A Collection is a selection of features, articles, comments and opinions on any given theme or topic. It allows you to stay up‑to‑date with what interests you most.
Login here to access your saved articles and followed authors.
We have sent you an email so you can reset your password.
Sorry, we had a problem.
Tags related to this article
Published 19 April 2016
Following the recent decision by the Court of Justice of the European Union (the "CJEU") in Bara & Others (C-201/14) ("Bara"), the Office of the Data Protection Commissioner (the "ODPC") issued an updated guidance note on 5 February 2016 in respect of data sharing arrangements within the public sector (the "Guidance Note"). In essence, the ODPC reiterated the importance of public sector bodies informing data subjects, where applicable, that their personal data will be shared with other public sector bodies under a data sharing arrangement.
The Bara Decision
The case of Bara concerned the processing of personal income data of self-employed Romanian individuals. This data was transferred from the Romanian national tax administration agency to the Romanian national health insurance fund, resulting in individuals being pursued for the payment of arrears of contributions to the national health insurance regime. The individuals complained that their personal data was used, without their knowledge or consent and without being informed, for purposes other than that for which it had been provided to the tax authority.
The CJEU held that the requirement of fair processing of personal data requires a public sector body to inform data subjects of the fact that their data will be transferred to another public sector body for the purposes of processing by the latter agency. This ensures that the rights of the individual are protected as individuals will be aware of how their personal information is used, for what purpose and how the sharing of that information will impact upon them.
Criteria Required for Data Sharing Among Public Sector Bodies
In light of the Bara decision, and as outlined in more detail below, there is a general requirement for public sector bodies to provide an explicit legal basis for a data sharing arrangement. In addition, the ODPC recommends that a public body that engages in data sharing arrangements should, in advance of sharing personal data, inform all individuals whose personal data will be shared about the data sharing arrangement by outlining the information required to be provided under section 2(2D) of the Data Protection Acts 1988-2003 (the "Acts"). If a public sector body chooses not to inform individuals of the data sharing arrangement, that decision should be necessary and proportionate by showing, for example, that the release of this information would jeopardise the achievement of the data sharing objective. The Guidance Note recommends that all current and future data sharing arrangements in the public sector should consider and apply the following criteria:
It is important to remember that any public sector body that receives personal data from another public sector body is a data controller and must comply with the Acts.
The manner in which a public sector body decides to communicate to a data subject depends upon the factual scenario of each case. For example, where individuals are likely to expect their personal data to be shared with another public sector body, an information notice available on the webpage of the public sector body that collected the information from the data subject may be sufficient. However, some data sharing arrangements will require more active communication with the data subject. The ODPC sets out the following themes that agencies should consider when deciding the type of notice required:
(a) Is the public sector body sharing sensitive personal data? (b) Is the data sharing unexpected or objectionable? (c) Will the data sharing have a significant effect on the individual? (d) Is the data sharing widespread or involving entities which individuals might not expect? (e) Is the sharing being carried out for a range of different purposes? (f) Is the individual likely to suffer any detriment as a result of the data sharing arrangement?
If the answer is "yes" to any of the above questions, the ODPC strongly recommends that the public sector body that collected the data from the data subject considers actively communicating the detail of the data sharing arrangement to each individual.
Recommended next steps
In light of the Guidance Note, we recommend that all public sector bodies conduct a full review of their data sharing arrangements in order to ensure they adhere to the ODPC's recommendations. The following practical steps can be taken:
(a) Identify what the arrangement is meant to achieve; (b) Identify whether the objective could be achieved without sharing the data or by anonymising it; (c) Identify the minimum information required to achieve that purpose; (d) Identify any risks which the data sharing may pose; and (e) Identify when and how often the data should be shared.
Read the full Guidance Note here.
Submitted by Rowena McCormack, Associate and Charlotte Burke, Solicitor
Return to main page >>>
+353 (0)1 231 9628
Suzanne Wharton, James Hazlett
Catrin Davies, Tom Bedford
Suzanne Wharton, Naomi Park, Rozie Rafiq
Julian Miller, Philip Murrin
Kylie Poyner, Lucy Beach
Richard Highley, Kevin Hawthorn, Francesca Muscutt
David Johnson, Andrew Parker
Thomas Jordan, Barbara Goddard
Peter Allchorne, Annabel Lingham
Anthony Menzies, Hans Allnutt, Franc Gozalvez
Andrea Ward, David Knapp
Andrea Ward, Tom Walshaw, David Knapp, Joanne Kingsland
Claire Laver, David Williams, Jennifer Brown
Helen Falconer, David Williams
Claire Laver, Helen Laight