JOINT COMMITTEE ON JUSTICE, EQUALITY, DEFENCE AND WOMEN’S RIGHTS debate -
Thursday, 23 Jan 2003

I extend a warm welcome to our guests. The select committee will be processing Committee Stage of the Data Protection (Amendment) Bill 2001 and, in advance of that, the joint committee decided to hold a meeting with the Data Protection Commissioner. In addition, the joint committee decided to request a technical briefing from officials in the Department of Justice, Equality and Law Reform dealing with the Bill. I am delighted to welcome Mr. Joe Meade, the Data Protection Commissioner, and I ask him to introduce his colleagues.

I also welcome the Department's officials who are here to provide a technical briefing following the discussion with the Data Protection Commissioner. Members were circulated with the text of a presentation document forwarded by Mr. Meade. Unfortunately, due to technical circumstances, it is not possible for us to have a PowerPoint presentation of the document today, which will make the task more difficult for Mr. Meade.

Before Mr. Meade commences I wish to remind him that members of the committee have absolute privilege but the same privilege does not apply to him or other witnesses. Members are reminded of the long-standing parliamentary practice that they should not comment, criticise or make charges against a person outside the House or an official by name or in such a way as to make him or her identifiable.

I am pleased to be able to give a general outline on the main tenets of data protection legislation. It would have been nice to do this presentation on PowerPoint but Leinster House, despite its modernisation, could not facilitate it.

The right to privacy is a fundamental human right, as outlined in our Constitution and in various international agreements and conventions. What is data protection? It is the protection of personal privacy against the threat of computer power by regulating computer use, by giving people new rights and, when the new Bill is enacted, by extending it to manual files. The key principle is that living people should be able to control how personal information about them is used or, at least, to know how that information is used by others. For the information society to succeed it is vital that good data protection practices are in place. It is not, therefore, freedom of information but, in regard to access rights in the public service sector, it can sometimes be confused with it.

Data protection law applies to all areas. The Data Protection Act 1988 implemented a 1981 Council of Europe convention on data protection which gave rights to individuals and imposed obligations on organisations, public and private, who collect and process personal data about individuals. It is a balancing Act in every sense of the word but it is highly complex and nuanced legislation.

What are the individual's rights? The individual has a right to fairness when giving information, that is, to know who is the company that is collecting it, what it is collecting it for and how it will use the information. A person has a right to get a copy of the personal information that is held on him or her by any organisation. That is known as the right of access. One has a right to correct information if it is wrong and a right to opt out of receiving direct marketing. Finally, if one is unhappy with a company, one has a right to complain to me as Data Protection Commissioner.

There are restricted rights of access: where it would impair the investigation of crime or the collection of tax, but that is subject to a case by case prejudice test; for international relations of the State; and for legal professional privilege. Also, if one's doctor or social worker felt that the release of personal information they have on the person could be injurious to the person's health, they will not release it.

What are the obligations imposed on an organisation that collects data? We call them the eight data protection rules. The first is that the information is obtained in a fair manner, with mutual consent and in an open and transparent way. The second is that it is for a specified, lawful and clearly stated purpose. Third, there can be no disclosure of data unless it is compatible with the purpose for which it was collected. If a charity collects data about a person, for example, it should not later disclose that information to a bank so it can direct market the person. The data should be safe and secure. It should also be accurate and up to date. What use is data if it is inaccurate? It should be adequate, relevant and not excessive. In that regard, I have stopped motor insurance companies asking applicants for motor insurance whether they are married, single, divorced or separated. I did not see it as relevant; I considered it excessive. The data should only be kept for as long as is necessary. If a person makes an application for a job, for instance, and does not get it, there is no need to hold onto that data. Similarly, if one makes a credit card booking at a cinema, the cinema should not retain that information once the booking has been paid. Finally, one must comply with an access request.

Data should not be disclosed unless for a specified purpose but there are exceptions to that requirement in order to balance other interests of society. They apply in the investigation of a crime, the collection of taxes, the security of the State and if there is a danger to life and limb. If a person arrives in the casualty department of a hospital some night, for example, and is not too strong as a result of alcohol consumption, the staff clearly have to get access to the person's data. However, there is no general public interest test.

