Dáil Éireann debate -
Wednesday, 24 Jun 2015

I move amendment No. 2:

In page 7, to delete lines 19 to 21 and substitute the following:

"(2) A person who breaches the Act of 1988 in relation to postcodes shall be liable in damages in tort.".

The nature of this legislation is that it deals with something that was not dealt with in the basic initial legislation that set up the postcodes. I suggest that the mindset associated with the way that legislation was designed made this information a commodity. I do not think data protection and privacy were at the core of what was being talked about. The subsequent review conducted by Gemserv - the privacy audit - showed that there were concerns about privacy. A summary, more or less, was produced, but not the actual audit itself. It seems to me that data protection was not at the heart of the mindset of the Government and the Civil Service when they were approaching this issue.

Essentially, my aim in this amendment is to create some sanctions for breaches. It seems to me that one will have to prove there is a breach. One will have to prove damage if it is an individual. I do not think individuals are going to breach this. I suggest that big organisations will be far more likely to use information as a commodity. I do not see where there will be a sanction for companies outside Ireland, and indeed companies outside the European Union. Once they have bought information, they will be able to sell it on. Given that the Office of the Data Protection Commissioner has the statutory authority to deal with breaches of data protection, I do not understand why it was not central to the thinking when this legislation was being put together.

I do not see where this Bill provides the means for an individual to prove damage. A system that means that one has to rely on going to the courts to spend a long time dealing with a matter of this nature is really not accessible to the average person on the street. All of what I am trying to do is aimed at the bigger entities. I think there is a real risk that a company outside the EU will buy the whole data set in order to replicate it and sell it on. If our data audit says something different, it is important for the Minister to tell us about it. I think there is a mindset that the Government will have to change. On one hand, the Minister for Public Expenditure and Reform, Deputy Howlin, is talking to us about a more open approach to government - I am quite energised by what he is saying - yet on the other, this initiative is putting the Office of the Data Protection Commissioner on the periphery and using data as a commodity.

If we examine what is happening across Europe, particularly in the UK, we will see that an intuitive approach is being taken. If we were taking a more open approach, we might use the prefix "KE" for Kildare, followed by a code like "300" for Leixlip and another code like "200", "155" or "A" for the relevant housing estate. We could choose any combination of letters and numbers. It is only at that point that we would need to include the individual householder's name. It is not as if addresses are particularly secret at the moment. I know people complain about the misuse of the electoral register for the purposes of marketing and things like that. Obviously, that is a data set that is sold. It is not entirely correct. The 31 individual registers comprise a fairly comprehensive data set. We seem to be going the opposite way here in terms of the approach to this. It is in place now. I presume there is a contract. The very least we need to do is put in place some real safeguards.

I do not think we are particularly great at designing institutions or things like this. I had a recent experience with regard to the Stock Exchange where there was at least a possibility of insider trading. I am using this as an example. When I wrote to the Stock Exchange, I was told to write to the Central Bank. When I wrote to the Central Bank, I was told to write to the Office of the Director of Corporate Enforcement, which essentially told me that it does not have a role in this regard, or at least that there was nothing to complain about. Given that there is no route for making a complaint, is it a big surprise to us that, years after the legislation making insider trading an offence was put in place, there has not been a single solitary prosecution? In the absence of a practical means for individuals to make a complaint when they believe damage has been done to them, there is no sanction. The lack of a reasonable sanction in support of those whose data is potentially compromised is a real flaw in this legislation. I really do not see where the sanctions are. This is all aimed at large corporations that engage in wholesale marketing. I do not see where there is an adequate sanction in this legislation. I am seeking to remedy that in some of the amendments I have proposed.

The Minister knows I have serious concerns about this very expensive, badly designed and badly managed project, the aim of which is to solve a very simple problem. I have asked why the State has spent so much money on designing a system that is unique to this country. What business problem will be resolved by the use of this system? It is a simple question. The Minister has listed five or six business objectives, but nobody has explained what business processes will change to deliver those objectives. They are more like aspirations that could be listed than business problems to be solved.

