The Data Sharing and Governance Act 2019 (the “Act”) was signed into law by the President of Ireland, Michael D. Higgins on the 4thof March 2019. The Act sets out to strengthen and provide clarity in relation to the data sharing rights and responsibilities of public agencies.
The Act aims to reduce the administrative burdens that are associated with the need for people living in Ireland to provide their personal data to public agencies. The Act delivers on this aim by providing for:
- the regulation of the sharing of information, including personal data, between public agencies;
- the regulation of the management of information by public agencies,
- the establishment of base registers;
- the collection of public service information, as well as,
- to establish the Data Governance Board; to amend the Taxes Consolidation Act 1997;
- to amend the Social Welfare Consolidation Act 2005;
- to amend the Ministers and Secretaries (Amendment) Act 2011, and
- to amend the National Shared Services Office Act 2017.
The rest of this article will discuss the changes introduced by the Act as relevant for Irish public organisations.
Data Sharing
The Act allows for the personal data of data subjects to be shared between public agencies provided that it is in the performance of a function. The sharing has to be carried out for one of a number of purposes. These are clearly set out in the Act. For example, to identify and correct erroneous information held by a public agency.
The Act only applies where there is no other law of the European Union (EU) permitting or requiring the sharing of personal data of data subjects.
Unlike the General Data Protection Regulation (GDPR), the Act does cover the personal data of deceased individuals.
Data sharing agreements must be in place before data sharing can take place between public agencies.
The Act does not apply to the sharing of Special Categories of Data except in relation to Part 5 of the Act on public service pension schemes.
Base Registry
Part 7 S.38(1) of the Act allows the Minister for Public Expenditure and Reform to designate base registries for use by public agencies so that they can access personal data without having to collect it directly from service users. The registry must have a data controller who must ensure that the personal data is accurate, relevant and up to date.
Personal Data Access Portal
Part 8 S.44(1) of the Act provides for the establishment of a personal data access portal. This is a portal that would allow individuals to view their personal data as well as information in relation to any data breaches affecting their personal data and data sharing agreements under which their personal data is processed. This is very much in keeping with the spirit of the GDPR, especially Article 20 – the right to data portability.
Data Governance Board
Part 9 S.46(1) of the Act allows for the establishment of a Data Governance Board. The Board will advise the Minister of Public Expenditure and Reform in relation to the prescribing of rules, procedures and standards that affect data sharing between public agencies. One of their roles will be to review the data sharing agreements in place. They will also produce a yearly compliance report for the Minister.
Exclusions
Part 2 S.12(1) of the Act looks at the areas in which the new law does not apply. The vast majority of it relates to criminal investigations. For example, the Act does not apply to data-sharing for the purposes of the exercise of the functions of the Criminal Assets Bureau.
Key Takeaway
For those clients of Trilateral that are Irish public agencies, we could recommend that you familiarise yourself with the new Act. The Act sets out a series of important governance measures to ensure that personal data is shared by public agencies in a lawful, proportionate and transparent manner in accordance with national and EU data protection law. Whilst the Act is still waiting for commencement, we would advise public agencies, to ensure that they have a Record of Processing Activities. This will be crucial for complying with the evidence-based approach, which will be set in place by the new Act.
For more information please refer to our service pages or contact our Data Governance team.