I will now comment on what is contained in the Data Protection (Amendment) Bill 2002. The committee will be given a far more detailed technical briefing so I will be brief. The Bill transposes a 1995 EU directive into Irish law. It is worthwhile to reflect on the reason for this EU directive. The EU has common value systems based on democracy, human rights and fundamental freedoms. IT and the information society is important in the EU from an economic, social and free flow of trade viewpoint. However, personal privacy is also fundamental to a democratic society. The directive aims to achieve, as far as possible, a uniform system of data protection throughout the EU. Some parts of the EU directive have been in force in Ireland since April 2002, those dealing with security and the transfer of data outside the EU. The Bill will amend and enhance some other parts of the 1988 Act to improve its operation. However, the basic principles will remain the same.

I will summarise the content of the new Bill. It contains some new rules. Manual data will now be covered. Publicly available data, such as the register of electors, can only be used for its intended purpose but not as an easy way to direct market people with junk mail. The Bill provides for new responsibilities. The fairness and transparency requirements will be more demanding. Consent is clarified and explicit consent will be needed where sensitive data is acquired. There are new powers for the Data Protection Commissioner. I can conduct privacy orders rather than waiting for complaints as I want to be proactive in that area. I can devise codes of practice and prior checking can also be undertaken.

There are improved rights which include the right to be informed of the right of access, a right to be informed, to object and to block and not to be subject to automated decision making, as there must be some level of human input in the process. With regard to the improved rights of access, they will apply to manual files from the outset. As well as getting details of what data is held on the person, he or she will be told the purpose for which the data was processed, the persons to whom it was disclosed, the source of the data subject to certain confidentiality safeguards and, where automated decisions have been taken, the logic involved therein.

My role as Data Protection Commissioner is to uphold the rights of individuals and enforce the obligations of data controllers. I investigate and decide on complaints. I have powers of entry, seizure and examination. I maintain a public register because certain organisations must register with my office, including some Deputies and public representatives if they process sensitive data. It is a criminal offence to disobey any of my orders and any of my orders or decisions can be appealed to the Circuit Court. A person also has the right to damages in the normal judicial process. I also have European functions. I and my fellow EU Data Protection Commissioners meet to co-operate and give policy advice and I am a member of the joint supervisory boards on Europol, Schengen, Eurojust, the customs information system and EURODAC to ensure that personal rights are respected in these police bodies. Finally, I give advice and guidance to the public and I liaise with the Government, Departments and the Oireachtas.

There are a few other areas of data protection which should be brought to the committee's attention. There is great potential for employee monitoring in the workplace by e-mail, the web, CCTV or telephone. However, a balance is required between the legitimate interests of employers and the personal privacy rights of employees. What is needed is transparency. There should be an acceptable uses policy which should not be restrictive but focus on prevention and education. A code of practice is needed in that area and I hope to address that in the coming year.

The telephone, e-mail and Internet are covered by an EU directive which was transposed in May 2002. It deals with specific telephone data protection issues, such as the option of blocking caller ID. Direct marketing calls to people must respect the national opt out register if a person has stated that he or she does not want to receive such calls. Automated recorded phone calls and SMS messages need specific prior consent before they can be made and the retention of the call details should only be kept for billing purposes and for a limited period. Use of the Internet is growing apace and developments are occurring each day. A new EU directive 2002/58 will be transposed by next October. That will apply to telephone, e-mail, the web and Internet messages. One must opt in or agree to receive spamming. I am sure all members will do that. Transparency will be needed as regards website cookies and what they will and will not do. Mobile telephone location data cannot be used for marketing purposes without consent.

As regards the retention of traffic data, member states must balance security against privacy issues. That raises the issue of the post 11 September situation and anti-crime measures. We all accept that information is essential in the fight against international crime. The Internet, telephones and personal computers are a potential source of valuable information. Any measures introduced should be proportionate and take account of the privacy rights of individuals as well as the preventative measures they try to impose.

