Data Sharing and Governance Act 2019
| ||
Number 5 of 2019 | ||
DATA SHARING AND GOVERNANCE ACT 2019 | ||
CONTENTS | ||
Preliminary and General | ||
Application of Act | ||
5. Application of Act to special categories of personal data | ||
6. Interaction with Data Protection Acts and General Data Protection Regulation | ||
Regulation of Data-sharing | ||
Data-sharing Agreements | ||
Public service information | ||
26. Administration of pre-existing public service pension schemes | ||
Business Information | ||
Base Registries | ||
Personal Data Access Portal | ||
Data Governance | ||
Data Governance Board | ||
Review of Data Sharing Agreements | ||
Governance | ||
Miscellaneous | ||
73. Amendment of Ministers and Secretaries (Amendment) Act 2011 | ||
Bodies to which definition of “public body” does not apply | ||
Acts Referred to | ||
Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 (No. 24) | ||
Civil Registration Act 2004 (No. 3) | ||
Civil Service Regulation Act 1956 (No. 46) | ||
Communications Regulation (Postal Services) Act 2011 (No. 21) | ||
Companies Act 2014 (No. 38) | ||
Comptroller and Auditor General Acts 1866 to 1998 | ||
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6) | ||
Criminal Law Act 1976 (No. 32) | ||
Data Protection Act 2018 (No. 7) | ||
Data Protection Acts 1988 to 2018 | ||
Education Act 1998 (No. 51) | ||
Electronic Commerce Act 2000 (No. 27) | ||
Employment Equality Act 1998 (No. 21) | ||
Family Law (Divorce) Act 1996 (No. 33) | ||
Family Law Act 1995 (No. 26) | ||
Interpretation Act 2005 (No. 23) | ||
Irish Human Rights and Equality Commission Act 2014 (No. 25) | ||
Local Government Act 2001 (No. 37) | ||
Offences against the State Acts 1939 to 1998 | ||
Public Service Pensions (Single Scheme and Other Provisions) Act 2012 (No. 37) | ||
Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7) | ||
Statistics Act 1993 (No. 21) | ||
Taxes Consolidation Act 1997 (No. 39) | ||
Vital Statistics and Births, Deaths and Marriages Registration Act 1952 (No. 8) | ||
| ||
Number 5 of 2019 | ||
DATA SHARING AND GOVERNANCE ACT 2019 | ||
An Act to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish the Data Governance Board; to amend the Taxes Consolidation Act 1997 ; to amend the Social Welfare Consolidation Act 2005 ; to amend the Ministers and Secretaries (Amendment) Act 2011 ; to amend the National Shared Services Office Act 2017 ; and to provide for related matters. | ||
[4th March, 2019] | ||
Be it enacted by the Oireachtas as follows: | ||
PART 1 Preliminary and General | ||
Short title and commencement | ||
1. (1) This Act may be cited as the Data Sharing and Governance Act 2019. | ||
(2) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions. | ||
Definitions | ||
2. In this Act— | ||
“Act of 1997” means the Taxes Consolidation Act 1997 ; | ||
“Act of 2005” means the Social Welfare Consolidation Act 2005 ; | ||
“Act of 2014” means the Companies Act 2014 ; | ||
“base registry” means a database which is designated as such in an order made under section 37 (1); | ||
“base registry owner” means a public body specified as such in respect of a base registry in an order made under section 37 (1); | ||
“Board” has the meaning assigned to it by section 45 (1); | ||
“company” means a company formed and registered under the Act of 2014 or an existing company within the meaning of that Act; | ||
“controller” has the same meaning as it has in the General Data Protection Regulation; | ||
“data protection impact assessment” means an assessment carried out for the purposes of Article 35 of the General Data Protection Regulation; | ||
“data protection law” means— | ||
(a) the Data Protection Acts 1988 to 2018, | ||
(b) the General Data Protection Regulation, | ||
(c) all law of the State giving further effect to the General Data Protection Regulation, and | ||
(d) all law of the State giving effect or further effect to Directive 2016/680; | ||
“data protection officer” in respect of a public body, means the person designated in accordance with Article 37 of the General Data Protection Regulation; | ||
“data-sharing” shall be construed in accordance with section 9 ; | ||
“data-sharing agreement” means an agreement between two or more public bodies which provides for the disclosure of information by one or more of the parties to the agreement to one or more of the other parties to the agreement; | ||
“data subject” has the same meaning as it has in the General Data Protection Regulation; | ||
“database” has the same meaning as it has in the Copyright and Related Rights Act 2000 ; | ||
“Directive 2016/680” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA1 ; | ||
“enactment” has the same meaning as it has in the Interpretation Act 2005 ; | ||
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC2 ; | ||
“information” includes data; | ||
“information system” has the same meaning as it has in the Electronic Commerce Act 2000 ; | ||
“lead agency” has the meaning assigned to it by section 21 ; | ||
“Minister” means the Minister for Public Expenditure and Reform; | ||
“personal data” has the same meaning as it has in the General Data Protection Regulation; | ||
“prescribed” means prescribed by regulations made by the Minister under section 3 (1); | ||
“processing” has the same meaning as it has in the General Data Protection Regulation; | ||
“public body” shall be construed in accordance with section 10 ; | ||
“public service pension scheme” has the same meaning as it has in Part 4 of the Public Service Pay and Pensions Act 2017 ; | ||
“special categories of personal data” means information referred to in Article 9(1) of the General Data Protection Regulation. | ||
Regulations and Orders | ||
3. (1) The Minister may by regulations provide for any matter referred to in this Act as prescribed or to be prescribed. | ||
(2) Without prejudice to any provision of this Act, regulations under this section may contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of the regulations. | ||
(3) Every order (other than an order under section 1 (2)) and regulation under this Act shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the order or regulation is passed by either such House within the next 21 days on which that House sits after the order or regulation is laid before it, the order or regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder. | ||
Expenses | ||
4. The expenses incurred by the Minister in the administration of this Act shall be paid out of monies provided by the Oireachtas. | ||
PART 2 Application of Act | ||
Application of Act to special categories of personal data | ||
5. This Act, other than Part 5, Part 8 and Chapter 3 of Part 9, shall not apply to special categories of personal data. | ||
Interaction with Data Protection Acts and General Data Protection Regulation | ||
6. (1) Subject to subsections (2) and (3), nothing in this Act shall affect the operation of data protection law. | ||
(2) Section 38 of the Data Protection Act 2018 shall not apply to the disclosure of information by one public body to another public body. | ||
(3) Regulations made under section 38 (4) of the Data Protection Act 2018 shall not constitute an enactment under which specific provision is made permitting or requiring data-sharing for the purpose of sections 13 (1), 15 (1) or 34(1). | ||
Interaction with Social Welfare Consolidation Act 2005 | ||
7. (1) Subject to subsection (2), this Act, other than Part 5 and Chapter 3 of Part 9, does not affect the operation of the Act of 2005. | ||
(2) Notwithstanding section 262(6)(b) of the Act of 2005, a specified body (in this section referred to as the “first mentioned specified body”) may, subject to subsection (3), disclose the information comprised in a person’s public service identity to another specified body (in this section referred to as the “second mentioned specified body”), where the information is disclosed in accordance with this Act. | ||
(3) The first mentioned specified body may not disclose the information comprised in a person’s public service identity to the second mentioned specified body for the purpose specified in section 13 (2)(a)(ii)(VIII). | ||
(4) The reference in subsections (2) and (3) to the disclosure of the information referred to in those subsections includes the accessing of that information by the second mentioned specified body where that information is contained in a base registry in respect of which the first mentioned specified body is the base registry owner. | ||
(5) In this section— | ||
“specified body” has the same meaning as it has in section 262 of the Act of 2005; | ||
“public service identity” has the same meaning as it has in section 262 of the Act of 2005, subject to the modification that the reference, in the definition of that phrase in subsection (1) of that section, to information specified in subsection (3) of that section shall not include a reference to special categories of personal data. | ||
Interaction with other enactments | ||
8. (1) Subject to section 34 (3), nothing in this Act shall affect the operation of section 851A of the Act of 1997. | ||
(2) Subject to section 64 (3), this Act shall not apply to information— | ||
(a) collected for statistical purposes in accordance with the Statistics Act 1993 , or | ||
(b) disclosed in accordance with regulations made under section 2 of the Vital Statistics and Births, Deaths and Marriages Registration Act 1952 . | ||
(3) This Act, other than Chapter 3 of Part 9, shall not apply to the disclosure of information under the Civil Registration Act 2004 . | ||
Data-sharing: meaning | ||
9. (1) In this Act, “data-sharing” means the disclosure of information, including personal data, by a public body to another public body. | ||
(2) For the purposes of this Act, an addition or change to the information held on an information system under the control of a public body that results automatically from an addition or change to information held on an information system under the control of another public body, is deemed to be a disclosure by the second mentioned public body to the first mentioned public body of the information so added or changed on the information system under the control of the first mentioned public body. | ||
Public body: meaning | ||
10. (1) In this Act, “public body” means— | ||
(a) a Minister of the Government, | ||
(b) the Attorney General, | ||
(c) the Comptroller and Auditor General, | ||
(d) the Revenue Commissioners, | ||
(e) the Commissioners of Public Works in Ireland, | ||
(f) the Commissioner of Valuation, | ||
(g) the Garda Síochána, | ||
(h) the Defence Forces, | ||
(i) a local authority for the purposes of the Local Government Act 2001 , | ||
(j) the Health Service Executive, | ||
(k) an education and training board, | ||
(l) a recognised school established and maintained by an education and training board, | ||
(m) a board of a recognised school established and maintained by an education and training board, | ||
(n) a body (other than an exempted body) established— | ||
(i) by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act), or | ||
(ii) under the Act of 2014, or a former enactment relating to companies within the meaning of section 5 of that Act, in pursuance of powers conferred by or under another enactment, and financed wholly or partly by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, | ||
in respect of which a public service pension scheme exists or applies or may be made, | ||
(o) a body (other than an exempted body) that is wholly or partly funded directly or indirectly out of moneys provided by the Oireachtas or from the Central Fund or the growing produce of that Fund and in respect of which a public service pension scheme exists or applies or may be made, | ||
(p) any subsidiary of, or company controlled (within the meaning given by section 10 of the Act of 1997) by, a body to which paragraph (i), (j), (k), (n) or (o) relates and in respect of which a public service pension scheme exists or applies or may be made, and | ||
(q) any other body specified in an order made under subsection (4). | ||
(2) The Minister may, with the consent of the Minister of the Government in whom functions in relation to that body are vested and having had regard to the matters referred to in subsection (3), by order exempt a body that would otherwise be included in the definition of “public body” in subsection (1). | ||
(3) The Minister shall, prior to making an order under subsection (2), have regard to whether— | ||
(a) the body proposed to be specified in the order is engaged for gain in the production, supply or distribution of goods or the provision of a service, and | ||
(b) the use by that body of information disclosed to it by a public body could lead to the distortion of competition in trade in any goods or services in the State or in any part of the State. | ||
