Submission Data Sharing and Governance Bill: Policy Proposals Submission by
Catherine Murphy TD Stephen Donnelly TD McGarr Solicitors 15th September 2014
We the aforementioned wish to make the following observations arising from the Data Sharing and Governance Bill Policy Proposals, dated August 2014. We adopt the numbering scheme used therein.
1. Do you agree with this definition of Data Sharing? No, as it conflates data governance elements and data sharing actions.
2. If you do not agree, how do you believe the definition could be improved? Adopt a clear definition of data sharing, rather than trying to describe a process. An example might be as follows:
It may be also valuable to adopt a clear definition of data governance, so that it can be recognised and separated out from data sharing. The Data Governance Institute defines it as:
“A system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods�
And, finally on definitions, it should also be recognised that the proposed definition introduces, without naming it directly, the concept of Information (or Data) Quality. A good standard definition of Information Quality is:
It is worth noting that these attributes of quality data, "real", "recent", and "relevant", are embedded in the eight fundamental rules of Data Protection which state that personal data must be accurate and up-to-date (Data Protection rule 5), and personal data must be adequate, relevant, and not excessive (Rule 6). If a ‘Privacy by Default’ ethos is adopted and Privacy by Design enforced as a fundamental principle in Public Sector information processing, whether shared data or not, we would suggest that many of the root cause issues identified for issues of information quality and information inefficiency could be addressed in that context. Finally, the proposed action flow contains a reference to a receiving body identifying an existing legal basis for data-sharing, or creating a new one only after it has determined a need for data-sharing. This is not a legitimate sequence. This conceptual error is repeated later where there is reference to departmental operational requirements to transfer data, which do not have any legal basis. Departmental operational convenience should not take precedence over citizens fundamental data rights.
3. What do you believe are the priority areas for data-sharing to contribute to improved public services? The abject, expensive failure of the REACH, public service broker project was described in the Comptroller and Auditor General’s 58th Special Report 2, on eGovernment;
“The Broker concept was innovative and ambitious. Its feasibility, however, was not examined early on and planning was weak. A review of the project in 2002 led to a scaling back of the proposal. In May 2003, a less ambitious project was approved with estimated development costs of €14 million. This project was due for completion in August 2004 but was not completed until December 2005 at a cost of €37 million. Annual running costs for the Broker are in the region of €14 - €15 million.” The REACH programme was effectively the state’s last major attempt to share citizen data across and between departments. As such, it is important that the lessons to be learned from its failure are directly referenced in any future project of this sort. “It is likely that Reach could have delivered the Broker system in a more timely and cost-effective manner had the governance, staffing and risks been 3 managed more rigorously.” Of the examples given of successful data sharing the first is directly referred to in the C&AG’s report in Paragraph 3.36 as using the Broker system to transfer data between systems. The C&AG report does not consider this to be sufficient to justify the Broker’s costs. It also provides, at Appendix A, a full Risk Assessment Model for Information and Communications Technology Transformation. It is vital that any future legislation in this area is introduced only in a way that is fully in compliance with this Model. This is the key priority in contributing to real improved public services.
4. Do you agree that more effective data-sharing can help drive public service reform? Not in isolation. Data Sharing is not a panacea. Sharing of poor quality data in the absence of appropriate controls and governance will not lead to reform of the public sector. It is worth bearing in mind the failure rate for data integration projects runs at approximately 40% due to failure to engage with issues such as Data Governance and 4 Information Quality. Given the very public and trenchant criticisms by the Data Protection Commissioner of the general attitudes and approaches to Data Protection within the Public Sector in recent months (but going back many years) and the apparent difficulties faced by
Public Service management in preventing, detecting, and taking action on foot of breaches of information security and Data Protection, it is our strong opinion any “interoperability framework” for data sharing must be built on very clear fundamental Information Processing Principles, with a very clear common definition, vision, and application of Data Governance. The creation of integrated and shared data sets in private sector organisations has not led to reform or reinvention of those organisations. It is the creation of new organisational capabilities to better manage information that leads to improvement.
5. What are the main areas where you believe that this can be achieved? What should certainly be established is a clear legislative basis for culture change and accountability for the processing of data in the public sector. The creation of a co-ordinated framework for Data Governance across the public sector to include issues such as common standards for data definition, privacy impact assessments as part of legislative review or policy/procedure definition, will provide a platform for reform through better use of data.