As I said at the beginning, it is not freedom of information. Data protection is a human right, whereas freedom of information is a citizen's right. Data protection applies to all sectors, whereas freedom of information applies to the public sector. Data protection focuses on privacy, whereas freedom of information focuses on openness. These are lofty ideas, but what does the public expect? It expects confidence and trust which are essential for e-commerce and e-government. Data protection creates an environment of trust and respect for the individual and it mustbe a key enabler of e-commerce and e-government.

That is borne out by a privacy survey which was carried out by a market research company before Christmas. It indicated that after crime prevention, personal privacy is rated next in terms of importance. Crime prevention was rated by 84% as very important, while personal privacy was rated by 81% as very important. It is rated before consumer protection, workplace equality and ethics in public office. Personal privacy is important. The survey also revealed that 95% of people are concerned about their financial records compared to 93% of people who are concerned about their health records. Some 76% of respondents felt that excessive demands were being made by business. On the other hand, 54% trust business to deal adequately with their personal data compared to 52% for State agencies. However, 26% of respondents did not trust anyone, either public or private. Furthermore, 56% are afraid that their privacy will be endangered when they go on the Internet, an increase from 37% in 1997 when a similar survey was done. That not only indicates more usage of the Internet, but also that people are becoming more aware of it. Direct marketing by telephone is opposed by 60% of respondents to the survey.

What should our response be to these findings which were published in the newspapers last week and are on our website? The Government, the business community and my office have a role to play in allaying people's fears. Data protection law provides the assurance which the public demands. I will redouble my enforcement efforts in the coming year to ensure people's legal rights in this area are upheld and to try to ease their fears. For example, I will launch privacy orders and exercise the other range of new powers open to me when the Data Protection (Amendment) Bill is passed, which I hope will be soon. I have been provided with extra resources for my new task for which I am grateful to the Minister for Justice, Equality and Law Reform, Deputy McDowell, and his officials. I also urge the business community and the Government to build privacy proofing initiatives into the way they interact with the public. Information, transparency and consent are the touchstones of good practice in both the public and private sectors and in any walk of life. The success of e-business and e-government will ultimately depend on public credibility.

Data protection is not a barrier to any organisation once personal data is collected in an open, transparent and fair manner. It is essential if the information society is to be a success. If members want more information, they can log on to my website, www.dataprivacy.ie, or contact me by e-mail, info@dataprotection.ie. I welcome any questions members may wish to ask.

I welcome Mr. Meade and his colleagues to our committee. I thank them for their lively and interesting presentation on what seems to be a dull topic. I am interested in a number of things which were said.

The register of electors is the Bible for politicians. We look at it regularly, particularly if someone, whom we recognise but whose name we cannot remember, comes to see us. I expect that is a legitimate use of the register of electors. Perhaps I am breaking the law and I will be put in jail. If I want to send a mailshot to a particular street, I hope the register of electors can be used as the database. Until recently, it was possible to purchase labels of the register of electors from the local authority if one wanted to do a mailshot at election time. One then only needed to put the labels on the envelopes and send them to a group of people. At least one local authority put the labels on and mailed the Litir um Toghcháin if they were delivered to them. It charged for that service. Is that within the law and will it continue to be within the new data protection law? To what extent can the register of electors be used by anyone? If I am in business and I want to get a database of people to whom I can write, can I use the register of electors? Where does the telephone book fit into the new law? It provides a lot of data, although it is not as geographically specific as the register of electors. The Golden Pages is useful for politicians who want to find all the solicitors in their constituencies. I presume those directories can be put on our databases and used for mailshots.

Mr. Meade stated that insurance companies cannot ask a person if he or she is married, single or separated. However, he said there may be exceptions in relation to taxation. I recently reviewed an insurance policy I held and I agreed with the agent to upgrade it. I was given a lot of documentation and when I started to fill it out, I wondered why the company was asking certain questions. Two separate documents were produced which required additional information and each one had to be signed according to Central Bank regulations. I protested that they had nothing to do with the policy I wanted to upgrade. The company wanted to know what type of pension scheme I was in, what type of life cover and standing orders I had and if I had shares.

