The Data Sharing and Governance Act 2019 (the "Act") passed into law on 4 March 2019 (but has yet to be fully commenced as of the date of this publication).
Arising from the Act public bodies may share personal data for certain purposes (set out below), subject to administrative and technical requirements, such as the execution of an approved data sharing agreement.
Oversight of these arrangements will be provided by a newly established Data Governance Board ("Board").
The Act also envisages the creation of an online portal to allow individuals to exercise their rights in relation to their personal data and access information on data breaches.
Data sharing principles
Under the current law, public bodies are generally only permitted to disclose information where there is an obligation under Irish or EU law that permits or requires data sharing. Pursuant to the Act, public bodies may share personal data (including personal data of deceased persons) where the disclosure is for the purpose of performing one of their functions, and¸ where necessary and proportionate, for one of the following purposes:
- to verify the identity of a person;
- to identify and correct erroneous information held;
- to avoid the financial or administrative burden that would otherwise be imposed were a public body to collect the personal data directly from a person as compared to retrieving the information from another body;
- to establish the entitlement of a person to a service on the basis of information previously provided by that person to another body;
- to facilitate the improvement or targeting of a service, programme or policy to be delivered or implemented;
- to enable the evaluation, oversight or review of a service, programme or policy; or
- to facilitate an analysis of the structure, functions, resources and service delivery methods of either public body.
The same considerations underpin a provision in the Act allowing the sharing between public bodies of certain business information such as number of employees, turnover and net assets.
Importantly, personal data may only be shared in the manner set out above, if (a) the provisions of the General Data Protection Regulation ("GDPR") are respected; and (b) a data sharing agreement is put in place between the public bodies. This agreement is subject to public consultation and review and approval by the Board.
The Minister for Public Expenditure and Reform ("Minister") may also direct a public body to disclose certain information to another public body and request personal and non-personal data from public bodies for public pension-related purposes.
Creation of shared databases
To further facilitate the sharing and access of information the Act allows the Minister to designate a database as a "base registry" which may be accessed by other public bodies only:
- when necessary to ensure the consistency and accuracy of information frequently used by public bodies in the exercise of their functions;
- to avoid the burden that that would otherwise be imposed were a public body to collect the personal data directly from a person as compared to retrieving the information from another body; or
- to avoid the duplication of databases by public bodies.
Personal Data Access Portal
A new Personal Data Access Portal will allow a data subject to exercise their rights under the GDPR, view information in respect of their personal data and access any breach notifications that they may have received. A copy of any relevant data sharing agreements are also to be made available through this portal. However, the creation of the portal is at the discretion of the Minister and subject to the approval by Government, so a timeline for establishment is unclear.
How does this impact you/your organisation?
The inability of public bodies to rely on the legitimate interest lawful basis under the GDPR meant that in order to share data most public bodies had to rely on a lawful basis prescribed under Irish or EU law. This Act will expand the basis on which public bodies may share information (including personal data).
While not all public bodies are subject to the Act (the Central Bank of Ireland, An Post, ESB and RTÉ, among others, are exempt), in-scope public bodies should review their current data flows and begin to draft data sharing agreements mindful of the public consultation process and review procedure by the Board.
The Act is not fully commenced as the date of this publication. On 18 April 2019, the Minister commenced Part 5 of the Act which allows the Minister the ability to request from public bodies certain information about public pension members. It is unclear when the other provisions of the Act will be commenced.
Once fully commenced the Act may benefit both the public and businesses alike by improving public digital services as well as increasing the efficient and effective use of data by public bodies.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.