Amendment No. 1 is in the name of the Minister. Amendment No. 2 is an alternative to No. 1, and amendments Nos. 3, 4 and 9 are related. I suggest, therefore, that we debate amendments Nos. 1, 2, 3, 4 and 9 together. Is that agreed? Agreed.
Supplementary Estimates, 1988. - Data Protection Bill, 1987: Committee Stage.
I move amendment No. 1:
In page 4, subsection (1), to delete line 32, and substitute the following:
"‘data' means information in a form in which it can be processed;".
The amendments to the definition of "data" and "processing" are the only amendments of significance in this group. The other two amendments are consequential. As I mentioned in introducing the Bill on Second Stage, these are key definitions and they have to be expressed in very technical terms so that they will remain valid irrespective of continuing technological changes. Also we do not want to bring within the scope of the Bill any personal information that poses no threat to privacy even if it has been automatically recorded.
To take some examples, with the equipment now available typewritten documents can be recorded automatically and the information in them is then capable of being automatically processed. Therefore, we must make it clear that typewritten information will be covered by the Bill only if it has been inputted into an automated system. Also we must exclude word processing operations. The existing definitions cover both these points, as do the revised definitions now being proposed.
However, the existing definitions would have the effect that personal information recorded on an ordinary dictation tape or even on a gramophone record would be caught by the Bill and this would not be justified as these tapes or records pose no threat to privacy comparable to that of even the humblest micro-computer. The new definitions exclude such recordings. This is the effect of defining "processing" as meaning the automatic performance of logical arithmetical operations on data. In less technical language that means it must be possible to rearrange, manipulate, amend or add to the data and that these operations can be carried out automatically.
It is this power of a computer — the power to sort data into numerical order, alphabetical order or any other desired order, to merge two or more sets of data together, to update data, in fact to manipulate data in any conceivable way that can be reduced to a set of written instructions — that can endanger the privacy of individuals, and that is why it is being emphasised in the revised definition. Dictation tapes, records and the like cannot be processed in this way and are therefore being excluded.
I propose a further change in the existing definition of "processing". The present text confines it to "processing by reference to individual data subjects or categories of data subjects". This means that unless an individual can be searched for automatically by name or other identifying particulars the data about him or her would not come within the scope of the Bill. On further consideration it appears to me that this restriction is not justified and that the safeguards of the Bill should apply to personal data irrespective of whether the data can be retrieved by reference to the individual or not. Otherwise the test as to whether personal data is covered by the Bill would often depend on the degree of sophistication of the equipment and the software. The revised definition, therefore, deletes the reference to processing by reference to individual data subjects so that the safeguards in the Bill will apply to personal data even if the data cannot be retrieved automatically by reference to the individual's name.
Amendment No.9 also makes it clear that a data processor who lends equipment to a data controller for processing purposes will be covered by the Bill only if the equipment remains in his possession.
It was represented, rightly, that a data processor should not be made liable for ensuring the security of the data if he had parted with possession of the equipment. Then that leaves from the group amendments Nos. 3 and 4 which are purely technical and as I have said, consequential.
I wonder if the Minister could answer a question with regard to amendment No. 1 in his name. I see the definition of "data" is now "information in a form in which it can be processed". Should that include data that would be capable of being processed automatically in new and developing systems? For instance, there is a developing system whereby typescript can be read by processors of certain types and these, while not in general use at the moment, will undoubtedly be so in the future. Does the Minister consider that that type of information, apparently now in typescript, would be included?
I seek to move amendment No. 2 in the name of The Workers' Party which proposes to change and elaborate somewhat——
I am sorry, Deputy, there is a small technical point on which we had difficulty with a Deputy the other night. I remind you that technically we can have only one amendment moved. We discussed that. I remind you of it because of the meticulous cross-examination to which I was subjected by the Deputy when I was accused of not advising him at the time. It seems unnecessary to repeat these matters——
That was not Deputy McCartan, it was Deputy Taylor.
Deputy McCartan might wonder why I am saying this for him but I do so because the precedent is there of Deputies having expressed their disappointment or annoyance.
I wish to explain the thinking behind amendment No. 2. The amendment seeks to expand the definition of the information that will be subject to the provisions of the Bill and recognises that there is a large volume of secondary information — perhaps I am wrong in the use of the word "secondary"— or primary information from which the data processor or controller draws the information that finds its way on to the processing machine, and this can be in a cross-reference on other banks of information or held in manual files. It is important that when a person comes to challenge or seeks to correct an entry on any information that is kept he or she has the right of access to the information behind so that the error will not be repeated, or what is there can be corrected and the matter put right.
I accept the general drift of the Minister's amendments in seeking to keep matters precise and to ensure that only information capable of being processed is covered, but the Bill is very narrow in the area of information to which the subject is entitled to have access to know what is there and the right to seek to have it corrected. For that reason we propose at line 32 on page 4 to extend the definition of "data" by suggesting that "data" is to mean information undergoing automatic "processing, and includes all information cross-referenced, which is accessible and undergoing automatic processing or maintained in manual form;". The amendment to a great extent speaks for itself. I have given the reasons we seek to extend that definition and I hope the Minister's response will be favourable.
I understand the reason for the Minister's amendment but I wonder if it achieves his purpose. The amendment reads that "‘data' means information in a form which can be processed;". If one moves from the technical jargon of computers it appears that all information is in a form in which it can be processed. If I write out information, if I type out information, it is all convertible into being processed on a computer. The Minister says he is trying to exempt word processors — whether they should not be exempt is something we could come back to — but it could be that, without realising it, this amendment is incorporating what Deputy McCartan is talking about.
If I had a file in my office containing a lot of information which could be described as being in manual form, all that information would be in a form in which it could be processed. There is no reason a computer operator could not feed this information into the computer. This Bill is trying to adapt itself to the technical jargon dealing with computers and computerisation, but we must step outside that and deal with the legal jargon. This definition of data is even broader than the definition it is seeking to replace —"‘data' means information undergoing automatic processing;". That would clearly be information in the computer or being put into the computer that is undergoing automatic processing. This is information in a form in which it can be processed.
I know that, technically speaking, one can talk about information on a hard disc or a floppy disc which can be fed into a computer, but the definition section does not talk about hard discs or floppy discs or the retention of information on such a device. I am raising this as a query because at a future date a court could interpret "data" as including all data stored by any person for any purpose be it manual storage, or on floppy or hard disc, because there would be nothing to prevent such data being put into a computer by a computer operator. All information has the capacity of being processed by a computer or to be put into a computer. I am raising this issue in the context of the amendment, the Minister's intent in that amendment and Deputy McCartan's amendment, which, if I was right, would effect a substantive change to the Bill.
