I welcome the Minister of State at the Department of Public Expenditure and Reform. I was listening to him from Tallaght Hospital earlier this evening.
Data Sharing and Governance Bill 2018 [Seanad]: Second Stage
I move: "That the Bill be now read a Second Time."
I am very pleased to have the opportunity to introduce this Bill to the House. It was published in June and commenced in Seanad Éireann, where it received strong cross-party support. The Bill was actively engaged with by the Members of the Seanad and I look forward to further constructive debate in this House. Members may be aware of the number of amendments that were tabled and accepted in the Seanad.
The Data Sharing and Governance Bill proposes a series of reforms to the way the Government shares data to improve public services for the benefit of citizens and businesses, as well as measures to improve the safe handling of that data by bringing consistency and improved safeguards to the way it is managed. This legislation is just one part of our ambitious programme of reform in the digitalisation of public services and the use of data. The eGovernment strategy 2017-2020 sets out a vision of a Government using data and digital technology to increase efficiency and effectiveness, thereby constantly improving public services. The actions in Our Public Service 2020, the new framework for development and innovation in the public service, provide for a more integrated, shared and digital environment to enhance the delivery and evaluation of public services.
The Government must deliver on its commitments in this area. The advent and adoption of digitalisation and data analytics have revolutionised the global economy and changed business models and the nature of jobs. We can use our computers and phones, and now even our watches, to do many everyday things, including keeping up with our families and friends, reading the news, watching television, banking and shopping. Digitalisation also opens up new opportunities for innovation in how we design and deliver our public services. We must keep pace with public expectations of how people should be able to access services and with the availability of new technology. Achieving this objective requires modern laws on the use of data in public services to protect and use the information that enables us to deliver these services to the public.
Data sharing is carried out extensively across the public service under the existing legal framework. Indeed, it would not be possible to deliver many services effectively without this sharing taking place in the background. I will provide some examples. Details of birth registrations are forwarded by the General Register Office to the Department of Employment Affairs and Social Protection to generate child benefit claims automatically on behalf of parents. Student Universal Support Ireland, SUSI, shares data with the Department of Education and Skills, the Department of Employment Affairs and Social Protection and the Revenue Commissioners to streamline the processing of student grant applications, reducing the need for applicants to provide documents. The Revenue Commissioners share data with a number of sources, including the Property Registration Authority, for the purposes of maintaining the local property tax register. These are three simple examples of how sharing and reusing data benefits the public.
However, those who deliver public services often face problems in gaining access to information held by other public bodies. Data protection law requires that data sharing needs an explicit legal basis. The examples of data sharing I have just given are made lawful by the specific sectoral Acts of the bodies concerned. Access to the legislative schedule is limited and as a result the process of obtaining the required powers to share data can be painfully slow for public bodies.
Furthermore, the reliance on sectoral legislation as a basis for sharing data has resulted in a set of data sharing laws that have grown piecemeal over time to respond to specific policy needs. This patchwork of laws is complex and not very transparent to the public. There is a clear need, therefore, to update our legislative regime to provide for a flexible legislative gateway that will simplify the complex legal landscape slowing the pace of our efforts to modernise and improve the services we provide to people and businesses. We also need to allow for data sharing to be carried out in a systematic, consistent and transparent way so that members of the public can be confident that their information is being used for the right purposes and remains securely held.
When data are used effectively, everyone benefits from better services that can be delivered more responsively and efficiently at a lower cost to the taxpayer. Members of the public also have a strong expectation that their data will be used responsibly, proportionately and securely in a manner that respects their privacy and upholds their data protection rights. As the volume of data grows and our capacity to deliver digital services expands, the opportunities to improve services increase. So too must the governance and safeguards we have in place to keep people’s data safe.
The House will be aware of the EU’s general data protection regulation, GDPR, which came into effect on 25 May. The GDPR and the Data Protection Act 2018 represent a very significant reform of the data protection regime to keep pace with the many technological advances and new business models that have emerged in recent years. The GDPR strengthens the control of members of the public over their personal data and the purposes for which this information may be used. A key principle underpinning the development of this legislation has been that the Bill should not weaken the protections afforded by data protection law, including the GDPR. Therefore, as well as providing a clear legislative gateway for public bodies to share data, this Bill must also provide a framework for public bodies to share data in a manner that is compatible with the requirements of the GDPR. I refer in particular to the requirement that bodies must be transparent with people about exactly who is sharing their data, what data are being shared and why this is necessary.
In this regard, I would like to take the opportunity to thank the Members of this House and Seanad Éireann who undertook the pre-legislative scrutiny work on this legislation in their capacity as members of the Oireachtas Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. The committee’s report made many useful recommendations which we have tried to address as much as possible during the drafting process. A clear theme that emerged from these recommendations was the committee's concern not only about the risks to people’s data protection rights arising from the sharing of data but also from the misuse and mismanagement of data by public bodies generally.
I share these concerns. This is why this legislation is a data sharing Bill and a data governance Bill. The scope of the governance provisions in this Bill goes beyond just regulating how we share data. The Bill also strengthens the way the public service manages its data in respect of how data are collected and processed, how data are kept secure, and how access to data is controlled, monitored and logged. Many of these governance provisions were added to the Bill following the pre-legislative scrutiny and I believe they go a long way to addressing the concerns raised by the committee. I believe that these provisions will reassure people that their information is being held, processed and shared in a responsible manner and in compliance with data protection law.