(4) The Minister may, at the request of a body that would not otherwise be included in the definition of “public body” in subsection (1) and with the consent of the Minister of the Government in whom functions in relation to that body are vested, by order designate that body as a public body where— | ||
(a) that body is financed wholly or partly, whether directly or indirectly, by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, and | ||
(b) the Minister is satisfied that the principal activity of the body is the delivery of services to the public under an agreement with a public body. | ||
(5) In this section— | ||
“Act of 1998” means the Education Act 1998 ; | ||
“board” has the same meaning as it has in the Act of 1998; | ||
“education and training board” means an education and training board established under section 9 of the Education and Training Boards Act 2013 ; | ||
“exempted body” means— | ||
(a) a body specified or referred to in the Schedule , | ||
(b) a body specified in an order made under subsection (2), | ||
(c) a recognised school (other than a recognised school referred to in subsection (1)(l)), | ||
(d) a board (other than a board referred to in subsection (1)(m)), and | ||
(e) a management committee established under section 37(3) of the Act of 1998; | ||
“recognised school” has the same meaning as it has in the Act of 1998. | ||
Deceased persons | ||
11. Unless the context otherwise requires— | ||
(a) a reference in this Act to a person includes a reference to a deceased person, and | ||
(b) a reference in this Act to personal data or special categories of personal data includes a reference to the personal data or special categories of personal data, as the case may be, of a deceased person. | ||
Exclusions | ||
12. (1) This Act shall not apply to data-sharing for the purposes of— | ||
(a) the prevention, detection or investigation of offences, | ||
(b) the apprehension or prosecution of offenders, | ||
(c) the imposition or execution of a fine or sentence of imprisonment, | ||
(d) the exercise of the functions of the Criminal Assets Bureau, | ||
(e) protecting the security of the State including, but not limited to, the following: | ||
(i) preventing, detecting and investigating offences under the Offences against the State Acts 1939 to 1998, the Criminal Law Act 1976 , the Criminal Justice (Terrorist Offences) Act 2005 and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 ; | ||
(ii) protecting the State from— | ||
(I) espionage, | ||
(II) sabotage, | ||
(III) unlawful acts that subvert or undermine, or are intended to subvert or undermine, parliamentary democracy or the institutions of the State, and | ||
(IV) acts of foreign interference that are, or are intended to be, detrimental to the interests of the State and are clandestine or deceptive or involve a threat to any person, | ||
whether directed from, or committed or intended to be committed within, the State or not, | ||
(f) identifying foreign capabilities, intentions or activities within or relating to the State that impact on the international or economic well-being of the State, | ||
(g) co-operating with authorities in other states and international organisations aimed at preserving international peace, public order and security, | ||
(h) the defence of the State, or | ||
(i) the international relations of the State. | ||
(2) Subject to Part 5, this Act shall not apply to the disclosure by a public body to another public body of the personal data of a data subject for the internal administrative purposes of the first or second mentioned public body. | ||
(3) The reference in subsection (2) to internal administrative purposes includes a reference to purposes relating to the employment of the data subject concerned. | ||
PART 3 Regulation of Data-sharing | ||
Data-sharing: requirements | ||
13. (1) This section applies to the disclosure of personal data by a public body to another public body, where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing. | ||
(2) A public body may disclose personal data to another public body, in a case in which this section applies to such disclosure, only where— | ||
(a) the personal data concerned is disclosed— | ||
(i) for the purpose of the performance of a function of the first or second mentioned public body, and | ||
(ii) for one or more of the following purposes: | ||
(I) to verify the identity of a person, where the first or second mentioned public body is providing or proposes to provide a service to that person; | ||
(II) to identify and correct erroneous information held by the first or second mentioned public body; | ||
(III) to avoid the financial or administrative burden that would otherwise be imposed on a person to whom a service is being or is to be delivered by the first or second mentioned public body were the second mentioned public body to collect the personal data directly from that person; | ||
(IV) to establish the entitlement of a person to the provision of a service being delivered by the first or second mentioned public body, on the basis of information previously provided by that person to the first mentioned public body (or another public body that previously disclosed the information to the first mentioned public body); | ||
(V) to facilitate the administration, supervision and control of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body; | ||
(VI) to facilitate the improvement or targeting of a service, programme or policy delivered or implemented or to be delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body; | ||
(VII) to enable the evaluation, oversight or review of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body; | ||
(VIII) to facilitate an analysis of the structure, functions, resources and service delivery methods of the first or second mentioned public body, | ||
(b) the personal data concerned is disclosed under and in accordance with a data-sharing agreement in compliance with Part 4, | ||
(c) the first and second mentioned public body— | ||
(i) comply with the rules, procedures and standards, if any, prescribed under section 64 , | ||
(ii) have regard to the guidelines, if any, issued under section 65 , and | ||
(iii) where subsection (3) of section 66 applies, comply with that subsection, | ||
(d) in a case in which the second mentioned public body is engaged for gain in the production, supply or distribution of goods or the provision of services, the use by that public body of the personal data could not lead to the distortion of competition in trade in those goods or services in the State or in any part of the State, | ||
(e) the personal data concerned has been lawfully obtained and held by the first mentioned public body, and | ||
(f) the personal data concerned is disclosed in accordance with the other provisions of this Act applicable to a disclosure of personal data to which this section applies and any other enactment or law of the European Union applicable to the first or second mentioned public body, and | ||
(g) the disclosure of the personal data is— | ||
(i) necessary for the performance of the functions in relation to which the information is being disclosed, and | ||
(ii) proportionate in the context of the performance of those functions and the effects of the disclosure on the rights of the data subjects concerned. | ||
(3) Subsection (2)(b) shall not apply to the disclosure of personal data under Part 5. | ||
Directions | ||
14. (1) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to a public body to which the Minister proposes to issue a direction are vested, and having had regard to the matters referred to in subsection (8), direct one or more public bodies to disclose information to one or more other public bodies. | ||
(2) A direction under subsection (1) shall specify the public bodies to which it applies and the information to be disclosed. | ||
(3) A direction under subsection (1) may specify conditions in accordance with which specified information is to be disclosed. | ||
(4) Where a direction under subsection (1) specifies conditions in accordance with which specified information is to be disclosed, those conditions shall be reflected in a data-sharing agreement relating to the disclosure of the information specified in the direction. | ||
(5) Part 4 shall not apply to a data-sharing agreement referred to in subsection (4) unless section 13 applies to the disclosure to which the direction concerned relates. | ||
(6) The Minister shall not issue a direction to a public body under subsection (1) if— | ||
(a) the disclosure of the information concerned is prohibited by a law of the European Union or any enactment, or | ||
(b) compliance with the direction would result in a public body being in breach of this Act, another enactment or a law of the European Union. | ||
(7) Prior to issuing a direction under subsection (1), the Minister shall consult with the public bodies concerned, as well as such other Minister of the Government, if any, as the Minister considers appropriate having regard to the functions of that other Minister. | ||
(8) The Minister, shall for the purposes of subsection (1), have regard to whether the disclosure of the information concerned would— | ||
(a) assist in the carrying out of a function of one or more of the public bodies concerned by— | ||
(i) reducing the duplication of tasks carried out by one or more public bodies, | ||
(ii) increasing the efficiency of a public body in carrying out that function, or | ||
(iii) facilitating an improvement in the quality of services being delivered, | ||
(b) assist a public body in verifying the identity of a person receiving a service being delivered by the public body, | ||
(c) assist in the identification or correction of any erroneous information held by one or more of the public bodies concerned, | ||
(d) reduce the need for a person to provide the same information to more than one public body, | ||
(e) assist a public body in establishing the entitlement of a person to a service being delivered by the public body, | ||
(f) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented, as the case may be, by a public body, | ||
(g) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented, as the case may be, by a public body, | ||
(h) enable the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body, or | ||
(i) facilitate an analysis of the structure, functions, resources and service delivery methods of a public body. | ||
(9) A public body to which a direction under subsection (1) applies shall comply with the direction. | ||
(10) Where, following the issue of a direction under subsection (1)— | ||
(a) the disclosure of the information concerned becomes prohibited by a law of the European Union or any enactment, or | ||
(b) compliance with the direction would result in a public body being in breach of this Act, another enactment or a law of the European Union, | ||
the direction shall, subject to subsection (11), cease to have effect. | ||
(11) Where the Data Protection Commission, in exercise of its powers under Article 58(2)(f) of the General Data Protection Regulation, imposes a temporary limitation on a disclosure of information in accordance with a direction under subsection (1), the direction shall cease to have effect until the expiry of that temporary limitation. | ||
PART 4 Data-sharing Agreements | ||
Application (Part 4) | ||
15. (1) Subject to subsection (2), this Part applies to the disclosure of personal data by a public body to another public body where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing. | ||
(2) This Part does not apply to the disclosure of personal data under Part 5. | ||
Obligation to enter into data-sharing agreement | ||
16. A public body shall, in a case in which this Part applies to such disclosure, enter into a data-sharing agreement with the public body to which it proposes to disclose personal data prior to commencing that disclosure. | ||
Formal requirements | ||
17. A data-sharing agreement shall be in writing. | ||
Accession to data-sharing agreement | ||
18. (1) A public body that was not a signatory to a data-sharing agreement on its date of execution may accede to the agreement by executing an accession agreement to the data-sharing agreement. | ||
(2) An accession agreement referred to in subsection (1) shall be executed, on behalf of the public bodies who were parties to the data-sharing agreement concerned immediately prior to the execution of the accession agreement, by the lead agency specified in that data-sharing agreement in accordance with section 21 (1). | ||
(3) A lead agency specified in a data-sharing agreement in accordance with section 21 (1) shall notify the Board prior to executing an accession agreement to that data-sharing agreement. | ||
Content of data-sharing agreement | ||
19. (1) A data-sharing agreement shall— | ||