There is one other aspect I did not draw attention to and that is the definition on page 5 of "disclosure". That definition seems to suggest that the Bill contemplates drawing in data that is not, in the strict sense, on computer, if we want to use the parlance. If I understand the Minister, he was seeking to confine the concept of data to that which can be found on a computer. The definition of "disclosure" on page 5 is wider than the Minister contemplates. It says:
"disclosure", in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data;....
That definition allows for the prospect of cross-references to other computer banks and information that can be extracted from computers. It does not say "in processed form". I ask the Minister to clarify exactly where the Bill is going and whether there is a need to allow for the right of a person to the data, and to have knowledge of the back-up information, the cross-reference information or the manual information upon which the computer entry was constructed.
The thrust of what is proposed on behalf of The Workers' Party by Deputy McCartan would have the effect of bringing manual files within the scope of the Bill. During the Second Stage debate I stated that manual files are excluded for a number of reasons. First, they do not pose any threat to privacy comparable to that caused by computers. Secondly, the administrative problems and costs involved in extending the Bill to cover them would be colossal. Thirdly, the inclusion would delay the bringing into force of the legislation and the ratification of the Convention. I am sure the House is aware that the majority of countries with data protection legislation do not include manual files and the Convention does not require contracting parties to do so. These are very valid and practical reasons why I cannot go along with what is being proposed by Deputy McCartan.
Computerised data of every kind is covered. The question was raised if type written documents which were capable of being automatically recorded were covered in the Bill. The answer is that such documents will only be covered if they are first actually recorded in a form in which they can be automatically processed. Once a document has been recorded in that form, the information is covered by the Bill. To come within the scope of the Bill, personal data must be recorded in a form in which such data are capable of being processed automatically, that is, information recorded in a form in which logical or arithmetical operations can be found on it without the need for any preparatory steps. For example, information inputted into the main memory of a computer or information stored in the main memory, or on a floppy disc, are data because the information is automatically processable.
Information prepared in a form in which it can be directly inputted into automated processing equipment by means of an optical character recognition device — OCR — or a text character recognition device — TCR — are not data as they cannot be directly processed in their manual form. Similarily, ordinary audio cassette tapes on which information is recorded are not data because the information cannot be processed automatically. Printouts or information extracted from a computer and displayed on a visual display unit are not data as such. They are only regarded as data for the purposes of disclosure. Information on microfilm or microfiche is not data but it can become data if it is located and displayed through an automatic retrieval system.
The intent of our amendment is to make this legislation more effective. It is not a question of whether information is a threat to privacy. The Bill is establishing the right of the data subject to have disclosed to him or her information retained and then to have it corrected where it is inaccurate. We argue that manually retained information or cross-referenced information is an integral part of what is on the computer. The amendment is seeking to give the right to the person, if an error or misstatement of fact is established in the computer data, to insist on seeing the source information or cross-referenced information and to correct it. The Minister's response is that the cost would be colossal. There is a mechanism for a charge to be made on the data subject who seeks to have information pursued. If a person feels strongly enough to pursue the matter to the source information, be it manual or cross-referenced he or she should be prepared to pay, within reason. The Minister's concern should not be a major worry. The point about delay escapes me. Administrative arrangements will have to be made in various quarters for the introduction of this legislation.
The Minister also said that in the majority of countries where this type of legislation is in existence this kind of amendment is not included. This suggests that there are some countries — a minority — who have the type of provision we are seeking in our amendment. That makes me believe that there is a more comprehensive form of legislation than is being suggested. An important factor must be the recognition of an integral link between the source information and what is ultimately put on the computer. They cannot be divorced. If we are to have effective legislation giving people the right to correct information retained, there should be the right to go back to the source and correct errors there, if that is what the subject wants. For that reason I am pressing this amendment.
I should like to return to the point I made earlier. Having looked once more at the wording of the Minister's amendment I am not convinced that in the fairly near future the OCR and TCR machines will have reached the stage of development where any manual files or typescript will be capable of being processed directly through the machines. It may not be possible now but technology will move and we will find that the Bill when in force will in future include all manual files, which the Minister indicated earlier he did not want to include. Does the Minister have any views on this as a possibility in the future and will he be happy to have all manual files included?
I have no objection in principle to dealing with manual files but the practical problems are very great. We are trying to learn from the experience of others who have been through the process of preparing this type of legislation. We have decided that manual files should be excluded as of now, but that does not mean that consideration cannot be given to including them at a later stage. I am advised that to deal with manual files now would put an extremely heavy burden on industry and that the costs would be considerable. It is not a requirement of the Convention. The majority of countries have done what we are doing but some certainly have gone further. If we decide to go further at a later stage, we can do so.
I believe that the form in which the amendment is worded will include manual files very shortly. It refers to information in a form in which it can be processed.
As long as it is inputted.
Deputy Colley and I have come to the same conclusion in regard to this matter. I appreciate the Minister's point regarding the information being inputted. The Minister has given the reasons for excluding manual files but it would seem that inevitably manual files could and will be included in the new definition the Minister is providing, due to the way technology is developing. I would suggest seriously to the Minister's officials that they should have another look at this definition. We are effectively having a Committee Stage and a Report Stage in one and we may not have an opportunity in this House to come back to this issue. Before the Bill goes to the Seanad the Minister should look at the point.
Deputy McCartan's amendment deals with files maintained in a manual form. There is a problem in principle relating to the Convention. The Bill is implementing the Convention and to that extent we are meeting our international obligations, but there is a tremendous artificiality about maintaining a difference in approach to information retained on computer and information retained on manual files. Leaving aside the difficulties of industry, let us approach this from the position of the rights of the individual, the right of every individual to privacy and the right to ensure that wrong information is not being disseminated about him. There is also the right of the individual to ensure that when major organisations, be they Government bodies, State-sponsored bodies or major public or private corporations, make decisions with regard to that individual, he should have some means of knowing whether the decisions made are based on accurate information held by the decision-maker.
The principle of this Bill, and it relates to the different types of data, is to ensure that where wrong information is held about an individual, the individual can have access to that information and can require that that information be corrected. There is a tremendous artificiality about maintaining a different legal position in regard to computer held information as against manually held information. The artificiality of that comes out very clearly in the definition of disclosure that one of the previous speakers has already drawn attention to. It is possible for major organisations to hold information on a computer bank. It is possible for that information not to contain the name of the person to whom it relates but to have some sort of cross reference system. The identity of the person could be discovered by checking some form of manual record. If ever someone wants to make use of information about that individual they would look up the manual record, discover what the key is into the computer to get access to information about that individual, and then extract it. The problems created by denying people access to information that is held about them are partly recognised in the context of the definition of disclosure, but a major body that wants to ensure that individuals do not discover what information is held about them will be able to use an amalgam of computer stored information and manual records to prevent individuals gaining access to information. Indeed some bodies could very well defeat the entire purpose of the Act.