I wish to outline to the House the main provisions of the Bill. The purpose of this Bill is to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish a data governance board; and to provide for related matters.
The Bill comprises the following parts. Part 1, comprising sections 1 to 4, inclusive, contains a number of standard legislative provisions concerning the Short Title, commencement, orders and regulations and expenses.
Part 2 comprises sections 5 to 12, inclusive. Section 5 provides that the Bill shall not apply to the sharing of the special categories of personal data specified in article 9 of the GDPR. These include data revealing racial or ethnic origin, political opinions, religious beliefs and trade union membership as well as genetic and biometric data and data concerning a person’s health, sex life and sexual orientation. There are three specific instances where the Bill does apply to special category data and I will address these when I reach the specific parts of the Bill that relate to this.
Section 6 contains an explicit statement that the Bill shall not affect the operation of the GDPR or the Data Protection Acts. Sections 7 and 8 set out how the Bill interacts with certain existing sectoral legislative provisions concerning data sharing, including the Social Welfare Consolidation Act 2005. Section 9 defines data sharing for the purpose of this Bill as being “the disclosure of information, including personal data, by a public body to another public body”.
Section 10 defines the term “public body” for the purposes of the Bill. I want this Bill to apply to the widest possible number of public bodies and so, among others, the definition encompasses the Civil Service, local authorities, the HSE, An Garda Síochána, the Defence Forces and the non-commercial State agencies.
A list of bodies excluded from the Bill, mainly the commercial semi-State bodies, is set out in the Schedule.
Section 11 provides that the Bill applies to data concerning deceased persons. This is to allow for records to be updated upon a person's death.
Section 12 provides that the Bill does not apply to data sharing for the purposes of law enforcement, national security and defence.
Part 3, comprising sections 13 and 14, sets out the conditions under which public bodies may share personal data using this Bill. Section 13 provides that public bodies may only share data for the purpose of the performance of one or more of their lawful functions and only for one or more of the following purposes; to verify the identity of a person where a public body is providing a service to that person; to identify and correct erroneous information held by a public body; to support the "once only" principle that persons should not have to provide the same information multiple times to different public bodies; to establish the entitlement of a person to the provision of a public service; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate an organisational study of a public body. This section also provides that public bodies must comply with regulations and orders made by the Minister under Part 9 of the Bill concerning proper data management and that data sharing be carried out in accordance with a data-sharing agreement. Section 14 gives the Minister the power to direct two or more public bodies to share data, subject to the provisions of the Bill.
The provisions contained in Part 4, comprising sections 15 to 22, inclusive, concern the data-sharing agreements referred to in section 13. Section 15 clarifies that the provisions of this Part only apply to data sharing carried out under this Bill, while section 16 obliges public bodies to enter into a data-sharing agreement before sharing data under this legislation.
Section 17 sets out the formal requirements for a data-sharing agreement and section 18 allows for additional parties to be added to a data-sharing agreement, if required.
Section 19 specifies what information should, at a minimum, be included in a data-sharing agreement. Among other things, public bodies must be explicit in these agreements about the purpose of the data sharing, what data will be shared and how the data will be further processed and kept secure, in accordance with the principles of data protection.
Section 20 provides for the periodic review of data-sharing agreements. Section 21 provides that one of the parties to the agreement shall be designated as the lead agency responsible for the management of the data-sharing agreement. Section 22 sets out the conditions for the expiry or termination of a data-sharing agreement.
Part 5, comprising sections 23 to 32, inclusive, gives the Minister for Public Expenditure and Reform, or another Minister of the Government where he or she has responsibilities in this area, the power to collect and process specified information regarding public servants arising from their membership of a public service pension scheme. This information includes provisions for the administration of pension scheme benefits for beneficiaries earned over a public servant's entire career in the public service. It will be necessary to collect and process some special categories of personal data for these purposes, for example, to record if a public servant has retired due to ill health. Section 24 explicitly provides for this.
Part 5 also provides the basis for the establishment of a centralised pension system to support the long-term administration of the single public service pension scheme. It provides for the Minister for Public Expenditure and Reform to collect and analyse information, in pseudonymised or anonymised format, as appropriate, on the number of public servants employed and expenditure on pay and pensions, including the carrying out of actuarial evaluations. This data will be used to inform public service expenditure Estimates and support public service resource planning and policy development.
Part 6, comprising sections 33 to 36, inclusive, gives the Minister for Public Expenditure and Reform the power to issue a unique business identifier number, UBIN, for the purpose of uniquely identifying any undertaking that has a transaction with a public body. It also specifies a set of business information that can be shared between public bodies in the performance of their functions. This UBIN and business information data set will assist in building the business data element of the national data infrastructure.
Part 7, comprising sections 37 to 43, inclusive, gives the Minister for Public Expenditure and Reform the power to designate a database owned by a public body as a base registry. Base registries will allow us to designate a single data set as the official source of that data that can be reused by other public bodies. This will improve the data quality across the public service by reducing the number of independent copies of data and allows us to focus our resources on the security and protection of a single data source, as opposed to many copies.
Section 38 obliges base registry holders to keep this information up to date, accurate and complete and to make this information available to other public bodies for lawful purposes. Section 42 obliges public bodies to use the information on a base register rather than collecting it directly from the data subject.
