister's right who are busily preparing notes for the Minister. A vast area of our bureaucracy relies on the operation of the manual file and we should be concerned about that in connection with this Bill. As Deputy Barrett pointed out, there is a neat opportunity for a data processor, or the person who assembles the information, to take out information from the data base and convert it through the use of a print-out into a manual file and away from immediate public scrutiny.

Have the Government contemplated any derogations from Article 9 which relates to the provisions of Articles 5, 6 and 8 of the Convention? Article 5 deals with the quality of data to be retained and I should like to know if the Minister, or his officials will consider amending the definition under which it is intended to impose obligations on a data processor or a researcher. Article 6 deals with personal data relating to race, religion or political opinion and I should like to know if the Minister does not consider it necessary to include the trade union affiliation of an individual. In this day and age of industrial strife and conflict and under-supply of job opportunities there is a greater reliance on information relating to the affiliation of people to trade unions. There are many workers who feel aggrieved that their past union history was held against them. The Minister should tell us whether he considers it appropriate to extend the areas covered under Article 6. Will he say if we intend derogating from the provisions of Article 8 in relation to access to personal data?

Will the Minister say if the Government intend seeking a derogation from the provisions in Article 12 relating to the transborder movement of information? Article 12.3 envisages enabling contracting parties to opt out of the clear and concise condition contained in Article 12.2 which states:

A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorisation transborder flows of personal data going to the territory of another Party.

I am leaving aside the technical worries raised by Deputy Barrett. I do not know how one can stop a radio message or the computer transmission of information from one State to another but I am sure there is some intention behind that part of the Convention. However, I am concerned that the Convention only imposes one restriction of the transmission of such information, for the sole purpose of the protection of privacy. I understood that was the whole purpose of the legislation. That is an important consideration for us, a country that has so many multinational concerns. We must know whether we will be asked to apply such a sweeping provision to our dealings with multinationals. It is serious if we are to invoke that Article in the way it is drafted. Will the Minister say if he has any intention of seeking a derogation from it? I hope the Minister will give me a response to my questions at a later stage. I accept that he does not have the information to hand.

Is the Minister in a position to tell us to what extent the other countries who are in a party to the Convention have sought a derogation from Article 12? How many of them have sought exceptions or extensions of this Convention to their national legislation, legislation that would affect information coming to this country? I would like that information if it is available, at a convenient time.

Perhaps the Minister could advise us as to who, under Article 18, he has in mind to appoint to the consultative committee, what expertise he or she has, what is the status of that person within our jurisdiction and what talents or attributes the Minister thinks would be important to a person sitting on behalf of this country on the consultative committee. With regard to Article 21, do the Government have any active plans for promoting or suggesting amendments to the convention as it stands? In short, I am asking the Minister what have this or previous Governments done to adopt, apply or develop the Convention since it was first put on the books in 1981.

I want to deal now with specific areas of the Bill which cause me concern and which I hope the Minister will bear in mind before we deal with them in Committee. My first concern deals with section 1 (2). The Minister might consider an addition to the definition of data that are inaccurate. The Bill says that data will be considered inaccurate "if they are incorrect or misleading as to any matter of fact". It is important that that might be amended further to include "any omission of fact". It is all too evident that a person can be misled and given inaccurate information not simply by what is there in print but by what is omitted.

With regard to section 1 (3) (a) and the designation of authority, could the Minister advise whether there will be an end to that process? What I am worried about is this. As I understand it, the intention behind that provision is that a person within the Civil Service can be designated as the data processor. That person, for the purposes of that section, in turn becomes a person entitled to designate. I wonder if the Minister is concerned whether there is an end to the process of designation.

