Data Protection Commissioner

Data Sharing in the Public Sector

 

Introduction


The Office of the Data Protection Commissioner (“ODPC”) welcomes the decision of the European Court of Justice in the case of Bara & Oths C-201/2014 and notes the strong trend emanating from recent judgments whereby the Court has interpreted the Data Protection Directive so as to extend and to re-enforce the protection of the rights of individuals. The Bara judgment which focused upon a public sector data sharing arrangement re-iterates the importance of informing the data subject about the processing of their personal data as it affects the exercise by the data subjects of their right of access to their personal data, their right to rectify their data being processed and their right to object to the processing of data.

An individual may expect public sector bodies to share their personal data where it is essential and necessary to provide him/her with the services sought, and the ODPC fully supports the aim of developing more efficient and customer-centric public services in this regard. However, this must also be balanced with the fact that individuals need to be informed as to how their personal information is used and for what purpose, who has access to it and how the sharing of that information will impact upon them. Therefore, whilst data sharing can bring benefits in terms of efficient delivery of public services, it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.

As such the ODPC recommends that all data sharing arrangements in the public sector should:

  • Have a basis in primary legislation;
  • Be made clear to individuals that their data may be shared and for what purpose;
  • Be proportionate in terms of their application and the objective to be achieved;
  • Have a clear justification for individual data sharing arrangements;
  • Share the minimum amount of data to achieve the stated public service objective;
  • Have strict access and security controls; and
  • Ensure secure disposal of shared data.


It is important to restate from the outset that, subject to the exceptions permitted under the Data Protection Acts 1988 – 2003 (the DPA), all processing of personal data must comply with the principles of data quality as set out in Section 2 and with one of the criteria for making data processing legitimate in Section 2(2A) (and Section 2(2B) if sensitive personal data is involved). In undertaking a review of all current and future data sharing arrangements, public sector bodies should ensure that the following best practice guidelines are considered and applied as appropriate:

1. Demonstrable Justification


The public policy objective being pursued by a particular data sharing arrangement without consent should be explicit. An assessment should be made as to whether the likely benefits of the sharing justify the overriding of the individual's data protection rights. The assessment should represent a careful balancing of these factors. When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) it is imperative to identify the purpose that it is meant to achieve. In doing so, public sector bodies should consider the potential benefits and risks, either to individuals or society, of sharing the data. An assessment as to the likely results of not sharing the data should also be conducted. As held by the ECJ in the case of Digital Rights Ireland C-293/2012, any legislative measure enacted must meet a proportionality test: it must be appropriate for attaining the legitimate objectives pursued by the legislation at issue and must not exceed the limits of what is appropriate and necessary in order to achieve those objectives[1].

Please note the following non-exhaustive checklist which should be considered from the outset (either as a provider, a recipient or both):

  • Identify what the arrangement is meant to achieve. All data sharing arrangements should have a clearly understood set of objectives which are documented and recorded.
  • Identify whether the objective could be achieved without sharing the data or by anonymising it. The default position should be to analyse whether personal data needs to be shared in the first instance in order to achieve the goal(s).
  • Identify the minimum information required to achieve that purpose. All data sharing arrangements should share only the minimum required personal information to achieve the body’s objectives.
  • Identify any risks which the data sharing may pose. When considering whether to implement a data sharing agreement and place it on a legislative footing, consideration should be given to the fact that such sharing could increase the reluctance of individuals to provide accurate personal data to public sector bodies. It should also take account of any disproportionately negative impact on particular sections of society.
  • Identify when and how often the data should be shared. It is good practice to document this and set out whether the sharing arrangement will be ongoing or periodic or whether it will occur in response to a particular set of events.



2. Explicit Legal Basis


In general a legal basis for data sharing, including the conditions under which such sharing is permitted, should be set out in primary legislation as provided under Section 2(2A) of the DPA. The ODPC recommends (where appropriate) that the conditions of the data sharing arrangement are outlined clearly and in adequate detail either in primary legislation or alternatively, in secondary legislation (provided a primary legislative basis exists) thereby leaving no room for confusion or doubt as to the nature of the arrangement and providing legal certainty[2]. The legislation should clearly identify the public sector bodies involved, the information that will be shared and the purpose(s) for sharing the information. Public sector bodies should also ensure that adequate, appropriate and relevant safeguards are put in place to protect the data rights of the individual.


