Clear in Principle, Opaque in Practice: Data sharing between public bodies during COVID-19

 Róisín Costello, Dublin City University

The ongoing public health crisis generated by COVID-19 has drawn particular attention to the issue of data sharing between public bodies, as both Government departments as well as public bodies like the HSE seek to co-ordinate data collection and to map vectors for disease transmission and service need. The Data Protection Commissioner’s request to the Department of Social Protection concerning its access to travel information of individuals in receipt of social welfare, as well as the creation of dossiers on autistic children have raised concerns over just how data is shared between public bodies - and (as in the case of the daa) between public and non-State bodies.

 

The Data Protection Commission (DPC) has previously emphasised the need for transparency in public sector use of data and the need to ensure individuals are informed about how their personal information is used and for what purpose, who can access the information, and how the sharing of their data will impact them. These points of emphasis echo the decision of the CJEU in Bara to the effect that public sector use of personal data should be undertaken in a manner that reinforces the data protection rights of individuals. Yet the operation of data sharing between public bodies in Ireland is often only superficially clear and practically opaque.

 

The existence of a public health emergency has broadened the legal basis for the collection and processing of personal data under the GDPR, in particular in respect of health related data under Article 9. In the current context, Articles 9(2)(h) and (i) permit ‘special category data’ as defined under Article 9 to be processed in order to provide occupational or preventative medical services (h) or in order to serve the public interest in the area of public health in particular in the protection against serious cross-border threats to health.

 

There would seem, therefore, to be a range of variously specific legal basis on which public bodies can rely in the collection and processing of personal data during COVID-19 where the public interest and public health are concerned. However, the processing of such data, and its sharing must comply with the data protection principles and informational requirements outlined by Articles 12, 13 and 14 GDPR.

 

Yet beyond these basic informational requirements premised on a notice and consent model, there is little information publicly available which explains in detail what data is shared – and with who. The Data Sharing and Governance Act 2019 was introduced in an attempt to remedy this lack of transparency and to provide a unified legislative schema for data sharing between public bodies. The Act provides for the introduction of rules, guidelines and governance standards for data sharing.

 

In particular, the Act provides for the creation and publication of data sharing agreements in an effort to clarify what data is being shared and between which state bodies. The Act would therefore provide for greater transparency, as well as providing for the creation of broader and more specific data governance architectures. However, the provisions under s.15-22 which govern the creation of Data Sharing Agreements as well as under s.63-66 dealing with governance of data including special category data (which includes health data), have not been commenced as of writing.

 

The result is, that while non special category data can be shared for one of the broadly drawn, functional reasons outlined in s.13, the public bodies involved are not obliged to publish details as to the agreements in respect of such sharing beyond the more minimal requirements under the GDPR and the 2018 Act which are directed at the individuals whose data is involved, rather than the public at large.

 

This means that the extent to which data is being shared among public bodies, and which public bodies are sharing such data, is difficult to gauge for those not actively and individually involved in the process. While the broad principles of the operation of data sharing may be discernible, the practical operation and more granular detail of sharing is less clear.

 

Róisín Á Costello is an Assistant Professor at Dublin City University School of Law & Government.

Suggested citation: Roisin Costello, ‘Clear in Principle, Opaque in Practice: Data sharing between public bodies during COVID-19’ (20 April 2021) https://tcdlaw.blogspot.com/2021/04/clear-in-principle-opaque-in-practice.html.