(a) specify the names of the parties to the agreement in a schedule to the agreement, | ||
(b) specify the information to be disclosed, | ||
(c) specify the purpose of the data-sharing, | ||
(d) specify the function of the public body concerned to which the purpose referred to in paragraph (c) relates, | ||
(e) specify the legal basis for the data-sharing and for any further processing, by the parties to the agreement, of the information to be disclosed under the agreement, | ||
(f) specify whether the impetus for the disclosure of information under the agreement will come from a data subject or a public body, | ||
(g) specify whether, where information is disclosed under the agreement, the disclosure will be of information in relation to individual data subjects or classes of data subjects, | ||
(h) specify whether the disclosure of information under the agreement will be on a once-off or ongoing basis, | ||
(i) specify how the information to be disclosed is to be processed following its disclosure, | ||
(j) specify any restrictions on the disclosure of information after the processing referred to in paragraph (i), | ||
(k) include an undertaking by the parties to the agreement to comply with Article 5 of the General Data Protection Regulation in disclosing information under the agreement, | ||
(l) where a data protection impact assessment has been carried out in relation to the data-sharing, include a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation in a schedule to the agreement, | ||
(m) specify the security measures to apply to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures, | ||
(n) specify the requirements in relation to the retention of— | ||
(i) the information to be disclosed, and | ||
(ii) the information resulting from the processing of that information, | ||
for the duration of the agreement and in the event that the agreement is terminated, | ||
(o) specify the method to be employed to destroy or delete— | ||
(i) the information to be disclosed, and | ||
(ii) the information resulting from the processing of that information, | ||
at the end of the period for which the information is to be retained in accordance with the agreement, | ||
(p) specify the procedure in accordance with which a party may withdraw from the agreement, | ||
(q) include such other matters as may be prescribed under subsection (2), | ||
(r) include in a schedule to the agreement a statement summarising the analysis of the parties in relation to the extent to which— | ||
(i) the disclosure of the information is necessary for the performance of the functions in relation to which the information is being disclosed, and | ||
(ii) the disclosure and safeguards applicable to that disclosure are proportionate in the context of the performance of those functions and the effects of the disclosure on the rights of the data subjects concerned. | ||
(2) The Minister may prescribe matters, in addition to those listed in subsection (1), to be included in a data-sharing agreement where he or she is satisfied that the inclusion of those matters would— | ||
(a) be consistent with Article 5(1) of the General Data Protection Regulation, and | ||
(b) (i) improve transparency as regards the sharing of information by public bodies, or | ||
(ii) facilitate good governance in the sharing of information by public bodies. | ||
(3) A data-sharing agreement may provide for matters in addition to those listed in subsection (1). | ||
Review of operation of data-sharing agreement | ||
20. (1) The parties to a data-sharing agreement shall review the operation of the agreement on a regular basis, with each such review being carried out on a date that is not more than 5 years from— | ||
(a) in the case of the first such review under this subsection, the date on which the agreement came into effect in accordance with section 61 (in this section referred to as the “effective date”), and | ||
(b) in the case of each subsequent review under this subsection, the date of the previous review under this subsection. | ||
(2) A review under subsection (1) shall consider the impact of the technical, policy and legislative changes that have occurred since the date of the previous review under that subsection or, in the case of the first review under that subsection, the effective date. | ||
(3) Where the parties to a data-sharing agreement consider that it is appropriate following completion of a review under subsection (1), they shall prepare a draft amendment agreement to take account of the technical, policy and legislative changes that have occurred since the date of the previous review under that subsection or, in the case of the first review under that subsection, the effective date. | ||
(4) A draft amendment agreement prepared in accordance with subsection (3) shall be submitted for review in accordance with Chapter 2 of Part 9. | ||
Lead agency | ||
21. (1) A data-sharing agreement shall specify a party (in this Act referred to as the “lead agency”) to that agreement to be responsible for carrying out the functions set out in subsection (3). | ||
(2) Subject to section 38 (1)(e) and in default of agreement, the lead agency in respect of a data-sharing agreement shall— | ||
(a) where one of the parties only to the data-sharing agreement is a controller in respect of the information being or to be disclosed under that agreement, be that party, and | ||
(b) where more than one party to the data-sharing agreement is a controller in respect of the information being or to be disclosed under that agreement, be the controller nominated by those controllers to be the lead agency in respect of that agreement. | ||
(3) The lead agency shall— | ||
(a) where a public body that was not a signatory to the data-sharing agreement concerned on its date of execution accedes to the agreement in accordance with section 18 or where a party withdraws from the agreement, update the schedule referred to in section 19 (1)(a), | ||
(b) notify the parties to the data-sharing agreement concerned of any changes to the schedule referred to in section 19 (1)(a), | ||
(c) where a party that was the lead agency withdraws from the data-sharing agreement concerned, amend the agreement accordingly, and | ||
(d) publish a copy of the conclusions of a review of the data-sharing agreement concerned carried out under section 20 on a website maintained by it or on its behalf. | ||
(4) Where information in respect of a person is, or is believed by the person to be, included in the information disclosed or to be disclosed under a data-sharing agreement, that person may direct a request in relation to the exercise of a right of that person under Article 15, 16, 17, 18, 20 or 21 of the General Data Protection Regulation in respect of that information to the lead agency specified in that data-sharing agreement. | ||
(5) Where a lead agency receives a request in accordance with subsection (4), the lead agency shall— | ||
(a) where the lead agency is not a controller in respect of the information concerned, send the request to the controller, or | ||
(b) where the lead agency is a joint controller (within the meaning of Article 26 of the General Data Protection Regulation) in respect of the information concerned, send the request to the other joint controller, | ||
as soon as practicable following receipt of the request. | ||
Cessation | ||
22. (1) Where a data-sharing agreement expires or is terminated, the lead agency shall notify the Minister as soon as practicable after such expiration or termination, as the case may be. | ||
(2) Where the Minister receives a notification under subsection (1), the Minister shall— | ||
(a) publish, on a website maintained by him or her, a notification to the effect that the data-sharing agreement concerned has expired or has been terminated, as the case may be, and | ||
(b) ensure that where a copy of the data-sharing agreement concerned or documentation in relation thereto is accessed on the website maintained by the Minister that it is clear to the person accessing the information that the agreement concerned has expired or has been terminated, as the case may be. | ||
PART 5 Public service information | ||
Definitions (Part 5) | ||
23. (1) In this Part— | ||
“Act of 2010” means the Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 ; | ||
“Act of 2011” means the Ministers and Secretaries (Amendment) Act 2011 ; | ||
“Act of 2012” means the Public Service Pensions (Single Scheme and Other Provisions) Act 2012 ; | ||
“administration”, in relation to a pension scheme, includes the technical and organisational measures implemented by a public service body for the purposes of the administration of the scheme; | ||
“anonymised” in relation to personal data, means processed such that the personal data can no longer be attributed to a specific data subject; | ||
“child” has the same meaning as it has in Part 2 of the Act of 2012; | ||
“civil partner” shall be construed in accordance with section 3 of the Act of 2010; | ||
“former scheme member” means a person who was a member of a public service pension scheme during the period of his or her employment with a public service body, irrespective of whether or not an entitlement has vested in that person as a member of that scheme; | ||
“pension adjustment order” means an order under— | ||
(a) section 12 of the Family Law Act 1995 , | ||
(b) section 17 of the Family Law (Divorce) Act 1996 , | ||
(c) section 121 of the Act of 2010, or | ||
(d) section 187 of the Act of 2010; | ||
“pension scheme beneficiary” means a person, other than a scheme member, former scheme member or pensioner, who has or had an entitlement to a benefit under a public service pension scheme; | ||
“pension scheme membership information” means the information held by or on behalf of a public service body for the purposes of— | ||
(a) keeping full and proper account of the contributions paid or repaid under a public service pension scheme by a scheme member or a former scheme member, | ||
(b) keeping full and proper account of the benefits accrued by or restored to a scheme member or a former scheme member under a public service pension scheme, | ||
(c) keeping full and proper account of all benefits paid or payable to a scheme member, a former scheme member, a pensioner or any other pension scheme beneficiary under a public service pension scheme, | ||
(d) determining the eligibility of a person under a public service pension scheme, | ||
(e) calculating or recalculating the contributions and benefits referred to in paragraphs (a) and (b), or | ||
(f) the effective administration of a public service pension scheme; | ||
“pensioner” means a person who— | ||
(a) is entitled to the payment of a public service pension under a public service pension scheme, | ||
(b) has a preserved benefit under a public service pension scheme, or | ||
(c) is the surviving spouse, civil partner, cohabitant (or surviving former spouse, civil partner or cohabitant) or child of a scheme member or former scheme member who is entitled or may become entitled to the payment of a public service pension; | ||
“pre-existing public service pension scheme” has the same meaning as it has in Part 2 of the Act of 2012; | ||
“preserved benefit” has the same meaning as it has in the Public Service Superannuation (Miscellaneous Provisions) Act 2004 ; | ||
“pseudonymised” in relation to personal data, means processed such that the personal data can no longer be attributed to a specific data subject without the use of additional information, where such additional information is— | ||
(a) kept separately from the personal data, and | ||
(b) subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person; | ||
“public servant” means— | ||
(a) a person who is employed by, or holds any office or other position in, a public service body, | ||
(b) the President, | ||
(c) a Minister of the Government or Minister of State, | ||
(d) a member of Dáil Éireann, | ||
(e) a member of Seanad Éireann, | ||
(f) the holder of a judicial office, | ||
(g) the Comptroller and Auditor General, | ||
(h) a member of a local authority, or | ||
(i) any other person who is a member of a public service pension scheme; | ||
“public service body” has the same meaning as it has in Part 2 of the Act of 2012, subject to the modification that the reference to the Civil Service in the definition of “public service body” in section 5 of that Act shall be construed as a reference to a person or body whose employees are civil servants (within the meaning of the Civil Service Regulation Act 1956 ); | ||
“public service pension” means a periodic payment of a pension or other benefit by whatever name called, which is not a lump sum, payable to or in respect of a public servant or former public servant under a public service pension scheme; | ||
“relevant authority” has the same meaning as it has in Part 2 of the Act of 2012; | ||