We have not had any legislation in this area and this Bill is a welcome contribution to extending some rights to individuals who are faced with major corporations or financial institutions or State bodies making fundamental decisions that effect their livelihoods, their wellbeing and their welfare. Nevertheless it is my own belief that if the Minister's own definition is not interpreted as including manual information we will inevitably come back into this House within the next couple of years to provide for amendments to this Bill to extend the rights of access to information to manual information held by major bodies. Businesses, Government Departments, State bodies and corporations are going to have to come to terms with the reality of that.
The Minister, in the context of the new definition he is tabling — and I think it might be appropriate to raise this now rather than coming back to it later on — could deal with the definition of disclosure because that definition says disclosure in relation to personal data includes the disclosure of information extracted from such data and the transfer of such data; then it goes on to say that where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller the data shall not be regarded as disclosed unless the other information is also disclosed. Perhaps the Minister could explain how this is going to work in the context of the assumption that, generally speaking, this legislation does not apply to manually held information. In the context of data, as the Minister now wishes to define it, in circumstances where there is this mix of information whose disclosure is dependent on something that is not held on computer, when will that information be regarded as data which is disclosed? I have tabled an amendment to that and I do not want to pre-empt discussion on it, but it does seem to me that there is an interlinking in this area. There is a danger in all of this that in excluding manual information as a matter of principle at this stage, we could partially defeat the purpose of the Bill and be forced to look at this legislation again in a very short time to expressly include manual information.
I accept what Deputy Shatter has said. Let me come back to the manual files versus what is held on computer. With regard to manual files, as long as they remain manual files they do not come within the scope of the Bill, but if they are inputted they are covered by the Bill. This particular input can be done automatically with the modern technology that is available and then the provisions of the Bill would apply. It is important, having regard to the prodigious manipulative power of the computer, to deal with the computer first and then, at a later stage, to deal with the manual files, bearing in mind that somebody can get from a computer in ten seconds what one person might spend a long time getting from manual files. It is certainly an area that we have given a lot of thought to. The manual files are not excluded. They are covered when they are inputted. I would say to Deputy McCartan that we are not ruling out the main thrust of this amendment.
Amendment agreed to.
Amendment No. 2 not moved.
I move amendment No. 3:
In page 4, subsection (1), to delete lines 33 and 34.
Amendment agreed to.
I move amendment No. 4:
In page 4, subsection (1), between lines 36 and 37, to insert the following:
"‘data equipment' means equipment for processing data;".
Amendment agreed to.
I move amendment No. 5:
In page 5, subsection (1), to delete lines 1 and 2, and substitute the following:
"‘data processor' means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;".
This is purely a drafting amendment. It makes it clear that the employees and the staff of a data controller working in a data processing department who engage in computer processing operations on behalf of their employer in the ordinary course of their employment are not to be regarded as data processors within the meaning of the Bill.
Amendment agreed to.
Amendments Nos. 6, 7 and 66 are related. Amendments Nos. 64 and 65 are consequential on amendment No. 66. Therefore amendments Nos. 6, 7, 64, 65 and 66 may be taken together by agreement.
I move amendment No. 6:
In page 5, subsection (1), line 7, after "transfer of such data", to insert "but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties".
Again these four amendments are drafting amendments.
Amendment No. 7 comes back to what I was talking about a few moments ago dealing with when a disclosure takes place. The definition in the Bill is that disclosure in relation to personal data includes disclosure of information extracted from such data and the transfer of such data. That is a disclosure and presumably then a disclosure takes place at the time the information is extracted and transferred. It goes on to say that where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed. In other words, if the data that is held on computer is, in effect, disclosed, the other information which is not on the computer is not regarded as being disclosed. I have tabled a technical amendment to that which would add the words at the end of that definition section "at the time the data is disclosed or at some later time". It is necessary to clarify this. One has to determine exactly what is a disclosure and when it takes place. Information that is held on computer and which does not fully identify the data subject could be released and, at the same time, the information that is not held on computer that confirms or assists with the identification of the data subject could be released, and there would be no doubt in those circumstances that the disclosure takes place at that time. It is possible to release the information held on a computer and, some weeks later, to release the other information. This amendment is designed to determine that the disclosure takes place, and is regarded as having taken place, at the time when the latter information, the information not held on computer, is released. I would be interested to hear the Minister's comments on when exactly it is regarded that a disclosure takes place. In the context of manual held information, the Minister might also clarify exactly how he perceives the definition of disclosure operating and interacting with manual held information which is used, not by putting it on computer, but as a tool to identify a data subject, with regard to information held on computer about that data subject.
I wish to deal with amendment No. 6 in the name of the Minister and to inquire of him the purpose and intent behind the amendment. I think it is designed to clear up far more than drafting errors because the definition of the transfer of data is being restricted to such an extent that it defeats the whole purpose of including the word "transfer" in the definition of disclosure as contained in the definition section of the Bill. The original definition of disclosure was to include the transfer of any data from one source to another. It did not indicate whether that was by way of automatic transfer or manual transfer or the circumstances in which it would take place but in this case the Minister seeks to restrict the definition to exclude the transfer of information from the data controller to an employee or agent of his for the purpose of enabling that person to carry out his duties.
In his earlier remarks Deputy Shatter indicated correctly that the three main interests we are trying to protect here in this legislation are the right to privacy, the right to ensure that correct information is held and the right to ensure that fair decisions are taken on foot of accurate information whether by multinational corporations or by departmental officials. I am concerned about this restriction of the definition to exclude data being passed from the data controller onto an employee or an agent who may then make a decision on it. Let us take the position in a Department, where the person who has control of information, the data controller or processor, passes the information down the line, and on foot of that information a decision may be taken which adversely affects the data subject but that information may not be disclosed to the data subject who comes in to find out why it was that credit was refused or a particular decision was taken by a Department against his or her interests.
In order to ensure that a person can establish that fair decisions were taken on foot of accurate information, the data subject must know how information passes within a corporation or Department and must be in a position to assess the impact of decisions taken. I would like to know the intention behind this amendment.
What this amendment seeks to achieve is the transfer of the substance of section 8 (h) to the definition of disclosure of personal data any disclosures made to employees or agents of a data controller or data processor to enable them to carry out their duties. That paragraph is being dropped from section 8 and the definition of disclosure is being amended to exclude from it any disclosure of that kind. While this achieves the same result, the amendment of "disclosure" has certain advantages from a drafting point of view. In particular it makes it clear that sections 6 (2) and 10 (7) do not require data controllers who correct errors in data to notify the corrections formally to members of their staff.
