Ireland - Data sharing arrangements in the public sector - updated guide published by the ODPC
Published 19 April 2016
Following the recent decision by the Court of Justice of the European Union (the "CJEU") in Bara & Others (C-201/14) ("Bara"), the Office of the Data Protection Commissioner (the "ODPC") issued an updated guidance note on 5 February 2016 in respect of data sharing arrangements within the public sector (the "Guidance Note"). In essence, the ODPC reiterated the importance of public sector bodies informing data subjects, where applicable, that their personal data will be shared with other public sector bodies under a data sharing arrangement.
The Bara Decision
The case of Bara concerned the processing of personal income data of self-employed Romanian individuals. This data was transferred from the Romanian national tax administration agency to the Romanian national health insurance fund, resulting in individuals being pursued for the payment of arrears of contributions to the national health insurance regime. The individuals complained that their personal data was used, without their knowledge or consent and without being informed, for purposes other than that for which it had been provided to the tax authority.
The CJEU held that the requirement of fair processing of personal data requires a public sector body to inform data subjects of the fact that their data will be transferred to another public sector body for the purposes of processing by the latter agency. This ensures that the rights of the individual are protected as individuals will be aware of how their personal information is used, for what purpose and how the sharing of that information will impact upon them.
Criteria Required for Data Sharing Among Public Sector Bodies
In light of the Bara decision, and as outlined in more detail below, there is a general requirement for public sector bodies to provide an explicit legal basis for a data sharing arrangement. In addition, the ODPC recommends that a public body that engages in data sharing arrangements should, in advance of sharing personal data, inform all individuals whose personal data will be shared about the data sharing arrangement by outlining the information required to be provided under section 2(2D) of the Data Protection Acts 1988-2003 (the "Acts"). If a public sector body chooses not to inform individuals of the data sharing arrangement, that decision should be necessary and proportionate by showing, for example, that the release of this information would jeopardise the achievement of the data sharing objective. The Guidance Note recommends that all current and future data sharing arrangements in the public sector should consider and apply the following criteria:
- Identify the primary legislation being relied on
The legal basis for data sharing should be set out in primary legislation (with further details provided by way of secondary legislation such as statutory instrument). Such legislation should clearly and unequivocally state the public body concerned, the data to be shared and the purpose for sharing the data. Public bodies should also ensure appropriate safeguards are in place to protect the data protection rights of the individual.
- Transparency - keep individuals fully informed
Pursuant to the Acts, personal data must be obtained and processed "fairly and lawfully". Therefore, even if primary legislation provides a public sector body with a clear legal basis to share personal data, data subjects should be made aware of these arrangements (and all of the safeguards in place) in advance of the data being shared. The onus of informing data subjects is on the public sector body that collected the personal information in the first instance and intends to share that information with another public sector body.
It is important to remember that any public sector body that receives personal data from another public sector body is a data controller and must comply with the Acts.
The manner in which a public sector body decides to communicate to a data subject depends upon the factual scenario of each case. For example, where individuals are likely to expect their personal data to be shared with another public sector body, an information notice available on the webpage of the public sector body that collected the information from the data subject may be sufficient. However, some data sharing arrangements will require more active communication with the data subject. The ODPC sets out the following themes that agencies should consider when deciding the type of notice required:
(a) Is the public sector body sharing sensitive personal data?
(b) Is the data sharing unexpected or objectionable?
(c) Will the data sharing have a significant effect on the individual?
(d) Is the data sharing widespread or involving entities which individuals might not expect?
(e) Is the sharing being carried out for a range of different purposes?
(f) Is the individual likely to suffer any detriment as a result of the data sharing arrangement?
If the answer is "yes" to any of the above questions, the ODPC strongly recommends that the public sector body that collected the data from the data subject considers actively communicating the detail of the data sharing arrangement to each individual.
All public sector bodies transferring personal data to another public sector body must ensure that the data being transferred is proportionate to meet the objective of the data sharing arrangement. All public sector bodies with data sharing arrangements in place should maintain a record of the following:
- The reason/justification for the data sharing arrangement – what is the objective? This is particularly important in circumstances where consent of the individuals has not been obtained.
- What is the minimum amount of data required to be shared to meet that objective?
- Do the benefits of sharing the information justify overriding the individual's data protection rights?
- What are the likely results of not sharing the information?
- What are the potential benefits and risks to individuals or society where the data is shared?
- Security and Disposal
Where an approved data sharing arrangement is in place, the ODPC requires enhanced controls and security arrangements. Access to personal data should be limited to a small number of public sector body officials on a "need to know" basis and, in accordance with the Acts, data should be destroyed when no longer required.
Recommended next steps
In light of the Guidance Note, we recommend that all public sector bodies conduct a full review of their data sharing arrangements in order to ensure they adhere to the ODPC's recommendations. The following practical steps can be taken:
- Consider and keep a record of the primary legislation being relied on to support the data sharing arrangement;
- Keep an up to date record of the purpose of the data transfer as well as the actual data that is being transferred;
- Consider the best way to notify data subjects that their data will be shared with another public sector body. Ensure that any notice identifies the public sector body that will receive the data, what data they will receive and the purpose of the transfer;
- Consider the proportionality test by completing a data sharing assessment form prior to implementing a data sharing arrangement. The assessment form should incorporate the following "checklist":
(a) Identify what the arrangement is meant to achieve;
(b) Identify whether the objective could be achieved without sharing the data or by anonymising it;
(c) Identify the minimum information required to achieve that purpose;
(d) Identify any risks which the data sharing may pose; and
(e) Identify when and how often the data should be shared.
- Put a robust data access and security policy in place for all data collected and processed pursuant to a data sharing arrangement;
- Public sector bodies involved in a data sharing arrangement should establish a common set of operational rules. These rules should include a clear description of the roles and responsibilities of each public sector body involved in the data sharing arrangement and should be made available to the data subject, if necessary;
- Any arrangement or procedure which falls foul of the requirements of the Guidance Note and/or the Acts should be discontinued until it is brought in line with legislation and the Guidance Note; and
- If a public sector body communicates its data sharing arrangement to individuals and, as a result, receives a significant number of negative comments or concerns, it should review the arrangement in question. The public sector body may decide, following analysis, to discontinue the arrangement, to reduce the amount of data it shares, or to reduce the number of bodies with which it shares the data.
Read the full Guidance Note here.
Submitted by Rowena McCormack, Associate and Charlotte Burke, Solicitor