Change to data protection Bill may cause child protection issues

Senator has ‘serious concern’ over amendment to extend definition of public bodies

In some circumstances, ‘public bodies’ will be exempt from various provisions of the legislation in relation to the rights of individuals under data protection law. Photograph: iStockphoto

In some circumstances, ‘public bodies’ will be exempt from various provisions of the legislation in relation to the rights of individuals under data protection law. Photograph: iStockphoto

 

The Government’s plan to extend the definition of “public bodies” in new data protection legislation poses serious legal concerns and may present child protection issues, it has been claimed.

An amendment to the Data Protection Bill 2018 put forward in the Seanad last week, considerably broadens the range of public bodies to include the office of the Director of Corporate Enforcement, schools, and so-called “section 38” organisations that are contracted by the Health Service Executive to provide health or personal social services.

Section 38 agencies are predominantly hospitals and disability services.

In some circumstances, such bodies will be exempt from various provisions of the legislation in relation to the rights of individuals under data protection law. The Bill also proposes to exempt public bodies from the imposition of fines by the Data Protection Commissioner.

Speaking during the committee stage debate, Independent Senator Alice Mary Higgins said she had a “serious concern” about the Government amendment, which was first defeated and then passed after a walk-through vote was called.

Ms Higgins noted the Bill gave powers to public authorities in its later sections “in which the right of individual data subjects can be bypassed”. She also said there was nothing preventing the Government, at a later stage in the Bill’s passage, from exempting companies, voluntary and private, from certain provisions of the legislation.

Ms Higgins accepted that Minister for Justice Charlie Flanagan, in presenting the Bill to the House, had noted that companies contracted by the HSE would be obliged to appoint a data protection officer. She understood his intention.

However, she said the Government’s amendment, in extending the definition of a public authority, did not do that “in the most appropriate way and it opens up other potentially unforeseen dangerous provisions”.

The way the Minister proposed to deal with the concern of companies contracted by the HSE was to amend the definition of “public authority”, which was “significant, so that a public authority can be any private company contracted by the HSE”.

Ms Higgins asked whether children who accessed services that were contracted out by the HSE would be subject to “lesser protections”.

“Private companies may have a contract with the executive in one area of the health service but may have a number of contracts in other areas,” she said.

She suggested the Minister may wish to address this important issue of the regulation of contracted parties with a separate explicit section which set out “proper provisions and protections”.

Ms Higgins also said the Bill was “more focused on actively finding points at which data protection may not apply to public authorities rather than enforcing data protection requirements on private companies”.

‘Rushed through’

She regretted the Bill, which will give effect to the EU General Data Protection Regulation and an associated law enforcement directive, was being “rushed through”.

Ms Higgins said that in seeking to exempt public bodies from fines, the State was contravening good practice and the strong recommendation of both experts, and the EU regulation.

Dr TJ McIntyre, a law lecturer at UCD and chair of the privacy rights group Digital Rights Ireland, said the Bill sought to create a number of blanket exemptions for the State without any proportionality requirements.

This included a provision for processing considered “necessary” for non-statutory schemes, and a provision whereby data collected for one purpose could be used or disclosed for crime or national security purposes.

Dr McIntyre said it was disappointing the Minister had “ignored the strong concerns of the Data Protection Commissioner, as well as the recommendations of the Oireachtas Joint Committee on Justice, which heard numerous experts over the course of three hearings”.