I cannot understand why we have spent so much, and relied so much, on one firm of management consultants to advise - I use the word "advise" in quotes - on this project from the very beginning right through to the preparation of the functional and technical design and requests for and submission of tenders. This is a licence to print money. I described it as the gift that keeps on giving for management consultants. I am sorry that I and the Dáil have to spend so much time on something that should be very simple, the setting up of a postcode system. It is ill-conceived. A postcode in this country is an excellent idea. It should have been simple, straightforward and inexpensive. Principally, it should have been inexpensive. We have allowed those who have commercial considerations to convince us that we need something more complex that will continue to give money to the company. I believe it is wrong.

Deputy Catherine Murphy and I have tabled more or less the same amendments on the data protection aspects of this legislation . It is establishing a very dangerous precedent. That the normal data protection legislation does not cover this and we have to incorporate it into primary legislation is precedent. Government-generated data will be sold off to companies in Ireland, Europe or throughout the world, which may then resell that data to other companies, yet this legislation is intended to protect data in this country. That will not and cannot happen. It all stems from the fact that we decided, on the advice of management consultants, to introduce a complex system where complexity was neither necessary nor desirable, and it will not do what the Minister says it says on the tin. It has not been demonstrated to me that it will do what it says on the tin. It is the gift that will keep on giving to management consultants. People will pay big bucks for that data and this legislation will not stop them from reselling or misusing the data they have purchased.

I will oppose this legislation at every stage in the process because the substantive amendments that I and others have tabled have not been accepted. Even had those amendments on the data protection element been made, the very creation of the system is opening up a precedent whereby Government-sponsored data can be bought by private companies anywhere in the world and resold to whomever they wish with no controls over the dissemination or use of that data.

I could go on for an hour about this, but I do not see the point. I have raised these issues before and pointed out my serious concerns. Time will prove that my concerns and the concerns of Deputy Catherine Murphy are well-founded, and it will cost the State a lot of money to clean up the mess this will create.

Almost every Deputy who spoke on Second Stage of the Communications Regulation (Postal Services) Act 2011, as I remember it, was very concerned about data protection and how it would be enshrined in the Act.

This Bill is the first major change in postal addresses in this State. There is genuine concern that we have to bring in a Bill to amend the Communications Regulation (Postal Services) Act 2011. The public do not seem to be convinced that this Bill will protect data in the way in which it is intended. The Minister should take account of that. We need to have total confidence that any legislation that goes through the House protects the data it covers.

I agree with Deputy Moynihan that we must exercise considerable care with regard to the data protection implications of any legislation such as this. I do so, and have done so, and I regard it as being of considerable importance.

Section 66C(2) of the Bill clarifies that section 6A of the Data Protection Act 1988, which relates to the processing of personal data which is likely to cause damage or distress, does not apply where processing is necessary to undertake a legitimate activity in relation to the postcode. This would cover a situation in which an owner or occupier of a property disagrees with the matching of his or her address to an Eircode and in particular to the routing key element of that code - the number - despite the accuracy of such matching. That is why section 66C(2) is an essential provision in the Bill.

Section 7 of the Data Protection Act 2003 provides that data controllers and processors owe a duty of care to data subjects which relates to the collection and use of personal data. That is the law and that is not being disturbed. The provisions of the Data Protection Acts apply in respect of breaches of the rights contained in those Acts. Section 30 of the Data Protection Act 2003 provides that the Data Protection Commissioner may bring summary proceedings for an offence under that Act. Section 31 of the Act provides for penalties for offences under the Act.

It is neither appropriate nor necessary to provide for offences of breaches of data protection rights when such provisions already exist in the Data Protection Acts. In addition, the Bill provides that the Minister can make regulations providing for a power to suspend or terminate a value-added reseller licence, as well as the power to carry out audits. The activities covered by this Bill are only those which are essential to the delivery and maintenance of the postcode system. End users will still be subject to the full rigours of the data protection legislation. If any Deputy can persuade me otherwise I will listen for as long as it takes to understand the point. I say that with every respect to all the Deputies in the House.

Deputies Colreavy and Catherine Murphy already raised the extra-territorial effect on the last day we debated this. The Data Protection Acts apply to all data controllers established in the State.

Section 11 of the Data Protection Act provides for restrictions on transfers of personal data outside the State. The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory provides an adequate level of data protection. This provision is already in the Data Protection Act. While the issue may arise in this discussion, it does not turn on any of the provisions in the Bill, given that it is addressed in existing legislation.