In transferring section 8 (h) to the definition of disclosure, one minor clarification has been incorporated, that is, the addition of the words "directly or indirectly" in relation to disclosures to employees or agents of a data controller or data processor. This has been done to make it clear that these disclosures will still be excluded from the restrictions of the Bill even if not made directly to each employee or agent by the data controller or data processor; in other words, in a case where an employer communicates an instruction or information to a senior employee who then relays it to the rest of the staff.
With regard to the amendment proposed by Deputy Shatter, I have no objection in principle to what he has in mind but I had the amendment referred to the parliamentary draftsman who advised that the text as it stands covers both a simultaneous disclosure of the other information and subsequent disclosure. That is the advice which I have received. It would also cover the disclosure of such information made in advance of a disclosure of computerised data.
The advice I have received is that this amendment is not necessary and might have a limiting effect in that it would not catch a case where the disclosure of the other information is made before disclosures of the computerised data. As I understand it, a disclosure within the meaning of the Bill will take place in the type of case we are discussing, that is, where the computerised data alone do not identify an individual at the point in time when both the data and complementary information have been disclosed whenever that occurs.
The Minister has merely set out what is to be covered but why give this exemption to Departments or companies who retain information in this way? What difficulties does the Minister perceive with the definition as it originally stood and what difficulties is he trying to overcome in putting forward this amendment? I still do not see where the Minister is going or what he is trying to achieve with this amendment.
We are not really concerned about what goes in, what goes up or what goes down but it is the Department who would be held liable. Deputy McCartan spoke of internal disclosures within an organisation which might adversely affect the data subject but it must be emphasised that the Bill regards the data controller as being one single unit comprising the organisation and the staff. It is that unit which would be responsible to the data subject for any breach of the provisions of the Bill.
The point I tried to make earlier on is this. Where the data controller passes on information within a corporation or Department and decisions are taken on foot of that information, it is not a case of the data subject wanting to know the thinking of the person who received the information but rather who the data processor passed the information to, where it went to and what use it was put to.
As I have already said, the data controller is regarded by the Bill as being one single unit which comprises the organisation and their staff. Therefore, the responsibility is there.
Except that there would be no onus on them to disclose that information, that is being excluded from the definition.
They can disclose whatever they like within the organisation.
Acting Chairman
Is the amendment agreed to?
No.
Amendment put and declared carried.
Amendment No. 7 not moved.
Acting Chairman
Amendments Nos. 8 and 106 are related and may be discussed together by agreement.
I move amendment No. 8:
In page 5, subsection (1), between lines 12 and 13 to insert the following:
"‘financial institution' means—
(a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971, or
(b) a person referred to in section 7 (4) of that Act;".
These amendments are on the lines of a similar provision in the Restrictive Practices (Amendment) Act, 1987, in relation to the powers of authorised officers under the Consumer Information Act, 1978, and the Restrictive Practices Acts. The provisions were incorporated in the Bill of the 1987 Act after the publication of the present Bill.
The amendments provide that the powers of inspection, etc., conferred on the authorised officers of the Data Protection Commissioner by section 23 will not be exercisable in relation to financial institutions unless a High Court order has first been obtained. The High Court may grant such an order only if it is satisfied that it is reasonable to do so and that the exigencies of the common good so warrant. The definition of "financial institution" in amendment No. 8 covers not just licensed banks but also building societies, the Post Office Savings Bank and the like. It is the same as the definition in the corresponding provision of the Restrictive Practices Bill.
Can I ask the Minister if the definition extends to credit unions as well?
Yes, it does.
Amendment agreed to.
I move amendment No. 9:
In page 5, subsection (1), to delete lines 25 to 34, and substitute the following:
"‘processing' means performing automatically logical or arithmetical operations on data and includes—
(a) extracting any information constituting the data, and
(b) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller.
but does not include an operation performed solely for the purpose of preparing the text of documents;".
Amendment agreed to.
Acting Chairman
Amendments Nos. 10 and 11 are related and may be discussed together by agreement. Is that agreed? Agreed.
I move amendment No. 10:
In page 5, subsection (2), line 40, to delete "fact" and substitute "fact, including any omission of fact or detail.".
This amendment is very simple in its intent and it seeks to refine in some ways the definition of "fact" in subsection (2). Subsection (2) states: "For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact". The purpose of the amendment is to include in that definition the words "fact, including any omission of fact or detail". This amendment suggests that one can say much about a person by overlooking or omitting a detail of relevance or importance. It is particularly relevant to the provisions of this Bill where we are seeking to give the right to an individual to inspect and to insist on correction. "Correction" could include insisting that a relevant detail be inserted into the record retained. One thinks about the issue of the credit-worthiness of an individual which could be retained in financial institutions or anything held at Government level. When one is talking about matters and facts being accurate one has to ensure that they are also complete and this amendment proposes to ensure that that situation is covered and allowed for.
I know I cannot move amendment No. 11 at present but I realise that the same intent is behind amendments Nos. 10 and 11 with regard to data which may be missing. Subsection (2) does not refer to data which may be missing. I am not really certain about the wording in The Workers' Party amendment because it would be unfair to include omissions of fact or detail which do not refer to the data on file. This Bill attempts to put restrictions on and give access to individuals to data that are recorded and accessible. I believe it would be unnecessary and impossible to give access to data that are not in existence of the file. Therefore, my amendment seeks to insert after the word "fact" the words "which is referred to in the data". This would confine the obligation to data that are actually registered on the file so that they would be accessible but would also show that there has been an omission as to that data.
This can happen in a number of ways. It may not be straightforward and it may happen that, as a result of cross-referencing, transfers and so on, which can be achieved with data processing, information may be left out. We should be able to cover in some way the situation where data are missing from the information supplied to an individual. Subsection (2) as it stands at present is lacking in that regard. The Workers' Party amendment is unrealistic. I do not believe one can leave it as vague as that and any omission of fact or detail, wherever it may be found, could be included in that amendment. I believe my amendment is realistic and would probably cover the omission I have referred to.
With regard to amendment No. 10, subsection (2) provides that data will be regarded as inaccurate if they are incorrect or misleading as to any matter of fact, as distinct from a matter of opinion. Data can be incorrect or misleading either because some relevant item of information has been omitted or because some supplementary information has been included. In either case the wording used in the subsection seems adequate to make it clear that when the Bill speaks of data being accurate it means that on any matters of fact data must not be incorrect or misleading, whether by the addition or omission of particular information.
