The object of this Bill is to enable Ireland to ratify the 1981 Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data. For convenience of reference, the text of the Convention is set out in the First Schedule.
The Convention has three main features. It sets out a number of basic principles for the protection of individual privacy in the handling of automated personal data. It has special rules on transborder flows of personal data and, finally, it provides machinery for mutual assistance and consultation between the contracting parties. As the provisions of the Convention are being given effect to by the Bill, it may be convenient to deal with the Bill under those three headings.
First of all, the basic principles of data protection are set out in sections 2 (1), 4 and 6 and require any person who controls the contents and the use of automated personal data — what the Bill calls a "data controller" — to observe proper standards in the collection and processing of the data. In general, they require that the information constituting the data must have been collected fairly; must be accurate and, where necessary, kept up to date; must not be used or disclosed in any manner incompatible with the purposes for which they are kept; must be adequate, relevant and not excessive in relation to those purposes; and must not be kept for longer than is necessary for those purposes. Appropriate security measures must also be taken against unauthorised access to, or alteration, disclosure or destruction of the data and against their accidental loss or destruction. Finally, a person who is the subject of the data — the "data subject" — must be given a right of access to the data, and any data that are incorrect or misleading must be corrected or erased.
As regards transborder flows of personal data, the Bill implements article 12 of the Convention. That article is aimed at reconciling, as between the contracting states, the simultaneous and sometimes competing requirements of data protection and the free flow of information. Its main provision is that transborder data flows between contracting states should not be subject to any special controls. That provision is a corollary of the requirement earlier in the Convention that all contracting states should incorporate in their law common principles of data protection, guaranteeing a certain minimum protection to data subjects in all countries where the Convention is in force. The adoption of such a common set of legislative principles by contracting states has the additional advantage of leading to a general harmonising of laws and a resultant decrease in the possibility of conflicts of law or jurisdiction.
However, article 12 also provides that a party to the Convention can prohibit or restrict the export of personal data in two cases. It can do so, first, if its legislation has specific regulations governing certain categories of personal data because of the nature of those data — what is in mind here is sensitive personal data such as health data — unless the regulations of the other contracting party give equivalent protection. It can also prohibit or restrict a transfer abroad of data to another contracting state if there is an intention to transfer the data subsequently to a non-contracting state and the object is to circumvent the data protection legislation of the exporting state. The provisions of article 12 are implemented in section 11 of the Bill.
Lastly, there are the provisions of the Convention for mutual assistance and consultation between the contracting parties. Chapter IV deals with mutual cooperation between data protection authorities and assistance to data subjects abroad. Section 15 of the Bill designates the Data Commissioner to be appointed under the Bill as an authority for the purposes of that chapter. Chapter V deals with the machinery for regular consultation between the contracting parties to facilitate the smooth running of the Convention and, where necessary, to deal with any problems that may arise with regard to both its interpretation and its practical application. The Consultative Committee established for this purpose are authorised to propose amendments to the Convention to help to solve any difficulties that may arise between the contracting parties.
While the Convention obliges contracting parties to incorporate data protection provisions into their domestic legislation, the particular measures may take different forms, depending on the legal and constitutional system of the State concerned. Apart from laws, there may be regulations, administrative guidelines and so on and these legally binding measures may be reinforced by measures of voluntary regulation such as codes of practice.
In fact, there is a fair measure of variation in the methods used to give effect to the Convention by the member states of the Council of Europe that have passed legislation in this field. Of our EC partners, five — Denmark, France, Germany, Luxembourg and the UK — have legislation already in force. Belgium, Greece, the Netherlands, Portugal and Spain all introduced legislation some time ago but it has not yet been enacted. There is also data protection legislation in force in five other European jurisdictions — Austria, Finland, Iceland, Norway and Sweden.
In preparing this Bill we have had the advantage of examining the various systems of data protection in operation in European countries and also the proposals for legislation in the other countries I have mentioned. What we have tried to do is to build on the experience of those countries and produce a measure that will be appropriate to our conditions, provide an adequate measure of data protection without imposing an undue burden on industry or unnecessary bureaucracy and facilitate the transfer to this country of personal data for processing.
