Data sharing and governance act 2019

• Act Number: 5
• Enactment Date: 04 March 2019

Number 5 of 2019
DATA SHARING AND GOVERNANCE ACT 2019
CONTENTS
PART 1
Preliminary and General
1. Short title and commencement
2. Definitions
3. Regulations and Orders
4. Expenses
PART 2
Application of Act
5. Application of Act to special categories of personal data
6. Interaction with Data Protection Acts and General Data Protection Regulation
7. Interaction with Social Welfare Consolidation Act 2005
8. Interaction with other enactments
9. Data-sharing: meaning
10. Public body: meaning
11. Deceased persons
12. Exclusions
PART 3
Regulation of Data-sharing
13. Data-sharing: requirements
14. Directions
PART 4
Data-sharing Agreements
15. Application (Part 4)
16. Obligation to enter into data-sharing agreement
17. Formal requirements
18. Accession to data-sharing agreement
19. Content of data-sharing agreement
20. Review of operation of data-sharing agreement
21. Lead agency
22. Cessation
PART 5
Public service information
23. Definitions (Part 5)
24. Application (Part 5)
25. Administration of Single Public Service Pension Scheme
26. Administration of pre-existing public service pension schemes
27. Public service policy analysis
28. Information requests
29. Data protection impact assessment
30. Anonymisation
31. Pension scheme information systems
32. Transparency
PART 6
Business Information
33. Definitions (Part 6)
34. Application (Part 6)
35. Allocation of unique business identifier number
36. Disclosure of business information
PART 7
Base Registries
37. Designation of base registry
38. Base registry owner
39. Processing of information
40. Terms of service
41. Access to information
42. Obligation to use base registry
PART 8
Personal Data Access Portal
43. Application (Part 8)
44. Establishment of personal data access portal
PART 9
Data Governance
Chapter 1
Data Governance Board
45. Appointment of Board
46. Functions of Board
47. Membership of Board and related matters
48. Committees
49. Disqualification from membership of Board
50. Resignation from membership
51. Casual vacancies
52. Reporting
Chapter 2
Review of Data Sharing Agreements
53. Definitions (Chapter 2)
54. Exclusions (Chapter 2)
55. Public consultation
56. Submission of documentation and information to Board
57. Review of data-sharing agreement
58. Amendments following review
59. Execution of agreement
60. Publication
61. Effective date of agreement
62. Time periods and documentation
Chapter 3
Governance
63. Application (Chapter 3)
64. Rules, procedures and standards
65. Guidelines
66. Model agreements
67. Publication of regulations and guidelines
68. Compliance report
PART 10
Miscellaneous
69. Prohibition on requests for certain documents
70. Specification of information
71. Provision of information on data-sharing
72. Amendment of Act of 1997
73. Amendment of Ministers and Secretaries (Amendment) Act 2011
74. Amendment of Social Welfare Consolidation Act 2005
75. Amendment of National Shared Services Office Act 2017
SCHEDULE
Bodies to which definition of “public body” does not apply
Acts Referred to
Civil Partnership and Certain Rights and Obligations of Cohabitants Act 2010 (No. 24)
Civil Registration Act 2004 (No. 3)
Civil Service Regulation Act 1956 (No. 46)
Communications Regulation (Postal Services) Act 2011 (No. 21)
Companies Act 2014 (No. 38)
Comptroller and Auditor General Acts 1866 to 1998
Copyright and Related Rights Act 2000 (No. 28)
Criminal Justice (Money Laundering and Terrorist Financing) Act 2010 (No. 6)
Criminal Justice (Terrorist Offences) Act 2005 (No. 2)
Criminal Law Act 1976 (No. 32)
Data Protection Act 2018 (No. 7)
Data Protection Acts 1988 to 2018
Education Act 1998 (No. 51)
Education and Training Boards Act 2013 (No. 11)
Electronic Commerce Act 2000 (No. 27)
Employment Equality Act 1998 (No. 21)
European Parliament Elections Act 1997 (No. 2)
Family Law (Divorce) Act 1996 (No. 33)
Family Law Act 1995 (No. 26)
Interpretation Act 2005 (No. 23)
Irish Human Rights and Equality Commission Act 2014 (No. 25)
Local Government Act 2001 (No. 37)
Ministers and Secretaries (Amendment) Act 2011 (No. 10)
National Shared Services Office Act 2017 (No. 26)
Offences against the State Acts 1939 to 1998
Public Service Pay and Pensions Act 2017 (No. 34)
Public Service Pensions (Single Scheme and Other Provisions) Act 2012 (No. 37)