The intention of Part 8, which comprises sections 43 and 44, is to facilitate the creation of a portal to make it easier for members of the public to exercise their access rights under the GDPR to see what information public bodies hold about them and the purposes for which the information is collected and processed. A provision to enable the development of such a portal was one of the key recommendations of the pre-legislative scrutiny report. This will extend to special categories of personal data and this is provided for explicitly in section 43.
Part 9, which is split into three chapters and comprises sections 45 to 68, inclusive, provides for better governance in the management of all data held and processed under this Bill or under another enactment by public bodies and will help public bodies to comply with their obligations under GDPR. Many of the provisions have been influenced by the recommendations in the pre-legislative scrutiny report on the Bill.
Chapter 1, comprising sections 45 to 52, inclusive, provides for the Minister for Public Expenditure and Reform to appoint a data governance board to advise on the operation of the Bill. Section 47 sets out the provisions concerning the membership of the board and includes provisions providing for gender balance and for external appointments to be made via the Public Appointments Service process.
Chapter 2, comprising sections 53 to 62, inclusive, sets out the process for enhancing transparency regarding data sharing and for advance scrutiny of any proposals for data sharing between public bodies as follows. Public bodies will be required, under section 55, to publish an advance draft of any proposed data-sharing agreement and invite the public to comment on the proposal. Section 56 requires that the draft data-sharing agreement, along with a summary data protection impact assessment - if one has been carried out - and any comments received during the consultation, will then be submitted to the board for consideration. Section 57 provides that the board may issue a set of recommendations in respect of the draft data-sharing agreement, which the public bodies shall incorporate into the final agreement before signing. Section 60 provides that the signed data-sharing agreement shall be submitted to the Minister for Public Expenditure and Reform and laid before the Oireachtas. The Minister for Public Expenditure and Reform shall publish the signed data-sharing agreement along with the summary data impact assessment and any recommendations made by the board.
Chapter 3, comprising sections 63 to 68, inclusive, gives the Minister for Public Expenditure and Reform the power to prescribe binding rules, procedures and standards for the management of data across the public service; issue guidelines for management of data across the public service; and prepare model data-sharing agreements that public bodies shall use as the basis for any data-sharing agreements they enter into.
Section 63 provides that this chapter shall apply to special categories of personal data as the intention here is to drive a set of robust common standards across the public service for the management of personal data. Clearly, such best practice standards must apply to the management of special category data in particular.
Finally, Part 10, comprising sections 69 to 73, inclusive, includes a number of miscellaneous provisions. Section 69 gives the Minister for Public Expenditure and Reform powers to prescribe certain documents that public bodies should not collect directly from a person but should instead avail of data sharing in order to avoid unnecessary requests for documents. Section 70 gives the Minister power to direct public bodies to collect information in a format specified in the direction. Section 71 gives the Minister powers to direct public bodies to provide information in relation to all data-sharing arrangements being carried out under this Bill or any other enactment. Section 72 is a technical amendment to section 17A of the Ministers and Secretaries (Amendment) Act 2011 to ensure compatibility with Part 5 of the Bill. Section 73 adds the National Shared Service Office to the list of bodies specified under the Social Welfare Consolidation Act to collect and process the personal public services number, PPSN.
A number of amendments have been identified which I will introduce on Committee Stage, most being of a technical nature. In addition, I agreed on Report Stage in the Seanad that I would consider adding some form of wording to exclude application of the Bill to any sharing of data that would support commercial activities of public bodies. I hope to bring forward a proposal to this effect on Committee Stage. I am also considering an amendment to provide for wider use of the Revenue online service digital signature, in keeping with the Government’s wider digital strategy. I will be proposing a minor technical amendment to the National Shared Services Office Act 2017 in regard to the Irish name of that office.
The nature of the subject matter of the Bill means that it contains a number of quite technical provisions. In that regard, my officials are available to assist any Member who requires clarification on any of the technical aspects of the legislation. I reiterate my thanks to the Members of both Houses who worked on the Bill during its pre-legislative scrutiny stage which greatly influenced its development. I thank the Members of Seanad Éireann for their support and contributions. I also thank the various stakeholders who contributed to the development of the Bill, including those who took the time to make submissions during the public consultation process when the general scheme was being developed and those who attended the pre-legislative scrutiny hearings at the committee. Their input was also a great help in the preparation of the Bill. I thank Members of this House for their attention. I hope they will support this important legislation and look forward to hearing their contributions throughout the debate.
I welcome the opportunity to speak to the Bill. Fianna Fáil supports and welcomes the Bill which has been designed to better enable public bodies to share personal data with each other with the consent of the individual citizen. It will also regulate the process by which public bodies can share data.