One important aspect in which the Bill differs from the legislation in force in most European countries is that we do not propose to adopt a system of universal registration or licensing of data controllers. Such a universal system was adopted by Sweden in 1973 in the first data protection legislation ever enacted and their lead was followed by many other countries subsequently, including the UK in its Act of 1984 which came into operation last November. More recently, there has been a trend towards introducing an element of self-regulation. The Finnish legislation, dating from last January, is an example of this. Their system requires registration only of certain sensitive categories of data and a system of self-regulation of the remainder.
That brings me to the proposals in the Bill for regulating the processing of personal data and ensuring that data is dealt with in accordance with its provisions. First of all, the Bill proposes a system of selective registration for those areas of activity which it is particularly desirable for the data commissioner to monitor, such as the public sector, financial institutions, companies in relation to which individuals are likely to avail themselves of the right of access such as credit reference agencies and, finally, persons or firms who keep sensitive data, such as data relating to health, political beliefs and so on. Persons who are in the business of processing data on behalf of others are also required to register. These categories may be added to by regulations made by the data commissioner with the consent of the Minister for Justice.
All other controllers of personal data are under no obligation to register. That is the only obligation they are relieved of. They are still equally bound by the obligation imposed on all data controllers by the Bill to comply fully with the data protection provisions and, if they do not, the data commissioner has been given adequate powers to compel them to do so. In particular, every data controller, whether registered or not, is obliged by section 3 to tell an inquirer whether he keeps personal data and, if so, the purposes for which the data are kept and a description of the data.
Another distinctive feature of this legislation is the provision for codes of practice in section 13. Codes of practice have an important role in any scheme of data protection that aims at achieving a proper balance between the interests of all those concerned — that is to say, the interests of data subjects, the legitimate interests of data controllers and their particular circumstances, including the cost to them and the community at large of providing adequate safeguards, and the benefits to the public from automation.
The fact is that any law, such as this Bill will become on enactment, can do no more than set out general principles of data protection. These cannot reflect adequately the difference in sensitivity there can be between various forms of personal data and, consequently, between the levels of security and safeguards that are appropriate in each case. Personal data can range from a person's address, which can be ascertained from the telephone directory in most cases and is normally not of any great significance to anyone, to highly sensitive information about, say, his or her sexual life.
That is why section 13 requires the data commissioner to encourage bodies representing data controllers or data processors to prepare codes of practice that will guide them in complying with the Bill and provides for his approving of codes where he is satisfied that he should do so. The codes will fill in the detail required for achieving the level of data protection that is desirable in the particular circumstances of the data controllers concerned. In so far as the codes do so, they will improve the level of data protection in those sectors.
As the codes are voluntary, they would, in practice if not in law, be binding on members of the body that had drawn them up. That would not apply, or apply to the same extent, to non-members. For that reason, and because I believe the bodies concerned would wish to have the possibility of their codes of practice having statutory effect, the section enables both Houses of the Oireachtas to give the force of law to a code of practice provided that it has been approved of by the commissioner and that it is in accordance with the principles of data protection as set out in the Bill. The code will then become enforceable in the same way as those principles are. Of course, I would expect that codes would have to be in operation for some time before the Houses would be asked to approve of them, so that by then any difficulties in their practical operation would have been remedied. This provision further emphasises the self-regulatory content of the Bill and keeps it fully in line with developments in modern data protection legislation.
Another feature of the Bill is the imposition on data controllers and data processors — these are people who are in the business of processing data on behalf of data controllers — of a duty of care towards data subjects in their handling of personal data relating to them — that is, in so far as the existing law of torts does not do so. To establish liability for damage caused by negligence, the person causing the damage must have been under a duty of care towards the injured party. Obviously that duty applies in some circumstances at present as between data controllers or processors and data subjects but there are cases where it does not exist or its existence is doubtful. For example, a data processor will frequently not have any reason to be aware of the nature of the data he is processing or to whom the data refer, so that it would be difficult to contend that he owes any duty of care to the data subjects covered by the data. Nevertheless, harm could be caused to those data subjects if, say, the data became public knowledge through some failure or inadequacy in the data processor's security arrangements. Section 7 makes it clear that in such circumstances a duty of care will exist.
