
General Data Protection Regulation

Dáil Éireann Debate, Wednesday - 11 July 2018


Questions (177, 178, 179)

Catherine Murphy

Question:

177. Deputy Catherine Murphy asked the Minister for Finance the changes he has made to allow access by persons to their own data held by his Department and bodies under its aegis following the introduction of GDPR; and if he will make a statement on the matter. [31471/18]


Catherine Murphy

Question:

178. Deputy Catherine Murphy asked the Minister for Finance the staffing complement and resources of his Department's data protection officer; and if he will make a statement on the matter. [31495/18]


Catherine Murphy

Question:

179. Deputy Catherine Murphy asked the Minister for Finance the data protection impact assessments his Department has commenced since 15 May 2018; and if he will make a statement on the matter. [31512/18]


Written answers

I propose to take Questions Nos. 177 to 179, inclusive, together.

The right of an individual to access their personal data forms a fundamental part of the right to data protection. The Deputy will be aware that article 15 of the General Data Protection Regulation (GDPR) sets out the rights of an individual with regard to accessing their personal data. Details on how an individual can make a data protection subject access request for personal data held by the Department of Finance are set out on the Department’s website and can be accessed through the following link - https://www.finance.gov.ie/corporate/obligations/data-protection-officer/.

There are 17 Bodies under the aegis of my Department. Those Bodies have advised me of the changes they have made to allow access by persons to their own data and are set out in the appendix below.

It was not possible for the Disabled Drivers Medical Board of Appeal to respond to this information request in the time available and I will make arrangements to provide a response in line with Standing Orders.

Article 35 of the GDPR provides that where the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to processing, carry out a Data Protection Impact Assessment (DPIA). I can advise the Deputy that my Department has carried out two DPIAs to date. One DPIA has been carried out regarding the processing of personal data by CCTV, while the second DPIA has been carried out with regard to the processing of employee personal data by the Department’s Human Resources unit. As new data processing takes place, consideration will be given as to whether a DPIA is required. This matter will be kept under review by the Department’s Data Protection Officer.

I can advise the Deputy that my Department has assigned a Data Protection Officer as required under article 37 of the GDPR. The Department's Data Protection Officer has undergone accredited training in data protection. There is a team of three staff in this area, who have all undertaken data protection training. I can also advise the Deputy that my Department has recently held a number of training courses for the Department's staff and senior management on data protection and obligations under the GDPR. Further training sessions are planned for the remainder of the year.

The Department’s Executive Board will ensure that the Department’s Data Protection Officer and staff in the Unit are provided with the opportunity to maintain and enhance their knowledge on data protection issues.

Appendix

Body under the Aegis of the Department

Changes made to allow access by persons to their own data held by bodies under the aegis of the Department following the introduction of GDPR

Comptroller and Auditor General

No changes were made with regard to a person’s access to their own data as a result of GDPR. The Office does not obtain data directly from the public for the purposes of its functions. The Office is a joint controller of data provided to it by other public sector bodies for the purpose of its statutory functions. Section 60 of the Data Protection Act 2018 deals with restrictions on obligations of controllers and rights of data subjects for important objectives of general public interest which includes data held by the Comptroller and Auditor General for the performance of his or her functions. Employees are entitled to access any data held by the Office which refers to them personally.

Central Bank

The Central Bank has a significant project in place to ensure GDPR readiness across the organisation with the work on the project supported by external GDPR expertise. The Central Bank’s website sets out the conditions and arrangements for access by persons to their own data which can be accessed at the following link - https://www.centralbank.ie/fns/privacy-statement.

Credit Review Office

The Credit Review Office have always provided clients full access to all data held on them and so have not made any changes to data access in this regard for GDPR compliance.

Credit Union Advisory Committee

The Credit Union Advisory Committee (CUAC) will be subject to the same access to data as the Department. CUAC is a committee that meets monthly and provides advice to the Minister on credit union matters. The Department provide a secretariat service to the CUAC and all records are kept by the Department in the Credit Union Policy section of the Department.

Credit Union Restructuring Board (ReBo)

The Credit Union Restructuring Board (ReBo) will be subject to the same access to data as the Department. ReBo concluded its restructuring work on 31 March 2017. Contracts of the 2 remaining staff of ReBo concluded on 31 July 2017 and the Minister has accepted the resignation of the Board on 31 July 2017. While awaiting legislation to wind-down ReBo the Minister for Finance has appointed two Department officials to the Board of ReBo from 1 August 2017 on an interim basis to manage matters during the period up to dissolution of ReBo.

Disabled Drivers Medical Board of Appeal

The Disabled Drivers Medical Board of Appeal has advised that it is not possible to provide the requested information in the time available. I will make arrangements to provide a response in line with Standing Orders.

Financial Services and Pensions Ombudsman

The Financial Services and Pensions Ombudsman (FSPO) has introduced a ‘Data Protection’ section to its website which can be accessed at this link - https://www.fspo.ie/data-privacy/. In this section, there is a comprehensive account of the procedure for making a Data Access Request. In this section the FSPO have also introduced a form for complainants to download in order to make a Data Access Request. This form will be made available through the FSPO office where a request is made over the phone or by post. In addition to the above the FSPO has a dedicated email address (dataprotection@fspo.ie) to allow people make direct contact with the Office to request their personal data/to make contact with for any personal data related issues.