In the modern technology-driven world the issue of individual rights and privacy is crucial. For Government and public bodies, a balance must always be struck between efficiency in administering tasks for the benefit of the citizen and the protection of the citizen's personal information and data. The general data protection regulation, GDPR, sums up these often conflicting issues. Even today, the issue of GDPR was brought up on "Liveline", in particular the inconvenience of implementing it for companies and individuals throughout the country. On the other side of the coin, when one considers the special categories of personal data under the GDPR which include people's racial or ethnic origin, political opinions and sexual orientation, among other things, nobody can deny that these details must be protected. The balance is now more important than ever. We live in a world where, all too often, people's personal information is treated as a commodity or something to be shared without consent or control. The basic right to privacy has been gradually chipped away, both with the rise of unfettered social media and also the rise of data hacking by the more sinister elements in this world. The State gathers a vast amount of information on each citizen on an almost daily basis. The Revenue Commissioners and social welfare offices possess detailed financial data for the vast majority of citizens. The Department of Health and the Health Service Executive possess detailed information on our health and health history. The State knows exactly where we live and work. In view of this, it is crucial for any democratic state that appropriate protections are put in place to prevent data from being transferred without consent. It is crucial that the State take the lead when it comes to protecting the right to privacy for the individual citizen. It was for this reason that the European general data protection regulation was brought into force and it is vital that the Bill be cognisant of it, not only legally but also in spirit. In that regard, I must recognise, as the Minister of State has done, the work done during the passage of the Bill through the Seanad, which served to strengthen it and put extra protections in place.
When a citizen deals with the State, be it with regard to a tax submission, a social welfare claim or a medical card application, he or she has an expectation that this work will be undertaken in an efficient manner. For the State to serve the citizen better and process actions faster, it needs to be better able to transfer data from one public body to another. For many citizens, it is frustrating, for example, to provide data for one public body and then have to replicate the process with another public body and give the exact same information. Of course, this will not be eradicated entirely, but with the Bill, the process should be improved.
Another key consideration that is at least partially addressed in the Bill is fraud. The vast majority of Irish citizens do not commit fraud, but it must be said a small proportion do. By collaborating in such a manner, the instances of fraud should reduce and the State should be better enabled to detect and tackle fraud. When someone commits fraud, be it in claiming social welfare benefits not owed to them or when he or she fail to pay his or her tax, it costs everyone else.
I turn to the specific sections of the Bill. Part 2 deals with the application in practice of the Bill and how it will interact with the Data Protection Acts and the general data protection regulation. It outlines what aspects of the Bill need to comply with the general data protection regulation and provides a framework by which the Bill will interact with the Social Welfare Consolidation Act 2005.
Section 9 defines precisely what data sharing is for the purposes of the Bill. Data sharing means the disclosure of information, including personal data, by a public body to another public body. Section 10 defines precisely what is a public body.
Section 12 sets out the areas where the Bill will not apply. It does not apply to data sharing for the purpose of the prevention, detection or investigation of offences and everything that follows thereafter. It does not apply to data sharing in the defence of the State.
Part 3 of the Bill regulates the data sharing process and sets out the conditions under which public bodies may share personal data. Section 12(2) provides that public bodies may only share data for the purpose of the performance of one or more of their lawful functions and only for one or more of the following: to verify the identity of a person where a public body is providing a service for that person; to identify and correct erroneous information held by a public body; to avoid the financial or administrative burden that would otherwise be imposed on a person to whom the service is being delivered; to support the "once only” principle that persons should not have to provide the same information multiple times; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate the organisational study of a public body.
Part 4 of the Bill deals with data sharing agreements which must be completed in order for data to be shared between public bodies. Part 5 of the Bill deals with information on public service pension schemes. Part 6 of the Bill deals with the transfer of business information. Part 7 of the Bill deals with base registries.
Part 8 of the Bill seeks to establish a personal data access portal, whereby a citizen can exercise his or her right to see what data public bodies hold on him or her. This is a crucial check on the State and will add a level of transparency that is essential for the citizen to be able to hold the State to account.
Part 9 of the Bill provides for better governance in the management of all data held and processed under the Bill. This will enable the Minister to establish a data governance board. Section 46 sets out the functions of the board, while section 47 sets out its membership. Chapter 2 involves the review of data sharing agreements. This will be a crucial role for the board which will be charged with reviewing such agreements. It is crucial that the board be truly independent because, when things go wrong, we know what the standard response from any institution has been and, in many cases, continues to be - to circle the wagons. It is crucial that the board, in reviewing data governance, acts independently and genuinely holds public bodies to account. Chapter 3 deals with the governance of personal data, including special categories of personal data.
To reiterate, Fianna Fáil will be supporting the Bill and will engage constructively on Committee Stage. However, I take the opportunity to raise issues that, while not directly related to the Bill, are nonetheless relevant to the debate. We are living in a world in which there is unprecedented risk when it comes to data security. On an almost weekly basis we hear and read about another hacking incident in which people's personal data have been stolen, often for malicious purposes. These crimes are being perpetrated against public bodies, governments and companies. It seems nobody is beyond this scourge. We in Ireland are no exception and are as vulnerable to this threat as those in any other country.
In the coming years and decades, to protect citizens and the companies that operate here, Ireland will have to significantly beef up its defence and law enforcement capabilities. The threats are becoming ever more sophisticated by the day and we need to keep step with the perpetrators.
Another area of data security not directly related to the Bill but that is nonetheless crucial is the regulation of social media platforms. The increase in online bullying is becoming ever more difficult to detect and stop before it is too late. People are losing control of their online data as they are shared and passed on to individuals and parties unknown to them. In the coming years we also will need to address this threat. People's individual right to privacy is coming under threat in an unprecedented way. While technology can offer better ways of doing things, it brings with it threats that we must not underestimate.
I thank the Minister of State, Deputy O'Donovan, for bringing the Bill before the House. I acknowledge and thank him for the offer a number of weeks ago of a briefing on the Bill which is quite technical and his offer tonight of a further briefing in the lead up to Committee Stage should we require one. The Bill has been through the Seanad where the Minister of State took on board some of the recommendations made. Sinn Féin will be supporting the Bill, but we will take up the Minister of State's offer of a briefing with his officials in the lead up to Committee Stage to discuss some amendments we propose to table.