“scheme member” means a public servant who is a member of a public service pension scheme, irrespective of whether or not an entitlement has vested in that public servant as a member of that scheme; | ||
“statutory pensions appeal” means a process provided for in an enactment for the resolution of a dispute in relation to an entitlement under a public service pension scheme; | ||
“transfer network” has the same meaning as it has in Part 2 of the Schedule to the Rules for Pre-existing Public Service Pension Scheme Members Regulations 2014 ( S.I. No. 582 of 2014 ). | ||
(2) For the purposes of this Part “cohabitant” has the meaning assigned to it in subsection (1) of section 172 of the Act of 2010 and, in determining whether or not 2 persons are cohabitants, regard shall be had to the circumstances that a court has to take into account under subsection (2) of that section. | ||
(3) In this Part a reference to an entitlement includes a reference to a past, present, future, actual or contingent entitlement. | ||
Application (Part 5) | ||
24. (1) Subject to subsection (2), this Part applies to— | ||
(a) personal data (other than special categories of personal data), and | ||
(b) information other than personal data. | ||
(2) This Part applies to special categories of personal data where the processing of the information concerned is for the purposes of— | ||
(a) the administration of a public service pension scheme, or | ||
(b) an actuarial valuation of a public service pension scheme. | ||
Administration of Single Public Service Pension Scheme | ||
25. (1) A relevant authority or an agent of that authority, where the information concerned is held by that agent, shall at the request of a Minister of the Government provide information referred to in subsection (2) to— | ||
(a) the Minister, for the purposes of— | ||
(i) the performance of a function of the Minister under the Act of 2012, | ||
(ii) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011, or | ||
(iii) the administration of the Single Public Service Pension Scheme, | ||
or | ||
(b) the Minister of the Government making the request (where that Minister of the Government is not the Minister) or another relevant authority, for the purposes of— | ||
(i) the performance of a function of that Minister or relevant authority under the Act of 2012, or | ||
(ii) the administration of the Single Public Service Pension Scheme. | ||
(2) The information to be provided under subsection (1) is the following information in respect of the Single Public Service Pension Scheme: | ||
(a) pension scheme membership information in respect of— | ||
(i) a scheme member, | ||
(ii) a former scheme member, | ||
(iii) a pensioner, | ||
(iv) a person who was, but is no longer, a pensioner, | ||
(v) a pension scheme beneficiary, or | ||
(vi) a person whose eligibility under a public service pension scheme is in the process of being determined; | ||
(b) such additional information as may be prescribed. | ||
(3) The Minister shall, when prescribing additional information under subsection (2)(b), have regard to whether the provision of such information to the Minister, another Minister of the Government or another relevant authority would— | ||
(a) reduce the duplication of tasks by relevant authorities or their agents, | ||
(b) increase the efficiency of a relevant authority in carrying out a function of that relevant authority, | ||
(c) improve the quality of services provided by a relevant authority to a scheme member, former scheme member, pensioner, pension scheme beneficiary or a person whose eligibility under a public service pension scheme is in the process of being determined, | ||
(d) improve the quality of information created, held and maintained by relevant authorities, | ||
(e) strengthen the accountability of relevant authorities in relation to the operation of the Single Public Service Pension Scheme, or | ||
(f) improve the quality of analysis and decision-making in relation to the Single Public Service Pension Scheme. | ||
Administration of pre-existing public service pension schemes | ||
26. (1) A public service body or an agent of that body, where the information concerned is held by that agent, shall at the request of a Minister of the Government provide information referred to in subsection (2) to— | ||
(a) the Minister, for the purposes of— | ||
(i) the performance of a function of the Minister under the Act of 2012, | ||
(ii) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011, | ||
(iii) the performance of a function of the Minister under an enactment relating to a pre-existing public service pension scheme, or | ||
(iv) the administration of a pre-existing public service pension scheme, | ||
or | ||
(b) the Minister of the Government making the request (where that Minister of the Government is not the Minister) or another public service body, for the purposes of— | ||
(i) the performance of a function of that Minister or public service body under an enactment relating to a pre-existing public service pension scheme, or | ||
(ii) the administration of a pre-existing public service pension scheme. | ||
(2) The information to be provided under subsection (1) is the following information in respect of a pre-existing public service pension scheme: | ||
(a) pension scheme membership information in respect of— | ||
(i) a scheme member, | ||
(ii) a former scheme member, | ||
(iii) a pensioner, | ||
(iv) a person who was, but is no longer, a pensioner, | ||
(v) a pension scheme beneficiary, or | ||
(vi) a person whose eligibility under a public service pension scheme is in the process of being determined; | ||
(b) information relating to— | ||
(i) a statutory pensions appeal of a decision made in relation to an entitlement under the scheme, | ||
(ii) an adjustment to the number of years of service of a person for the purposes of the calculation of an entitlement under the scheme, | ||
(iii) the operation of the transfer network, or | ||
(iv) the administration of a pension adjustment order, whether made or in respect of which an application has been or is proposed to be made, applying to an entitlement under the scheme; | ||
(c) such additional information as may be prescribed. | ||
(3) The Minister shall, when prescribing additional information under subsection (2)(c), have regard to whether the provision of such information to the Minister, another Minister of the Government or a public service body would— | ||
(a) reduce the duplication of tasks by public service bodies or their agents, | ||
(b) increase the efficiency of public service bodies in carrying out their functions, | ||
(c) improve the quality of services provided by a public service body to a scheme member, former scheme member, pensioner or pension scheme beneficiary, | ||
(d) improve the quality of information created, held and maintained by public service bodies, | ||
(e) strengthen the accountability of public service bodies in relation to the operation of pre-existing public service pension schemes, or | ||
(f) improve the quality of analysis and decision-making in relation to pre-existing public service pension schemes. | ||
Public service policy analysis | ||
27. (1) A public service body or an agent of that body, where the information concerned is held by that agent, shall at the request of the Minister provide information referred to in subsection (2) to the Minister for the purposes of— | ||
(a) the performance of a function conferred on or transferred to the Minister under section 8(3), 9(1)(a), 10 or 17 of the Act of 2011, | ||
(b) carrying out actuarial calculations in respect of public service pension schemes or public expenditure, | ||
(c) calculating the adjustment to the expenditure by a public service body consequent upon the implementation of a policy or proposed policy of the Government, | ||
(d) assessing the current and future staffing requirements of a public service body, | ||
(e) developing, and analysing the consequences of, a policy or proposed policy of the Government for the purposes of— | ||
(i) eliminating discrimination, | ||
(ii) promoting equality of opportunity and treatment, or | ||
(iii) protecting human rights, | ||
in public service bodies, or | ||
(f) carrying out an analysis of the structure, functions, resources and service delivery methods of a public service body. | ||
(2) The information to be provided under subsection (1) is the following: | ||
(a) the information referred to in section 25 (2)(a) and section 26 (2)(a) and (b); | ||
(b) demographic information relating to a public servant, including age, gender and any disclosed disability; | ||
(c) information relating to the employment of a public servant, including payment-related information and information relating to the public servant’s employer, contract of employment, length of service and grade; | ||
(d) such additional information as may be prescribed. | ||
(3) The Minister shall have regard to the following when prescribing additional information under subsection (2)(d): | ||
(a) the need to strengthen the accountability of public service bodies; | ||
(b) the need to improve the quality of decision-making of public bodies; | ||
(c) the need to promote an evidence-based approach to the development of policy; | ||
(d) the need to increase the efficiency of public service bodies in carrying out their functions; | ||
(e) the need to ensure adequate information is available to facilitate effective staffing requirements planning across the public service; | ||
(f) the need to facilitate trend analysis, scenario testing and forecasting in relation to— | ||
(i) the number of public servants, and | ||
(ii) expenditure on pay and pensions by public service bodies; | ||
(g) the need to ensure adequate information is available to develop, implement and monitor policies for the purposes of— | ||
(i) eliminating discrimination, | ||
(ii) promoting equality of opportunity and treatment, or | ||
(iii) protecting human rights, | ||
in public service bodies. | ||
(4) In paragraph (e) of subsection (1) and paragraph (g) of subsection (3)— | ||
“discrimination” shall be construed in accordance with section 6 of the Employment Equality Act 1998 ; | ||
“human rights” has the same meaning as it has in Part 3 of the Irish Human Rights and Equality Commission Act 2014 . | ||
Information requests | ||
28. A request under section 25 , 26 , or 27 may specify— | ||
(a) the classes of information required, | ||
(b) the period of time to which the information requested relates, | ||
(c) the format in which the information requested is to be provided, and | ||
(d) the date by which the information requested is to be provided. | ||
Data protection impact assessment | ||
29. The Minister shall, prior to prescribing any additional information to be provided under section 25 , 26 or 27 , carry out an assessment of the potential impact of the processing of that information on the protection of personal data. | ||
Anonymisation | ||
30. Where personal data is provided to the Minister under section 27 , it shall be anonymised or, where anonymisation of the information concerned would prevent the purpose for which the information is being provided from being achieved, pseudonymised, as soon as practicable following receipt of the information by the Minister. | ||
Pension scheme information systems | ||
31. (1) The Minister may establish a database comprising all of the information provided to the Minister under section 25 . | ||
(2) The Minister may establish an information system for any or all of the following purposes: | ||
(a) enabling a public service body to access information held on the database referred to in subsection (1); | ||
(b) facilitating the calculation of the entitlement or liability of a person under the Act of 2012; | ||
(c) administering entitlements and liabilities under the Act of 2012. | ||
(3) Where an information system referred to in subsection (2) is established, a public service body shall establish and maintain a connection between that information system and an information system under the control of the public service body in order to facilitate— | ||
(a) the transfer, from that public service body to the Minister, of information requested under section 25 , and | ||
(b) the querying by that public service body of the database referred to in subsection (1) and the database, if any, which is part of an information system referred to in subsection (2), and the provision of the results of such querying to that public service body. | ||
(4) The Minister may disclose information to a public service body through an information system referred to in subsection (2), or other secure means, for the purposes described in that subsection. | ||
(5) The Minister shall be the controller in respect of personal data stored on— | ||
(a) the database referred to in subsection (1), and | ||