3. Transparency


The Law


Personal data must be obtained and processed “fairly and lawfully”. Two situations arise that are specifically regarded in the DPA – firstly where a data controller obtains the personal data directly from an individual and, secondly, where a data controller obtains the personal data through some other means.

In the first case, as per Section 2(2D) of the DPA, where personal data is gathered directly from the subject the data controller must provide (unless they already have the information) the following:

  • Identity of the controller and his representative (if applicable);
  • Purpose of processing;
  • Any other information which is necessary such as identifying recipients or categories of recipients of the data, whether data provision is voluntary or mandatory and details as to the right to information access and the right to data correction pertaining to the data subject.


In the second case, Section 2(2D) of the DPA also provides that where data has not been obtained from the data subject the controller/representative must in advance or at the time of the recording/disclosure provide in addition to the above information the following:

  • Categories of data concerned
  • Identity of the original controller.


The DPA highlights a clear obligation to inform data subjects how their data is or will be processed and processing will not be considered fair unless the data subject is given specific information about the identity of the controller, who the information will be disclosed to, and the purposes for which the data is to be processed. The rationale is that if the processing is to be fair the data subject must be placed in a position to learn of the existence of the processing operation, have access to that information and consequently be able to have that data rectified if required.


Recommendation


There are various exemptions contained in the DPA which may reduce obligations such as the fair processing provisions outlined under Section 2(2D) in certain circumstances. However, it is now settled European case-law that any exemptions should be applied on a very narrow basis in order to protect and uphold the fundamental data rights of the individual[3]. Any exemption in relation to the fair processing provisions can only be relied upon where such an exemption is necessary and proportionate. Therefore, in addition to a general requirement to provide an explicit legal basis for the data sharing arrangement, it is recommended that public bodies who engage in data sharing arrangements should, in advance of any such sharing, inform all individuals whose personal data is being shared of the data sharing arrangement by outlining the information as required to be provided as per Section 2(2D) of the DPA. If a public sector body chooses not to inform individuals that decision should be necessary and proportionate by showing, for example, that the release of this information would jeopardise the achievement of the data sharing objective.

In summary, the ODPC is of the view that even if a legislative measure provides the requisite explicit legal basis to implement a data sharing arrangement it is still incumbent upon all data controllers to ensure that individuals are fully aware of those arrangements and the safeguards contained therein. The question for a public sector body to determine is whether they are satisfied that the explicit details of a data sharing arrangement, which are in the main outlined as part of a wider legislative measure expressed in legalistic language, meet the threshold of adequately informing a data subject under the DPA.

The ODPC recommends that the default position should be that full details of all data sharing arrangements (as required by Section 2(2D) of the DPA and irrespective of their official legislative basis and publication thereof) should be explained and outlined to the individuals concerned in plain language, by the public sector bodies involved.


How to Communicate

The ODPC recognises that it is for each public sector body to determine how to inform an individual. For example, in some cases it may be acceptable to have an information notice available so people can access it if they want to, especially when the data sharing is something people are likely to expect and be aware of already. However, in other situations this approach may not be acceptable and a notice, for example, may need to be actively and positively communicated (for example sending a letter, distributing an email etc) to each individual as failure to do so would result in unfairness to the individual. In determining whether active communication is required the following non-exhaustive checklist should be considered:

  • Is the public sector body sharing sensitive personal data?
  • Is the data sharing unexpected or objectionable?
  • Will the data sharing have a significant effect on the individual?
  • Is the data sharing widespread or involving entities which individuals might not expect?
  • Is the sharing being carried out for a range of different purposes?
  • Is the individual likely to suffer any detriment as a result of the data sharing arrangement?


