On 5 July 2021, Her Majesty's Government of Gibraltar (HMGoG) published the Data Sharing (Public Authorities) Bill 2021 (the "Bill"). ISOLAS Partner James Montado and Associate Michael Adamberry were instructed by HMGoG to assist with the legislative drafting of this Bill, which aims to improve information sharing within the public sector in order to reduce duplication of tasks and alleviate the burden on data subjects having to provide the same information across different government departments when accessing public services.
Gibraltar's data protection legislation was recently revised following the end of the Brexit transition period, resulting in preservation of the EU's General Data Protection Regulation (Regulation (EU) 2016/679 or "EU GDPR") into Gibraltar law, but with certain modifications, resulting in the novel concept of the 'Gibraltar GDPR'. The Gibraltar GDPR, supplemented by the Data Protection Act 2004 ("DPA") and regulations made thereunder, now provides Gibraltar's data protection framework which dictates how information is to be processed, and imposes many restrictions on how it may be transmitted and shared. Although the modernised legislation allows for information sharing, there must be lawful basis for doing so; in other words, the law must provide valid gateways which take into account the privacy rights of natural persons.
How the Bill operates
If made law, the Bill will allow for the disclosure of information between certain 'specified persons' for certain 'specified objectives'. The list of specific persons is contained in Schedule 1 of the Bill, and notably extends beyond government departments to agencies, law enforcement bodies etc.
Specified objectives are similarly dealt with under Schedule 2, and under the current draft of the Bill are:
- the 'public administration objective'; and
- the 'well-being' objective'.
The public administration objective is the general aim of assisting, improving or facilitating the delivery of public services, which includes:
- avoidance of financial or administrative burdens on data subjects in providing the same information multiple times;
- reducing duplication of tasks;
- increasing efficiency for specified persons to carry out their functions;
- allowing for delivery of services via electronic means (e.g. eGov);
- verification of identity;
- identification and correction of errors;
- ensuring the right persons are obtaining the right services to prevent abuse by non-entitled persons through supervision, evaluation, and assessments which require efficient data exchange between specified persons; and
- analysis of the structure, functions, resources and service delivery methods of specified persons.
The well-being objective, as its name would suggest, aims to ensure users of public services derive the maximum benefit and endure the least burden, in order to ensure their overall well-being. This includes their physical and mental health, their emotional, social and economic well-being, or their living conditions.
In addition to the more general public administration and well-being objectives, the Bill also has more specific objectives (clauses 5, 6 and 7) which allow for disclosure of information between specified persons for the purposes of:
- taking of action (e.g. identifying, collecting or bringing proceedings etc.) in connection with a debt owed to a public authority or to the Crown;
- combatting fraud against the public sector which could involve actual loss to a public authority or exposure to a risk of loss; and
- research which is being or is to be carried out, and which is in the public interest.
The Bill aims to strike an appropriate balance between improvement of public service delivery and efficient sharing of information, whilst preserving the fundamental rights and freedoms of natural persons under the data protection legislation referred to above.
In terms of information sharing for research purposes, further safeguards have been built in, requiring data to be anonymised and that persons involved in processing information take reasonable steps to avoid accidental or deliberate data breaches.
Part 3 of the Bill adds further safeguards, to ensure that privacy obligations are properly considered prior to any information sharing. For example, clause 9 requires persons to consider whether there may be a restriction on disclosure imposed by law. As an example, consider that more sensitive types of personal data are subject to further safeguards under DPA and Gibraltar GDPR. Clause 10 also requires specified persons to have regard to any codes of practice issued by the Information Commissioner under DPA, being the Gibraltar Regulatory Authority ("GRA"). Clause 11 prevents onward disclosures of personal information unless one or more of the gateways in clause 11(2) applies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.