I thank the House for the opportunity to move this Bill. I am pleased to be here to introduce the Data Sharing and Governance Bill 2018 in Seanad Éireann. This Bill proposes a series of reforms to the way government shares data in order to improve public services as well as measures to improve the safe handling of that data by bringing consistency and improved safeguards to the way it is managed. I look forward to hearing the contributions from Members of this House and I hope they will support this Bill. Officials from the Department of Public Expenditure and Reform are encouraging engagement with all Senators who have any concerns or questions on the Bill or who require clarification on any points of the Bill in coming days or weeks.
This legislation is just one part of our ambitious programme of reform for the digitalisation of public services and the use of data. The eGovernment strategy 2017 to 2020 sets out a vision of a Government using data and digital technology to increase efficiency and effectiveness and constantly improving public services. The actions in Our Public Service 2020, the new framework for development and innovation in the public service, provide for a more integrated, shared and digital environment to enhance the delivery and evaluation of public services.
It is imperative that the Government delivers on its commitments in this area. We now live in a digital economy and a digital society, and data is its lifeblood. Since the turn of the millennium, the way we go about our daily business has been changed fundamentally by digital technology. We get our news from online newspapers and journals. We also get news from the press; I would not want them to feel upset they were not mentioned. We bank and shop over the Internet. We share our lives on social media. Government must keep pace with public expectations regarding how people should be able to access services and with the availability of new technology. Achieving this objective requires modern laws on the use of data in public services to protect and use the information that enables us to deliver these services to the public.
Data sharing is currently carried out extensively across the public service under the existing legal framework. Indeed, it would not be possible to deliver many services effectively without this sharing taking place in the background. For example: details of birth registrations are forwarded by the General Register Office to the Department of Employment Affairs and Social Protection to automatically generate child benefit claims on behalf of parents; Student Universal Support Ireland, SUSI, shares data with the Department of Education and Skills, the Department of Employment Affairs and Social Protection, and the Revenue Commissioners to streamline the processing of student grant applications, reducing the need for applicants to provide documents; and the Department of Employment Affairs and Social Protection forwards the details of people who are about to turn 100 years of age to the Office of President so that the President may send them a congratulatory letter and the centenarian bounty of €2,450.
These are three simple examples of how data sharing benefits the public. However, those who deliver public services often face problems gaining access to information already held by other public bodies. Data protection law requires that data sharing needs an explicit legal basis. The examples of data sharing I have just given are made lawful by the specific sectoral Acts of the bodies concerned. Access to the legislative schedule is limited and, as a result, the process of obtaining the required powers to share data can be painstakingly slow for public bodies.
Furthermore, the reliance on sectoral legislation as a basis for sharing data has resulted in a set of data sharing laws that have grown piecemeal over time to respond to specific policy needs. This patchwork of laws is complex and not very transparent to the public.
There is, therefore, a clear need to update our legislative regime to provide for a flexible legislative gateway that will simplify the complex legal landscape that currently slows the pace of our efforts to modernise and improve the services we provide to people and businesses. We also need to allow for data sharing to be carried out in a systematic, consistent and transparent way so that the public can be confident that their data is being used for the right purposes and remains securely held.
When data is used effectively everyone benefits from better services that can be delivered more responsively and efficiently at a lower cost to taxpayers. The public also has a strong expectation that their data will be used responsibly, proportionately and securely in a manner that respects their privacy and upholds their data protection rights. As the volume of data and our capacity to deliver digital services grows, the opportunities to improve services increases, but so too must the governance and safeguards we have in place to keep people’s data safe.
This House will be aware of the EU’s general data protection regulation, GDPR, which came into effect on 25 May. The work of this House this year included the passage of the Data Protection Act 2018, which gave effect to the GDPR and the EU directive on the processing of personal data for law enforcement purposes. The GDPR and the Data Protection Act represent a very significant reform of the data protection regime to keep pace with the many technological advances and new business models that have emerged in recent years. The GDPR strengthens the public’s control over their personal data and the purposes for which it may be used.
A key principle underpinning the development of this legislation has been that the Bill should not weaken the protections afforded by data protection law, including the GDPR. Therefore, as well as providing a clear legislative gateway for public bodies to share data, this legislation must also provide a framework for public bodies to share data in a manner that is compatible with the requirements of the GDPR, in particular that bodies must be transparent with the public about exactly what data is to be shared and for what purpose.