Section 1 (4) (a) deals with the definition of not imparting information because of this time honoured expression "safeguarding the security of the State". Any of us who engage with the Minister for Defence at Question Time will know the extent to which that expression can be used for the purpose of not imparting information. It is known that most of the information daily refused to Members of this House is available in publications and the manuals of international arms dealings which are available in this city and elsewhere. I am very concerned about finding the same definition in this legislation that is available to the Minister for Justice and to the Minister for Defence to keep information from persons on the grounds of safeguarding the security of the State. It happens on numerous occasions with the Minister for Justice but as regards the Minister for Defence anything and everything can be withheld on the grounds of safeguarding the security of the State. It is important that there should be a reference elsewhere to a higher authority, above and beyond the Minister concerned, for the purposes of reviewing that definitional exception.

Another particular area of concern is covered in section 5 (1) (c) which deals with the restriction of right of access. As a person who has been concerned for many years with prison reform, I am very alarmed to see that it is the intention to restrict the right of persons to access to information relating to the prison service generally and to prisons on the grounds not only of the prejudice to security but also in the maintenance of good order and discipline.

Everyone can appreciate the need to be sensitive with regard to security in our prisons, but I do not believe the Minister can make a serious case that a member of the public coming off the streets or any concerned person who seeks information regarding the administration of our prisons would be someone likely to interfere with the maintenance of good order and discipline of life in our prisons. I ask the Minister to seriously consider having that section amended so as to delete the grounds on which that information can be refused because, in the view of someone in the Department, the maintenance of good order and discipline in a prison could be affected. I do not believe that is a serious concern. I do not quibble with the restriction as it affects security but I have some reservations so far as the prison service is concerned.

As regards section 16, I would ask the Minister to consider including a person's union affiliation or membership. I want also to refer to the section which allows for a person to appeal against a determination direction from the commissioner where he directs a data controller or processor to do something under his power and the person concerned appeals. The provision that enables the person appealing not to have to comply with that direction in the interim period, is something that will lead to more abuse of the purpose of the Bill than to anything else. I am contemplating the situation where a person has information that is wrong or is being wrongly used and where the commissioner intervenes to direct compliance with the purposes indicated on the register. The person concerned can appeal but, while the appeal is pending, he is not obliged to comply with the direction of the commissioner. That seems to be an immediate "out" available to any dishonest person seeking to wrongly use the information retained by him. I ask the Minister to tidy that up before Committee Stage.

Those are the matters I wish to raise in respect of the Bill. I indicated previously — and I will briefly repeat — The Workers' Party will support this Bill but some of its aspects are of primary concern to us upon which we may have to do battle with the Minister at a later stage unless he hears us as favourably as he has done in the past.

The Labour Party welcome this overdue Bill. It makes a very welcome contribution to our legislative body. It is interesting to note that the measure resulted as an initiative from the Council of Europe. All too often one hears criticisms of the travels abroad by Members of this House to do legislative work in the Council of Europe and other bodies. The people who criticise overlook the fact that the Council of Europe perform very valuable work in bringing forward agreed measures of this nature which find their way into legislation. I am proud to have been a member of the Council of Europe on and off for the past few years and, with Deputies from other political parties, to have participated in the day to day work of the committees in all sorts of fields which produce measures such as the Bill before the House.

There have been abuses in this regard over the years. I recall hapless individuals complaining to me that, for some reason they could not understand, they were unable to get a loan from a hire purchase company. The research that was possible indicated that blacklisting was carried out by all these organisations, financial companies and so on who, quite clearly, had been working hand in glove on these issues, very often without a justifiable base. Their actions affected many people, including families, and I hope this Bill will remedy that.

I want to make a point about the limitation of the Bill to individuals. I am puzzled as to why the Bill is confined to individuals and seems to exclude partnerships and companies from having any rights to apply for information on the computer records of the financial institutions. Many people operate in a partnership. Small companies can be adversely affected by wrong information in the computer data bases. I know of one such case, a one man company who was brought to the brink of ruin for reasons he could not fathom. He eventually found out that erroneous information had been lodged with the financial institution with which he was dealing. Why can the limitation only concern a single individual? A partnership could mean two or more individuals and the fact that they operate in tandem should not exclude them from the provisions of the Bill.