6. Do you share the assessment that a new legislative framework for data-sharing is required? Please give reasons for your answer. The current proposals start with the assumption that data sharing is inherently beneficial and then seeks examples where that may be true. No basis for the ‘assessment’ that a new legislative framework is required for data sharing is supplied in the paper and so it is impossible to assess its accuracy or otherwise. This is not a rigorous mode of analysis and, coupled with the lack of any demonstration of lessons learned from the REACH programme, does give grounds for concern. The Department would benefit from analysis of the UK Law Commission’s report on Data Sharing between Public Bodies5, which recommended that a full law reform project should be carried out in order to create a principled and clear legal structure for data sharing to meet the needs of society. These needs include efficient and effective government, the delivery of public services and the protection of privacy. Data sharing law must accord with emerging European law and cope with technological advances. The project should include work to map, modernise, simplify and clarify the statutory provisions that permit and control data sharing and review the common law.
7. In terms of the interoperability framework set out above, what do you see as the main obstacles to data-sharing, and how should they be addressed? This is a technical question that falls outside these observations.
8. Do you have suggestions for how best to embed these data protection principles in the Data-Sharing and Governance Bill? The establishment of a co-ordinating, single compliance organisation for Data Protection, including Data Governance standards, training, and procedures, across the public service would have the potential to correct many of the endemic deficiencies and weaknesses in current systems, support the development of public trust in public sector data sharing, and provide a career path option for existing experienced Data Protection Officers in line departments to continue in a Data Protection specialism across the service. The creation of such an entity would also support the effective execution of segregation of duties between the day to day execution of data management and data sharing processes and the oversight and operation of data governance functions. Providing the oversight body with statutory authority for that function would be a strong signal of reform along best practice models. The Data Protection Commissioner should not have a direct role in the governance of data in the public sector, in the same way as the Data Protection Commissioner does not have a direct role in the governance of data in any private sector organisation. While the DPC is a key stakeholder, they are the enforcement authority. Current legislation and the proposed Regulation allow for, and in some cases mandate, prior consultation with the Commissioner for certain categories of Data Processing. Where consulted, the DPC should be expected to provide timely and relevant response. If the Bill creates a Data Governance body, this body could be the interface entity between the Commissioner and individual projects and initiatives in the Public/Civil service. However, internally within the Service, it would be the Data Governance Office who would be the “honest broker� and arbiter of decisions to ensure that decisions and plans are made and executed along agreed upon models. The DPC would input into those decisions on request, as per the current legislative basis under DPA.
9. Do you have any ideas or proposals to ensure that consideration of these proposals benefit from wide public consideration, analysis and debate? The debate, discussion, research and correspondence on this topic should be performed in as transparent a manner as possible. To the greatest extent possible, all documentation, including correspondence, research and observations should be published online on an ongoing basis as it is completed. This includes drafts of legislation and/or Heads of Bills circulated to interested parties.
10. How far can the Bill go in providing the necessary powers to share data while at the same time ensuring clarity around what exactly is permitted? This question does not seem possible to answer in the absence of the text of a draft Bill.
11. Should both personal and sensitive personal data (within the means of the Data Protection Acts) be covered by these provisions? If so, what extra protections are required around sensitive personal data. Yes, insofar as any Bill should include additional safeguards to ensure that sensitive personal data was not accessed or shared inappropriately. It is impossible to say what extra provisions may be required in the absence of any draft Bill.
12. Should the Oireachtas have a role in overseeing or approving some types of data sharing arrangements? This question does not seem possible to answer in the absence of the text of a draft Bill.
13. What other specific data-sharing arrangements should be considered? It is a matter of concern that the examples provided are not generated by any underlying analysis of the principles of good data governance. Instead, they appear to be derived from current operational data practices of a number of departments. One of the Eight Principles of Data Protection law, now granted significant specific legal protections in both irish and European law, including under Article 8 of the European Charter of Fundamental Rights, is that data may only be collected for a 6 single specified, explicit and lawful purpose.â By definition, the data-sharing proposal as it stands now cannot comply with that principle. No citizen could be told or know in advance for what purpose they were supplying their data to any public body.