With regard to the amendment proposed by Deputy Colley, I note what she is trying to achieve but I am advised that this is a drafting matter and that the present wording is adequate. I do not see any difference between the wording but if the Deputy wishes I can have the matter examined during lunchtime to make sure that what I am saying will stand up.
I would accept that from the Minister if he would have the wording looked at again. It has been drawn to my attention that the subsection is not necessarily tight enough and it could be seen to be allowing omissions to slip through the net.
Perhaps I am not yet fully alert but I do not understand how Deputy Colley's amendment addresses the problem of omissions or deals with the problem I sought to address in The Workers' Party amendment. I do not see the difficulties being presented, not so much by the Minister but by Deputy Colley in respect of our amendment. To the extent that the Minister's interpretation of the present wording allows for the omission of fact, I would urge him to put the matter beyond doubt by accepting words along the lines suggested in our amendment or indeed any other wording he thinks would better serve the purpose.
I am concerned about the overall working of this Bill. Any press comment there has been on this Bill, or any articles written about it, have been seeking to alert industry and agencies to its wide scope, to the almost revolutionary impact its provisions will have on companies' practices in having to accede to requests from members of the public to inquire into the records they keep. I am concerned that every conceivable device will be deployed by those companies who are slow to disclose information. Many of us in our capacity as public representatives and otherwise have come across examples, particularly in this city, of cartels between credit companies, one referring to another information about people seeking credit. I am not talking about large business interests. I am talking about ordinary people seeking to survive by resorting to credit and the grave injustices often done such people by misinformation being put about or retained on file.
I am also concerned about the fact that apparently, again in this city, insurance companies maintain black lists of people who represent insurance risks. Reading between the lines of such comments and articles there have been on the provisions of this Bill, it appears to me that there is widespread concern about and an amount of resistance to them, particularly on the part of banks, insurance and credit companies. They are not happy with its provisions. They are not happy about the obligations and duties the provisions will impose on them. They fear they will have to begin to open up their company practices and records to members of the public, something of which they never conceived in the past.
I am anxious that we have water-tight legislation that does not afford people any opportunity to avoid its obligations or provisions. I accept that the Minister is endeavouring to meet all concerns in this House and that the present wording, as he perceives it, includes problems arising through omission. Perhaps my thinking here goes back to Catholic training——
——a long way back.
——something from which I have long departed. But I remember, from the days when the catechism was drummed into me, that sins were sins of act or omission. It is this problem with regard to omission of which we must be aware. As I speak I am endeavouring to think of an example of information which arguably can be correct, that there is nothing incorrect in what is retained on record but in respect of which a relevant piece of information could be omitted. Like the catechism, I should like the sin of omission written into the provisions of this Bill, to ensure that information tainted by omission is clearly defined as inaccurate so that its subject can have the matter corrected. I should ask the Minister to consider inserting some provision to allow for that type of problem being encountered.
Having listened to Deputy McCartan, recognising that there is not any great difference between what he and we all want to achieve, I am prepared to have discussions over lunch with the parliamentary draftsmen to ensure that nothing is left undone in this respect.
Amendment, by leave, withdrawn.
Amendment No. 11 not moved.
Acting Chairman
Amendment No. 12 in the name of Deputy Spring. I might inform the House that amendments Nos. 12, 13, 14 and 62 are related and may be discussed together by agreement.
I move amendment No. 12:
In page 5, subsection (3) (a), line 41, before "An appropriate authority" to insert "With the consent of the Government, and subject to a written copy of the designation being laid before the Oireachtas".
The whole purpose of the provisions of this Bill is to protect individuals' rights in this computer age, in an era when more and more information is capable of being stored in computers covering every aspect of people's lives.
The intent of my amendment is to strengthen the provisions of the Bill, particularly as they affect the rights of individuals. I contend that the provisions, as drafted, leave a number of loopholes which would render it easy for some specified bodies to escape their obligations. For instance, a member of the Government has power to designate a subordinate civil servant as a data controller or processor. By so doing a Minister can ensure that the provisions of the Bill do not apply to himself. I consider that provision most unsatisfactory. My amendment would have the effect of ensuring that such designation could take place only as a result of a clear Government decision which would have to be taken and recorded, as opposed to a decision taken by a Minister acting on his own and that this House would have to be advised of any such Government decision.
There is an important principle involved here. The House has always accepted that a Minister of the day is responsible and ultimately accountable for acts or omissions of civil servants. If we depart from that principle and institute a practice under which civil servants will become directly accountable for some of the provisions of this Bill, then I contend that can be done only with the knowledge and consent of this House. My amendment would ensure maximum accountability to this House.
My amendment No. 13 deals in a somewhat different way with the problems to which Deputy Spring has drawn attention. We must revert to the principle of the Bill. The Bill is designed to provide a degree of protection for the individual, to ensure that information held by various types of bodies on computer is accurate, that an individual will have access to such information, know what information is held and, if necessary, have it corrected; indeed, if wrong information is held and an individual suffers damage as a result that he be entitled to bring court proceedings seeking damages.
There is one extraordinary and indefensible aspect of the Bill the rationale behind which I find very difficult to understand. The obligations the Bill seeks to impose on bodies outside of Government, such as financial institutions, which are correctly imposed, the Government are seeking here to render themselves immune from. They are seeking to ensure that Government Departments and other bodies are not held liable by the provisions of the Bill and cannot be sued by individuals who are wronged as a result of suffering damage due to wrongful information being held on computers which has affected their wellbeing, livelihood or family. This arises as a result of the definition contained in subsection (3) (a) of section 1 which says:
An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force——
(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and
It then goes on to say, more importantly:
(ii) this Act shall not apply to the authority, as respects the data concerned.
That all sounds very complicated until one has a look at what an appropriate authority is under this Bill. We are told in subsection (1) that an "appropriate authority" has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958.
Section 2 of the 1956 Act defines an appropriate authority as follows: In relation to a civil servant holding a position to which he is appointed by the Government, the appropriate authority is the Government. In relation to a civil servant who is a member of the staff of the Houses of the Oireachtas or the office of the Attorney General, the appropriate authority is the Taoiseach. In relation to a civil servant who is a member of the staff of the Office of the Revenue Commissioners, the Minister — here being the Minister for Finance — is the appropriate authority. In relation to any other civil servant, the relevant Minister in whose Department that civil servant works is the appropriate authority. This definition seeks to ensure that the Minister, or the Government, or the relevant Government Department can render themselves immune from the protection afforded to the individual by this Act and, indeed, immune from being sued, by simply designating somebody within that Department as a data controller.
