The final provisions of the Data Sharing and Governance Act 2019 (DSGA) come into force on 31 March 2022. As this date approaches, it is important for public bodies to consider the Act, and how it affects them. Public bodies should be familiar with the Data Sharing Playbook, Guidance Note and Guidelines published by the Office of the Government Chief Information Officer (OGCIO) on data sharing under the DSGA. We take a look at the key requirements and timelines that apply.
DSGA obligations and requirements
The DSGA regulates how and when public bodies can share personal data with other public bodies when providing public services. It also establishes the Data Governance Board to promote and advise on compliance with the DSGA.
The main obligation is that public bodies must follow the data sharing requirements set out in Part 3 of the DSGA. In summary, this involves identifying a specific provision of law requiring or permitting the data sharing to take place. If no specific provision of law exists, public bodies must take additional steps to comply with the DSGA. These steps include putting in place a data sharing agreement in accordance with Part 4 of the DSGA and submitting this to the Data Governance Board for public consultation. We look at these requirements in further detail below.
It is important to note that the requirements of the DSGA are in addition to, and not instead of, the requirements under data protection legislation. The DPC’s Guidance Note on Data Sharing in the Public Sector should also be considered.
A specific provision of law
If a public body can point to a specific provision of law that either permits or requires the data sharing to take place, there is no requirement to put in place a data sharing agreement. The level of specificity required is not set out in the DSGA. However, based on guidance issued from the OGCIO on this point, it appears that the level of specificity required is quite high, and that the relevant statutory power or obligation to share the data should be express, rather than implied. In this regard, the OGCIO guidance refers to sections 265 to 270 of the Social Welfare Consolidation Act 2005 as examples of specific statutory provisions. These provisions expressly set out the type of body that may share data along with the type of information that may be shared and the purpose behind the sharing. Ultimately, whether a statutory provision will meet the necessary threshold of specificity will require an analysis of each relevant legislative provision.
Data sharing agreements
A data sharing agreement is required if there is no specific provision of law in place permitting the data sharing between the relevant public bodies. The data sharing agreement will need to demonstrate two things:
- that the disclosure of the personal data is necessary to perform a function of either public body, and
- that at least one of eight statutory purposes set out in section 13(2)(a) of the DSGA applies. For example, that the purpose of the data sharing is to support the ”once only” principle, namely that persons should not have to provide the same information multiple times to different public bodies.
Data sharing agreements will also need to comply with additional requirements relating to proportionality and necessity and any rules, procedures, standards and guidelines issued under the DSGA.
The data sharing agreement must also be subject to a public consultation process, during which members of the public will have 28 days to make submissions on the draft agreement. Lastly, once the public consultation process is complete, the data sharing agreement is executed by the relevant public bodies and published by the lead public body along with the Data Governance Board. Template documents to include the data sharing agreement and public consultation notice are available on www.gov.ie.
A phased approach
The DSGA has been commenced in stages. A small number of provisions came into force in April 2019, such as preliminary and general provisions and provisions relating to the collection and processing of public service pension data. On 7 July 2021, the majority of the DSGA came into force, including the establishment of the Data Governance Board, and the requirement for data sharing agreements. The two remaining provisions, sections 6(2) and 6(3), will come into force on 31 March 2022. This is significant as it means that, from 31 March 2022, section 38 of the Data Protection Act 2018, which gives effect to Article 6(1)(e) GDPR, can no longer be relied on as a valid legal basis for data sharing arrangements between public bodies.
Key steps between now and 31 March 2022
If you rely on section 38 of the Data Protection Act 2018 to share personal data with another public body, you should make arrangements to prepare draft Data Sharing Agreements and Data Protection Officer statements so that they are ready for public consultation. Based on OGCIO guidance, it is also expected that public bodies will appoint a data officer to act as the contact point between other public bodies and the Data Governance Unit in the OGCIO
A senior official (principal officer) may also need to be appointed to act as an authorised signatory, who will execute the data sharing agreements and will be accountable for the data sharing within the public body.
If you would like to talk to us about making adequate preparations in advance of commencement of the final DSGA provisions, please contact a member of our Public, Regulatory & Investigations team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