14. Should a general provision be added to enable widespread access to information on Births, Marriages and Civil Partnerships? In principle yes, although there appears to be a wider dispute emerging concerning the classification of birth, death, marriage and civil partnership records held by the General Register Office which must very urgently be addressed in advance of any legislative proposals emerging under the scope of this potential bill. The respondents, in particular Deputy Murphy, make the argument that access to these records, as has been the practice, is vital for the continuation of legitimate genealogical research. The Minister for Public Expenditure and Reform has previously stated that access to these records does not constitute “personal information” under 7 the Freedom of Information Acts , and that legal clarity was sought on this point from the GRO, however the DPC has recently instructed the Department of Social Protection to remove the GRO records of living people from a public facing database8. It is the view of the respondents that public access to these records should continue although it remains to be urgently clarified if there is a conflict with EU Data Protection Law in the first instance.
15. Some jurisdictions are examining the concept of an “honest broker” or “trusted third party” – this would have the power to accept any data and process it on behalf of the public bodies, while preventing the public body from accessing the raw data. Is this a concept that could be usefully included in the Bill? See the C&AG’s 58th Special Report from 20079 on the Irish State’s previous failed attempt to introduce a Public Service broker model.
16. Should specific provisions relating to the sharing of “anonymized” data be included? This is impossible to answer without further context. It is unclear whether it is being asked if anonymised data should be protected or de-anonymised.
17. Do you agree that “The problem [of data governance] is therefore primarily one of better implementation, rather than an absence of legislation? Yes, though it would be helpful to have been provided with the context and source of the quoted statement.
18. Should the Data Protection Commissioner have a role in monitoring and reporting on compliance with these governance positions? The DPC is an enforcement entity and is required, under CJEU case law10, to be independent in her functions from the executive. It is therefore not suitable to have the Commissioner made responsible for operational functions within departments. We have proposed (in response to question 8 above) a model for a public sector Data Governance and protection which does not threaten the DPC’s independence in the operation of her enforcement functions.
19. In what circumstances should a Department be able to “opt-out” of the transparency requirement for a particular data-sharing arrangement? This is impossible to answer without sight of the proposed transparency requirements.
20. Is it practicable for these arrangements to apply to all existing data-sharing arrangements, not just new ones? It is unclear that any bill could lawfully apply the proposed data sharing plan to any arrangements. Beyond this, this is an operational question for the emanations of the state.
21. Is the base register concept a useful one? 22. What other base registers could usefully be defined? This is a database of identity in all but name. Much greater debate on the significance of such a database being compiled by the state is required before an ID database and, potentially, accompanying card are introduced. The proposal that the any proposed Data Governance Bill would include a ‘requirement to unambiguously identify oneself’ is a very significant alteration in the balance of duties between Irish citizens and the Irish state and requires much more consideration and ought not to form any part of this Bill.
References 1
https://www.elsevier.com/books/executing-data-quality-projects/mcgilvray/978-0-12-374369-5
2
http://www.audgen.gov.ie/documents/vfmreports/58_eGovernment.pdf
3
ibid
4
The 40% statistic is sourced from Philip Howard Bloor’s 2011 white paper on Data Migration (http://www.bloorresearch.com/research/white-paper/data-migration-white-paper/). A 2007 study by Bloor research found an 80% failure rate for data migration: (http://www.bloorresearch.com/research/white-paper/data-migration/). 5
http://lawcommission.justice.gov.uk/docs/lc351_data-sharing.pdf
6
http://www.dataprotection.ie/docs/A-Guide-for-Data-Contollers/696.htm#2
7
Oireachtas Debates, 12 November 2013 (http://oireachtasdebates.oireachtas.ie/Debates%20Authoring/DebatesWebPack.nsf/committeetakes/FI2201 3111200010?opendocument) 8
http://www.irishtimes.com/news/ireland/irish-news/genealogy-site-left-personal-data-open-to-identity-thi eves-says-commissioner-1.1872664 9
http://www.audgen.gov.ie/documents/vfmreports/58_eGovernment.pdf
10
European Commission -v- Hungary, Case No. C-288/12 http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d2dc30d6b81f457985ef468bb259fea824ff c31e.e34KaxiLc3qMb40Rch0SaxuOb3f0?text=&docid=153035&pageIndex=0&doclang=EN&mode=req&dir=&occ=first &part=1&cid=74505