Data Sharing and Governance Act 2019
PART 1 Preliminary and General
1. Short title and commencement
1. (1) This Act may be cited as the Data Sharing and Governance Act 2019.
(2) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.
2. Definitions
2. In this Act—
“Act of 1997” means the Taxes Consolidation Act 1997;
“Act of 2005” means the Social Welfare Consolidation Act 2005;
“Act of 2014” means the Companies Act 2014;
“base registry” means a database which is designated as such in an order made under section 37(1);
“base registry owner” means a public body specified as such in respect of a base registry in an order made under section 37(1);
“Board” has the meaning assigned to it by section 45(1);
“company” means a company formed and registered under the Act of 2014 or an existing company within the meaning of that Act;
“controller” has the same meaning as it has in the General Data Protection Regulation;
“data protection impact assessment” means an assessment carried out for the purposes of Article 35 of the General Data Protection Regulation;
“data protection law” means—
(a) the Data Protection Acts 1988 to 2018,
(b) the General Data Protection Regulation,
(c) all law of the State giving further effect to the General Data Protection Regulation, and
(d) all law of the State giving effect or further effect to Directive 2016/680;
“data protection officer” in respect of a public body, means the person designated in accordance with Article 37 of the General Data Protection Regulation;
“data-sharing” shall be construed in accordance with section 9;
“data-sharing agreement” means an agreement between two or more public bodies which provides for the disclosure of information by one or more of the parties to the agreement to one or more of the other parties to the agreement;
“data subject” has the same meaning as it has in the General Data Protection Regulation;
“database” has the same meaning as it has in the Copyright and Related Rights Act 2000;
“Directive 2016/680” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
“enactment” has the same meaning as it has in the Interpretation Act 2005;
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“information” includes data;
“information system” has the same meaning as it has in the Electronic Commerce Act 2000;
“lead agency” has the meaning assigned to it by section 21;
“Minister” means the Minister for Public Expenditure and Reform;
“personal data” has the same meaning as it has in the General Data Protection Regulation;
“prescribed” means prescribed by regulations made by the Minister under section 3(1);
“processing” has the same meaning as it has in the General Data Protection Regulation;
“public body” shall be construed in accordance with section 10;
“public service pension scheme” has the same meaning as it has in Part 4 of the Public Service Pay and Pensions Act 2017;
“special categories of personal data” means information referred to in Article 9(1) of the General Data Protection Regulation.
3. Regulations and Orders
3. (1) The Minister may by regulations provide for any matter referred to in this Act as prescribed or to be prescribed.
(2) Without prejudice to any provision of this Act, regulations under this section may contain such incidental, supplementary and consequential provisions as appear to the Minister to be necessary or expedient for the purposes of the regulations.
(3) Every order (other than an order under section 1(2)) and regulation under this Act shall be laid before each House of the Oireachtas as soon as may be after it is made and, if a resolution annulling the order or regulation is passed by either such House within the next 21 days on which that House sits after the order or regulation is laid before it, the order or regulation shall be annulled accordingly, but without prejudice to the validity of anything previously done thereunder.
4. Expenses
4. The expenses incurred by the Minister in the administration of this Act shall be paid out of monies provided by the Oireachtas.
PART 2 Application of Act
5. Application of Act to special categories of personal data
5. This Act, other than Part 5, Part 8 and Chapter 3 of Part 9, shall not apply to special categories of personal data.
6. Interaction with Data Protection Acts and General Data Protection Regulation
6. (1) Subject to subsections (2) and (3), nothing in this Act shall affect the operation of data protection law.
(2) Section 38 of the Data Protection Act 2018 shall not apply to the disclosure of information by one public body to another public body.
(3) Regulations made under section 38(4) of the Data Protection Act 2018 shall not constitute an enactment under which specific provision is made permitting or requiring data-sharing for the purpose of sections 13(1), 15(1) or 34(1).
7. Interaction with Social Welfare Consolidation Act 2005
7. (1) Subject to subsection (2), this Act, other than Part 5 and Chapter 3 of Part 9, does not affect the operation of the Act of 2005.
(2) Notwithstanding section 262(6)(b) of the Act of 2005, a specified body (in this section referred to as the “first mentioned specified body”) may, subject to subsection (3), disclose the information comprised in a person’s public service identity to another specified body (in this section referred to as the “second mentioned specified body”), where the information is disclosed in accordance with this Act.