My amendment seeks to remove that immunity from the Government of the day. It certainly would continue to allow, as logically it should, Ministers to designate people within the Departments to be data controllers. The ordinary legal view, however, would normally be that a civil servant is acting on behalf of his Minister and where court proceedings are necessary it is never the individual civil servant who is sued if a citizen suffers damage. It is the Minister nominally who is sued, or the Government can be sued.
I am not suggesting that this Government would do so or that it is likely that the next Government might, but let us project ourselves beyond the year 2,000 and assume that we have a Government that become somewhat paranoid about their position and sought to develop computerised information that they retain about the political beliefs and peculiarities of every individual in the State.
They do that already.
Some Departments may do it, but it is not an aim of Government at the moment to maintain a data bank about every citizen in the State.
Do political parties do that? The Workers' Party have it already.
(Interruptions.)
Let us assume that these computers are full of wrong information to which individuals wish to have access and that this information has been used to create havoc in some individual's life. Under this Bill that Government apparently could not be sued. The individual civil servant who is foolish enough to undertake such a task on behalf of the Government could be sued, but the Government could not. It would seem, on the basic principles of political responsibility as we understand them in this country, that it is an acceptable part of our political process that the Minister of the day is responsible for the acts of his civil servants. It seems that this definition, which looks innocuous until one starts to examine it, seeks to ensure that the Minister of the day is protected against any wrongdoing by his civil servants in the use of computerised information, provided that he designates one as a data controller.
Perhaps I am misinterpreting the Bill and the Minister might explain the reason for this subsection (3) (a). My amendment seeks to delete paragraph (ii) of subsection (3) (a). It would restore responsibility to the Government Department, the Minister of the day, or the Revenue Commissioners, or whoever else is involved, for any wrongful information held in their files and used in a way which is contrary to the Act and causes damage to the individual. This is important, because the Cathaoirleach has indicated that we should discuss amendment No. 62 in the context of this discussion. Amendment No. 62 deals with section 7 of the Bill, which I assume will be discussed in more detail when we reach that section. Section 7 is what could best be described as the damages section. It seeks to ensure that where somebody has suffered damage or loss as a result of the wrongful use of information, he or she can bring court proceedings and secure damages. It is the data controller who in this instance would normally be sued. My amendment to section 7 is to add a new subsection to it which would read:
"(2) For the purposes of the law of Tort where an appropriate authority has designated a Civil Servant to be a Data Controller, such authority shall to the extent that the law does not so provide be vicariously responsible for the compliance by such data controller with the provisions of this Act in relation to the collection of personal data or information intended for inclusion in such data or the processing, keeping, use or disclosure of such data and owe a duty of care to the data subject concerned subject to the same proviso as arises under subsection (1) of this section.".
Subsection (1) contains a number of provisos with regard to the bringing of proceedings. That amendment is designed to ensure that if a Government Department hold information and are in violation of this Act, if the information is wrong and someone suffers damage as a result, it is the Government of the day, or the Minister of the day, who is accountable to the courts for any damage done as a result of the holding of that information.
In so far as the Minister may be seeking to ensure that this Government or future Governments, or the Minister of the day of a particular Department, is given a degree of immunity, I suggest that to try to extend the degree of immunity violates the constitutional principles enunciated by our Supreme Court in the case of Byrne versus Ireland. It would seem that, in so far as this Bill would seek to prevent individuals from suing the State or the Government Department for damage suffered by them at the hands of that Department as a result of wrongful information being held and used from the computer processing system, in the light of the decision in Byrne versus Ireland any such provision is likely to be unconstitutional. I would be very interested to hear what the Minister has to say on foot of these amendments and his rationale for dealing with this matter in the way that it appears to be dealt with under the provisions of this Bill.
In conclusion, I would not regard Deputy Spring's amendment as going far enough. It simply agrees to this approach in extending some degree of immunity to Government, or the Minister for the day, provided that the Government have made the decision and that that decision is notified to the Oireachtas. I hope that I am not doing Deputy Spring an injustice by saying that, as I read it, that is the effect of what he is saying.
Basically, the Government consent would be given to a particular person within a particular Department being nominated as a data controller and a written copy of this designation would be laid before the Oireachtas. That would not give the Oireachtas any control over that Government decision. It would not extend to the Oireachtas any right to approve or reject it and it would not extend to the individual, following such a Government decision being made, any greater protection than the Bill, unamended, currently provides for the individual.
I do not understand how this amendment would greatly protect the rights of the individual in ensuring that a Government Department, the Government, the Taoiseach or other bodies referred to as appropriate authorities in the 1956 Act can be properly sued in the courts for violating the provisions of this Act or can be required to comply with the provisions of the Act in the context of the various obligations that are imposed on data controllers and data processors by the Act. It is desirable that Government Departments, save for the very extensive exemptions they seek from this Act, should be the bodies required to comply with the obligations of the Act. Designating a Government decision by simply notifying the Oireachtas or putting a note in the Library of the House does not extend any additional protection to anyone, other than letting people know the name of the designated data controller.
There is no loophole here and no diminution in the liability of the State and Ministers for the wrongful acts of their civil servants. The Bill recognises the reality of the situation and puts responsibility, including liability for criminal proceedings for breaches of various provisions of the Bill, where it should lie, on those who are responsible for running the data systems of Departments. Everyone know that Ministers have nothing to do with the day to day operation of the system. The Bill does that without taking in any way from the liability of Ministers and the State for the wrongful acts of their civil servants.
Before going into detail regarding the amendments, I should like to set out the objectives of section 1 (3). It enables the Government, Ministers and any other appropriate authority to delegate to a civil servant or civil servants their functions as data controllers or data processors. Defence Forces personnel data may be delegated by the Minister for Defence to an officer of the Permanent Defence Forces, for example. Also, it deems civil servants, members of the Defence Forces and members of the Garda Síochána to be employees of their Minister or the civil servant he has designated or the Garda Commissioner, as the case may be.
Where a Minister designates a particular civil servant, that civil servant will be the person to be registered in the register of data controllers that is to be maintained by the data commissioner. The decision to designate will be a matter for each individual Minister and probably most Ministers will designate the civil servant or civil servants with responsibility for particular areas of the departmental data activities.
Deputy Spring's amendment would require the consent of the Government before any designation is made and a written copy of the designation to be laid before each House. I cannot see why the consent of the Government should have to be obtained for making a designation. A designation does nothing more than recognise the reality of the situation. A Minister cannot be expected to supervise the detailed operation of the data processing of his Department: that responsibility should be placed on those whose duty it is to see that the departmental data is handled properly. There is no diminution of the State's liability here for the acts or omissions of its civil servants involved. Nor do I see any necessity for informing the Oireachtas whenever a designation is made either for the first time or to cover changes in personnel. On each occasion, the designation or change in designation must be notified to the commissioner and recorded in the register which is a public document available for inspection free of charge. Arrangements could be made to have a copy of the register placed in the Dáil Library and, if that is the wish of Members, there would be no difficulty about it. It could be done administratively if that were deemed to be helpful.