If the Bill is to be effective it will have to operate in the area of Government Departments, semi-State institutions like the Eastern Health Board, the Department of Social Welfare and so on. The Minister for Justice is taking power in the Bill, in consultation with other Ministers, to exclude some of these Departments or the Eastern Health Board from the operation of the Bill. One must sound a warning note in this regard. Governments and their institutions have a tremendous need to keep themselves as secretive as possible and we all know how difficult it can be to extract information about our constituents or indeed — as a lawyer — about one's clients from Government Departments, semi-State bodies and so on. They guard that information with remarkable jealousy. Indeed on occasion, Government Departments have attempted to avoid court orders. Those kind of ideas ought to be swept away and in this Bill we should make our position clear that, except in recognised special circumstances dealing with State security and limited matters of that nature, the preserve of the State for its own secrecy should not be acceptable. We should seek whatever amendments may be necessary on Committee Stage to ensure that the State will not cop out when it comes to disclosure of information any more than it should be possible for any other institution to do so.

I am glad that Deputy McCartan referred to the question of derogation being possible under the Convention because if this measure is to be effective, the question of the transborder exchange of information is crucial. The whole objective of the Bill can be avoided if the data bases are kept in another country. If multinationals are operating in this country and if they feel any embarrassment at maintaining their information data banks here, they may seek to set them up in another country. Will these multinationals set up in tax havens and avail of the derogation provisions provided? It would mean that the material could be stored there freed of the obligations imposed under this Bill.

The information stored concerning people must indeed be sacrosanct. Financial firms will maintain data bases which contain information about their customers and so on. The question then arises as to the transfer of that information to another firm. A building society may have information about a customer but if the customer seeks a loan from a different building society, there may be an exchange of information. I want to see it incorporated in the Bill that information may not be given lawfully about a person by any one firm to another unless there is the written consent of the person concerned. Written consent is essential. We must copperfasten in this Bill that information about a person may not be passed to another company without the written consent of the person whose information is on file. It may be in this Bill but I do not see it there. I would ask the Minister to consider incorporating on Committee Stage the necessity for written permission.

It seems that responsibility for administering this legislation is devolved onto a single person, the commissioner. Is that a good idea? In some of the other countries where the equivalent legislation is operated, responsibility is devolved onto a small board rather than onto a single person. I do not know if the Minister has considered that but it is something that should be thought about. It should be up to a small board of perhaps three or five people to operate and to oversee the very serious measures that are provided here. There will be a staff, of course, but it might be too important a function to devolve to one single person, even though there is an appeal procedure provided for in the Bill.

There are probably very few Deputies in the House more at sea in the world of technology to which this Bill introduces us, than I. At this stage I just wish to ask a few questions which in themselves adequately demonstrate the depth of my lack of knowledge of electronic data processing.

I took the opportunity to compare this Bill with the corresponding British Act of 1984 and I am glad to be able to tell the House that, unlike so often in the past, where our legislation tends to be copied word for word from that enacted in Britain, sometimes up to 20 years previously, our Bill on this occasion appears to have been drafted on independent criteria and without more than an occasional glance over our shoulder at the English Act. If I knew more about data processing, storage and retrieval perhaps I would see more of a resemblance between the two measures, but they appear to be structurally different and in some respects different in detail. Because I have complained about the opposite so often in this House I am expressing my appreciation of the fact that on this occasion we appear to have done something for ourselves.