(3) The first mentioned specified body may not disclose the information comprised in a person’s public service identity to the second mentioned specified body for the purpose specified in section 13(2)(a)(ii)(VIII).
(4) The reference in subsections (2) and (3) to the disclosure of the information referred to in those subsections includes the accessing of that information by the second mentioned specified body where that information is contained in a base registry in respect of which the first mentioned specified body is the base registry owner.
(5) In this section—
“specified body” has the same meaning as it has in section 262 of the Act of 2005;
“public service identity” has the same meaning as it has in section 262 of the Act of 2005, subject to the modification that the reference, in the definition of that phrase in subsection (1) of that section, to information specified in subsection (3) of that section shall not include a reference to special categories of personal data.
8. Interaction with other enactments
8. (1) Subject to section 34(3), nothing in this Act shall affect the operation of section 851A of the Act of 1997.
(2) Subject to section 64(3), this Act shall not apply to information—
(a) collected for statistical purposes in accordance with the Statistics Act 1993, or
(b) disclosed in accordance with regulations made under section 2 of the Vital Statistics and Births, Deaths and Marriages Registration Act 1952.
(3) This Act, other than Chapter 3 of Part 9, shall not apply to the disclosure of information under the Civil Registration Act 2004.
9. Data-sharing: meaning
9. (1) In this Act, “data-sharing” means the disclosure of information, including personal data, by a public body to another public body.
(2) For the purposes of this Act, an addition or change to the information held on an information system under the control of a public body that results automatically from an addition or change to information held on an information system under the control of another public body, is deemed to be a disclosure by the second mentioned public body to the first mentioned public body of the information so added or changed on the information system under the control of the first mentioned public body.
10. Public body: meaning
10. (1) In this Act, “public body” means—
(a) a Minister of the Government,
(b) the Attorney General,
(c) the Comptroller and Auditor General,
(d) the Revenue Commissioners,
(e) the Commissioners of Public Works in Ireland,
(f) the Commissioner of Valuation,
(g) the Garda Síochána,
(h) the Defence Forces,
(i) a local authority for the purposes of the Local Government Act 2001,
(j) the Health Service Executive,
(k) an education and training board,
(l) a recognised school established and maintained by an education and training board,
(m) a board of a recognised school established and maintained by an education and training board,
(n) a body (other than an exempted body) established—
(i) by or under an enactment (other than the Act of 2014 or a former enactment relating to companies within the meaning of section 5 of that Act), or
(ii) under the Act of 2014, or a former enactment relating to companies within the meaning of section 5 of that Act, in pursuance of powers conferred by or under another enactment, and financed wholly or partly by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government,
in respect of which a public service pension scheme exists or applies or may be made,
(o) a body (other than an exempted body) that is wholly or partly funded directly or indirectly out of moneys provided by the Oireachtas or from the Central Fund or the growing produce of that Fund and in respect of which a public service pension scheme exists or applies or may be made,
(p) any subsidiary of, or company controlled (within the meaning given by section 10 of the Act of 1997) by, a body to which paragraph (i), (j), (k), (n) or (o) relates and in respect of which a public service pension scheme exists or applies or may be made, and
(q) any other body specified in an order made under subsection (4).
(2) The Minister may, with the consent of the Minister of the Government in whom functions in relation to that body are vested and having had regard to the matters referred to in subsection (3), by order exempt a body that would otherwise be included in the definition of “public body” in subsection (1).
(3) The Minister shall, prior to making an order under subsection (2), have regard to whether—
(a) the body proposed to be specified in the order is engaged for gain in the production, supply or distribution of goods or the provision of a service, and
(b) the use by that body of information disclosed to it by a public body could lead to the distortion of competition in trade in any goods or services in the State or in any part of the State.
(4) The Minister may, at the request of a body that would not otherwise be included in the definition of “public body” in subsection (1) and with the consent of the Minister of the Government in whom functions in relation to that body are vested, by order designate that body as a public body where—
(a) that body is financed wholly or partly, whether directly or indirectly, by means of moneys provided, or loans made or guaranteed, by a Minister of the Government or the issue of shares held by or on behalf of a Minister of the Government, and
(b) the Minister is satisfied that the principal activity of the body is the delivery of services to the public under an agreement with a public body.