I decided not to fill out the forms and instead I photocopied them and sent them to the Central Bank. I asked it if I was required to provide such information and it sent me a vague letter which stated "generally, no", but that it was entitled to look for information about the product being sold. That is a thin line in regard to the information sought when taking out life insurance or assurance. Almost anything is related to that. To what use will it put that information? I would like to hear comments from Mr. Meade on it because I was surprised by the type of documents I was asked to sign and I was particularly disappointed that the Central Bank was not more definitive in saying whether the type of material with which I was presented was correct.

I refer to databases which appear in newspapers, including death notices. Some companies which market memorial cards and so on write to bereaved families mentioned in death notices which appear in the newspapers. Is that a legitimate use of information which has appeared in a newspaper? Does Mr. Meade have a view on that? What happens? Perhaps he will enlighten us.

Reference was made to telephone marketing. I am cheesed off because the other day I received a third telephone call from a hotel, which was not in Dublin, trying to sell a particular product and I was informed that if I purchased the product I would become a member of its exclusive club and receive attaching benefits. I received three calls each from different sellers. They wanted me to decide there and then on the telephone and would not send out the information. One wonders whether they are entitled to do that. Related to that issue are text messages. During the last election an enterprising candidate - I had better not say "he" or "she" - managed to secure many mobile telephone numbers and was able to send text messages to people on election day. Is that in order and controlled? That all relates to marketing surveys by Daz, for example. Much of that type of activity takes place. Where do they source telephone numbers?

Mr. Meade spoke about keeping information on telephone calls private. Is it not true that if one employs a private investigator to investigate something, they can get a print out of a telephone bill detailing calls made and received for as little as €100? They may also be able to get a print out of people on particular air flights. Is it not true that much of that information can be made available? Is it being acquired illegally? If it is, perhaps Mr. Meade would like to make a definitive statement to the committee on it.

I welcome Mr. Meade and his colleagues and thank them for a most interesting presentation. My colleague, Deputy Paul McGrath, also gave an interesting response. Mr. Meade mentioned the protection of the living. Any of us who read newspapers know that the protection does not extend to the graveyard. Has any consideration been given to protecting those who have died and their reputations? On many occasions we see appalling coverage in the media of people who are no longer in a position to defend their names or families. It must cause frustration to families who are not in a position to defend their loved ones who have passed away. I would like to hear Mr. Meade's comments on that.

I was interested to hear his comments on e-mail and access to the Internet. How protected are the sender and the recipient when using e-mail? I understand people who use a company's e-mail are obliged and answerable to the company but I would like clarification on usage in the privacy of the home. In recent days access to the Internet, child pornography and other areas which are controversial and call on people's integrity have been raised. What is the situation in that regard? The Garda has proven to be efficient in accessingthat type of information. How protected is the citizen?

As regards the granting of planning permission, at times banks and other commercial institutions have availed of such information being made freely available to contact people who may wish to access mortgages and I wonder if that is above board. I am not sure if this issue comes under your remit as commissioner but, as a member of a local authority, I find it quite strange that assessments done by road engineers, for example, who give assessments on site lines and visibility at a particular site, or by other engineers, such as environmental engineers, who assess the suitability of sites for percolation, etc., are not freely available to the applicant or their local representative until after the application has been approved or disapproved. I have had experience of this. An engineer may relay his assessment to me on a road or a site for percolation purposes but cannot give me written data until after the application has been approved or otherwise by the manager. Is that within the law? I find that quite strange but was told I was not legally entitled to that information until after the approval or disapproval was given.

Surveillance cameras are a concern to people, although they have proven themselves to be worthwhile in the area of security and to prove a person's address if they say they live elsewhere. They have also been used to great effect in buildings and schools but yet people claim they are an invasion of privacy. I would like to hear the commissioner's response to those issues.

