It is seldom that a piece of new law brings a level of anticipation, consternation, broad interest and (due to the ironically high amount of unrequested email correspondence it initially precipitated) public ire, but the GDPR is no ordinary new law. By comparison, the Data Protection Act 2018 (the "2018 Act") (the Irish implementing legislation) received little fanfare despite the 'twelfth hour' nature of its passing by the Oireachtas.
Flying even further under the radar is the Data Sharing and Governance Bill 2018 (the "Bill"), which was published on 12 June by the Department of Public Expenditure and Reform and which forms part of the Government's eGovernment Strategy 2017-2020.
The idea behind the Bill is to facilitate the more efficient use of data in the provision of public services, thereby reducing duplication of effort and cutting down on wasted time and money. This, in turn, will support better services for individuals and businesses and enhance policy implementation across the public service. The Bill has two main goals: to provide a legal basis for public bodies sharing data between each other (the "sharing"); but also to set down safeguards for the individuals whose data is being shared (the "governance").
The Bill's provisions include:
Allowing for the sharing of personal data by public bodies for the performance of their lawful functions for specified purposes, including: identity verification; avoiding financial and administrative cost; establishing entitlement of a person to a service; facilitating administration of services; and allowing evaluation and analysis of service delivery. Requiring that the sharing be carried out in accordance with a "data sharing agreement" that must be in place before the sharing starts and that must address certain matters, including what data is to be shared and how it will be processed. Allowing the Minister for Public Expenditure and Reform to designate a "base registry" that must be used by public bodies as the authoritative source for the information contained in it. Issuing "Unique Business Identifier Numbers" to allow for datasets on individual businesses to be created and used in identifying a business across its interactions with public bodies. Provision for the creation of a "Personal Data Access Portal" to facilitate the exercise of rights of individuals under GDPR. Allowing for the creation of a "Data Governance Board" which will offer advice, monitor compliance and review...