Furthermore, under section 11 of the Data Protection Act, the Data Protection Commissioner may prohibit the transfer of personal data from the State to a place outside the State. The commissioner can serve a prohibition notice on the data controller or data processor. These provisions will continue to apply. Moreover, the Bill provides that the Minister may make regulations requiring a value-added reseller to provide evidence of having registered with the relevant data protection authority, where applicable, before a value-added reseller licence will be granted. This requirement is not limited to registration with the Irish Data Protection Commissioner.

I propose to respond to some of the issues raised by Deputies. In the first instance, I respectfully do not accept the suggestion that there is a mindset at work here which seeks to exclude or have no regard to data protection issues. Deputy Moynihan made a fair point in stating that Deputies raised issues at a certain time. The former Minister, Deputy Pat Rabbitte, examined this issue, as did I, and we both decided to introduce what may be colloquially described as belt-and-braces legislation in so far as there could be any concern about the application of data protection principles. This Bill deals with postcodes simpliciter - in other words, the Eircode number on its own. When a person is allocated a postcode, the number will be meaningless on its own. However, if it is linked to a person's name or by means of another identifier, it becomes something that can be treated in a certain way - Deputy Catherine Murphy used the word "commodity" to describe it - and people will have legitimate concerns about how it may be treated. This is only the case where the postcode is linked to some other identifier because, on its own, it is nothing more than a number.

All the existing protections for personal data in the Data Protection Act apply in this scenario. The only reference to a separate treatment, as it were, is to the postcode where it is used on its own. However, once it is linked to anything else, all existing data protection legislation applies. This Bill introduces rigorous protections in respect of what can be done with postcodes simpliciter.

A privacy audit was conducted on my instruction, and while the executive summary has been published, I will furnish Deputy Catherine Murphy or any Deputy with the full report if he or she wishes to have a copy. It can also be published.

It is not true that the Data Protection Commissioner was in some way peripheral to this Bill. The current Data Protection Commissioner has acknowledged its publication and views the legislation as positive, describing it as "underpinning the implementation and operation of the Eircode system and ensuring that essential data protection safeguards are in place".

On offences and ensuring compliance, the existing Data Protection Acts 1988 to 2003 provide stringent penalties for summary offences in sections 30 and 31. All the penalties are set out and substantial fines may be imposed where a person is found guilty of an offence under the Act.

On the commodification of data, it is worth remembering that the information we are discussing is already sold by GeoDirectory and addresses are sold commercially. The postcode is effectively an address that is referable to a premises rather than an individual. Once it becomes referable to an individual, all of the data protection provisions with which we are familiar and which we regard as being of such great importance apply. The addresses simpliciter are already sold commercially by GeoDirectory. We hear a great deal about consultants and so forth. A financial benefit will flow to the State from the contract that has been agreed, which includes a gain-share mechanism.

Having listened carefully to the arguments made by the Deputies opposite, I am not persuaded, nor could the House be persuaded, that this Bill in any way sets aside the important and precious principles outlined in the Data Protection Act 1988, extremely important legislation that was subsequently amended in 2003. These principles continue to apply, as do the mechanisms for making complaints under the Data Protection Acts. In addition, a separate complaints procedure has been established solely in respect of postcodes. I draw the attention of Deputies to section 66C on personal data protection, as it emphasises the point I have been making. It reads:

(1) Nothing in this Part shall be construed as authorising the processing of personal data contrary to the provisions of the Data Protection Acts 1988 to 2003.

(2) Section 6A of the Act of 1988 shall not apply in respect of such processing of personal data as is required for purposes related to the carrying out of a legitimate postcode activity.

My point is that once the postcode or Eircode has been linked to another identifier, all the protections of the principal Act apply. If a concern arises about legitimate postcode activity, namely, this narrow area of dealing only with Eircodes, section 66D sets out the complaints procedure that would apply.

Deputy Catherine Murphy argued that there is no facility available to individual citizens who feel aggrieved. Citizens may avail of the existing protections under the Data Protection Act in respect of personal data, and where a complaint is related solely to the simple Eircode, they have available to them a new complaints procedure, which is set out in section 66D.

For all of these reasons, I regret that I do not propose to accept the amendments.