(b) the database, if any, which is part of an information system referred to in subsection (2), | ||
for the purposes of the General Data Protection Regulation. | ||
Transparency | ||
32. The Minister shall publish, on a website maintained by him or her, the following in respect of information disclosed under this Part: | ||
(a) a description of the information provided; | ||
(b) the name of the public service body providing the information; | ||
(c) the provision of this Part under which the information is provided; | ||
(d) a description of the processing to which the information is subject; | ||
(e) a description of the restrictions, if any, which apply to the further disclosure of the information; | ||
(f) where a data protection impact assessment has been carried out in relation to the processing of the information, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation; | ||
(g) a description of the security measures applying to the processing of the information; | ||
(h) a description of the policies regarding the retention and destruction of the information; | ||
(i) whether or not the information will be anonymised or pseudonymised following disclosure under this Part; | ||
(j) such other details as the Minister considers necessary for the purposes of providing transparency with regard to the processing of the information. | ||
PART 6 Business Information | ||
Definitions (Part 6) | ||
33. (1) In this Part— | ||
“business information” means the following information in respect of an undertaking: | ||
(a) the unique business identifier number; | ||
(b) the registered name, if any; | ||
(c) the business or operating name, if any; | ||
(d) the address (including the postcode (if any) within the meaning of section 66 of the Communications Regulation (Postal Services) Act 2011 ) at which the undertaking carries on business or ordinarily resides; | ||
(e) the number, if any, allocated or issued by a public body under an enactment or law of the European Union; | ||
(f) the number, if any, assigned in a register held or maintained by a public body under an enactment or law of the European Union; | ||
(g) the legal form; | ||
(h) the number of employees, if any; | ||
(i) the annual turnover; | ||
(j) the net assets; | ||
(k) in respect of the principal activity carried on by the undertaking, the NACE classification code, if any, as determined in accordance with Regulation (EC) No. 1893/2006 of the European Parliament and of the Council of 20 December 20063 , as amended by Regulation (EC) No 295/2008 of the European Parliament and of the Council of 11 March 20084 and Regulation (EU) No 70/2012 of the European Parliament and of the Council of 18 January 201255 ; | ||
(l) in the case of a natural person, a partnership of natural persons or an unincorporated body of natural persons, the nationality of the person or persons, as the case may be; | ||
(m) in the case of a legal person, the state under the law of which the legal person was established; | ||
(n) such other information as may be prescribed by the Minister, having regard to the matters referred to in subsection (3); | ||
“net assets”, in relation to an undertaking, means the total assets of the undertaking less the total liabilities of the undertaking as shown in the financial statements of the undertaking; | ||
“turnover”, in relation to an undertaking, means the amounts of revenue derived from the provision of goods and services falling within the undertaking’s ordinary activities, after deduction of— | ||
(a) trade discounts, | ||
(b) value-added tax, and | ||
(c) any other taxes based on the amounts so derived, | ||
and, in the case of an undertaking whose ordinary activities include the making or holding of investments, includes the gross revenue derived from such activities; | ||
“undertaking” means— | ||
(a) a natural person or partnership of natural persons engaged for gain in the production, supply or distribution of goods or the provision of a service, | ||
(b) a body corporate, or | ||
(c) an unincorporated body of natural persons. | ||
(2) For the purposes of the definition of “business information” in subsection (1), a company shall be deemed to be ordinarily resident at its registered office, and every other body corporate and every unincorporated body shall be deemed to be ordinarily resident at its principal office or place of business. | ||
(3) The matters to which the Minister is to have regard for the purposes of paragraph (n) of the definition of “business information” in subsection (1) are whether the disclosure of the information concerned under section 36 would— | ||
(a) facilitate the carrying out of a function of a public body by— | ||
(i) reducing duplication of tasks carried out by one or more public bodies, | ||
(ii) increasing the efficiency of a public body in carrying out that function, or | ||
(iii) improving the quality of services provided or to be provided by the public body, | ||
(b) assist a public body in verifying the identity of a person receiving a service, | ||
(c) assist in the identification and correction of erroneous information held by a public body, | ||
(d) reduce the need for a person to provide the same information to more than one public body, | ||
(e) assist a public body in establishing the entitlement of a person to a service, | ||
(f) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body, | ||
(g) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body, or | ||
(h) facilitate the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body. | ||
Application (Part 6) | ||
34. (1) This Part applies to the disclosure of business information by a public body to another public body where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing. | ||
(2) Subject to subsection (3), this Part shall not affect the operation of any restriction or prohibition contained in another enactment or law of the European Union on the disclosure of business information. | ||
(3) The Revenue Commissioners may disclose business information that is taxpayer information (within the meaning of section 851A of the Act of 1997) in accordance with this Part. | ||
Allocation of unique business identifier number | ||
35. (1) The Minister may, for the purpose of uniquely identifying an undertaking, allocate and issue a number (to be known as the “unique business identifier number”) to that undertaking. | ||
(2) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to the public body are vested, by order delegate his or her functions under subsection (1) to a public body. | ||
Disclosure of business information | ||
36. A public body may disclose business information to another public body where the information is disclosed— | ||
(a) for the purpose of the performance of a function of the first or second mentioned public body, and | ||
(b) for one or more of the purposes specified in section 13 (2)(a)(ii). | ||
PART 7 Base Registries | ||
Designation of base registry | ||
37. (1) The Minister may, with the consent of such other Minister of the Government, if any, in whom functions in relation to the public body are vested, by order designate a database, the copyright in which is owned by a public body, as a base registry. | ||
(2) An order under subsection (1) shall specify— | ||
(a) the name of the base registry, | ||
(b) the public body that shall be the base registry owner in respect of the base registry, | ||
(c) the purpose for which the information in the base registry may be processed by a public body accessing the base registry, | ||
(d) the information to be contained in the base registry, and | ||
(e) the name and associated description of each field in the database. | ||
(3) The Minister may make an order under subsection (1) only if he or she is satisfied that it is necessary to do so for the purposes of— | ||
(a) ensuring the consistency and accuracy of information which is frequently used by public bodies in the performance of their functions, | ||
(b) avoiding the burden that would otherwise be imposed on a person to whom a service is being or is to be delivered by a public body if the information concerned was collected directly from that person, and | ||
(c) avoiding the duplication of databases maintained by public bodies. | ||
(4) The Minister shall, when making an order under subsection (1), have regard to whether the designation of the database concerned as a base registry would— | ||
(a) reduce the duplication of tasks carried out by public bodies, | ||
(b) increase the efficiency of public bodies in carrying out their functions, | ||
(c) improve the quality of services provided by public bodies, | ||
(d) assist a public body in verifying the identity of a person receiving a service being delivered or to be delivered by a public body, | ||
(e) reduce the need for a person to provide the same information to different public bodies, | ||
(f) assist a public body in establishing the entitlement of a person to a service being delivered or to be delivered by a public body, | ||
(g) facilitate the administration, supervision and control of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body, | ||
(h) facilitate the improvement or targeting of a service, programme or policy being delivered or implemented or to be delivered or implemented, as the case may be, by a public body, | ||
(i) facilitate the evaluation of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by a public body, | ||
(j) assist in ensuring that information held by one or more public bodies is up to date, or | ||
(k) assist in improving the accuracy of information held by one or more public bodies. | ||
Base registry owner | ||
38. (1) A base registry owner shall— | ||
(a) take all reasonable steps to ensure that the information contained in the base registry is— | ||
(i) accurate, | ||
(ii) up to date, and | ||
(iii) a complete record of the information specified in the order made under section 37 (1) relating to the base registry, | ||
(b) ensure that the information contained in the base registry may be accessed by a public body which requires access to that information for the purpose of the performance of a function of the public body, | ||
(c) put in place appropriate administrative and technical measures to control and monitor access to the base registry, | ||
(d) publish a description of the measures referred to in paragraph (c) on the website maintained by it, and | ||
(e) where the information contained in the base registry includes personal data, be the lead agency in respect of the data-sharing agreement relating to the disclosure of the information to public bodies accessing the information on the base registry. | ||
(2) In this section and sections 39 to 42 , a reference to a base registry is a reference to the base registry in respect of which the base registry owner concerned has been specified as such in an order made under section 37 (1). | ||
Processing of information | ||
39. A base registry owner shall have the power to process the information specified in an order made under section 37 (1) relating to a base registry where that information is processed for the purposes of complying with the obligations of the base registry owner under section 38 , notwithstanding that the base registry owner has no such power under another enactment or law of the European Union. | ||
Terms of service | ||
40. (1) A base registry owner shall prepare, with the consent of the Minister, following consultation with the Board, the form of an agreement (in this section referred to as a “terms of service”) specifying the terms and conditions in accordance with which access to a base registry is to be provided to a public body. | ||
(2) The Minister shall publish, on a website maintained by him or her, terms of service prepared in accordance with subsection (1). | ||
(3) A base registry owner and a public body accessing a base registry shall comply with the terms of service relating to that base registry. | ||
Access to information | ||
41. A base registry owner may, for the purposes of meeting its obligation under section 38 (1)(a)— | ||
(a) amend the information contained in a base registry, and | ||
(b) access information, held by another public body, specified in the order made under section 37 (1) relating to the base registry. | ||
Obligation to use base registry | ||
42. (1) Subject to subsection (3), where the information contained in a base registry meets the qualitative requirements of a public body in respect of the purpose for which it intends to use that information, the public body shall not collect such information for that purpose from a source other than the base registry, save where the information so collected is collected for the purposes of enabling that public body to access information on the base registry relating to the information so collected. | ||