If any of these questions are answered “Yes” it would strongly suggest that a public sector body may need to consider actively communicating the detail of the data sharing arrangement to each individual.


Who communicates?


It is important to ensure that the public sector bodies involved in data sharing work together to ensure that the individuals concerned know who has, or will have, their data and what it is being used for, or will be used for. The primary responsibility for communicating to the individual should fall to the public sector body that collected the data initially. Furthermore, any data sharing arrangement should be reflected in a data sharing agreement which should set out appropriate common rules (including the communication responsibilities) between the bodies. The public sector body receiving the personal data also has an obligation to inform the individual.


4. Authorisation


Any decision to share personal data between public bodies (and thereby to set aside a person's right to privacy) must not be taken lightly. This is especially the case when bulk data is shared. Such decisions should only be taken following due consideration at senior management level.


5. Data minimisation

Only the minimum amount of personal data should be shared. In many cases all that may be required is a "yes" or "no" in regard to whether an individual is, for example, a holder of a permit or a license.


6. Data Access and Security:


Enhanced access controls and security requirements should apply to personal data shared and received as part of an approved data sharing arrangement. Access to such data should be limited to a very small number of officials and public sector bodies should employ a ‘need to know’ basis thereby ensuring that other organisations should only have access to the data if they need it, and that only relevant staff within those organisations should have access to the data. Arrangements in this respect should also address any necessary restrictions on onward sharing of data with third parties.

Security measures should rule out any possibility of data leakage (bearing in mind the increased emphasis on the State's responsibility to prevent data breaches and the reputational damage that would result from failure to protect shared personal data). It is important that public sector bodies ensure that the personal data will be protected at all stages of the arrangement i.e. during the transmission, receipt of the data, and while the data remains with either party. Furthermore, it is important that the recipient organisation understands the nature and sensitivity of the data being shared and that common rules for its security are established.


7. Data Retention:


Personal data provided as part of an approved data sharing arrangement should be securely destroyed when no longer required. The ODPC recommends that public bodies should specify the conditions and the period for which the data may be retained and that such conditions are necessary and proportionate in relation to the purpose to be achieved.


8. Governance:


Public sector bodies involved in a data sharing arrangement will have their own responsibilities and liabilities in respect of the data they process. As alluded to, it is important that those entities involved in a data sharing initiative set out a common set of operational rules to be adopted in a data sharing agreement which is then reviewed on a regular basis to ensure that the data sharing initiative is meeting its objectives, that safeguards continue to match any risks posed, that records are accurate and up to date, that adherence to a consistent retention policy for all records is kept, and that the appropriate security measures remain in place. A clear description of the roles and responsibilities of public sector bodies in any data sharing arrangement should be made available to the data subject with regard to exercising their data rights.


9. And finally:


If a public sector body informs people about their data sharing arrangement and consequently receives a significant number of negative comments or concerns it should review the arrangement and data sharing in question. In particular, the body should carry out an analysis of the issues raised and decide whether the sharing can go ahead or continue. Alternatively, it may need to reduce the amount of data it shares or share it with fewer organisations. In large scale data sharing operations, it is good practice to set up focus groups to explore individuals’ concerns and to develop more publicly acceptable ways of dealing with the issues that the data sharing was intended to address.

[1] Note also Article 52 of the Charter of Fundamental Human Rights whereby any limitation on those rights must be provided by a legislative measure, and subject to the principle of proportionality, limitations may only be made if they are necessary and genuinely meet the objectives of a general interest or the need to protect the rights and interest of others.

[2] The ODPC recognises that whilst data sharing arrangements need to have a basis in primary legislation public sector bodies may at a later juncture and in advance of any data sharing outline the details of the arrangement by prescribing same in secondary legislation such as a statutory instrument.

[3] See for example the ECtHR cases of Delcourt (17th January 1970) & Klass v Germany (1978) highlighting that any limitations imposed on a fundamental right must be viewed restrictively and also note for example the ECJ joined cases of C-293/12 & C-594/12 (Digital Rights Ireland).