(5) In this section—
“Act of 1998” means the Education Act 1998;
“board” has the same meaning as it has in the Act of 1998;
“education and training board” means an education and training board established under section 9 of the Education and Training Boards Act 2013;
“exempted body” means—
(a) a body specified or referred to in the Schedule,
(b) a body specified in an order made under subsection (2),
(c) a recognised school (other than a recognised school referred to in subsection (1)(l)),
(d) a board (other than a board referred to in subsection (1)(m)), and
(e) a management committee established under section 37(3) of the Act of 1998;
“recognised school” has the same meaning as it has in the Act of 1998.
11. Deceased persons
11. Unless the context otherwise requires—
(a) a reference in this Act to a person includes a reference to a deceased person, and
(b) a reference in this Act to personal data or special categories of personal data includes a reference to the personal data or special categories of personal data, as the case may be, of a deceased person.
12. Exclusions
12. (1) This Act shall not apply to data-sharing for the purposes of—
(a) the prevention, detection or investigation of offences,
(b) the apprehension or prosecution of offenders,
(c) the imposition or execution of a fine or sentence of imprisonment,
(d) the exercise of the functions of the Criminal Assets Bureau,
(e) protecting the security of the State including, but not limited to, the following:
(i) preventing, detecting and investigating offences under the Offences against the State Acts 1939 to 1998, the Criminal Law Act 1976, the Criminal Justice (Terrorist Offences) Act 2005 and the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010;
(ii) protecting the State from—
(I) espionage,
(II) sabotage,
(III) unlawful acts that subvert or undermine, or are intended to subvert or undermine, parliamentary democracy or the institutions of the State, and
(IV) acts of foreign interference that are, or are intended to be, detrimental to the interests of the State and are clandestine or deceptive or involve a threat to any person,
whether directed from, or committed or intended to be committed within, the State or not,
(f) identifying foreign capabilities, intentions or activities within or relating to the State that impact on the international or economic well-being of the State,
(g) co-operating with authorities in other states and international organisations aimed at preserving international peace, public order and security,
(h) the defence of the State, or
(i) the international relations of the State.
(2) Subject to Part 5, this Act shall not apply to the disclosure by a public body to another public body of the personal data of a data subject for the internal administrative purposes of the first or second mentioned public body.
(3) The reference in subsection (2) to internal administrative purposes includes a reference to purposes relating to the employment of the data subject concerned.
PART 3 Regulation of Data-sharing
13. Data-sharing: requirements
13. (1) This section applies to the disclosure of personal data by a public body to another public body, where there is no other enactment or law of the European Union in operation under which specific provision is made permitting or requiring such data-sharing.
(2) A public body may disclose personal data to another public body, in a case in which this section applies to such disclosure, only where—
(a) the personal data concerned is disclosed—
(i) for the purpose of the performance of a function of the first or second mentioned public body, and
(ii) for one or more of the following purposes:
(I) to verify the identity of a person, where the first or second mentioned public body is providing or proposes to provide a service to that person;
(II) to identify and correct erroneous information held by the first or second mentioned public body;
(III) to avoid the financial or administrative burden that would otherwise be imposed on a person to whom a service is being or is to be delivered by the first or second mentioned public body were the second mentioned public body to collect the personal data directly from that person;
(IV) to establish the entitlement of a person to the provision of a service being delivered by the first or second mentioned public body, on the basis of information previously provided by that person to the first mentioned public body (or another public body that previously disclosed the information to the first mentioned public body);
(V) to facilitate the administration, supervision and control of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VI) to facilitate the improvement or targeting of a service, programme or policy delivered or implemented or to be delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VII) to enable the evaluation, oversight or review of a service, programme or policy delivered or implemented or being delivered or implemented, as the case may be, by, for or on behalf of the first or second mentioned public body;
(VIII) to facilitate an analysis of the structure, functions, resources and service delivery methods of the first or second mentioned public body,
(b) the personal data concerned is disclosed under and in accordance with a data-sharing agreement in compliance with Part 4,
(c) the first and second mentioned public body—
(i) comply with the rules, procedures and standards, if any, prescribed under section 64,
(ii) have regard to the guidelines, if any, issued under section 65, and
(iii) where subsection (3) of section 66 applies, comply with that subsection,
(d) in a case in which the second mentioned public body is engaged for gain in the production, supply or distribution of goods or the provision of services, the use by that public body of the personal data could not lead to the distortion of competition in trade in those goods or services in the State or in any part of the State,
(e) the personal data concerned has been lawfully obtained and held by the first mentioned public body, and
⋯
This document does not substitute the official text published in the Irish Statute Book. We accept no responsibility for any inaccuracies arising from the transcription of the original into this format.