I am interested in the achievement of the Minister's Department in producing a Bill of this kind, seeing that, although perhaps they ought to be, they are not a very high technology Department. I am genuinely interested to know about the mechanism by which this draft came into existence. Did the Minister's Department retain consultants for the drafting of the Bill from the world of data processors and the world of electronic information? If so, I have no special objection. I recognise that it may often be cheaper and simpler for a Department to get private sector advice than to retain experts on a full time pensionable basis. Will the Minister tell us the genetic process by which this Bill arrived before us? I do not wish the Minister to name consultants but I would like to be assured that they have no, even concealed, axe to grind. I know the Minister's Department are not so naive as not to spot an obvious interest on the part of consultants that they might entrust with so important a job as drafting legislation, but even such consultants, with the best will and the clearest conscience in the world, may still be injecting some admixture of their own interest and perspective into the draft. While I have no suspicions in the matter and have no objection to the Department employing consultants in a proper way, the subject matter of the Bill is so far away from the Minister's usual bailiwick that I feel entitled to inquire about it. The Minister and his Department usually move in the world of handcuffs, bail applications, the slam of prison doors and industrial problems arising from their relations with the various employees under the Department's umbrella. Visual display units and other high technology are not normally part of the scene at 72-76 St. Stephen's Green. I am genuinely interested in whether consultants were employed and whether the Minister can be perfectly satisfied that the angle which any individual or firm must have is not reflected in the legislation before us.

This may be a humble question, but would the Minister tell the House whether the data protection included here relates only to sensitive material or whether it is possible to avoid being in breach of this Bill by disclosing information which is not necessarily sensitive but which may lead to a serious nuisance for a number of people? I have in mind the possibility of compiling specialised lists of the kind which might arise if one were trying to collate a list of people between the ages of 18 and 20 or of people who were recorded as having some interest in some recreation or sport or people in a certain socio-economic group, and selling that information to an advertising agency or a company with material to sell for which that group is an obvious target. I do not suffer a lot from this type of thing as I am very careful never to fill up a form which offers me a free holiday in Bulgaria, and puts me therefore on a par with a member of Dublin Corporation. I always turn down offers of that sort because even though the holiday will arrive or the machine or the box of sweetmeats or whatever it is, I am going to be pestered for the rest of my life by unwanted advertising arriving through my letter box as a result of my name having been put on a "sucker" list and sold to an advertising agency or a firm who believe in marketing products through postal approaches. I appreciate that there is a limit to the amount of policing the Minister can employ here but I would like the Minister to reassure us that the protection this Bill is designed to provide will not stop merely at the disclosure of material which he or I would recognise as sensitive, but will also prohibit the abstraction from data bases or data banks of specialised lists of that kind. That will simply multiply a nuisance, multiply the waste of paper, multiply the ecological burden, all for the sake of facilitating access to the market for the sort of firms who depend on a postal approach.

Another small point which perhaps would be more appropriate on Committee Stage — I do not except the Minister to answer it on his feet but I think it is no harm, therefore, to mention it now — arises from the definition section. There are special rules regarding the kind of information which the Defence Forces may find necessary to collate in a particular form and which would be made available to an officer in certain conditions. There are similar provisions in regard to the Civil Service. I presume — and I would like the Minister to assure me I am right — that an officer of the Defence Forces, or a public servant who comes through the operation of one of these processing mechanisms into possession of certain kinds of information, so far as an individual is concerned whose data may be reflected in this data bank, will be covered by the Official Secrets Act. If he afterwards retires, resigns from the service or for whatever reason finds himself outside the service, there will be a sanction preventing him from divulging information which he may have reached by such a means.

Perhaps I am wasting the time of the House by raising a point to which the answer is perfectly clear. It would be no harm for the Minister to devote a few words showing the correlation which ought to exist in public offices between data collected about individuals and its possible subsequent disclosure. That kind of information ought to be an official secret for the purpose of the Official Secrets Act and its publication or passing on in any shape or form after the departure of the official or officer concerned from the service ought to be regarded as a breach of the Official Secrets Act just as much as if it was a piece of official information in the more ordinarily understood sense of that term.