As stated by the Minister of State, the Bill is not only about the sharing of data, it is also about the governance of data being shared. This is critical because there is a balance to be struck between the sharing of data and privacy. As we all know, there is a constitutional right to privacy. The Library and Research Service analysis of the Bill touched on this constitutional right and how it was balanced in the Bill. As we are all aware, following pre-legislative scrutiny of the Bill last year by the Oireachtas Joint Committee on Finance, Public Expenditure and Reform, the committee produced a report in July and many of its recommendations were taken on board by the Government and are reflected in the published Bill, which is welcome.
Technology is advancing rapidly and while there are advantages in that regard, with those advantages come increased responsibilities, which is the purpose of the Bill. In the context of the recent legislative changes surrounding data protection, it is timely. In essence, the Bill is about providing a legal framework for the sharing of data between public bodies and institutions to improve service delivery. We all know the advantages of improved service delivery not only to the bodies concerned, financially, but also to the citizens who benefit from those services, but it is important that there are safeguards in place in the sharing of personal data between these bodies. The Bill, in terms of the data governance body to be established by the Minister, provides those safeguards. The information portal is a critical aspect in people knowing what information is being shared, how it is being shared, the purpose for which it is being shared and the duration for which data will be retained by a public body.
An issue I have not seen covered in the Bill - as I have not studied it in detail, it may be covered - is a mechanism by which a citizen can have data held by public bodies corrected or removed. As I said, I have not studied the Bill in detail, but I will do so in greater detail in the drafting of amendments. If the issue is covered in the Bill, the Minister of State might comment on the mechanism by which a citizen who does not agree with the validity of the sharing of data can have them removed or changed. The sharing of data between public bodies is about the streamlining of public services. I do not believe there is anyone in this House who would be opposed to the streamlining of public services, the benefits of which include determining people's entitlements, identifying inefficiencies in the system and correcting false information held by a particular public body once shared with other public bodies.
As I said, Sinn Féin will be supporting the Bill, albeit with one or two amendments that we would like to see made. We recognise that there is a balance to be struck between the interests of privacy and data protection and the responsibility of the State and public bodies to ensure effective public service delivery. There is no trade-off between these rights and responsibilities. In other words, the Bill provides for the effective delivery of public services, while at the same time safeguarding the interests of privacy and data protection.
Data sharing is not a novel idea. It is already in place in some public bodies. We know from the regulatory impact analysis carried out at pre-legislative scrutiny stage that it already occurs between numerous public bodies and institutions under existing legal provisions and frameworks. It is worth noting that the regulatory impact analysis concluded that public services would deteriorate if the sharing of data was to cease. In other words, the analysis carried out as part of the pre-legislative scrutiny process highlighted the efficiency and importance of data sharing and noted that if data sharing between public bodies was to cease, the impact on the provision of public services would be detrimental. It also recognised that the primary policy issue facing the Government in the passage of the legislation was that an overly restrictive interpretation of data protection laws could preclude or discourage some public bodies from sharing data, which could, in turn, lead to the inefficiencies in the system I mentioned and, in effect, impact detrimentally on the provision of public services. While this is justifiable, data protection is a right that cannot be traded or diluted. That is the reason we need the safeguards provided for in the Bill.
As I said, the information portal is critical and welcome, but I would like to hear from the Minister of State if provision is made in the Bill for a mechanism by which citizens can have false information held by and shared between public bodies corrected. Sinn Féin will support the Bill, but we would like to schedule a meeting with the Minister of State's officials to discuss amendments we would like to see made but which may not be necessary. To ensure we will not take up time unnecessarily on Committee Stage, we would like to discuss the amendments with the officials. We will be in touch with them to schedule a meeting, I hope next week, but it is dependent on the deadline for the tabling of amendments to the Bill. Sinn Féin will work with the Minister of State to ensure adequate scrutiny and the passage of the legislation as quickly as possible.
It should be noted that we have just come through a presidential election in which one candidate made wild and wrong allegations about, for instance, the Traveller community as a whole. It says something about data in Ireland that many people believed much of the negative trolling on social media and the different stories that had currency. It was a terrible period for people from the Traveller community because of the way in which they were maligned. This ought to be revisited and an accurate reflection given of Travellers' relationship with the State for good and for bad because it was very unfair to so many from that community who work very hard, do their best for their children and are very good, law-abiding citizens of the State.
In my years in the Department of Social Protection, I was very conscious as Minister of the fact that the Department held a vast amount of data on a substantial percentage of the population. As Minister, I made a decision after ten years or more of a project to consider whether to move to a modern personal services card, which has been subject to legislation and protection in terms of people's data. In a way this brings out the key issue in this legislation. We want to be able to use modern IT in the most efficient way possible for the sharing and use of information in a beneficial way. This is very important. It is now so easy for retired people, for instance, to get on a bus or a train if they have their personal services card, to get a private service whereby they can just go quietly, get their train ticket or get on the bus and travel and carry that out without anyone else who is using the transport being aware in any way of what their status might be. That is as it should be.