I thank Mr. Meade for his presentation which was informative and interesting in many ways. I have learned a lot from it. I refer to the survey which shows that 95% of the public is interested in matters relating to their financial records. An individual will have a relationship with the financial institution with which they deal. There seems to be a history among financial institutions of sharing information in relation to credit worthiness and so on. How does this legislation impinge in that area? What is Mr. Meades relationship with the financial institutions?

In the past week I was visited by a person who told me he was astounded that he had been refused a car loan by a financial institution. When he did a little research he found the refusal was based on records which had been kept over a number of years. Five or six years earlier he had what I would regard as a fairly minor difficulty with another lending agency. The information was shared and the difficulty five or six years earlier was used as the basis to refuse him a loan on this occasion. Does the commissioner have a view on that?

As regards education and schools, this morning when dealing with a particularly problematic case, I was made aware of the amount of information a school has and compiles on students over a number of years, particularly students who are challenging and have difficulties. That information relates to the student but may also contain information on the family and other circumstances. Does the legislation address that and to what extent is it appropriate to reuse it over a period of time? Who should or could have access to it? For example, if a child gets into difficulties in a school and seeks a transfer to another school or schools it is certain that the information at source will be made available to the other schools. As public representatives we would be aware of this aspect.

Although I am a Member of the Dáil for only six months or so, I am aware of the growing number of files in my constituency office. They contain considerable detail on constituents. What are our responsibilities here and in what way will the legislation impinge on this?

Not only financial institutions but many other companies contact those involved in the planning process. They appear to be in a position to buy planning lists from local authorities. It means that if an application is made to extend or build a house, the applicant can expect an avalanche of post from various parties, including offers to provide roofing or decoration services. How will the legislation cover this aspect?

I welcome the delegation. This area of e-government has been rightly identified as being difficult in terms of reassuring the public about the retention of data. Authentication is integral to the delivery of e-government services, regardless of the model used, whether it be fingerprinting or IRS scanning. In addition to Mr. Meades watchdog role in assisting the delivery of e-services, is there a role for his office in terms of reassuring the public?

Opting in for products and services often means being exposed to information that is of no relevance. While this may have been acceptable in terms of printed information sent through the post, the potential for spamming in relation to e-services, for example in text messaging, may be very unwelcome. While text messaging is a direct method of marketing, it could be considered very intrusive. Perhaps members of the delegation will clarify this aspect.

I welcome the delegation and apologise for my late attendance. Banking institutions regularly write to under age people offering them credit card facilities and many parents are very concerned that their children could follow up on these offers. Is there a way to address this?

While CCTV can be an invasion of privacy it can also monitor where anti-social behaviour occurs, although it cannot be used in evidence in court cases. Does Mr. Meade have an input on this aspect because it could be a useful means of identifying those who commit crimes?

While accepting that the electoral register is a public document, are there any rules excluding its use for the purpose of transmitting data? For example, it would be undesirable if it could be used to source young people as a means of getting information to them. On occasion people have complained to me that their doctor was unwilling to part with their medical records. Individuals should have the right to access any personal information. Perhaps Mr. Meade would comment on this.

What can be done to limit the dissemination of information on the Internet to young people, particularly in the area of pornography? Parents have huge difficulties in monitoring what is received over the Internet. There should be a way of blocking much of this information. I look forward to Mr. Meades comments on this.

On the question of credit card details if, for example, I was to visit the UCI in Tallaght I would like to be able to telephone a booking without having to disclose my card number. Is there a way a password could be used instead? I use the Superquinn grocery shopping Internet service. When it is provided with a password it can access the credit card details, which is very useful. In this regard I do not agree with the suggestion that credit card details should be destroyed because there is a benefit in retaining them.

When you referred to the powers of entry, seizure and examination I was alarmed to think of Revenue and Customs officials. How long have you had these powers and how often have you used them? The result of the survey appears to back up the Office of the Data Protection Commissioner and justify to a great extent all that is being done. Who carried out this survey? Was it unbiased? For what purpose was it carried out originally?

I am really worried about freedom of information. In the beef tribunal report, Mr. Justice Hamilton stated that if there had been more questions answered in the Dáil the tribunal would not have been needed at all. If there was more information made public upfront, there would not be as many questions and the need for all these tribunals would not be so great. I am not as much in favour of personal privilege as are other people.