I should also perhaps mention section 22, which makes it an offence for anyone to obtain access to personal data, or information constituting the data, without the authority of the data controller and then to disclose it. It will cover access to data either by way of "hacking" — by which I mean obtaining access at a distance from the firm's computer by using the telecommunications system — or merely by direct access to a computer printout or to the information in the computer memory, as displayed on the screen. The Bill, being a purely data protection measure, does not make "hacking" itself an offence. That would be appropriate to legislation amending the general criminal law. So, under section 22, the offence will arise only if there is both unauthorised access and disclosure.
The convention does not specifically require a contracting party to establish a data protection authority but it is difficult to see how any system can be effectively monitored or policed without having some authority with power to enforce compliance with its provisions. The Bill, therefore, provides for the appointment by the Government of a data protection commissioner who will be independent in the exercise of his functions. He will have power to investigate whether data controllers are complying with the requirements of the Bill, either on his own initiative or following a complaint from a data subject. Where he is satisfied that a data controller is not complying with the data protection provisions he can serve an enforcement notice on him requiring him to take whatever steps are necessary and it will be an offence to refuse to comply with such a notice. However, the controller will have a right of appeal to the Circuit Court against the notice and, apart from special circumstances of urgency, he need not comply with the notice until the appeal has been finally determined.
The commissioner has also power to prohibit the transfer abroad of personal data and also to require information to be given to him where this is necessary for the exercise of his functions under the Bill. While it is essential that the commissioner should have power to issue these notices and to invoke the criminal law if they are not complied with, I envisage that the commissioner would seldom, if ever, have to invoke these powers but rather that his functions would be advisory and aimed at achieving an ever higher standard of compliance with the data protection principles. In particular, there would be no question of an enforcement notice being issued as a result of a complaint without the commissioner asking for and considering the data controller's side of the story.
Senators will observe that the Bill does not apply to information contained in manual files but only to information that is in automated form. The Convention allows its provisions to be extended to manual files and some of the countries who have ratified it have done so.
I accept fully that there is a clear case for extending the principles of data protection to manual files. There is an equal need for these files to be accurate, relevant and kept up-to-date and the information in them to be collected fairly and not used for purposes incompatible with those for which they were collected. There should be rights of access to them and rights to have inaccurate information corrected or erased. Everything that a computer can do with information can be done with the same information kept in manual form, though of course far less readily.
The fact is, however, that such an extension would place a severe administrative burden on the public and private sectors. To take one example, it is a simple matter to retrieve all the information kept about an individual from an automated data base, possibly in a matter of seconds, whereas it could take days to do so from manual records. Second, there is not the same possibility of manipulating information stored manually as there is with automated data. A computer can manipulate data at prodigious speed and the fact that it can do so much more quickly and easily makes it more likely that it will be used to do so.
For that reason we are proceeding first with the protection of automated data. The protection of manually held data is another day's work. I am sure it will come in time but I have no evidence of public concern in this regard and consequently it would have to get a lower priority than other legislative projects being dealt with in my Department.
I would like to say, in conclusion, that this Bill has been well received and that the principles underlying it have secured wide acceptance. I understand also that it is well regarded in international data protection circles. It is in the nature of this kind of legislation that advances in technology may require it to be reviewed in a comparatively short period of time — though every effort has been made in the drafting, particularly of the definitions, to ensure that its provisions will still be applicable in spite of technological developments. Also, the ground covered is so new that it would be surprising if experience did not demonstrate the need for some changes here or there in it. For that reason it is my intention to monitor carefully the operation of the legislation and in addition, through our representation on the consultative committee established under the Convention, to keep in touch with any developments that may require amending legislation.
This is, I believe, a non-controversial Bill and I commend it to the House.