When I came into the Department in 2011, however, I remember being horrified by the briefing I received on a number of cases dating back quite a number of years in which data had been accessed and which were over the years, rightly, the subject of a number of court cases. Whether out of curiosity, because of personal relationships or for other reasons, certain people in the employ of the Department saw fit to access individuals' data, but it is wrong of any public servant to do so. The IT was tightened up considerably in my time such that if one accesses a file, one leaves a trace on the file. The same probably applies nowadays to the Garda. Therefore, if something gets out about an individual that is a breach of his or her data, that can be tracked and traced. It is very important that the Minister of State gives us an assurance that this has been done.
I have a proposal to make in this respect. I notice there is to be a data governance board within the framework of the Bill. My understanding is that this may be within the Department of Public Expenditure and Reform. Is it correct that that will be the home Department?
I urge caution. When I was in the Department, I had a number of discussions with civil servants when I found out about these cases to see whether we could establish within the Department a data board consisting for the most part of people external to the Department in order that there could be a constant vigilance as to how protective the Department was. As we all know, there are a number of Departments that hold masses of data: the Department of Employment Affairs and Social Protection, as I have just instanced; the Department of Health, which holds very private data on individuals, families and the general population throughout most of their lives; and the Department of Education and Skills, which also holds a lot of information on people. The Minister's proposal that this governance board be a solo board in the rather rarefied atmosphere of the Department of Finance is not sufficient because when it comes to data protection, there is a factor of simple human curiosity whereby people mean no wrong but nonetheless feel they may be entitled to a peek. Members may remember the case of someone from Limerick winning an enormous prize in one of the lotteries and a departmental staff member who was found to have accessed information on the prizewinner. Whether he or she did, I do not know, because it was a very long time ago, but there is an instinct in people to be a little curious, particularly about people they know, but perhaps also about people in the public media.
My suggestion for the Minister of State's consideration is that the big data-holding Departments, if not every Department, should have a governance board which looks at how the Department handles its data but also underlines to public servants that protecting the privacy of the data is a key objective of each Department. Just passing this over vaguely to some worthy board in the Department of Finance, in my view, as a Minister with a lot of experience in this area, is not sufficient. The Minister of State may say to me that the Secretaries General of the Departments of Health, Finance, Education and Skills and so on will all be on this board. Perhaps they will be, but they are rather busy people and the Government needs to think about the kind of people it wants on the board. I suggest to the Minister of State that the Government needs some very bright, younger IT people - men and women - who will have a knowledge of and a feel for what is likely to be of interest to people who want to snoop. As the Minister of State may be aware, in the Department of Social Protection there were a small but significant number of prosecutions in the courts. The courts arrived in some cases at convictions and passed sentence. It is very important we have a very strict approach.
Another thing I want to ask the Minister of State about is referred to in the background of the Bill. Just as there are Departments that have access to a lot of data about all of us at different times of, or during all of our lives, there are also Departments which hold data about people which they do not allow them to have. This Bill should be an opportunity for the Government to provide a principle that citizens, people who are resident in Ireland, have a right to their own data. We have done this for a long number of decades in colleges and universities and in respect of examination scripts, whether at college or secondary school level. It has been a good system and, it is to be hoped, in the not-too-distant future will be made a better system. I refer in this regard to the Adoption (Information and Tracing) Bill.
Unlike other common law countries which have the same legal framework and provide these data access rights for their citizens, citizens here have no such rights. Citizens in Scotland have had these rights for more than 40 years. Citizens in the rest of the United Kingdom have had them for more than 50 years. Citizens in British Columbia and the rest of Canada have had them for about the same period. Citizens in Australia and New Zealand also have the same rights. The Minister needs to be challenged on why the 50,000 or so people in this country who have been adopted have no legal right to information on their adoption.
Worst of all, the body responsible for handling these data is Tusla. We know from the recent report by Mr. Justice Charleton that it is not a perfect organisation. Some very strange stuff was going on with data in it from the information that was before a recent tribunal. It was interesting that a party to the tribunal, Sergeant Maurice McCabe, might not have had any legal right to get his files from Tusla. He had to engage the services of his legal team to do so. We need to look around a few corners and challenge ourselves a little more on how we protect citizens.
To the Minister of State and his officials I say some thought should be given to this issue. From the time of the Adoption Acts in the early 1950s up to when adoption had pretty much died out in the 1980s, other than inter-family adoptions and the adoption of babies overseas, there were about 50,000 adoptions. In the period from the foundation of the State, there were probably about another 50,000 informal adoptions and long-term fosterings. None of the people involved or their descendants has any legal right to his or her data. People adopt all sorts of mechanism to find their data and, in many cases, do find them. As someone who has been through the process, it is all very hush-hush, but guess what? A social worker is also necessary to access data. Can the House believe that?
I will refer to my own case. By the time I had managed to get in contact with the adoption agency that had arranged my adoption, I had been elected to the Dáil, was a fellow of the Institute of Chartered Accountants, had lectured in Ireland and Africa and held down jobs. To access my data or even talk about it, however, I had to be assigned a social worker. I am told that is the policy Tusla is also adopting. Can the Minister of State get the Department to change that silly process? I refer to how it approaches the oversight of the release of data to the people who own them. All of us in this Chamber know that there are many children who need a social worker. By and large, unless they ask for a social worker where they believe they need one, people do not need a social worker in accessing their data. Nobody ever suggests a person who goes to the Department of Employment Affairs and Social Protection to obtain information on his or her pension or other entitlements, should he or she become unemployed, needs a social worker. A person might be very traumatised by the information, but he or she is simply given his or her information and, as far as possible, an explanation for it. In a European context, the Bill is necessary and appropriate, but I am not sure the issue of data protection in Ireland is treated with as much respect as it ought to be. By the way, the penalties should be very severe for civil servants who abuse data protection by taking data to which they are not entitled and examining it. We must show all citizens the highest level of respect in dealing with their personal data.