With regard to amendment No. 13, section 1 (3) allows a Minister to designate one or more civil servants to be responsible for the proper handling of the personal data kept in the Department concerned. In the ordinary course, it is to be expected that Ministers would designate senior officers to be responsible for the divisions of the Departments to which the personal data relates. I am sure Members recognise that Ministers could not be expected to involve themselves in the day to day operation of the processing system in use in Departments, in the same way as responsible senior officers would have to, especially when criminal sanctions can be invoked against data controllers in the public sector for failure to comply with the provisions of the Bill. That is why the Bill places the responsibility for compliance with its provisions on those civil servants who have been designated by the Minister for that purpose.
That is not say that the Bill, in making that provision, in any way diminishes the right of any individual under the law of tort as extended by section 7, to relief for any damage he may suffer as a result of non-compliance with the data protection principles by a designated civil servant or any of his subordinate civil servants. This is because, under the present law, the State is liable for wrongs committed by civil servants in the course of their duty and that will still apply to any wrong committed by a designated civil servant because his relationship to his Minister is not changed in any way by the Bill. Accordingly, if that civil servant, as data controller, causes damage to an individual, the individual will have the same remedy against the State as he has now. That applies also where the damage is caused by an officer who is subordinate to the designated civil servant. His relationship to his Minister is not changed either.
I note that the Minister says there is no diminution of the State's liability for wrongful acts by its civil servants and that the designation here is reality. I acknowledge that there are civil servants throughout a ministerial department who have responsibility in individual areas and that that is the way Government works. The way the Civil Service are accountable for what they do is through the political head of that Department who is normally accountable to this House. As things stand at the moment, if a messenger from the Department of Justice driving a van along the road beside St. Stephen's Green crashes and causes physical injury, the person who is injured will seek damages by bringing proceedings against the Minister for Justice who is nominally the person who can be sued. If what the Minister says is correct, that there is no intention here to provide the Government or the State with some degree of immunity for the wrongful acts of civil servants in the context of the Data Protection Bill, the Minister should have no difficulty in accepting amendment No. 62 in my name because it would insert a new subsection to section 7 seeking to ensure that State or Ministerial liability will be accepted in the context of actions for damages brought.
From what the Minister is saying it seems that this amendment merely states what he intends to be the law and therefore he should have no difficulty with it. Section 7 seeks to ensure that the data controller, generally speaking, is the person liable for wrongful acts in civil damages and to ensure that where the ordinary law of torts or the civil law relating to litigation would not in some instances under this Bill provide for damages, there is a specific duty of care for which the data controller is responsible which is over and above the existing law of torts. Section 7 provides that:
For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards his compliance with the provisions of this Act in relation to the collection of personal data or information intended for inclusion in such data or the processing, keeping, use or disclosure of such data, owe a duty of care to the data subject concerned.
The section says that for the general purpose for the law of torts, it is the data controller or the data processor, who is liable and that in so far as under the ordinary law of torts he would not have a liability, this Bill specifically says that he has a duty of care with regard to the inclusion of data or the processing, keeping, or use or disclosure of data. This is a very specific duty of care relating to the use of data held on computer or being processed through computers. It is a specific duty of care dealing with what could be described as our civil law negligence in areas into which the civil law in this State has not yet travelled by way of judicial development. Instead of awaiting judicial development and instead of waiting to see to what extent the courts will extend the laws of negligence to the use or misuse of computerised information, this Bill provides specifically what the nature of the duty of care is and to what it applies and it states that the person liable is the data controller, subject to various provisos set down. The Minister is saying that even if that data controller who has been appointed by an authority under this Bill fails to comply with this duty of care the Minister of the day can be the defendant in court proceedings brought in which someone seeks damages. This Bill does not say that. It says that the data controller is the person. Because of the definition section provision, it seems to me that the Minister cannot be the nominal defendant and cannot be sued. I am not suggesting that a Minister can know what is being done from hour to hour by every official in his Department. The Minister of the day, in theory at least, would not be responsible and in practice could not be held responsible for the bad driver attached to his Department who runs over someone. The reason the Minister of the day becomes the defendant is because that person is a servant of the State and if he runs over someone when in the employment of the State the State can be sued because the State has a vicarious liability for its employees.
What is more important from the point of view of the person who is wronged is that the State is more likely to have the money to pay the compensation for the wrong suffered due to someones failure to exercise a duty of care, than will be the individual. Will we have civil servants in Government Departments prepared to operate computer systems on the basis that they may be personally liable in cases of substantial financial damages if they fail to comply with the provision of the Act or if they have information on their computer which does damage to someone and which turns out to be wrong information? I suspect that it would be very difficult to find any civil servant willing to operate under those conditions. But from the point of view of the rights of the individual, what is more important is that the individual will look to the State for compensation for negligence. If the Minister's intent is that the State remains liable the Minister should have no problem in accepting the amendment to section 7 and in taking on board for the purpose of civil liability, the amendment I have tabled to section 1 (3) of the Bill.
I have a minor point in relation to the phrase "data processor" in section 1. The data processor is a machine and in the computer world generally, the phrase "data processor" is always used in relation to a machine. The fact that this Bill refers to a data processor as a person is bound to cause confusion and I suggest that the Minister change that phrase and consider a variation of it so as not to cause confusion.
The definition of the data processor is clearly spelled out in the Bill. I am sure that it will be very clear to everybody in the context of the Bill.
We are not changing the law about the liability of the State for the acts of civil servants. To do that would require an express provision to that effect. Deputy Shatter suggested that by accepting his amendment it would be made clear that there was no question of giving the Minister immunity. To accept it would negative the whole purpose of the amendment which is to distribute actual responsibility to the civil servants directly concerned. By accepting the amendment one would retain the Minister as top data controller with perhaps four or five other data controllers under him. I have no doubt that confusion about their respective liabilities would emerge. The Minister has responsibility to this House and indeed on occasion in relation to other matters, I recall Ministers coming to the House admitting that wrong information was supplied by their Departments and the House accepted the explanation.
