Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach díospóireacht -
Wednesday, 6 Apr 2022

Our business today is to consider the motion relating to the Data Protection Act 2018 (Section 60(6)) (Office of the Ombudsman) Regulations 2022. No. 6, the minutes of the joint committee meeting on 30 March 2022 were agreed at the private session.

Before we begin, members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official by name or in such a way as to make him or her identifiable. I remind members of the constitutional requirement that they must be physically present within the confines of the place in which Parliament has chosen to sit, namely, Leinster House, Dublin, to participate in the meeting. I cannot permit a member to participate where he or she is not so located. Members are reminded to turn off their mobile phones. I welcome the Minister of State and his officials and he will make his opening statement now.

I thank the Chairman and members of the committee for inviting me to speak today. I will begin by introducing in general terms the draft statutory instrument and the background to it. The Office of the Ombudsman performs a vital role in ensuring good administration across the civil and public service. Part of this role includes investigating complaints in regard to particular incidents and issuing findings. Decision letters issued by the office to complainants will include all the basic facts and evidence gathered during the investigation process. They also outline the position of the service provider as reported to the Ombudsman as well as the Ombudsman's evaluation of the merits of the case and the basis for any of his findings and recommendations. To make the investigation process effective, there must be a certain space where the Ombudsman can engage with complainants, public bodies and staff members. This is reflected in section 9 of the Ombudsman Act which restricts the dissemination of information relating to an investigation. This facilitates the full co-operation of bodies under remit in the provision of all the necessary records required for the examination of complaints, the nature of which is often highly sensitive. This approach is in line with what is seen globally in similar institutions.

On the other hand data protection rules provide for a number of rights to seek access to personal data as well as asking for personal data to be amended or deleted in some circumstances. When the general data protection regulation, GDPR, was passed, it was anticipated there would be a need in certain instances to balance individual data protection rights with the ability of public bodies to carry out their statutory functions. Accordingly Article 23 of the data protection regulation allows for data protection rights to be restricted in appropriate circumstances. Under the previous data protection legislation, investigations by the Office of the Ombudsman were completely excluded by way of a statutory instrument. That exclusion lapsed when GDPR and the 2018 Data Protection Act were passed. This statutory instrument is part of the implementation process for the GDPR and will regularise the position of the Ombudsman’s office in line with what was anticipated in the data protection regulation.

Under Article 23 of the data protection regulation as well as section 60 of the Data Protection Act, rights may be restricted to protect what are referred to as important objectives of general public interest. One of these is identified as avoiding obstructions to any official or legal inquiry, investigation or process. In practical terms, what is at issue here is the potential for data protection rights that are fundamentally directed at privacy and the fair use of personal data to be used in a way that was not intended as a means of undermining, delaying or derailing the Ombudsman's office in the performance of its functions. For example, an official named in a complaint to the Ombudsman may attempt to use data protection rights to access personal data relating to them and from there to seek amendment or erasure of those data to undermine or delay the investigation being carried out by the office. Similarly, a complainant may attempt to use repeated data protection requests as a means of micromanaging the conduct of an investigation. Such scenarios as these are far removed from the core purpose of data protection and would have a seriously detrimental impact on the ability of the Ombudsman’s office to do its important work. In this context it is necessary to give the office of the Ombudsman the option to refuse to act on data protection requests only in some circumstances.

However, it is not a blanket exemption, as was the case under the previous legislation. The proposed regulations take a measured and proportionate approach, providing for a number of safeguards to ensure they are not applied in a disproportionate way. The draft statutory instrument is the product of a long and detailed engagement between my Department, the Office of the Ombudsman and the Office of Parliamentary Counsel. It has been approved by both the Data Protection Commission and the Department of Justice as being in compliance with the letter and spirit of the GDPR in accordance with sections 60(9) and 60(10) of the 2018 Act. Under these regulations, data subject rights can only be restricted to the extent that it is necessary and proportionate to prevent an interference with the performance of the Ombudsman's functions in the particular circumstances. Whether and to what extent a restriction applies to a particular request will to be determined case by case. Where an individual is unhappy with the approach taken by the Ombudsman, it will be open to him or her to make a complaint to the Data Protection Commission. The regulations are supported by a set of organisational policies maintained by the Ombudsman’s office. Under section 6(5) of the 2018 Act these regulations may be made once it has been laid before both Houses and approved by way of positive resolution in each.

In the circumstances, I recommend to the committee both that these regulations are necessary and that the approach taken is a meticulous and balanced one. I thank the Chairman and members of the committee for their time today and am happy to take any questions.

