On the basis of the clarifications that have been provided by the Deputy’s Office, I wish to confirm that my Department does not have data-sharing agreements in place with organisations that are not other Government Departments or State Agencies.
My Department does have Controller Processor contracts in place with service providers who process data, including personal data, on behalf of the Department e.g. in the area of ICT. Such contracts are reflective of Article 28 of the General Data Protection Regulation (GDPR) which outlines the obligations on controllers and processors.
A review of the Department's contracts is currently underway to ensure optimal compliance across all areas. All of the Department’s financial contractual obligations are subject to scrutiny by the Office of the Comptroller and Auditor General.