The Minister described the two Bills which introduce Eircodes as belt-and-braces legislation. This is a much more appropriate description of the intuitive and open approach that Britain is taking to changes in its postcode system. Its objective is to facilitate members of the emergency services in locating houses and commercial entities in delivering goods. This Bill, however, is different as it groups information in a way that makes it a commodity, which I would not describe as a belt-and-braces approach.

On the issue of how an individual can practically ensure that he or she is protected and his or her information is not misused, it will be difficult for an individual to prove that damage has been done.

The primary function with regard to data protection is with the company itself in this instance. The Data Protection Commissioner is the second line of defence as I see it. The consultation is where the big flaw occurred. The consultation process should have been much more open to citizen engagement. There is a fetish in both the Government and Civil Service for secrecy for its own sake yet there is a cavalier approach to data protection as we saw with PPS numbers and Irish Water. This was a secondary consideration. If it was not, why is the Bill before the House at this point? Why was this not a central part of the initial legislation?

The Minister stated accurately that the code is a numeric sequence and only becomes something useful or tradeable when it is linked to a person. The same could be said about the PPS number. That is also a numeric sequence which becomes useful when it is linked to a person. I guarantee the Minister that if we were having the debate we are having on postcodes about the PPS number, the Chamber would be full. It would not just be the four of us. The same risks are inherent and the same precedent has been established with this legislation as if we were talking about the PPS number. There is the same risk that data will be resold and that information will be resold once it is linked to people and an address. The very fact that we need this legislation to protect against what might happen is an acknowledgement on the part of the Government that there are risks. The legislation is not strong enough, however, to ensure those risks do not materialise. It is ill-conceived.

In relation to the point Deputy Catherine Murphy made on what is happening in the UK, the Eircode system will be of considerable benefit to the emergency services. That has been made very clear to me by them. I understand the Deputy's point about the difficulty in proving damage in any complaints system. When one brings forward a complaint, one must know or at least have a strong suspicion that there has been a breach. In the complex world we live in, many things happen that we are concerned we do not know about; the so-called "unknown knowns". It is very difficult to devise any complaints system that is not based on an individual pointing to a particular breach that has occurred and bringing that matter forward. That is the basis on which the Data Protection Acts were enacted. I do not want to offend, but if anyone can think of a better way for the Data Protection Acts to function other than by way of complaints, I would certainly be interested in discussing it. That is in relation to the Data Protection Acts, however, which are already there and which we deal with and use all the time. I am sure Deputies use the legislation all the time to considerable effect. That is in relation to Deputy Catherine Murphy's points.

To Deputy Colreavy I note that there is considerable protection in the Bill. We are drawing on and can avail of the protections that are already in the Data Protection Acts and which cover all personal data. The Deputies raised a parallel with the PPS number issue and we can all have our views on that in the context of the controversies last year. With respect to Deputy Colreavy, I point out that PPS numbers were linked to individuals. To the extent that there was a concern about one's PPS number, it was possible to see whose PPS number it was. An Eircode simpliciter and on its own is not linked to any other identifier whereas the PPS number was.

I move amendment No. 3:

In page 7, line 23, to delete "postcode contractor" and substitute "Data Protection Commissioner".

Essentially, a unique large-scale dataset is being introduced on a national level. To reiterate but not labour the points I made, the company involved has the first or primary role in regard to data protection and the Data Protection Commissioner has a secondary role. I would argue that the Data Protection Commissioner should have been central to this in the first instance. The amendments are designed to remove the private firm's role in handling the Eircode system and to give that role to the Data Protection Commissioner. The firm will be given wide-ranging data protection powers, but such powers should be independent of it. It is vital that the new system is as robust as possible when it comes to data protection, and that should include the direct involvement of the Data Protection Commissioner. Many of the comments I made in my opening contribution relate to this issue, so I will leave it at that.

I do not propose to rehash all the arguments, other than to say that this is about more than a matter of delegating responsibility for data protection from the Data Protection Commissioner, a trusted office and a trusted brand, to a postcode contractor, a private entity. That is not delegation but abdication of responsibility for a solemn State duty. It is setting a very dangerous precedent and it should not be included in this legislation.