(2) A base registry owner may appoint a public body for the purposes of subsection (3). | ||
(3) Where a base registry owner appoints a public body for the purposes of this subsection, that public body may collect information in respect of which the base registry concerned has been designated for the purposes of providing that information to the base registry owner in order to assist the base registry owner in complying with its obligations under section 38 (1)(a). | ||
(4) A public body that is required to access information stored in a base registry in accordance with subsection (1), or that provides information to a base registry owner in accordance with subsection (3), shall put in place the administrative and technical measures necessary to access or provide that information, as the case may be. | ||
PART 8 Personal Data Access Portal | ||
Application (Part 8) | ||
43. This Part applies to personal data (including special categories of personal data). | ||
Establishment of personal data access portal | ||
44. (1) The Minister may, with the approval of the Government, establish an information system for the purpose of enabling a data subject to— | ||
(a) exercise his or her rights under the General Data Protection Regulation, and | ||
(b) view information in relation to the personal data breaches, if any— | ||
(i) which affect his or her personal data, and | ||
(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation. | ||
(2) The information system referred to in subsection (1) shall incorporate a website (to be known as the “Personal Data Access Portal”) which may include facilities by means of which a data subject may— | ||
(a) view personal data relating to him or her held by a public body, together with the information relating to that personal data referred to in Article 15 of the General Data Protection Regulation, | ||
(b) view information in relation to the personal data breaches, if any— | ||
(i) which affect his or her personal data, and | ||
(ii) in respect of which a notification has been made for the purposes of Article 34(1) of the General Data Protection Regulation, | ||
(c) view a copy of a data-sharing agreement under which his or her personal data has been disclosed between public bodies, and | ||
(d) send a request to a public body in relation to the exercise by him or her of the rights provided for in Articles 15, 16, 17, 18, 19, 20 and 21 of the General Data Protection Regulation. | ||
(3) Where an information system referred to in subsection (1) includes a facility referred to in subsection (2) in respect of a public body, that public body shall use all reasonable endeavours to put in place and maintain technical and administrative measures for the purposes of— | ||
(a) enabling the provision of the information referred to in subsection (2)(a), (b) and (c) held by that public body to the information system referred to in subsection (1) for the purpose of allowing it to be viewed by the data subject to whom it relates, and | ||
(b) facilitating the sending of— | ||
(i) a request referred to in subsection (2)(d), and | ||
(ii) a response to such a request. | ||
(4) A public body may disclose information to the Minister through the information system referred to in subsection (1) for the purpose of— | ||
(a) providing the information referred to in subsection (2)(a), (b) or (c), or | ||
(b) facilitating or responding to a request referred to in subsection (2)(d). | ||
(5) Information shall not be disclosed in accordance with subsection (4) unless the data subject concerned has— | ||
(a) requested to view the information referred to in subsection (2)(a), (b) or (c), or | ||
(b) made a request referred to in subsection (2)(d), | ||
through the information system referred to in subsection (1). | ||
(6) The information disclosed in accordance with subsection (4) shall be stored on the information system referred to in subsection (1) only for so long as is necessary to facilitate the completion of the actions referred to in subsection (2). | ||
(7) A public body that discloses personal data to the Minister in accordance with subsection (4) shall be the controller in respect of that personal data for the purposes of the General Data Protection Regulation. | ||
(8) Nothing in this section shall be construed as requiring the disclosure of information in relation to a person to that person where the disclosure of that information to that person— | ||
(a) is prohibited under an enactment or a law of the European Union, or | ||
(b) may be restricted in accordance with an enactment or a law of the European Union. | ||
(9) In this section “personal data breach” has the same meaning as it has in the General Data Protection Regulation. | ||
PART 9 Data Governance | ||
Chapter 1 Data Governance Board | ||
Appointment of Board | ||
45. (1) The Minister shall, in accordance with section 47 , appoint a board to be known as the Data Governance Board (in this Act referred to as the “Board”). | ||
(2) Subject to this Act, the Board shall be independent in the performance of its functions. | ||
Functions of Board | ||
46. (1) The Board shall— | ||
(a) advise the Minister in relation to the prescribing of rules, procedures and standards under section 64 , | ||
(b) advise the Minister in relation to the preparation of guidelines under section 65 , | ||
(c) promote compliance by public bodies with guidelines issued under section 65 , | ||
(d) advise the Minister in relation to the monitoring of compliance by public bodies with rules, procedures and standards prescribed under section 64 and guidelines issued under section 65 , | ||
(e) review data-sharing agreements in accordance with Chapter 2, | ||
(f) advise the Minister in relation to the making of an order under section 37 (1), and | ||
(g) advise the Minister, on request, in relation to the performance of the functions of the Minister under this Act. | ||
(2) The Board may exercise its functions notwithstanding one or more vacancies in its membership. | ||
(3) The Board may regulate its own procedure. | ||
(4) The Minister shall provide such administration and support services to the Board as are necessary for the performance of the functions of the Board. | ||
(5) The Minister may enter into an arrangement for the provision of consultancy, advice or other services to the Board. | ||
Membership of Board and related matters | ||
47. (1) The Board shall consist of not less than 6 and not more than 12 members. | ||
(2) The members of the Board shall be appointed by the Minister. | ||
(3) The Minister, in appointing the members of the Board, shall ensure that the members are persons who have the necessary knowledge, experience and competence in relation to the functions of the Board, including in relation to the protection of personal data. | ||
(4) When appointing members of the Board, the Minister shall have regard to— | ||
(a) the objective that at least 40 per cent of members of the Board shall be women and at least 40 per cent shall be men, and | ||
(b) the guidelines, if any, prepared by the Minister in relation to appointments to boards of State bodies. | ||
(5) The Minister may, following consultation with the Minister, if any, in whom functions in relation to the public body are vested, appoint a person who is an employee of, or holds an office or other position in, a public body to be a member of the Board. | ||
(6) The Minister may appoint not less than 2 persons who are not employees of, or the holders of an office or other position in, a public body to be a member of the Board. | ||
(7) The Minister shall ensure, where practicable, that not less than one third of the members of the Board are appointed pursuant to subsection (6). | ||
(8) The Minister may from time to time appoint one member of the Board to act as its Chairperson. | ||
(9) The Minister shall determine the terms and conditions of appointment of a member of the Board on appointment. | ||
(10) Subject to subsection (11), each member of the Board shall hold office for 3 years from the date of his or her appointment. | ||
(11) A person’s appointment under subsection (5) shall be terminated with effect from the earlier of— | ||
(a) the date on which the person ceases to be employed by, or to hold an office or other position in, the public body concerned, and | ||
(b) the date that is 3 years from the date of their appointment. | ||
(12) A member of the Board whose term of office expires by the effluxion of time or whose appointment is terminated in accordance with subsection (11) shall be eligible for reappointment to the Board, but the total period of membership of the Board of a person shall not exceed 9 years. | ||
(13) A member of the Board who is not employed by, or does not hold an office or position in, a public body may be paid, out of moneys provided by the Oireachtas, such remuneration and allowances for vouched expenses incurred by the member as the Minister may determine. | ||
Committees | ||
48. (1) The Board may establish such committees as it considers necessary or desirable to advise it in the performance of its functions and may appoint such members to such a committee as it considers necessary. | ||
(2) A committee established under subsection (1) may include persons who are not members of the Board, but shall include not less than one member of the Board. | ||
(3) The Board shall determine the terms of reference and procedures of a committee established under subsection (1). | ||
(4) A member of a committee established under subsection (1) who is not a member of the Board may be paid, out of moneys provided by the Oireachtas, such remuneration and allowances for vouched expenses incurred by the member as the Minister may determine. | ||
(5) A committee established under subsection (1) shall prepare and submit a report on its activities to the Board on a regular basis. | ||
(6) A report prepared and submitted by the Board under section 52 shall include a summary of the activities of the committees, if any— | ||
(a) established under subsection (1), and | ||
(b) in existence in the period to which the report relates. | ||
(7) A committee established under subsection (1) may be dissolved by a resolution of the Board at any time and shall stand dissolved on the date that is 2 years from the date of its establishment, unless the Board resolves that the committee is to continue in existence. | ||
Disqualification from membership of Board | ||
49. A person shall cease to be qualified to become a member of, and shall cease to be a member of, the Board if he or she— | ||
(a) is nominated as a member of Seanad Éireann, | ||
(b) is elected as a member of either House of the Oireachtas or of the European Parliament, | ||
(c) is regarded pursuant to Part XIII of the Second Schedule to the European Parliament Elections Act 1997 as having been elected to the European Parliament, | ||
(d) is a Judge, Advocate General or Registrar of the Court of Justice of the European Union, | ||
(e) is a member of the Commission of the European Union, | ||
(f) is a member of the Court of Auditors of the European Union, | ||
(g) is appointed under the Constitution as a Judge or as the Comptroller and Auditor General, | ||
(h) becomes a member of a local authority, | ||
(i) becomes a Commissioner for Data Protection or a member of staff of the Data Protection Commission, | ||
(j) has not been issued with a tax clearance certificate in accordance with section 1095 of the Act of 1997 or has been issued with a tax clearance certificate under that section which has been rescinded under subsection (3A) of that section, | ||
(k) is undergoing a sentence of imprisonment for any term exceeding 6 months imposed by a court of competent jurisdiction in the State, | ||
(l) is disqualified or restricted from being a director of any company, or | ||
(m) is adjudicated bankrupt. | ||
Resignation from membership | ||
50. (1) A member of the Board may resign by notice in writing to the Chairperson or, where that member is the Chairperson, by notice in writing to the Minister. | ||
(2) A resignation under subsection (1) shall take effect on— | ||
(a) the date specified in the notice, or | ||
(b) where no date is specified in the notice, the date on which the Chairperson or Minister, as the case may be, receives the notice. | ||
(3) A person shall be taken to have resigned as a member of the Board where the person is absent, due to illness, from more than 50 per cent of the meetings of the Board held during a 12 month period commencing on the date of a meeting. | ||
(4) A resignation under subsection (3) shall take effect on the next day after the end of the 12 month period concerned. | ||
(5) A person who resigns as a member of the Board under this section also ceases on such resignation to be a member of any body to which he or she was elected, nominated or appointed by the Board. | ||
Casual vacancies | ||