Public Service Superannuation (Miscellaneous Provisions) Act 2004 (No. 7)
Social Welfare Consolidation Act 2005 (No. 26)
Statistics Act 1993 (No. 21)
Taxes Consolidation Act 1997 (No. 39)
Vital Statistics and Births, Deaths and Marriages Registration Act 1952 (No. 8)
Number 5 of 2019
DATA SHARING AND GOVERNANCE ACT 2019
An Act to provide for the regulation of the sharing of information, including personal data, between public bodies; to provide for the regulation of the management of information by public bodies; to provide for the establishment of base registries; to provide for the collection of public service information; to establish the Data Governance Board; to amend the Taxes Consolidation Act 1997 ; to amend the Social Welfare Consolidation Act 2005 ; to amend the Ministers and Secretaries (Amendment) Act 2011 ; to amend the National Shared Services Office Act 2017 ; and to provide for related matters.
[4th March, 2019]
Be it enacted by the Oireachtas as follows:
PART 1 Preliminary and General
		Short title and commencement
1. (1) This Act may be cited as the Data Sharing and Governance Act 2019.
	(2) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.
		Definitions
2. In this Act—
	“Act of 1997” means the Taxes Consolidation Act 1997 ;
	“Act of 2005” means the Social Welfare Consolidation Act 2005 ;
	“Act of 2014” means the Companies Act 2014 ;
	“base registry” means a database which is designated as such in an order made under section 37 (1);
	“base registry owner” means a public body specified as such in respect of a base registry in an order made under section 37 (1);
	“Board” has the meaning assigned to it by section 45 (1);
	“company” means a company formed and registered under the Act of 2014 or an existing company within the meaning of that Act;
	“controller” has the same meaning as it has in the General Data Protection Regulation;
	“data protection impact assessment” means an assessment carried out for the purposes of Article 35 of the General Data Protection Regulation;
	“data protection law” means—
	(a) the Data Protection Acts 1988 to 2018,
	(b) the General Data Protection Regulation,
	(c) all law of the State giving further effect to the General Data Protection Regulation, and
	(d) all law of the State giving effect or further effect to Directive 2016/680;
	“data protection officer” in respect of a public body, means the person designated in accordance with Article 37 of the General Data Protection Regulation;
	“data-sharing” shall be construed in accordance with section 9 ;
	“data-sharing agreement” means an agreement between two or more public bodies which provides for the disclosure of information by one or more of the parties to the agreement to one or more of the other parties to the agreement;
	“data subject” has the same meaning as it has in the General Data Protection Regulation;
	“database” has the same meaning as it has in the Copyright and Related Rights Act 2000 ;
	“Directive 2016/680” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA1 ;
	“enactment” has the same meaning as it has in the Interpretation Act 2005 ;
	“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC2 ;
	“information” includes data;
	“information system” has the same meaning as it has in the Electronic Commerce Act 2000 ;
	“lead agency” has the meaning assigned to it by section 21 ;
	“Minister” means the Minister for Public Expenditure and Reform;
	“personal data” has the same meaning as it has in the General Data Protection Regulation;
	“prescribed” means prescribed by regulations made by the Minister under section 3 (1);
	“processing” has the same meaning as it has in the General Data Protection Regulation;
	“public body” shall be construed in accordance with section 10 ;
	“public service pension scheme” has the same meaning as it has in Part 4 of the Public Service Pay and Pensions Act 2017 ;
	“special categories of personal data” means information referred to in Article 9(1) of the General Data Protection Regulation.
		Regulations and Orders
3. (1) The Minister may by regulations provide for any matter referred to in this Act as prescribed or to be prescribed.
	(2) Without prejudice to any provision of this Act, regulations under this section may contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of the...