As we are discussing amendments Nos. 3 to 10, inclusive, together, I will deal with them accordingly. The complaints procedure set out in the Bill refers to the process which owners or occupiers of property can follow in the case of a postcode-related complaint. The complaints procedure is set out in the postcodes contractor's code of practice. The postcode contractor has consulted with the office of the Data Protection Commissioner in the drafting of the code of practice, and the Office of the Data Protection Commissioner has made a number of observations and recommendations which the postcode contractor is happy to accept. The Office of the Data Protection Commissioner has stated that it will approve the code of practice once these changes have been incorporated.

The Data Protection Act provides powers for the Data Protection Commissioner to investigate complaints and enforce compliance with the Act. Those provisions apply to any postcode-related complaints which the commissioner may receive. There is nothing to prevent persons complaining to the Data Protection Commissioner where there is a perceived breach of the Data Protection Act in the context of the postcodes project. It is, therefore, neither necessary nor appropriate to set out investigative functions for the Data Protection Commissioner in this Bill, given that there is a statutory regime already in place.

The Office of the Data Protection Commissioner was consulted extensively during the drafting stages of the Bill and at no stage indicated that the provisions set out in the 1988 Act are inadequate. I repeat the core point I have made to the Deputies on this issue that the very considerable protections contained in the Data Protection Acts remain and will endure. Nothing is being done to disturb, remove, delegate or abdicate the powers of the Data Protection Commissioner under the Acts, powers it is proper that she should have, and which are in no way being removed or lessened in this legislation.

For those reasons, regrettably I am unable to accept the amendments.

The Minister mentioned something about income to the State earlier; he might give us some information on that. From the foundation of the State, we have tended to outsource things. We have outsourced education, health care in some cases, and the so-called "care" of children in some instances. We have difficulty taking direct responsibility for things. I see the current issue falling within that same category.

Information is now a commodity, and the ease of access to information by large corporations is significant. I do not believe it is easy for the citizen to make a complaint if he or she is targeted on the basis of there being grouped information. What can the citizen do about it? The very fact that this legislation is happening tells us everything about the mindset that was in place when the system was designed. The design is about remedying something that was not adequately thought out in the first instance. That tells us that citizens and data protection were not front and centre in this process, yet that is where we should have started from. I do not believe there is adequate protection. There is a two-pronged approach, and every time I have come across such an approach, for example, to parking fines, it has worked to the disadvantage of the citizen.

I will not repeat myself. If the Minister is going to talk about the projected income to the State from this, he might also advise us on the estimated cost to the State for the various Departments to get their databases in order. In response to parliamentary questions, I have been told there are a number of Departments that are not in a position to estimate the cost of getting their own databases in order to use the new system.

I thank the Deputies. There is always a very important debate to be had about which elements of public services, if any, should be outsourced to the private sector, and which should continue to be carried out directly by the public sector. This issue arises in all kinds of areas, as the Deputy rightly says. Education is still principally carried out and funded directly by the State. I accept that there is controversy in some areas of health care. Assessment sometimes has to be made as to whether it is more efficient for services to be provided by the private sector on contract to the State, or for the State services to provide them directly. We have seen it in the areas of public transport and, in my own area of responsibility, telecommunications and broadband. These issues come up all the time.

My own view, for what it is worth, is that we should address these issues on a case-by-case basis. A strong case should have to be made when a public service previously provided directly by the State would in future be provided by the private sector on some form of contract. That case should have to be made; it should not be the default position or anything like it. However, I believe there are services which it is appropriate to outsource, and this is likely to be one of them.

This type of contract is essentially a self-contained process of design and implementation of a postcodes project. It is appropriate that it should be contracted to an expert company in order to deliver it in circumstances where there is a strong hold on how the matter is done.

Obviously, this has a statutory basis and the State is ultimately responsible for ensuring it is carried out correctly. One of the things the State is certainly responsible for is to ensure there are adequate protections in regard to data. As to the value to the State, as I mentioned earlier, once sales reach a certain level, there is to be a gainshare mechanism in terms of the value to the State. However, the most important value to the State and the wider community is the multiplier effect for individual citizens, for the implementation and efficient provision of public services, in particular the emergency services, which I mentioned earlier, and for business and economic activity generally. I expect there will be a very significant multiplier effect and this will bring huge value to us all.