51. If a member of the Board— | ||
(a) dies, | ||
(b) resigns, | ||
(c) ceases to be qualified for office and ceases to hold office, or | ||
(d) is removed from office in accordance with their terms and conditions of appointment, | ||
the Minister may appoint a person to be a member of the Board to fill the casual vacancy so occasioned in the same manner as the member of the Board who occasioned the casual vacancy was appointed. | ||
Reporting | ||
52. (1) The Board shall, not later than 30 June in each year, prepare and submit to the Minister a report on— | ||
(a) the performance by it of its functions under this Act, and | ||
(b) the matters, if any, on which advices have been provided to it by the committees, if any, established under section 48 (1), | ||
in the immediately preceding year, or, in the case of the period from the date the Board is first appointed to the next following 30 June, that period. | ||
(2) The Minister shall, as soon as may be after receiving a report under subsection (1)— | ||
(a) cause copies of it to be laid before each House of the Oireachtas, and | ||
(b) publish a copy of it on a publicly accessible website. | ||
Chapter 2 Review of Data Sharing Agreements | ||
Definitions (Chapter 2) | ||
53. In this Chapter— | ||
“designated lead agency”, in relation to a proposed agreement, means the public body specified as the lead agency therein; | ||
“proposed agreement” means— | ||
(a) a draft data-sharing agreement under which it is proposed that personal data will be disclosed following execution of the draft agreement, or | ||
(b) an existing data-sharing agreement, as amended by a draft amendment agreement, under which it is proposed that personal data will be, or will continue to be, disclosed following execution of the draft agreement; | ||
“proposed party”, in relation to a proposed agreement, means a public body that is proposed to be a party thereto. | ||
Exclusions (Chapter 2) | ||
54. This Chapter shall not apply to an amendment to a data-sharing agreement for the purpose of— | ||
(a) updating the schedule referred to in section 19 (1)(a), or | ||
(b) reflecting a change to the lead agency in accordance with section 21 (3)(c). | ||
Public consultation | ||
55. (1) Each of the proposed parties to a proposed agreement shall publish on a website accessible to the public— | ||
(a) a copy of the proposed agreement, | ||
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation, | ||
(c) where no data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the reasons why no data protection impact assessment has been carried out, | ||
(d) a statement from the data protection officer of each of the proposed parties to the effect that the data protection officer concerned— | ||
(i) has reviewed the proposed agreement, and | ||
(ii) is satisfied that compliance by the proposed parties with the terms of the proposed agreement would not result in a contravention of data protection law, | ||
(iii) is satisfied that the agreement is consistent with Article 5(1) of the General Data Protection Regulation, | ||
and | ||
(e) a notice— | ||
(i) stating that the proposed party is intending to enter into the proposed agreement, | ||
(ii) stating where, on a website accessible to the public, the documents referred to in paragraphs (a) to (d) can be accessed, | ||
(iii) inviting the making, during the period specified by the Board for this purpose, of submissions in relation to the proposed agreement to the designated lead agency, and | ||
(iv) stating the date of publication of the notice. | ||
(2) The proposed parties to a proposed agreement shall publish the information referred to in subsection (1) on the same date. | ||
(3) The designated lead agency concerned shall notify the Board of the publication of the information referred to in subsection (1). | ||
(4) The proposed parties to a proposed agreement shall consider the submissions, if any, made in response to the invitation referred to in subsection (1)(e)(iii) and may, where those proposed parties consider it appropriate, amend the proposed agreement concerned to take into account any such submissions. | ||
Submission of documentation and information to Board | ||
56. (1) The designated lead agency concerned shall, within the period specified by the Board for this purpose, submit the following to the Board: | ||
(a) a copy of the proposed agreement (as amended in accordance with section 55 (4), where applicable); | ||
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation; | ||
(c) the statements referred to in section 55 (1)(d); | ||
(d) such information as the Board may specify in relation to the submissions, if any, made in response to the invitation referred to in section 55 (1)(e)(iii). | ||
(2) The designated lead agency concerned shall provide such additional information relating to the proposed agreement as is requested by the Board, following receipt of the documentation referred to in subsection (1), within the period specified by the Board for this purpose. | ||
Review of data-sharing agreement | ||
57. (1) The Board shall review the documentation submitted under section 56 (1) and the additional information, if any, provided under section 56 (2). | ||
(2) The Board shall have regard to the following matters when carrying out a review under this section: | ||
(a) the extent to which the proposed agreement concerned complies with this Act; | ||
(b) the extent to which the proposed agreement concerned reflects the model agreement, if any, prepared or revised under section 66 (1) for the purpose of the enactment in connection with which the proposed agreement is to be entered into; | ||
(c) whether compliance by the proposed parties with the terms of the proposed agreement concerned would result in a contravention of data protection law; | ||
(d) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement concerned, the summary of the matters referred to in Article 35(7) of the General Data Protection Regulation submitted in accordance with section 56 (1)(b); | ||
(e) the extent to which the proposed agreement concerned complies with the orders and regulations, if any, made under this Act; | ||
(f) the provisions of the proposed agreement concerned relating to the security measures to apply to the transmission, storage and accessing of personal data; | ||
(g) the submissions, if any, made in response to the invitation referred to in section 55 (1)(e)(iii); | ||
(h) whether, in the opinion of the Board, the proposed agreement concerned is in the public interest. | ||
(3) The Board may, when carrying out a review under this section, consult with the Ministers of the Government, if any, in whom functions relating to the proposed parties to the proposed agreement concerned are vested and such other person as the Board considers appropriate having regard to the subject matter of the proposed agreement concerned. | ||
(4) The Board shall notify the designated lead agency concerned following completion of the Board’s review under this section. | ||
(5) A notification under subsection (4) shall— | ||
(a) specify the recommendations, if any, of the Board as regards amendments to the proposed agreement concerned, | ||
(b) where the Board is of the view that its recommendations concern substantive issues, state that the proposed agreement is to be submitted to the Board following amendment for further review under this section. | ||
(6) The proposed parties to the proposed agreement concerned shall take account of the recommendations, if any, notified to the designated lead agency under subsection (4) and amend the proposed agreement accordingly. | ||
Amendments following review | ||
58. Where a proposed agreement is amended following receipt of a notification under section 57 (4) containing the statement referred to in section 57 (5)(b), the designated lead agency shall submit the proposed agreement, as amended, to the Board and section 57 shall apply as if the amended agreement was documentation submitted under section 56 (1). | ||
Execution of agreement | ||
59. Where, following a review of a proposed agreement under section 57 — | ||
(a) the Board does not specify any recommendations in the notification given under section 57 (4) on foot of the review, or | ||
(b) the Board specifies recommendations in the notification given under section 57 (4) on foot of that review and the following conditions are met: | ||
(i) the notification does not contain the statement referred to in section 57 (5)(b); | ||
(ii) the proposed parties are satisfied that the amendments made by them to the proposed agreement take account of the recommendations in that notification, | ||
the proposed agreement may be executed by the proposed parties. | ||
Publication | ||
60. (1) The lead agency in respect of a data-sharing agreement shall send to the Minister— | ||
(a) within 10 days of the execution of the agreement, a copy of the agreement, and | ||
(b) within 10 days of the accession to or withdrawal from the agreement of any party, notification of such accession or withdrawal in writing. | ||
(2) The Minister shall cause copies of the documents received by him or her under subsection (1)— | ||
(a) to be laid before each House of the Oireachtas, and | ||
(b) to be sent to the Board. | ||
(3) The Minister shall publish, on a website maintained by him or her, a list of all documents received by him or her under subsection (1). | ||
(4) The lead agency in respect of a data-sharing agreement shall publish a copy of the agreement on the website maintained by it as soon as practicable after sending a copy of the agreement to the Minister in accordance with subsection (1). | ||
(5) The Board shall publish the following on the website maintained by it following receipt of a copy of the data-sharing agreement in accordance with subsection (2): | ||
(a) a copy of the agreement; | ||
(b) where a data protection impact assessment has been carried out in relation to the processing proposed to be undertaken under the proposed agreement, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation; | ||
(c) a copy of the recommendations, if any, made under section 57 (2). | ||
(6) The Minister shall, on request from a Committee, send a copy of a data-sharing agreement received by him or her under subsection (1) to that Committee. | ||
(7) In subsection (6), “Committee” means a Committee appointed by either House of the Oireachtas or jointly by both Houses of the Oireachtas, other than— | ||
(a) the Committee on Members’ Interests of Dáil Éireann or the Committee on Members’ Interests of Seanad Éireann, or | ||
(b) a subcommittee of a Committee referred to in paragraph (a). | ||
Effective date of agreement | ||
61. A data-sharing agreement under which it is proposed that personal data will be disclosed shall come into effect on the date of its publication in accordance with section 60 (4). | ||
Time periods and documentation | ||
62. (1) The Board shall specify— | ||
(a) the time periods referred to in section 55 (1)(e)(iii) and section 56 , and | ||
(b) the information to be submitted in accordance with section 56 (1)(d). | ||
(2) The time period specified by the Board for the purposes of section 55 (1)(e)(iii) shall not be less than 14 days. | ||
Chapter 3 Governance | ||
Application (Chapter 3) | ||
63. This Chapter applies to— | ||
(a) personal data (including special categories of personal data), and | ||
(b) information other than personal data. | ||
Rules, procedures and standards | ||
64. (1) The Minister may, for the purposes referred to in subsection (2), prescribe rules, procedures and standards in relation to— | ||
(a) the operation and use of base registries, | ||
(b) the accessing of personal data by persons— | ||
(i) employed by, or holding an office or other position in a public body, or | ||
(ii) employed by a person acting for or on behalf of a public body, | ||
(c) the recording of information relating to the accessing of personal data held by, or for or on behalf of, public bodies, | ||
(d) the management, preparation and publication of information for re-use by persons other than public bodies, | ||
(e) the processing of personal data by a public body designated in an order made under section 10 (4), | ||
(f) the conduct of data protection impact assessments by public bodies, and | ||
(g) other matters relating to the management of information held by public bodies. | ||
(2) The purposes referred to in subsection (1) are as follows: | ||
(a) to improve the quality and accuracy of information created, held and maintained by public bodies; | ||
(b) to promote increased sharing of information between public bodies in accordance with this Act and any other enactment providing for such sharing of information; | ||
(c) to ensure a consistent approach to the management of information by public bodies so as to facilitate the exchange of information between them; | ||
