The first thing to note about the provisions of the act is that they are intended to provide a legal basis for public-sector bodies to share data that has already been collected in line with the requirements of the General Data Protection Regulation 2016 (GDPR).
They only relate to the onward sharing of this data to other public bodies, and not its original collection.
All I really want to do
Unlike private parties, public bodies cannot rely on the ‘legitimate interests’ basis for processing personal data in performance of their tasks as public-sector bodies, as provided for in article 6(1) of the GDPR.
As a consequence, public bodies can only rely on a lawful basis prescribed under Irish or EU law. The provisions of the act will enable public bodies to share personal data in a broader range of circumstances, where necessary and appropriate.
Under section 10 of the act, its provisions apply to a wide range of public bodies. However, several public bodies are designated as ‘exempt bodies’ and are not subject to its requirements.
These are listed in a schedule to the act and include RTÉ, the Central Bank of Ireland, An Post and the ESB.
The expanded list of circumstances where the act enables the sharing of personal data is set out in section 13 of the act.
Where provision hasn’t been made under other Irish or European law, public bodies can disclose personal data to one another for the purpose of the performance of their functions, where the disclosure is also for one of the following purposes:
- To verify a service-user’s identity,
- To identify and correct errors in the information held,
- To avoid the financial or administrative burden that would otherwise be imposed on a service-user of one of the public bodies concerned if the personal data had to be collected again,
- To establish someone’s entitlement to a public service on the basis of information previously provided by them to another public body,
- To facilitate the administration, supervision and control of a service, programme or policy delivered or implemented, or being delivered or implemented by either public body,
- To facilitate the improvement or targeting of a service, programme or policy delivered or implemented, or to be delivered or implemented by either public body,
- To enable the evaluation, oversight or review of a service, programme or policy, and
- To facilitate an analysis of the structure, functions, resources and service-delivery methods of either public body.
Importantly, any such disclosure must be done in accordance with a data-sharing agreement entered into by the public bodies concerned, as outlined further below. Sections 64, 65 and 66 of the act also provide for rules, procedures, standards, guidelines and model agreements that the Minister for Public Expenditure and Reform may prepare, prescribe and issue, as considered appropriate.
There are also restrictions where a public body might be in competition with private enterprise. Under section 13 of the act, where the receiving public body is engaged for gain in the production, supply or distribution of goods, or the provision of services, its use of the personal data cannot lead to the distortion of competition in trade in those goods or services in the State.
Train of thought
Data-sharing agreements are provided for under part 4 of the act. For public bodies, these agreements and the mechanics of entering into them are likely to involve a substantial amount of work.
It’s important that those responsible for making these arrangements make themselves familiar with the requirements now, so that they’re prepared when these sections are commenced.
Under section 19, the agreements must, among other requirements, specify:
- The information to be disclosed,
- The purpose of the data-sharing,
- The function of the public body concerned to which that purpose relates,
- The legal basis for the data-sharing and for any further processing, by the parties to the agreement, of the information to be disclosed under the agreement,
- Whether the impetus for the disclosure of information under the agreement will come from a data subject or a public body,
- Whether, where information is disclosed under the agreement, the disclosure will be of information in relation to individual data subjects or classes of data subjects,
- Whether the disclosure of information under the agreement will be on a once-off or ongoing basis,
- How the information to be disclosed is to be processed following its disclosure,
- What the related retention requirements are for the duration of the agreement and on its termination, and
- The security measures to be applied.
Where a data-protection impact assessment has been carried out in relation to the data-sharing, the parties must include a summary of the assessment in a schedule to the agreement. The agreement must also include a schedule with a statement summarising the analysis by the parties on the necessity and proportionality of the proposed disclosure.
I found someone
In addition to the sharing of personal data, the act also provides for the sharing of ‘business information’, the definition of which includes (among other things) details of a business’s annual turnover, net assets, and number of employees.
Section 34(3) permits Revenue to disclose business information that is taxpayer information (within the meaning of section 851A of the Taxes Consolidation Act 1997).
Another interesting element of the act is the provision for the designation of ‘base registries’ by the Minister for Public Expenditure.
These base registries are envisaged as being central registers of information gathered by public bodies that may be accessed by one or more other bodies, where necessary, to ensure consistency and efficiency when multiple bodies need to process the same personal data relating to service-users.
This is intended to avoid duplication and to reduce the administrative burden on service-users and public bodies. The registry must have a designated ‘owner’, responsible for ensuring that the personal data is accurate, relevant, and up to date. That owner must prepare a ‘terms-of-service’ agreement, setting out the rules for access.
In line with the principles of the GDPR and the objectives of the Public Service Data Strategy 2019-2023, part 8 of the act provides for the establishment of an IT system, referred to as a personal-data access portal.
This portal, to be established by the Minister for Public Expenditure, would enable citizens to exercise their GDPR rights in respect of personal data processed by public bodies, and view information relating to any data breaches involving their data.
Examples of the types of services to be provided on the portal include the ability to view the information and personal data held, and the data-sharing agreements under which it may be shared between public bodies.
The provision of this data-access portal would be a welcome advance for ‘eGovernment’ in Ireland, giving citizens an enhanced level of transparency and control in the State’s management of their personal data.
If I could turn back time
To oversee many of the requirements created under the act, part 9 provides for the establishment of a Data Governance Board. The board’s functions include the provision of advice to the minister, the promotion of compliance across public bodies, and the review of data-sharing agreements, in accordance with the procedure set out in sections 53 to 62 of the act.
The board’s membership is to be appointed by the minister, and must include at least two people not employed by a public-sector body. Once established, the board must provide an annual report to the minister on the performance of its functions.
In its guidance note on data sharing in the public sector, the Data Protection Commission noted the arrival of the act, while also reminding public bodies that the new requirements it creates are in addition to those bodies’ existing obligations under the GDPR and the Data Protection Acts 1988-2018.