I am thinking of the time when we were trying to negotiate the milk quotas in Brussels and incorrect information which left us 13 million gallons of milk short in our quotas was submitted. The explanation was accepted, and it was accepted that the Minister of the day cannot be involved in day to day activities. I am satisfied that it is right to have people designated and there is no question of civil servants not wanting to take this type of work because they might be held responsible personally for anything that might go wrong in fulfilling their duties. The same could be said for a Minister. A Minister might not want to take on the office of Minister if he was to be personally responsible for something that might go wrong, even things he knew nothing about down along the line. What we are trying to do is exercise control and protect data. We are putting the obligation on the people designated who will not be faceless persons and whose names will be on a register which will be available in the library. If there is any change that change will be notified and if anybody is wronged the State will be responsible in the normal way.
I take the point that the Minister wishes to distribute responsibility for actions taken under the auspices of this Bill or in relation to data processing to those who are actually taking those actions. That is something which I support. I support the reorganisation of the public service on the basis that those responsible for certain actions should be made to take that responsibility. Unfortunately, this is probably the only Bill in existence in our legislative system that might seek to do that. It is not possible to singularly give the responsibility for actions purely to civil servants in this Bill and not to do it right across the board. I do not think you can opt out of the system in that way. If somebody were to read the reports on the debate and hear what the Minister has said they could be confused with the Bill as it stands.
The most important phrase in amendment No. 62 in the name of Deputy Shatter is contained in line three which states: "to the extent that the law does not so provide...". That would remove the doubt that if somebody were to be designated as a data controller that he or she would get immunity from the State for any action taken either in tort or under this Bill against that person. It is unrealistic not to make reference to that because it will be misleading to those who are examining the Act after it has passed through this House if it is not stated. I have received representations from people who were under the impression that every Government Department was given immunity against the effects of this Bill and these are people who should know better if it were clear. Obviously it is not clear and amendment No. 62 serves to clarify the issue while still retaining the notion of the Minister that one person in a Department should be designated as a data controller. It is realistic for the workings of the Act to have somebody designated as such as it would not be possible to work it otherwise. It should also be tied in very clearly to the policy that has existed so far, and still exists, in the process of government that the Minister is responsible for what happens in his Department. I support the idea of moving away from that but it cannot be done in isolation with this Bill. It must be a policy that goes right across the board.
I would like to reply to Deputy Colley and say we are making a start in this Bill with regard to placing responsibility here for data handling on the people who will be designated by the Minister in the various Departments. A start has to be made somewhere. It is a good principle. It is my experience in different Departments that it is often very difficult to find out — even as Minister — who has direct responsibility for certain matters. On occasions it takes an effort to pin responsibility. There are people here who have been in Government and have been in charge of Departments and I am sure they would agree with me, others in time will have the same experience. It can be very frustrating at times when one is trying to get the full story and the facts before making the required decision.
It is very important in this instance when we are talking about data protection that we identify those who have specific responsibilities. It is a major breakthrough and it is necessary in the context of this Bill. As I have already said in relation to Deputy Spring's amendment, these designated persons will be identifiable and their responsibilities will be known. They themselves will be very much aware of their responsibilities. This will give us all what we hope for in this Data Protection Bill which is the element of control and to see to it that it is not abused.
If I might borrow part of the phrase used by Deputy Spring in his opening contribution in support of his amendment, we have to protect the rights of individuals. I believe this move is what is required in this area. Having said that, we are not changing the Minister's ultimate responsibility for the wrongful acts of his staff. We are not doing that in any way. If the Deputy, or Deputies, say we are changing the law about the liability of the State for the acts of civil servants, that is such a fundamental change that it would require an express provision to that effect. We are not doing that. The Minister has and must have ultimate responsibility because he is the political head of the Department. He is the person who makes the designation and he has the authority to do so. He then has the responsibility that goes with that authority to come into this House and answer any questions in relation to this matter.
It would be unrealistic to make a Minister personally responsible for the observance of the data protection requirements when he is not involved in the day-to-day detailed operation in the various sectors of the Department. Having regard to other duties and functions of Government it would be impossible for him to do so. Even in the less busy Departments there is no way the Minister of the day would have the time to observe on a daily basis and in detail what is going on. In an effort to have an element of control in this sensitive area people are being designated. I believe this is the proper way to do it. I am not saying it should be like this for ever. I go along with Deputy Shatter when he said that we must look beyond the year 2000 which is 11 or 12 years away. I am not saying this Bill cannot be amended along the way — if the occasion demands it should certainly be amended — but I am satisfied that we are doing the right thing and that the approach is the proper and the correct one.
I remind the House of the obvious, that we are still on section 1. Deputy De Rossa is anxious to raise a point of order.
I seek permission to raise on the Adjournment the activities of the le Patriarch group in France and the treatment of Irish citizens by that group.
The Ceann Comhairle will communicate with the Deputy.
In the context of the Minister's response, would he confirm if I am right in saying that section 7 of the Bill in effect sets out what the law of tort will be in this area and, indeed, may extend the concept of negligence in the context of dealing with computer processing to some extent and that this would be a provision in this Bill which specifically entitles someone to sue for damages? Perhaps the Minister would explain how he can say that the State can still be sued or, nominally, a Minister can be sued under this provision even where a data controller has been appointed by an appropriate authority. Subsection (3) (a) of section 1 expressly states that where such a data controller has been appointed the Act shall not apply to the authority as respects the data concerned. If the civil liability arises under section 7 and a data controller is appointed, the appointment of the data controller seems to exempt the State, the Minister of the day or the Government Department from being sued for damages. The Minister said this would be a major change in the law. I am saying it is a major change in the law and it seems that this is what this Bill does. If it does not and if the Minister is not prepared to accept my amendment, an amendment in similar form to amendment No. 62, which I have tabled, should be tabled to be included in section 7 to expressly confirm that — even where someone has been nominated by an authorised authority as a data controller that the authorised officer for the purpose of civil damages would maintain liability——
Sorry Deputy but he will appreciate that there will be an opportunity to treat that under section 7. With the co-operation of the House could we dispose of the amendments which have been discussed now for some time?
Amendment, by leave, withdrawn.
Perhaps the Minister would respond to my invitation to amend section 7.
We cannot juggle around with the order; 1.30 p.m. is 1.30 p.m. and there will be a response from the Minister.
Perhaps I could make one sentence of a reply to Deputy Shatter. The State is liable for the actions of its civil servants. The data controller is a civil servant designated by the Minister and the State cannot evade its responsibilities.
Amendment No. 13 not moved.
I move amendment No. 14:
In page 6, subsection (3) (c), to delete lines 19 to 38, and substitute the following:
"(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,
(ii) where a designation under paragraph (b) of this subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and".
Amendment agreed to.
Progress reported; Committee to sit again.
Sitting suspended at 1.30 p.m. and resumed at 2.30 p.m.