There are two other points I should like to raise and I am sorry if I am wasting anybody's time in doing so. Is there any suggestion in the operation of the Convention to which this Bill is the Irish response of its cross-Border operation in the sense of the creation of extraterritorial offences? The Bill does envisage the creation of an indictable offence. Section 30 envisages an indictment for an offence, and it obviously envisages an offence serious enough to warrant putting someone on trial before a jury and exposing him to a possible fine of £50,000. Can the Minister tell the House whether offences of that kind, or that degree of seriousness, ought to be mutually extraditable between the States which are party to the Convention and if they are not whether there is any provision for a network or system of mutual extraterritorial jurisdiction in such a way that we could prosecute here somebody whose action represents a breach of the data protection legislation in Italy or the Swedes could prosecute somebody whose activities there represented a breach of our data protection legislation? Deputy Taylor referred briefly to this matter, or to something like this matter, if I understood him correctly. Probably he knows more about it than I do. I am sorry if I misunderstood him but I thought he raised an interesting point in that connection.

The last point I want to raise relates to a more strictly legal point and that is the question of the further out consequences of a breach of the Act. There is what looks like, at first blush, a reasonably adequate apparatus of penalties, but what about further out consequences for the individual? Suppose an individual feels aggrieved by disclosure of information about himself, which is simultaneously a breach of the Act and which perhaps entitles him to compensation and which exposes the person who has done wrong in disclosing information about this to prosecution. That is all very fine but what would be the position if at a later point some information about that individual which has become public, or which if it has not become public has become available to somebody, even if it be a State authority to which it otherwise would not have been available? Would the Minister consider including a provision which would automaticaly invalidate any process taken by a public authority or in which an individual might afterwards be involved vis-à-vis a public authority, in the sense that it would be regarded as a prejudicial situation in which the individual had arrived in consequence of a breach of his rights?

There is a fairly close analogy — at least I hope it is close enough for anyone to see — between the point I am making and the situation where somebody has been arrested on wrong grounds. During the time when he is under arrest, as a consequence of his arrest a more prejudicial situation arises. There was, for example, a case involving a person — I do not want to mention the name of the case although I think the person concerned is dead — which received much attention here a few years ago in which a person was arrested under section 30 of the Offences Against the State Act. This enabled him to be held for 48 hours but in fact, or so it appeared from the Law Report, merely to enable extradition arrangements to be put in place which facilitated his being exported from the country altogether. The courts took the line there that since his arrest and holding had been not for the ostensible purpose of operating the provisions of the Offences Against the State Act — not that he was genuinely under any suspicion of an offence under that Act or related to that Act — but merely in order to put him on ice for long enough to enable the extradition arrangements to fall into place so that he could then be handed over, the State must be denied the fruits of its misbehaviour. While I agree in this instance that the State or organs of the State were themselves the authors of the wrongful operation of State law and that there was a clearer reason why the State should be, as the court said, denied the fruits of that unlawful interference with the man's rights, when we are dealing with legislation like this there is a case for saying that where information gets out — whether it becomes totally public or becomes known to somebody or other in consequence of an invasion of rights here — no State body, whether it be the Revenue Commissioners, the Director of Public Prosecutions or anybody else, is to be allowed rely on information or on something to which they would not have had access but for that information in any proceedings in which that individual might afterwards be prejudicially involved. I hope the point I am trying to make is not obscure or will not seem impossibly liberal. If the Minister were to consider amending the Bill by including a clause to that effect he would be doing something very much in the spirit of the decisions in the constitutional area which the courts have given in recent years.

I want to apologise if anything I have said not only demonstrates my ignorance of the electronic world but also has held up the business of the House.

I want to thank the spokesman for the Fine Gael Party and the spokespersons for the other parties for the generous but cautious welcome they gave the Bill. I thank them very sincerely for their contributions. They have raised a number of points with which I will endeavour to deal. I hope Deputy Barrett will not take me to task if I deal with one or two points raised by Deputy Kelly first because, let us remember, the last is often first.

Perhaps my mistakes are the simplest ones to put right.