I thank the Minister of State. This is exactly the approach that should be taken. I have not seen, and I do not know whether we have received, a copy of the proposed regulations, which it would, of course, be important to see in terms of the detail. I am glad to see section 60 of the Data Protection Act and Article 23 of the GDPR used properly. Very often, when we are told things cannot happen because of GDPR and there are limits, it excludes the fact there are those very clear provisions where there is a strong public interest that could be served which allow for the appropriate making of necessary and proportionate regulations and which would be applied case by case. Those are the big tests. We often see either blunt attempts to create an exemption from GDPR or people saying their hands are more tied than they actually are. We have come across this in such areas as social protection, human rights practice, adoption and personal information, and information related to forced adoption.

This is good. This is an exemplary approach, and I commend the Ombudsman and the Minister of State on it, in that it specifically sets out the question of necessity of proportionality and it is also very clear that these regulations will be applied case by case. In that context, in principle, I am supportive of it but my concern is that I have not actually seen the regulations. It would ideally be good for us to see it because we know there is much difference in the detail in this regard. Of course it is very important for the Ombudsman's office in particular to be a place where people who may be vulnerable in bringing a concern forward can engage and where that vulnerability would not be exacerbated or we would not have an avoidable chill effect in terms of people coming to the Ombudsman. I understand the rationale for this. I am happy with how it is being proposed to move forward, with the exception that I would like to see the regulations. Perhaps the Minister of State comment

I thank Senator Higgins. I agree that GDPR is often used by service providers as an excuse not to service a request, sometimes perhaps through a misunderstanding of GDPR and not having read what the principles are and so on.

This clarifies the situation. Under the previous data protection legislation, there was a complete exemption for the Ombudsman from all data protection rules. Under the Data Protection Act 2018, we now need to provide a specific, proportionate and limited exemption to prevent investigations from being frustrated by people.

With regard to the Senator's question about not having seen the draft regulations, I believed that they had been circulated. I have a copy of them here and will ensure they are sent around to all members. However, they should have been sent around and I apologise for the committee not having had a chance to see them.

I will look at them with interest. I thank the Minister of State for illustrating how section 60 can be used. I hope we do not see either blunt attempts to suspend GDPR or those kinds of people who let their hands be needlessly tied in it. I hope we will see more use and appropriate use of that section.

I welcome the Minister of State and thank him for his appearance here today. As the Minister has laid out in his opening statement and as has been said by Senator Higgins, this is a very reasonable amendment. The Minister of State also mentioned in his opening statement how Article 23 of the data protection regulation, as well as section 60 of the Data Protection Act 2018, allow for rights to be restricted in certain circumstances in order to protect important objectives of general public interest.

The Minister of State noted that one of those identified is where there is a need to avoid obstructions to any official or legal inquiry, investigation or process. We can all appreciate a delay to an official investigation or inquiry would be a situation where the restriction of rights could be deemed legitimate.

I will ask the Minister of State about the appeal mechanism. He noted that for someone wishing to appeal a decision by the Information Commissioner that he or she has the avenue of the Data Protection Commission. The justification for restricting rights in this regard would be on the basis of the need. There should be no unnecessary delays to investigation, as was said earlier. That indicates that the appeals process would also need to be dealt with in a timely fashion.

It is quite reasonable. I do not have many questions on it. Will guarantees or timelines be set out, if there is an appeal, to make sure that there is not undue delay to such a process?

The Data Protection Commissioner is independent in the performance of her functions and has statutory requirements to carry them out. The Ombudsman or I cannot effect her timelines directly in that way. It is a matter for the Data Protection Commissioner who I encourage the committee to bring in to ask directly about her timelines. However, I can see the Deputy's point. What if somebody immediately goes to appeal and says he or she is not getting what he or she wants? If that works, we have a problem.

I am on record as being the first person in the House to object to the data protection legislation when it was introduced, on the basis that it attempted to be selective in the way information was sought and got. My argument, then and now, is that we were all given leave by the electorate to raise any issue that was within our rights to raise. That is virtually every issue. We have to use our judgment. We have to respect privacy and so forth.

However, by and large, the European Union in its promotion of GDPR was following other European countries many of which had ministers that had never been elected, a bit like the American system. It rightly applies to people who were never elected. It does not apply, however, nor should it be made apply to elected Members of the Houses of Parliament.

I have been asked, as I am sure other public representatives have, if we have the permission of the individual or the group to raise the issue. What if we do not? If we were complaining about the individual or group, would we have to get permission from them to raise the issue in that way? What do we have to do?

All in all, giving the individual, Department or group that might be at odds in terms of sheltering behind the legislation an order not to give the information that is necessary adds up to a delay and slows down the process. It continues to happen, as we speak. The need, first, last and always, is to observe the right of an elected Member of Parliament to raise an issue in the House on any subject, or to raise an issue on behalf of or against a constituent, on behalf of the electorate or anybody within the House. Intervening to that extent is an interference with democracy. It does not work. It never should have worked.