Those are my questions. There is also Deputy McGrath's question about the voters' register. I ask Mr. Meade to do his best to answer all of those questions. I am sure he will be able to take some of them together.

The committee has raised good and interesting questions. It emphasises that the committee values data protection and privacy as an important matter which raises certain concerns.

The last thing I want to do is put any Deputy in jail. That is not my purpose. I accept and recognise that the political process in a democratic society, particularly for public representatives, is very valuable and information is a great resource. The electoral register is in place so that people can vote and Deputies and councillors can use that in the course of their normal political activity. There is no difficulty with a Deputy direct mailing constituents and using the electoral register for constituency purposes. I understand there will be an amendment regarding direct mailing by politicians for their electoral purposes to ensure it will not be outlawed by the Data Protection Act. It was never outlawed, but this will ensure that it will not be. As regards the electoral register being used for other purposes, the committee will recall that in September 2001 the Electoral (Amendment) Act was passed. There are now two registers: an A register for electoral purposes and a B register where people have opted to state that they do not mind receiving commercial marketing or whatever.

What I wanted to redress was the situation where the electoral register was being used as an easy source by direct marketers to send junk mail to people on everything from the sun, moon and stars. When it is passed the legislation will contain a provision that if any publicly available database is to be used for direct marketing purposes, a person will be given the option to state that he or she does not want to be included because it is so easy to get annoyed. There has been fierce annoyance about this matter.

Deputy McGrath raised the question of a super database and being able to tie the telephone to the electoral register. In last year's report I outlawed that. It is called tele-appending, where, in effect, marketing companies were getting Eircom to run up a list of names and telephone numbers in all the areas in alphabetical order. That would have created a super database. It was not the purpose for which people put their name in the telephone directory and people were getting very annoyed at getting calls at home. As the survey has indicated, 60% of the people were very concerned about telephone marketing.

I have no difficulty with electioneering as long as it respects the normal data protection rules, particularly as regards telephoning people. Many people's details are not contained in the telephone directory. People did not give their names to have them put into alphabetical order or for it to be made easy, or indeed to have it as a reverse search. The new EU data protection directive on telecommunications has specifically outlawed reverse searching where a person keys in a name and up pops a number because all over Europe this was being used by marketing and it was annoying.

As I said at the outset, data protection only applies to the living; it does not apply to dead people. Policy arguments have been made and this has been raised in the Dáil. It is ultimately a matter for the Department of Justice, Equality and Law Reform and for Dáil Éireann. On the other hand, the Freedom of Information Act does apply to getting details on deceased people. Generally data protection legislation throughout Europe only applies to living people.

I want to refer to three or four general matters on financial institutions. On credit referencing, I issued guidelines two years ago as to what a credit referencing company can and cannot ask for, but one of the conditions of applying for a loan is that one gives permission for a credit check. There is a central database, which is maintained by the Irish Credit Bureau, containing details of people's loans and their progress in repaying them or not, and a check will be done on it. Those records are kept for six years. A bank will conduct a credit check and that will be one of the considerations it will take into account in deciding whether or not to sanction a loan.

I have expressed concern in the past to the banks that this detail was in very small print, was very difficult to read, and people were not aware of it. I have asked for that to be clarified and made much clearer. Therefore the new legislation about transparency and informed consent will also come into play and people will be told exactly what is happening. However, it is normal to conduct a credit check. That is the position.

As regards what is happening with biometrics, palm-reading, iris recognition, etc., this is a topic which will arise in the future and which will have major implications, both for data protection and for society in general. Next Monday I am going to a meeting of the Article 29 committee of the EU Data Protection Commissioners and the European Commission where we are considering a working paper on the safeguards which should be in place. Biometrics by their nature can be good, but we need to ask what abuses could arise for them. For instance, where are the central biometrics stored? Is it on a central database? What are the security procedures for it? Is it a palm reader? Is it an iris reader? Is it a voice recognition device or whatever? Who would have access to it? For what purposes would it be used? Would it be used for surveillance, recognition or identification? No doubt there will be strict guidelines laid down on that at a European level because it is a major issue.