No, the Deputy did not make any mistakes. I am not implying anything like that. In reply to Deputy Kelly's query as to how the Bill came into being — bearing in mind that in the past there have been accusations on the part of many Members that we normally slavishly follow legislative proposals in another place — I should say that, in this instance, we did this ourselves within the Department of Justice. We did not pay any consultants or engage consultants from anywhere to help or advise us.

I must compliment the Minister's Department in that respect.

I am grateful to the Deputy for that as I am sure are the people who have been involved in its preparation. In an effort to explain to Deputy Kelly why we felt sufficiently confident that we had the ability to do this the Deputy will appreciate that we had representatives on the Council of Europe committee of experts dealing with this. It is quite obvious that they gained considerable experience from their participation at that level. I might say to Deputy Kelly also that I hate being included on anybody's mailing list. I have as much aversion as he to junk mail. I do not like being bombarded with unwanted gifts or offers. I am glad that the provisions of this Bill give the right to have one's name deleted from such lists. That is the purpose of section 2(6).

I can confirm for Deputy Kelly that the provisions of the Official Secrets Act, 1963 cover also disclosures of official information by the holder of a public office after he or she retires.

Deputy Barrett hoped that a massive bureaucracy would not be built up and that the office's operating costs would not be borne by the taxpayer. I mentioned this aspect in my introductory remarks. It is because we want to avoid bureaucracy that we have partial registration. Certainly that will cut down on the amount of office work to be done. In addition, the staff of the commissioner's office will be found through redeployment. The other office expenses will be met from the registration fees. I cannot say yet what the registration fee is likely to be. Its amount will depend on a number of factors, including the extent to which it will be possible to staff the office of the Data Protection Commissioner by redeployment of existing staff. I should say that any shortfall in the operating costs of the office will have to be met from registration fees. The amount of the fee will be dependent on the number of those who register. My intention is that, initially, the fee should be prescribed for the first year of registration, to be reviewed at the end of that period in the light of the considerations I have mentioned.

Deputy Barrett also asked why was a provision about codes of practice included in the Bill. The Deputy was right in saying that, to a large extent, the provision is aspirational. But it has a practical significance in so far as it affords an opportunity to the commissioner to approve formally of the provisions in the codes of practice so that they will be given an element of official recognition. In other words, any data controller who complies with the particular code of conduct governing his industry will know that he is complying fully with the provisions of the Bill. Codes of conduct or of practice are recognised as being an essential complement to general legislation which can never hope to cover all the detailed requirements of particular areas.

I will consider the Deputy's suggestion that, in the interests of the Bill being processed and enacted as speedily as possible the Bill be referred to a select committee. All of us agree that this is a very complex and technical Bill. If I find I can accept the Deputy's suggestion then perhaps the Whips can deal with the matter from there.

Deputies Barrett and others were concerned about disclosure of information on health matters. The Bill provides that there is a clear right of access to data about a person's health. But it recognises that there must be some safeguards in the interests of data subjects themselves. Clearly in some circumstances the disclosure of such information could cause harm to a patient. Therefore there is provision for the Minister for Justice, after consultation with the Minister for Health, to make regulations restricting the right of access. The Council of Europe have issued recommendations on the kinds of circumstances in which disclosure should be restricted. While no decision has been made with regard to the form of the regulations it is clear that they may confine the disclosure of health data to, say, a patient's doctor and might also restrict disclosure if it would cause harm to the data subject.

Deputy Barrett asked also who is to decide whether the person seeking access has been given sufficient information. The answer is: ultimately the Data Protection Commissioner. There is no question of the data controller deciding that an individual has not given sufficient information to locate data. Such individual has only to complain to the commissioner who must investigate that complaint and who has adequate powers to get whatever information he requires.