A situation is developing whereby freedom of information is used as a means of getting information and dealing with issues. That should never be the case. Elected Members of Parliament are predetermined to raise the issue on behalf of their constituent at any time that they see fit. It should not follow that we have to get anybody's permission to raise the issue. That impedes the progress of any investigation that might follow.

There is an increasing danger that to achieve speed in terms of efficacy and efficiency, about which I am not so sure, we should in some ways curtail the rights of Members of Parliament to raise and deal with the issues with which they were elected to deal.

As we all know, GDPR is a European directive. We implement it but we do have some latitude in how we do it. Part of it is that one of the principles in GDPR is that one can process data in a way that is consistent with primary legislation. If one wants to use personal data in a particular way or if the State needs to use it in order to carry out its functions, one can pass a law to do that.

In terms of how Deputies use personal data, it is a matter of fairness that when a constituent sends in personal information to a Deputy and asks for help with it, the Deputy checks with the constituent first that he or she is happy for the information to be taken and shared with other agencies. I know it is a delay but it has to be done. Otherwise, the person may be surprised the Deputy took his or her personal information and brought it around to a set of other people.

In terms of what a Member says in the Oireachtas, of course, Members have constitutional privilege and can make reference to people's personal data, if we want to, in the Houses, without fear of breaking any laws. To that extent, our Constitution allows us to do that and that is part of our legislative basis.

When we look at GDPR, we try to make sure that there is a legislative basis for what we do with the data and that we use it in a fair way. At the same time, it is always a balance of rights. On one side, there is a person's privacy and on the other, the need to carry out the functions of the State to delivery services to the public. The two have to be balanced up together. That is what is happening with this exemption for the Ombudsman.

Many parliamentary questions are refused nowadays, presumably based on GDPR. When we table them, the private information in the answers is not revealed. Answers state "details supplied", which covers a multitude. There should be a right to table a question on behalf of a constituent regardless. A constituent knows full well that when he or she refers an issue to the elected representative, the latter will have to do something with it. It is a waste of time on two counts if the representative has to go back to the constituent to ask whether it is acceptable to process a question. That would be nonsense altogether. I am not blaming the Minister of State for this, but it is a fact of life. I have never seen that kind of application of the rules. I am aware that the legislation is from the EU. I opposed it all the way. In the past couple of days, we had an example of the EU coming to a decision on the basis of the retention of information along lines that apply in any case. I do not accept that at all. The reality is this: the State needs to protect itself and run itself. I am obviously pro-European, but an issue can arise if the EU or a branch thereof tells us that it is very sorry and that its interpretation stands, based on considerations of the European courts, if you do not mind. I do not mind the European courts coming to decisions but I remind them of the important point that they must have regard to the rule of law in individual member states. If they undermine it on the basis of freedom of information or the need for privacy, that is fine, but they need to be aware of whom they are doing it for.

There are several issues of importance to us, and we need to recognise them. The concept of writing to somebody to ask for permission to raise the issue they want us to raise makes a laugh of the elected public representatives. All journalists have to do is send in a freedom-of-information request; they do not have to ask anybody.

I take the Deputy's points. What I was trying to say is that although I believe GDPR entails European legislation, we have much flexibility in how we implement it and that if we do change our laws to provide for the sharing of data in particular circumstances, we can use this. I understand the Deputy's frustration from having asked parliamentary questions myself and from having had all the important information edited out. I am not sure where it gets changed. Is it a matter for the Office of the Ceann Comhairle or whoever sets the rules on Dáil questions? Perhaps we can make new legislation — we are all legislators — to allow for the information to be published at the time it is used, so it will be useful and will not be presenting information in the abstract. It is not an impossible matter to deal with; it is something we can change by changing our rules. That is what we are doing here today.

To take up Deputy Durkan's point, there is a need for those elected to the European Parliament to ensure greater scrutiny of regulations and directives handed down to us by the EU for transposition into Irish law. There is not enough of it. It is led mainly by bureaucrats, I believe, based on some of the material I read. That should not be the case. We need to make a greater effort as a country to ensure the interrogation of the various measures occurs and involves Members of the European Parliament.

In doing constituency work, I note that different county councils and Departments have different approaches. Some ask for written consent from the constituent and some do not. To clarify the position, there is a need for someone to set out a template for dealing with Members of Parliament, in particular, because we are here for a purpose. Some of the regulations on GDPR are a little vague in that respect. Clarifying the role of a Member of the Oireachtas is important.

There has been much consultation on the regulations, which I have to hand. The committee has played its part by considering them. Therefore, I propose that we now regard them as adequately scrutinised and considered. Is that agreed? Agreed. I thank the Minister of State and his officials for attending and the members for their input.