(d) to increase the usefulness of information held by public bodies for the purposes of— | ||
(i) performing their functions, | ||
(ii) modernising and developing public services, | ||
(iii) evaluating the effectiveness of services provided by public bodies, and | ||
(iv) evaluating the effectiveness of expenditure by public bodies; | ||
(e) to ensure that information is managed by public bodies in accordance with international best practice as regards data protection; | ||
(f) to improve the availability and accessibility for re-use and redistribution of information, other than personal data, held by public bodies. | ||
(3) A rule, procedure or standard prescribed under subsection (1)(a) shall apply to information— | ||
(a) collected for statistical purposes in accordance with the Statistics Act 1993 , or | ||
(b) disclosed in accordance with regulations made under section 2 of the Vital Statistics and Births, Deaths and Marriages Registration Act 1952 . | ||
Guidelines | ||
65. (1) The Minister may, after consultation with such (if any) other Ministers of the Government as the Minister considers appropriate, prepare and issue guidelines (including guidelines in relation to rules, procedures or standards prescribed under section 64 ) to assist public bodies in the performance of their functions under this Act or other enactments relating to data-sharing. | ||
(2) Public bodies shall have regard to the guidelines, if any, issued under this section in the performance of their functions under this Act and the provisions of other enactments relating to data-sharing. | ||
Model agreements | ||
66. (1) The Minister may, after consultation with such (if any) other Ministers of the Government as the Minister considers appropriate, prepare or revise model data-sharing agreements for the purpose of this Act or another enactment relating to data-sharing. | ||
(2) The Minister may request the Board to provide advice in relation to the preparation or revision of model data-sharing agreements. | ||
(3) Where a model data-sharing agreement has been prepared or revised, as the case may be, for the purpose of an enactment under subsection (1), a public body entering into a data-sharing agreement for the purpose of that enactment shall use the model data-sharing agreement as a basis for the data-sharing agreement to be entered into by it. | ||
Publication of regulations and guidelines | ||
67. The Minister shall publish, on a website maintained by him or her— | ||
(a) the rules, procedures and standards, if any, prescribed under section 64 , and | ||
(b) the guidelines, if any, issued under section 65 . | ||
Compliance report | ||
68. (1) The Board may by notification in writing request a public body to provide a compliance report within a particular time. | ||
(2) A public body shall provide the Board with a compliance report within the time period specified in a notification given to the public body under subsection (1). | ||
(3) In this section, “compliance report” means a statement signed by— | ||
(a) the person who is the accounting officer, in relation to the appropriation accounts of the public body concerned, for the purposes of the Comptroller and Auditor General Acts 1866 to 1998, or | ||
(b) where there is no such accounting officer, the person who holds, or performs the functions of, the office of chief executive officer (by whatever name called) of the public body, | ||
detailing how the public body has complied with its obligations under this Act and the orders and regulations, if any, made under this Act. | ||
PART 10 Miscellaneous | ||
Prohibition on requests for certain documents | ||
69. (1) The Minister may, following consultation with any relevant Minister of the Government and having had regard to the matters referred to in subsection (4), prescribe— | ||
(a) certain documents or classes of document the provision of which a public body shall not request from a person (other than a public body) in original, copy or electronic form, or | ||
(b) certain uses for the purposes of which a public body shall not request the provision of certain documents or classes of documents from a person (other than a public body) in original, copy or electronic form. | ||
(2) A public body shall not— | ||
(a) request a document or class of document which is prescribed under subsection (1)(a), or | ||
(b) request a document or class of document for the purposes of a use of such a document or class of document which is prescribed under subsection (1)(b). | ||
(3) In this section “relevant Minister of the Government” means a Minister of the Government the exercise of whose functions would be affected by the making of an order proposed to be made under subsection (1). | ||
(4) The matters to which the Minister is to have regard for the purposes of subsection (1) are as follows: | ||
(a) whether the proposed prohibition would facilitate the carrying out of a function of a public body by— | ||
(i) reducing the duplication of tasks carried out by one or more public bodies, | ||
(ii) increasing the efficiency of the public body in carrying out the function, or | ||
(iii) facilitating an improvement in the quality of services being delivered by one or more public bodies; | ||
(b) whether the proposed prohibition would reduce the need for a person to provide the same information to more than one public body. | ||
Specification of information | ||
70. (1) The Minister may, with the consent of such other (if any) Minister of the Government as the Minister considers appropriate having regard to the functions of that other Minister, for the purposes of— | ||
(a) ensuring greater consistency and accuracy of information held and managed by public bodies, and | ||
(b) increasing the usefulness of information held and used by public bodies for the purposes of— | ||
(i) performing their functions, | ||
(ii) modernising and developing public services, | ||
(iii) evaluating the effectiveness of services provided by public bodies, and | ||
(iv) evaluating the effectiveness of expenditure by public bodies, | ||
direct a public body to collect information or classes of information specified in the direction. | ||
(2) A direction under subsection (1) may specify the format in which the information is to be stored following collection. | ||
(3) A public body to which a direction under subsection (1) applies shall comply with the direction. | ||
(4) This section applies to— | ||
(a) personal data (including special categories of personal data), and | ||
(b) information other than personal data, | ||
whether or not the disclosure of that information is regulated by this or any other enactment. | ||
Provision of information on data-sharing | ||
71. (1) The Minister may direct a public body to provide him or her with the information specified in subsection (2). | ||
(2) The information referred to in subsection (1) is as follows: | ||
(a) a list of all data-sharing arrangements that that body has engaged in with other public bodies under this or any other enactment, setting out in respect of each such arrangement— | ||
(i) the names of the participants in the arrangement, | ||
(ii) the purpose of the data-sharing, | ||
(iii) the function of the public body concerned to which the purpose referred to in subparagraph (ii) relates, | ||
(iv) the legal basis for the data-sharing and any further processing, by the parties to the arrangement, of the information disclosed pursuant to the arrangement, | ||
(v) a description of the information disclosed pursuant to the arrangement, | ||
(vi) how the information is processed following its disclosure, | ||
(vii) any restrictions on the disclosure of information after the processing of such information referred to in subparagraph (vi), | ||
(viii) where a data protection impact assessment has been carried out, a summary of the matters referred to in Article 35(7) of the General Data Protection Regulation, | ||
(ix) the security measures applied to the transmission, storage and accessing of personal data, in a manner that does not compromise those security measures, | ||
(x) the requirements in relation to the retention of— | ||
(I) the information disclosed, and | ||
(II) the information resulting from the processing of that information, | ||
for the duration of the arrangement and in the event that the arrangement is terminated, and | ||
(xi) the method employed or to be employed to destroy or delete— | ||
(I) the information disclosed, and | ||
(II) the information resulting from the processing of that information, | ||
at the end of the period for which the information is to be retained in accordance with the arrangement; | ||
(b) any alteration of the data-sharing arrangements referred to in subsection (2) in the period since the public body last provided information on such data-sharing arrangements to the Minister; | ||
(c) such additional information as may be prescribed under subsection (5). | ||
(3) A direction under subsection (1) may specify that the information be provided— | ||
(a) on a periodic basis, or | ||
(b) on each occasion that a new arrangement is entered into or an existing arrangement is altered in any way. | ||
(4) A public body to which a direction under subsection (1) applies shall comply with the direction. | ||
(5) The Minister may, for the purposes of— | ||
(a) increasing transparency in the activities of public bodies as regards their sharing of information under this Act or any other enactment, and | ||
(b) promoting good governance in the sharing of information under this Act or any other enactment, | ||
prescribe additional information to be provided by a public body in receipt of a direction under subsection (1). | ||
(6) The Minister shall publish, on a website maintained by him or her, all of the information received by him or her pursuant to a direction issued under subsection (1). | ||
Amendment of Act of 1997 | ||
72. Section 917D of the Act of 1997 is amended in subsection (1) by the substitution of the following definition for the definition of “digital signature”: | ||
“ ‘digital signature’ in relation to a person, means— | ||
(a) a qualified certificate (within the meaning of the Electronic Commerce Act 2000 ) provided to the person by the Revenue Commissioners (or a person appointed in that behalf by the Revenue Commissioners), and | ||
(b) an advanced electronic signature (within the meaning of that Act) generated using the qualified certificate referred to in paragraph (a);”. | ||
Amendment of Ministers and Secretaries (Amendment) Act 2011 | ||
73. Section 17A of the Ministers and Secretaries (Amendment) Act 2011 is amended by the substitution of the following subsection for subsection (2): | ||
“(2) Information provided to the Minister under subsection (1) shall not include any personal data (within the meaning of the General Data Protection Regulation), unless that information is provided in accordance with Part 5 of the Data Sharing and Governance Act 2019.”. | ||
Amendment of Social Welfare Consolidation Act 2005 | ||
74. Schedule 5 to the Act of 2005 is amended by the insertion, in paragraph 1(4), of “the National Shared Services Office,” after “the National Council for Special Education”. | ||
Amendment of National Shared Services Office Act 2017 | ||
75. Section 6 of the National Shared Services Office Act 2017 is amended in subsection (1) by the substitution of “An Oifig Náisiúnta um Sheirbhísí Comhroinnte” for “Oifig Náisiúnta Seirbhísí Comhroinnte”. | ||
SCHEDULE Bodies to which definition of “public body” does not apply | ||
Section 10 (5) | ||
1. Any body corporate established by Act of Parliament before 6 December 1922 that, upon its establishment, was of a commercial character. | ||
2. An Post. | ||
3. Bord na gCon. | ||
4. Bord na Móna Plc. | ||
5. Central Bank of Ireland. | ||
6. Córas Iompair Éireann. | ||
7. Coillte Cuideachta Ghníomhaíochta Ainmnithe. | ||
8. Cólucht Groighe Náisiúnta na hÉireann Cuideachta Ghníomhaíochta Ainmnithe (The Irish National Stud Designated Activity Company). | ||
9. Cork Airport Authority, public limited company. | ||
10. daa, public limited company. | ||
11. Drogheda Port Company. | ||
12. Dublin Port Company. | ||
13. EirGrid Plc. | ||
14. Electricity Supply Board. | ||
15. Ervia. | ||
16. Galway Harbour Company. | ||
17. Horse Racing Ireland. | ||
18. Irish Aviation Authority. | ||
19. New Ross Port Company. | ||
20. Port of Cork Company. | ||
21. Port of Waterford Company. | ||
22. Raidió Teilifís Éireann. | ||
23. Shannon Airport Authority, public limited company. | ||
24. Shannon Foynes Port Company. | ||
25. Teilifís na Gaeilge. | ||
26. Voluntary Health Insurance Board. | ||
27. A subsidiary of a body to which this Schedule relates, including a subsidiary of such a subsidiary. | ||
1 OJ No. L 119, 4.5.2016, p. 89. 2 OJ No. L 119, 4.5.2016, p. 1. 3 OJ No. L 393, 30.12.2006, p. 1. |