The Department of Public Expenditure, National Development Plan Delivery and Reform has published a Data Sharing Agreement Register. The Register contains the Data Sharing Agreements that have been published under the Data Sharing and Government Act 2019 so far. In addition, it contains the Data Governance Board’s recommendations for Data Sharing Agreements prepared under the Data Sharing and Governance Act.
Our Public, Regulatory & Investigations team examines some of the Data Governance Board’s recommendations and summarises the steps required to put in place DSAs under the DSGA.
The final provisions of the Data Sharing and Governance Act (DSGA) came into force on 16 December 2022. In summary, its primary objective is to regulate how and when public bodies can share personal data with other public bodies and whether a Data Sharing Agreement (DSA) is required. These issues are discussed in further detail in our previous articles : Data Sharing and Governance Act 2019: What Next for Public Sector Bodies? and Data Sharing and Governance Act 2019: Final Commencement Date Extended. In addition, this was also discussed at our webinar on Data Sharing and Governance Act 2019.
If a DSA is required, it must be completed in accordance with the DSGA. The Data Governance Board recommends following their DSA template, which can be accessed online. The recently published Register contains details of all data sharing agreements (DSAs) that have successfully completed the processes set out in the DSGA Data Sharing Playbook, all accession agreements and any withdrawals from these agreements.
The Register also acts as a guide to those who are unclear as to their obligations under the DSGA, by providing examples that a public body can use as a reference when entering into their own DSA. This is particularly useful given that there is no definition of “specific provision” in the DSGA, meaning that it is not always entirely clear when a DSA will be required.
The Register contains a variety of DSAs. Examples include DSAs relating to:
- The sharing of next of kin data between the Departments of Social Protection and the Department of Foreign Affairs (DFA) to facilitate the DFA in providing consular services to next of kin in the event of the death or serious injury of an Irish citizen abroad.
- The sharing of personal data between the Department of Social Protection and the Health Information and Quality Authority (HIQA) to assist HIQA to contact people regarding the National End of Life Survey. The Data Governance Board recommended here that further information was required to be provided to it and included in the DSA regarding the purpose of the survey.
- The sharing of personal data between the Department of Social Protection and DFA to assist in verifying that details presented by an applicant for entry to the Foreign Birth Register are authentic and correct, as the DFA maintains the Foreign Birth Registry.
Steps to put in place to ensure an effective DSA
A DSA is required if there is no “specific provision” of law in place permitting or requiring the data sharing between the relevant public bodies. We have outlined 9 key steps in the DSA process to assist public bodies in complying with their obligations under the DSGA:
- Ensure you have prepared for data sharing: The data to be shared must be identified and the disclosing public body must ensure that it has a legal basis to collect the personal data in the first place.
- Data Officers review: The data officers of the public bodies involved should communicate and agree that the requested data may be shared in accordance with their own governing legislation and the DSGA. The public body should consider whether a Data Protection Impact Assessment is needed to support the DSA. In addition, they should also agree who will take on the role of Lead Agency as defined in Section 21 of the DSGA. The Board recommends that the Lead Agency must complete Schedule A regarding the Evaluation for a Data Impact Assessment.
- Preparing the DSA: A DSGA compliant DSA should then be prepared by the Lead Agency’s data officer. This should then be reviewed by the Data Protection Officer (DPO) and a security specialist before being issued to the other party for completion.
- Public consultation: All DSAs will be published online for a period of 28 days. The public bodies must, on the same date as the consultation, publish a notice on their website outlining that they are proposing to enter into a DSA. The documents that are accessible to the public should be stated and include a link to the relevant DSA and DPO statement on the public consultation website. The Data Governance Unit will then compile all submissions made from the public consultation process and refer them to the data officers of the public body.
- Public sector bodies review: The public bodies will consult on the submissions received from the Data Governance Unit and may make amendments to the DSA. Once complete, the Lead Agency will send the final DSA to the Data Governance Board for review.
- The Board’s review: The Board’s review may involve seeking information from the Lead Agency and consulting with relevant Ministers. The Board will seek advice from their Data Sharing Committee, which will review the DSA and advise the Board of their findings. Once the Board has completed its review, there may be one of two outcomes: a further review is required due to substantive issues or no further review.
- Public sector bodies address recommendations: The public body may seek clarity from the Board on their recommendations. If amendments contain substantive issues, these must be resubmitted to the Board for further review. Once all recommendations have been addressed, the DSA will then be signed by an authorised signatory from the public bodies, and each DPO will update their DPO Statement.
- Publication of the DSA: The Lead Agency’s data officer will be responsible for sending the final executed DSA to the Minister within 10 days. The Data Governance Unit, on behalf of the Minister, will publish a list of the documents the Minister has received. The Lead Agency will be responsible for publishing the final executed DSA on their website. The Board will also publish the executed DSA and their recommendations on their website.
- DSA implementation: The Lead Agency data officer will be responsible for informing the Board of any changes to the DSA during the lifetime of the agreement.
The time required to complete each stage depends on the complexity of the proposed data sharing and how many public sector bodies are involved. Following each of these steps will assist in ensuring that you fulfil your obligations under the DSGA.
It is important for public bodies to review their obligations under the DSGA and to ensure that a DSA is put in place, following the above steps, if one is required.
If you would like to talk to us about complying with your obligations under the DSGA, please contact a member of our Public, Regulatory & Investigations team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.