The Bill contains some welcome provisions which have the potential to improve efficiency in the public sector, interactions between staff and the public and also reduce costs. The proposed personal data access portal, the establishment of a data governance board and new data sharing agreement requirements, particular the necessity for all public bodies to hold a public consultation process before entering into a data sharing agreement, are all positive. However, some problems still need to be addressed in the Bill. Many of them relate to how the Bill, particularly section 7, will interact with the Social Welfare Consolidation Act 2005.
The Bill attempts to establish a legal basis for the large-scale data sharing that is already happening via the public services card registration process. Most people will welcome the convenience the once-only principle in the Bill promotes. I refer to the idea that a person will only have to give his or her data or information to a public body once. He or she will not have to provide his or her data repeatedly should he or she need to interact with other public bodies. However, it is also true that many people will want more control over their data and will not want them reused for an additional purpose other than the one specified when they were initially collected.
We cannot continue to coerce people to consent to the sharing of their data. That is what we have been doing illegally for a few years. The Bill fails to address the problem of forced consent. According to the general data protection regulation, GDPR, "consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment". Withholding a pension payment from an elderly woman for 18 months because she had refused to register for a public services card is clearly coerced consent and a form of State coercion.
It is important to acknowledge the work done in the Seanad by Senator Alice-Mary Higgins in amending the Bill into shape. It is also important to acknowledge that the Minister of State, Deputy O'Donovan, and his Department seem to have genuinely engaged with the Senator and accepted many of her amendments or else, based on conversations with her, came back with Government amendments to improve the Bill. That is to be commended. However, during the debate in the Seanad the Minister of State stated that when people presented to the Department of Employment Affairs and Social Protection to apply for a social welfare payment, "it could be inferred that there is a consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State." That can be a worrying statement. People apply for social welfare support because they are vulnerable and need help. It would be strange for the Minister of State to extrapolate from this that these vulnerable people are at the same time also automatically consenting to such widespread sharing of their data. There are approximately 150 public bodies with which data are being shared via the single customer view database. It is important to understand the fundamental fact that, according to Article 4 of the GDPR, consent must be freely given and cannot be coerced. Recital 42 of the GDPR gives us further guidance on how we should interpret this definition of consent. Consent must be informed, which means that the data subject must be made aware of the purpose of processing. Informed consent cannot be obtained if there is no clearly defined purpose for the processing of a person's data. The data subject needs to know why his or her data are being collected and processed.
The lack of a defined purpose for such large-scale data processing is addressed to some extent in Part 4 of the Bill and the requirements in respect of data sharing agreements. The once-only principle which forms the basis of the Bill completely undermines any meaningful notion of consent. The Minister for Employment Affairs and Social Protection, Deputy Regina Doherty, has being blurring, consciously or unconsciously, the true purpose of this data processing. She has repeatedly tried to suggest in this Chamber that the SAFE2 process is simply a matter of verification and that the public services card is merely a token having completed the verification process. In February this year the head of client identity services in the Department of Employment Affairs and Social Protection told the Oireachtas Joint Committee on Employment Affairs and Social Protection that "the SAFE public services card programme is simply about verifying the identity of people engaging with public services. It is no more or less than that." It is, of course, completely acceptable and very welcome that the Department should verify an applicant's identity to minimise fraud and make sure the payment is going to the right person. We have no problem with this and no one is questioning it. However, the claim that the SAFE2 process and the public services card a person receives having successfully completed it are just about verification and no more or less than that is disingenuous.
The Minister and her Department are attempting to divorce the SAFE2 registration process and the public services card from what is a data sharing project of enormous proportions, the single customer view database and the sharing of the public services identity data set.
The Bill interacts in a very significant way with the Social Welfare Consolidation Act 2005, of which section 247C states the Minister may require any person receiving a benefit to satisfy the Minister as to his or her identity. Of course, this is a completely reasonable requirement. Section 247C(3) of the Act specifies the manner in which the Minister may be satisfied and essentially describes the SAFE2 verification process for registering a person's identity. The Minister has repeatedly stated this is a similar approach to that taken by the Passport Office in its systems when processing passport applications and renewals. Why not just accept a passport as proof of identity when a person applies for a social welfare benefit? Why does someone now need a public services card to obtain a passport? It is because the aim of the public services card and the SAFE2 process is not just verification, it is also to coerce consent to data sharing and enable the creation of a serious database of citizens' data. However, section 247C(3) of the Social Welfare Consolidation Act 2005 does not state the purpose of going through the verification process is to have data entered into a national database or that data will be shared with 150 other public bodies.
Section 247C(1) makes it clear that the purpose of the verification process described is "to satisfy the Minister as to his or her identity". Once a person's identity has been verified and the Minister is satisfied as to his or her identity, there is absolutely no legal basis for any further processing of the person's data, unless consent has been obtained from him or her. I am not saying data sharing is inherently wrong and I have no problem with necessary and proportionate sharing of data. As I have mentioned, there are positive developments in that regard in the Bill, but the Government must be honest and clear about what it is trying to achieve as otherwise it will continue to undermine trust in how the State handles personal data.