Deputy Barrett inquired also as to how transfers outside the State are to be monitored by the commissioner. In the case of registered data controllers — who will comprise the bulk of those transferring data abroad — the commissioner must be told at the time of registration what they are doing in this regard. He will then consider whether they can be allowed to do so and, if he considers that they should not, he can refuse to register that controller. I might add that, through his authorised officers, the commissioner can check on the activities of controllers who transfer data.

On the question of manual files mentioned by a number of Deputies, I should say that these are excluded for a number of reasons. First, they do not pose any threat comparable to that caused by computers. Second, the administrative problems and the cost involved in extending the provisions of the Bill to manual files would be colossal and, third, most data protection laws do not extend to manual files.

Again Deputy Barrett asked how an individual can ascertain whether a person keeps personal data if everyone is not obliged to register. The answer is that everyone is given the right, under the provisions of section 3, to ask anyone whether he or she has personal data and, if so, what are the main purposes for which they are kept. I might add that no fee is payable. This achieves exactly the same result as consulting a register, especially since experience suggests that, where universal registration is the law, a large number of small businesses simply do not register. If a person refuses to give information about the data he keeps there can be a complaint lodged to the commissioner who must deal with it.

A number of Deputies advocated the registration of all data controllers. The provisions of the Bill have endeavoured to avoid universal registration because it is more likely to create an over-bureaucratic system. Therefore, registration is limited to the large-scale controllers and controllers who hold sensitive data, so that small businesses will not be burdened by it. The controllers of the sensitive data, under the provisions of section 16, regarding health matters and so on are included in order to comply with Article 8 of the Convention which requires that special safeguards be provided in respect of such data. It is for that reason that that category of data controllers must register.

Deputy Barrett and others suggested that the provisions of the Bill afford the Minister for Justice too much power to determine what personal data should be kept for State security purposes. We must accept that this type of data must, in no circumstances, be disclosed to persons other than those responsible for maintaining State security and that ultimately the Minister for Justice is responsible to the Dáil in this respect. In fact what is involved here is that information kept on any computerised files relating to subversives or suspected subversives will not be accessible to such subjects. It would apply also to security checks made in relation to persons employed, or about to be employed, in military installations and the like.

The Bill does not say that; its provisions are restricted.

Deputies will have plenty of opportunity to raise points in the course of Committee Stage. I said at the outset that, because of the very nature of the Bill, I will more than gladly give as much time as any Member requires to debate any amendment they propose.

A criticism was made that we have been very slow in bringing this legislation before the Parliament. As a result of a spot check with regard to the situation in other countries, I understand that a number of other European countries are behind us at this stage, for example, Spain, Italy, the Netherlands, Belgium and Portugal, to mention a few.

Deputy Harney made a number of very interesting points, including many of a technical nature. I hope she will forgive me if I leave some of the technical points until Committee Stage when we can deal with them more fully. She asked about the commissioner. It is envisaged that the commissioner and his office will be financed through redeployment and registration fees. She asked about word processors. Word processors are not caught by the Bill if they are used to prepare the text of documents only. If they are used to process personal information they will be caught. The Deputy asked who will control the data. The Bill defines a data controller as a person who controls the contents and use of the data. In the case of a partnership, each partner has a say in the contents and use of the data and, therefore, each partner is a data controller.

She also asked about the possibility of abuse of the national security provision. I mentioned this already in my reply to Deputy Barrett. It would be a greater abuse if security information about an individual could be disclosed either to him or to persons other than those entrusted by the Dáil to defend national security. This House has accepted, and I understand still accepts, that the Minister for Justice, who is answerable to the House, has ultimate responsibility in this matter.

Provided it relates to subversives or those involved in crime but not to any average citizen.

I accept that. There have been some suggestions that the restrictions on the right of access may be excessive. Of course, this is a question of balance. It is right and proper that a data subject should know what information is kept about him on computer. However, there are conflicting public and private interests and these are recognised in the Data Protection Convention which we will ratify. The public interest requires that the right of access should not prejudice the prevention or detection of crime or the monetary interests of the State; neither should the rights and freedoms of other data subjects.