In this regard, I would like to take the opportunity to thank the Members of this House who undertook the pre-legislative scrutiny work in their capacity as members of the Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach. The committee’s report made many useful recommendations which we have tried to address as much as possible during the drafting process. A clear theme that emerged from these recommendations is that the committee was concerned not only about the risks to people’s data protection rights arising from the sharing of data but also from the misuse and mismanagement of data by public bodies generally.
I share these concerns and this is why this legislation is on the one hand a data sharing Bill but on the other hand is also a data governance Bill. The scope of the governance provisions in this Bill go beyond just regulating how we share data and into strengthening how the public service manages its data in respect of how data is collected and processed, how data is kept secure and how access to data is controlled, monitored and logged. The guidance, concerns and contributions of the committee underpinned the governance structures which are proposed in the Bill and I thank the Members for that.
Introducing greater consistency across the public service in how data is collected, managed and stored will also support our ambitions to build a national data infrastructure underpinned by a set of common identifiers for people, places and businesses.
Many of these governance provisions have been added to the Bill since the pre-legislative scrutiny and I believe they go a long way to addressing the concerns raised by the committee. I believe that these provisions will give people greater confidence that data concerning them is being held, processed and shared in a responsible manner and in compliance with data protection law.
I will now outline to the House the main provisions of the Bill. The purpose of this Bill is to provide for the following: regulation of the sharing of information, including personal data, between public bodies; the regulation of the management of information by public bodies; the establishment of base registries; the collection of public service information; to establish a data governance board; and to provide for related matters.
The Bill comprises the following Parts. Part 1, comprising sections 1 to 4, inclusive, contains a number of standard legislative provisions concerning the Short Title, commencement, orders and regulations and expenses. Part 2, comprising sections 5 to 11, inclusive, provides that the Bill shall not affect the operation of the GDPR and also sets out how it will interact with certain existing sectoral legislative provisions concerning data sharing. This Part also defines the term "public body" for the purposes of the Bill. It is my intention that the Bill should apply to the widest possible number of public bodies and so the definition encompasses, among others, the Civil Service, local authorities, the HSE, An Garda Síochána, the Defence Forces and the non-commercial State agencies. A list of bodies excluded from the Bill - mainly the commercial semi-State bodies - is set out in the Schedule.
Part 3, comprising sections 12 and 13, sets out the conditions under which public bodies may share personal data using this Bill.
It provides that public bodies may share data only for the purpose of the performance of one or more of their lawful functions and only for one or more of the following purposes: to verify the identity of a person where a public body is providing a service to that person; to identify and correct erroneous information held by a public body; to support the once-only principle, namely, that persons should not have to provide the same information multiple times to different public bodies; to establish the entitlement of a person to the provision of a public service; to facilitate the administration, supervision and control of a service, programme or policy; to facilitate the improvement or targeting of a service, programme or policy; to enable the evaluation, oversight or review of a service, programme or policy; and to facilitate an organisational study of a public body. This part also provides that public bodies must comply with regulations and orders made by the Minister under Part 9 of the Bill concerning proper data management and that data sharing be carried out in accordance with a data-sharing agreement. It also gives the Minister the power to direct two or more public bodies to share data, subject to the provisions of the Bill.
The provisions contained in Part 4, comprising sections 14 to 21, inclusive, oblige public bodies to enter into a formal data-sharing agreement before sharing data. This part also specifies what information should, at a minimum, be included in a data-sharing agreement. Among other things, public bodies must be explicit in these agreements about the purpose of the data sharing, what data will be shared and how the data will be further processed and kept secure in accordance with the principles of data protection.
Part 5, comprising sections 22 to 31, inclusive, gives the Minister for Public Expenditure and Reform, or another Minister of the Government, where he or she has responsibilities in this area, the power to collect and process specified information regarding public servants arising from their membership of a public service pension scheme. This is a very important part of the Bill as it allows us to properly administer the schemes. The information includes provisions for the administration of pension scheme benefits for beneficiaries earned over a public servant’s entire career in the public service. It provides the basis for the establishment of a centralised pension system to support the long-term administration of the single public service pension scheme. It also provides for the Minister for Public Expenditure and Reform to collect and analyse information on the number of public servants employed and on expenditure on pay and pensions, including the carrying out of actuarial evaluations, to inform public service expenditure estimates and support public service resource planning and policy development.