Investor Compensation Company Limited

The ICCL has established a comprehensive ‘Subject Access Request’ process through which it is committed to providing a copy of all personal data held in respect of a data subject within 30 days of receipt of an acceptable request as required under the GDPR.

Irish Bank Resolution Corporation

IBRC (in Special Liquidation) complies with the obligations under the General Data Protection Regulations and the Data Protection Act 2018 which includes the obligation to facilitate individuals’ access to their own data held (Right of Access). In addition, IBRC complies with the other key provisions including Rights to Rectification, Right to Erasure, Right to Restriction and Right to Object. In preparation for the introduction of GDPR, and through its recently appointed Data Protection Officer, IBRC has updated its Policies, Procedures and Processes to ensure it can (reasonably) respond to an individual’s valid data access request within the revised time frame of 30 days, as required under GDPR. A GDPR training and awareness seminar has been held for all IBRC personnel, run by the Data Protection Officer. Further training will be provided as required.

Irish Financial Services Appeals Tribunal

The Tribunal is at present examining whether and to what extent the obligations under the General Data Protection Regulation actually arise for a quasi-judicial body such as IFSAT. The only personal details stored would appear to be details on case files of appeals which are covered by the constraints of the Central Bank Act 1942 as amended.

Irish Fiscal Advisory Council

To allow persons to access their own data that IFAC holds, IFAC have:

- classified all data according to sensitivity;

- appointed a Data Protection Officer, and provided training for that officer;

- updated their website’s privacy policy.

National Asset Management Agency

NAMA has appointed a dedicated Data Protection Officer who is the specific point of contact for data subjects on access to personal data and all aspects of GDPR/Data Protection. Detailed information on GDPR/Data Protection is available on the Data Protection Statement on the NAMA website at www.nama.ie. This statement includes information on the rights of data subjects, together with the contact details for the NAMA DPO. In advance of the introduction of GDPR, NAMA ran an organisation-wide GDPR preparation project with representatives from all areas across the agency. As part of its preparation, NAMA updated its policies and procedures to comply with the requirements of the GDPR Regulations and Data Protection Act, 2018. The project was initiated in the first quarter of 2017 and is aimed at ensuring that GDPR knowledge and compliance is fully embedded within NAMA.

National Treasury Management Agency

The National Treasury Management Agency already has developed specific procedures to facilitate the exercise of data subject rights pursuant to the General Data Protection Regulation and the Data Protection Acts 1988 – 2018, which includes the right of access to personal data and any applicable exemptions to those rights. Information is available at http://www.ntma.ie/information-pages/data-protection/.

Office of the Revenue Commissioners

Under the Data Protection Acts 1988 and 2003 an individual had the right of access to their personal data. This remains the position under the General Data Protection Regulation (GDPR) but some of the rules for dealing with subject access requests have changed. These relate to the removal of the access fee, shortening the timeframe for dealing with a request and the need to provide some additional information to data subjects making requests, such as their data retention periods and the right to have inaccurate data corrected. The Revenue website (www.revenue.ie) was extensively updated to comply with the requirements of the GDPR. In relation to Data Access Requests there is a specific section providing guidance under the following headings:

1. Overview

2. How to make a data access request

3. How soon will you receive a reply?

4. Can someone else make an access request on your behalf?

5. Can you obtain all data held about you?

6. How can you appeal the decision in relation to your data access request?

In addition, a Data Access Request Form is available to download to assist the data subject to make their request. A link to this specific section is as follows - https://www.revenue.ie/en/corporate/statutory-obligations/data-protection/data-access-requests/index.aspx.

Social Finance Foundation

The main steps taken by the Foundation to allow access by persons to their own data are as follows:

1. data protection policy reviewed by legal advisors and management in light of the GDPR regulations.

2. updating and approval of our Data Protection Policy which includes a section on Data Subject Rights Requests.

3. In general, the type and amount of personal data processed by the Foundation is minimal and is mainly confined to the personal data about the four employees and seven directors.

Strategic Banking Corporation of Ireland

As the Strategic Banking Corporation of Ireland had already developed specific procedures to facilitate the exercise of data subject rights pursuant to the General Data Protection Regulation and the Data Protection Acts 1988 – 2018, which includes the right of access to personal data and any applicable exemptions to those rights, no changes needed to be made following the introduction of GDPR to facilitate such requests.

Tax Appeals Commission

A full review of GDPR requirements, which includes the possibility of allowing greater access to persons to their own data held by the Tax Appeals Commission, is currently taking place. Of course, the option for an individual to submit a Data Protection Request or Freedom of Information Request is always available.

The following deferred reply was received under Standing Order 42A

I refer to my response of 11 July 2018 to Dáil Question 177 (Ref. No.: 314718/18):

As I indicated in my response, it was not possible for one of the bodies under the aegis of my Department, the Disabled Drivers Medical Board of Appeal, to respond to this information request in the time available.

The Disabled Drivers Medical Board of Appeal has now provided a response as follows:

“The Data Protection Act 1988 provides right of access to personal data by data subjects. The Disabled Drivers Medical Board of Appeal has always provided full access to persons of their own personal data and this continues following the introduction of the GDPR”.