Mention was made of opt in and opt out clauses. The Irish Direct Marketing Association has had long discussions with me over the past 12 months. Personally, were I not the Data Protection Commissioner I would favour opt in, but what the EU directive states is there should be informed or unambiguous consent. If it is made clear that one has an option and that one can exercise that option, that is fine. If one does not exercise it, then the companies take it that one has given consent and that is the position in law. However, as regards spamming and telecommunications marketing etc., the EU is insisting that it be opt in from next October because it is more intrusive. I would urge everybody to look at forms. It is so easy to ignore them.

Mention was also made of children being direct marketed by banks. I generally do not confirm or deny that I am investigating any claim but because the person who mentioned it was on radio and said he had complained to my office, I will say that this matter is being investigated. Until I have carried out all of the processes, I am not willing to talk about it. There were about 250 instances of it. From what we know at present, people filled in a form and they gave their age and details. In the marketing process, the age, when it was under 18, was put in as 18. It should not have happened. There was a breach in the security - at least, that is what it looks like, prima facie. The matter will be investigated and I doubt it will happen again.

The question of medical records was also raised. As I stated at the outset, if a medical doctor or a social worker feels that the release of personal medical information to you could do you injury or harm, then under the data protection regulations they are not obliged to release that information to you. One can see why that is necessary, particularly in psychiatric cases or in certain illnesses, where the professional judgment of the doctor is that it should not be released. If the person is not happy, he or she can complain to me and I will investigate that matter in full and see whether the doctor exercised his or her due professional coverage on it.

Credit card bookings were mentioned by the Chairman. It is fine if one has given consent to all that, if one is happy with the security procedures in place, if one is happy that the cinema in Tallaght and Superquinn security measures are okay. That is a good example of how data protection does not stand in the way of good customer-friendly practices. I was referring to where one gives one's credit card details to, for example, the cinema in Coolock or Tallaght, and although one might never phone them again, within four to six months one receives direct marketing from them or they retain one's details on their system. If they do not have a secure line and the security of their access provisions is inadequate, serious credit card abuse could occur.

As regards power of entry, that is provided for in the 1988 Act and I do not need a court order. The reason for it is quite simple. Any breach of a person's privacy and data protection is a serious matter. If I become aware or have concerns - I do not need to receive a complaint - that personal data could be or are being abused or misused in such a way as to endanger a person in terms of life or limb or whatever, I must have the power to enter unannounced and seize records for examination. I have gone on site on numerous occasions but have exercised the power four times in the past year when I did not receive co-operation. Even if I receive co-operation but believe I need to go on site, then I need the power to do so. As with Customs and Excise and the Garda Síochána, the Data Protection Commissioner has the power because of the seriousness of an invasion of a person's privacy.

Members should think about the data they have given to organisations, such as hospitals. What if that were abused? What if a situation were to occur, which legally occurs in the United States, where a doctor writes a prescription and he or she automatically gives the details to drug companies who market the patient directly because they know what medicines that patient takes? If that were to happen here, imagine the consequences it could have. Imagine what would happen if that information were released to unscrupulous sources. That is why I must have the power of entry. However, I use it only when I have to and as a bare necessity.

The survey was referred to. It was conducted by Millward Browne IMS Limited, a professional marketing company selected by public tender. For the past two and a half years that I have been in this job, and I am the third Data Protection Commissioner since the Act came into effect in 1989, I have wanted to establish several matters: the effectiveness of my role, how well known I am, what people's real concerns are and how concerned they are about certain areas. The questions were devised by the marketing company in consultation with my office and drew on some aspects of a similar survey carried out in 1977.

The purpose of the survey was to see whether matters had changed, worsened or whatever. The questions were loaded to an extent in that I wanted factual information. However, the survey was carried out in people's homes. As politicians, committee members know how opinion polls and surveys are conducted, so this survey was carried out to as rigorous if not a higher standard than those conducted at elections.