Part 6, comprising sections 32 to 35, inclusive, gives the Minister for Public Expenditure and Reform the power to issue a unique business identifier number, UBIN, for the purpose of uniquely identifying any undertaking that has a transaction with a public body. It also specifies a set of business information that can be shared between public bodies in the performance of their functions. This UBIN and business information dataset will assist in building the business data element of the national data infrastructure.
Part 7, comprising sections 36 to 42, inclusive, gives the Minister for Public Expenditure and Reform the power to designate a database owned by a public body as a base registry to act as an authoritative source in respect of basic information that is frequently used by public bodies in the performance of their functions. It obliges base registry holders to keep this information up to date, accurate and complete and to make this information available to other public bodies for lawful purposes. It also obliges public bodies to use the information on a base register rather than collecting it directly from the data subject.
The intention of Part 8, which comprises sections 43 and 44, is to facilitate the creation of a portal to make it easier for members of the public to exercise their access rights under the GDPR to see what information public bodies hold about them and the purposes for which the information is collected and processed. A provision to enable the development of such a portal was one of the key recommendations of the pre-legislative scrutiny report.
Part 9 of the Bill, which is split into three chapters and comprises sections 45 to 68, inclusive, provides for better governance in the management of all data held and processed under this Bill or under another enactment by public bodies and will help public bodies to comply with their obligations under the GDPR.
Many of the provisions here have been influenced by the recommendations in the pre-legislative scrutiny report on the Bill. I acknowledge the contributions of the participants in that regard.
Chapter 1, comprising sections 45 to 52, provides for the Minister for Public Expenditure and Reform to appoint a data governance board to advise on the operation of this Bill.
Chapter 2, comprising sections 53 to 62, sets out the process for enhancing transparency regarding data sharing and for advance scrutiny of any proposals for data sharing between public bodies, as follows. Public bodies will be required to publish an advance draft of any proposed data-sharing agreement and invite the public to comment on the proposal. The draft data-sharing agreement, along with a summary data protection impact assessment, if one has been carried out, as well as any comments received during the consultation will then be submitted to the board for consideration. The board may issue a set of recommendations in respect of the draft data-sharing agreement, which the public bodies shall incorporate into the final agreement before signing. The signed data-sharing agreement shall be submitted to the Minister for Public Expenditure and Reform and laid before both Houses of the Oireachtas. The Minister for Public Expenditure and Reform shall publish the signed data-sharing agreement along with the summary data impact assessment and any recommendations made by the board.
Chapter 3, comprising sections 63 to 68, gives the Minister for Public Expenditure and Reform the power to prescribe binding rules, procedures and standards for the management of data across the public service; issue guidelines for management of data across the public service; and prepare model data-sharing agreements that public bodies shall use as the basis for any data-sharing agreements into which they may enter.
Part 10, comprising sections 69 to 72, inclusive, includes a number of miscellaneous provisions, including giving the Minister for Public Expenditure and Reform the power to prescribe certain documents that public bodies should not collect directly from a person but should instead avail of data sharing in order to avoid unnecessary requests for documents; direct public bodies to collect information in a format specified in the direction; and direct public bodies to provide information in regard to all data-sharing arrangements being carried out under this Bill or any other enactment.
Data are the key to sound decision-making and efficient operations for all organisations. Proportionate, secure and well-governed sharing of data between public bodies will deliver very substantial benefits. Citizens and business can receive better services. Public bodies can operate more effectively and efficiently together. Better access to, and usage of, data can help us make better-informed decisions as to how and where we can spend the public’s money to make the most impact and achieve the best possible outcomes for our people.
The very nature of the subject matter of this Bill means that it does contain a number of quite technical provisions. In this regard, my officials and those in the Department of Public Expenditure of Reform are available to assist any Member who requires clarification regarding any of the technical aspects of this legislation, if required. I reiterate my thanks to the Members of both Houses who worked on the pre-legislative scrutiny report on this Bill, which has greatly influenced its development in the Department. I thank the various stakeholders who have contributed to the development of this Bill, including those who took the time to make submissions to the public consultation when the general scheme of the Bill was being developed and those who attended the pre-legislative scrutiny hearings at the committee. Their input has also provided great help in the preparation of this Bill. I thank the Senators for their attention and I look forward to their contributions this evening. I commend this Bill to the House.