In particular, personal data relating to another individual should not be disclosed without the consent of that individual. Section 4 (4) provides for this, with the qualification that the information must be disclosed if it can be edited without revealing the identity of the other individual. In other words, the Bill sets out the minimum legal entitlement of a data subject to any information kept about him on computer that can be disclosed without damage to the public and private interests to which I have referred. Data controllers are free, however, to go further than this if they wish to do so. For example, employers may negotiate with unions' representatives the extent to which personal information originating from third parties may be disclosed.

I am glad Deputy McCartan's party welcome the Bill, even in a guarded fashion. Obviously he will have a number of amendments for consideration on Committee Stage. These amendments will be considered in detail when we come to that stage.

As regards the derogations that we will make to the Convention, these will be as limited as possible and may not go beyond the data mentioned in section 1 (4), namely, archival and other material that is already available by law to the general public. The derogations under Article 9 are reflected in the restrictions on the right of access as regards the prevention of crime, taxation and so on in Article 5. These are allowed by the Convention and are related to Articles 5, 6 and 8. With regard to Article 12, we are already represented on the consultative committee by an observer. The Deputy asked for information about derogations by other countries which have ratified the Convention. I do not have this information but I will get it for the Deputy.

No amendments have been made to the Convention since 1981 and, so far as I am aware, none is contemplated. Deputy McCartan mentioned some other points in his speech that are very much in the technical area. I am glad he has given us notice of what he proposes to have dealt with by way of amendments on Committee Stage and I will have them examined.

The Deputy criticised the provision that a person was not obliged to comply with a requirement of the commissioner once he had appealed and that that exemption lasted throughout the period the appeal was being determined. This is not the full picture. If the commissioner wants a requirement complied with urgently, all he has to do is include a statement to that effect in, say, the enforcement notice. When he does that, the data controller concerned must comply with the requirement in the time specified by the commissioner unless, first, he appeals within that time and, secondly, the court allows him a little more time for compliance. If he does not get a special court order, he commits an offence of non-compliance. That is provided for in section 25 (4) of the Bill.

I am pleased at the welcome given to the Bill by Deputy Taylor on behalf of his party. I will consider the points raised by him and I want to mention one of two of them. I appreciate that there could be an advantage in having the data commissioner backed by a board or an authority, but I must disagree if only on the point of expense and the possible increase in paper work.

I am very grateful to Members for the constructive way in which, on behalf of their parties, they have approached the Bill. There is general agreement on the objects of the Bill. These are, first, to protect the privacy of individuals in relation to personal data kept about them on computers and secondly, to facilitate transborder flows of data to the greatest possible extent consistent with the protection of privacy. The Bill seeks to do that by striking a balance between the requirements of privacy and of maintaining the free flow of data internationally and also with due regard to the need to avoid over-regulation and to minimise the burden on industry. I am satisfied that we have achieved a proper balance but this is a matter about which there will always be a difference of opinion. I assure Deputies that I will have a close look at the points made by them between now and Committee Stage and I will not hesitate to bring in any amendments I think will improve the measure. I commend the Bill to the House.

Could I ask the Minister to deal with the point I made about the right of a minor to seek information he or she is not in a position to seek.

Or people not of full capacity.

I understand that will be dealt with under the general law relating to minors, guardianship and so forth.

Question put and agreed to.

There has been an indication that speakers would not like Committee Stage to be rushed. Can the Minister say when it is proposed to take Committee Stage?

Two weeks from today?

A bit longer.

It is important that we get this Bill through. There are five weeks only between now and Christmas. Deputies have 14 days to put down their amendments and they have identified the areas the propose to amend.

Committee Stage will be taken a fortnight today, subject to agreement by the Whips.

Subject to agreement by the Whips.

Committee Stage ordered for Tuesday, 1 December 1987.
Top
Share