The full results of the survey will be published in my annual report. We only have the preliminary findings at present. The survey indicated that the awareness of my office is not as high as it should be. That did not surprise or disappoint me because, for the past two years, I have insisted on doing most of my dealings with the data controllers. If organisations are operating correctly and I get them on the right foot, people's privacy should be protected.

As regards tribunals, as a person who gave evidence to the beef tribunal, I fully agree that as much information as possible within the remit of legislation should be in the public domain. This is freedom of information to an extent. Personal data, which are of concern here, can be released under certain conditions if they are required by law for the investigation of crime and so on. As much information as possible should be made available to ensure tribunals are kept to a minimum.

Schools must keep a great deal of information relevant for the purposes of their administration and giving children an education. They only have to keep what is necessary and relevant. That can only be disclosed for the compatible purposes necessary to run schools. A person has a right to access information kept on him or her by a school, subject to a confidentiality test.

As regards children who are sent from one school to another, it is often a condition of an application to a school that it obtains details from a child's previous school. Parents would have been asked for that consent. What it comes down to is the purpose of the data, if they are necessary and if the purpose complies with the eight rules.

Detailed security arrangements have been in place since April 2002 which state that adequate security procedures must be in place that take account of the adequacy of the system in place, the degree of sensitivity of the data and the cost of the system, and to ensure that staff know about it. I do not know what sensitive information is on members' files. If a system is not secure and has inadequate security measures resulting in a breach, the system can be subject to the data protection rules from which can flow damages or, if the system is not corrected, closure. I would not want that to happen.

I will enter into discussions with the Committee on Procedure and Privileges on this. It is an important area and I do not want to impede the work of Members. It could be possible that, if a son were chosen to stand as a candidate and were elected, I could see reasons that responsibility would be transferred to him or to a daughter. I will discuss these detailed problems. I would like to know what they are so that we can come to a reasonable understanding. We must ensure that sensitive data are not left on the system once a Member has died.

Two other questions were raised to which I wish to refer. One related to the fact that a private investigator could easily access a person's phone bill details. That is not the case to my knowledge. Apart from data protection legislation, stringent laws are in operation regarding the confidentiality of communications and phones. I assure members that not even the Garda can access this information when investigating crimes concerning phones unless it relates to a specific case, a request for it is signed by a chief superintendent and the data controller is satisfied it is necessary to release it to the Garda for the case in question. If a private investigator were employed as an agent of the Garda to carry out a certain task, that information could be released to him or her if a range of stringent conditions were complied with. I would be amazed if were possible to obtain telephone data willy-nilly, as has been stated. If it is, it is not just a matter for the Data Protection Commissioner but also a serious matter for the Minister for Communications, Marine and Natural Resources.

CCTV was mentioned and we have discussed a code of practice with the Garda. CCTV images should only be kept for a maximum of 28 days and there should be very strong security procedures in this area. A code of practice is to be published in the next few weeks about community-based CCTV. A question that often arises regarding CCTV is whether the data is processable and personal. It can be processed if one could easily put in the name of Joe Bloggs and his photograph immediately stands out. Very often, however, that is not the case and one has to roll on a reel of film for approximately 25 days. That is not covered by the data protection legislation.

I thank Mr. Meade and his officials. This has been informative and interesting and every member had questions. I am sure they have still more questions regarding Mr. Meade's position as the Data Protection Commissioner but the opportunity may arise in the future for Mr. Meade to come back at a mutually convenient time. Deputy McGrath raised some issues towards the end of the meeting which need to be addressed more fully. Time does not permit us to learn more at this point but we have an excellent flavour of what is going on and we have been well briefed ahead of a technical briefing from Department officials.

I have appreciated this meeting as it has given me food for thought. When I publish our annual report, or at some other convenient time, I would like to come back to the committee. The more interaction I have with public representatives and vice versa the better, as it ensures I carry out my job correctly while taking account of the valid concerns and perhaps misapprehensions Deputies may have about this area. I would welcome such a future meeting.

The joint committee went into private session and adjourned at 3.50 p.m. until 4 p.m. on Tuesday, 28 January 2003.