The Bill needs to give people a mechanism to opt out of the once-only principle and indicate a preference to give each of the specified bodies the data separately. In the Seanad the Minister of State indicated that the right to object under the GDPR would serve this purpose instead, but the right to object process is far more arduous for the individual and, more importantly, that process would not solve the problem of coerced consent, as a person would not be able to access public or welfare services without first consenting to the large-scale reuse of his or her data. The Minister of State told the Seanad that he would reflect further on the opt-out option in advance of the Bill being brought to the Dáil and I hope the Bill will see some changes in that regard.
I am glad that the Minister, in conjunction with Senator Alice-Mary Higgins, has amended the Bill to resolve the contradiction between sections 6 and 12 of the Bill, as initiated. The internal contradiction in the Bill derived from the fact that while section 12 specifically excluded the sharing of special categories of personal data, as defined by the GDPR, section 6 permitted the sharing of a person's public services identity. The problem was that a person's public services identity contained biometric data which the GDPR defined as a special category of personal data. I am thankful that the Bill has been amended to remove this contradiction. Strangely, however, the Ministers seem to deny that photos or facial images collected as part of the SAFE2 process are biometric in nature. At an Oireachtas joint committee meeting in September the Minister said her Department did not view photos as biometric data. She said the definitions were different and that the Department's definition of biometric data did not include a photograph. Unfortunately, the definition of the Ministers and their Department of "biometric" is completely irrelevant; what matters is the definition in the GDPR and European Union case law, both of which make it very clear that facial images or photographs are biometric in nature. The Irish Data Protection Commission also issued an information notice on biometrics which included, for example, raw images consisting of recognisable data such as an image of a face or fingerprint.
I recently accessed a bundle of emails via the freedom of information process between the Secretary General of the Department of Employment Affairs and Social Protection and the Department's data protection officer covering the period from early July this year which covered biometric processing. Some of the statements made in the emails by the Secretary General reveal a strange and jumbled logic, as well as a complete failure to grasp the basis of the definition of "processing" in the GDPR. The content of the emails was used to brief the Minister for a response to a parliamentary question on 12 July, in which she stated the Department was also clear that it did not collect or share biometric data but that it created such data for its own use in accordance with the law. In an email on 9 July the Secretary General indicated that the Department did not collect data or share biometric data but that it did process them and had been clear that it did so. The Secretary General has admitted to processing biometric data and says there is nothing to hide, but the Secretary General and Minister seem to think the processing in which the Department engages is a second order of processing. That is a failure to understand the definition of "processing" in Article 4 of the GDPR which includes basic operations such as storage, use, retrieval and consultation. It is clear that the Department is processing biometric data and, therefore, special categories of personal data. This is not necessarily bad, but there are separate rules for processing special categories of data. The Department cannot adhere to these rules if it does not acknowledge that they apply to what it is doing.
In discussing this issue we must go back to the beginning and look at how we got to where we are with the Bill. It is the case that a number of years ago the Government decided that it wanted to introduce a national identity card. We are not really sure why. The war on terror was in vogue and there was a general desire to engage in mass surveillance which was always in the background. It may also have been about being able to make a quick buck. In any case, it was not clear, but there was such a desire. The concept was beaten back in the United Kingdom and the Government realised it was a deeply creepy concept to which many people objected. A national identity card would not come about in that way and even the Tories found it reprehensible. Instead of being up-front and calling it a national identity card when introducing it to the population, we had a back-door version. It was introduced via the most vulnerable in society and called a public services card. A new policy was introduced - if somebody wanted to receive social protection payments, he or she had to obtain a public services card. If that did not happen, the person's income would be cut.
Although it is shocking and outrageous, it is interesting that the media largely ignored the matter. At the time, Fine Gael and the Labour Party, including the former Minister for Social Protection, pushed the lie that social welfare fraud was a major problem and that the cards would have solved it. Nobody even noticed it until a pensioner's payment was cut when she refused to obtain a public services card. At that stage the media started to take notice, although tens of thousands of cards had already been issued. We know that the Data Protection Commission launched an investigation which has been ongoing for over a year, which is unbelievable when we consider there is not much to investigate. In the meantime, the card was made mandatory to receive a range of essential services, despite the fact that there was no legal basis for it. Each time it was made mandatory for a new service, the policy was reversed. This debacle has been ongoing in the background.
Last September a draft of the Data Protection Commission's investigation report was leaked. Essentially, it indicates that there might have been a legal basis in the Social Welfare Consolidation Act 2005 for the card to be used for social welfare services but that there is no legal basis for forcing people to obtain one to access anything outside the Department of Social Protection. It is probably not that surprising that just a few short weeks later we are debating a Bill intended to provide such a legal basis for the public services card to be used across a bunch of Departments. A cynical person might think the Data Protection Commission's investigation was deliberately delayed to give the Government time to get the Bill into the House and here we are. A sum of €20 million has been spent so far and the Government has really been prepared to flout the law.
Like Deputy Wallace, I acknowledge some of the improvements made to the Bill in the Seanad, largely as a result of the work of Senator Alice-Mary Higgins who has done very good work. Nonetheless, there are still serious issues with the Bill.
Debate adjourned.